HELSINKI, WALTHAM, Mass. and ROLLING MEADOWS, Ill., Sept. 12, 2017 – The use of Secure Shell (SSH) is ubiquitous, a critical service on which the security profile of most organizations depends. Yet, according to a new report issued by ISACA and sponsored by SSH Communications Security, only rarely is that usage appropriately secured, assessed, documented and managed in a systematic and risk-aware way. Consequently, poorly managed SSH key environments may lead to compliance challenges and security breaches. The full report can be downloaded free of charge from the ISACA or SSH Communications Security web sites. The report outlines considerations that technology risk professionals, auditors, security practitioners and governance professionals should take into account as they approach the use of SSH in their enterprises. It offers guidance for the assessment of SSH usage, including items to incorporate in audit plans to ensure SSH access control and management is in place. Key areas auditors should consider regarding SSH keys include:
- Security issues: Practical challenges include managing and tracking cryptographic keys at scale, responsibility for “key hygiene” and executive oversight for the use of SSH.
- Assurance considerations: The ubiquity and transparency of SSH access makes the surface area for consideration very large, while the underlying mechanics of operation make it specialized and potentially complex. The report explores the core areas that auditors should consider when evaluating SSH usage.
- Suggested controls: ISACA recommends specific areas to focus on when evaluating enterprise networks for SSH compliance, including configuration management and provisioning.