
Copyright 2015 SSH Communications Security

SSH Communications Security

SSH Access Management

ENABLE, MONITOR & MANAGE

ENCRYPTED NETWORKS

Sean Lunell, sean.lunell@ssh.com, (408) 568-8779

Page 2

The Business Challenge

[Diagram: external contractors and third parties, business partners and data exchanges, and internal admins reach Datacenter 1, Datacenter 2 and virtualized/cloud environments over SSH; access is both automated (application to application) and interactive, with SSH key based access from a user such as Bob to root; the surrounding controls shown are SIEM, IPS, DLP, IdM and a PAM jump server]

• How do you go from after-the-fact to preventative controls?

• Can you do all this efficiently and transparently, without affecting user experience or automated processes?

• How do you monitor, control and audit interactive and automated encrypted traffic?

• How do you control and ensure secure access to your on-premise and cloud systems at all layers?

Page 3

What We Have Learned

• Average:

– 80% of SSH usage is machine-to-machine (vs. interactive)

– 50 SSH user keys identified per host

– 10% of SSH user keys are unknown AND HAVE ROOT ACCESS

• Customer example:

– 10,000 servers on their network

– 1.5 million SSH keys identified

– 10% (150,000) user keys unknown, with root access

Page 4

What We Have Learned

[Diagram comparing "What You Think You Have" with "What You Likely Have": SSH trust relationships between business users, developers, production servers and development & test systems]

Page 5

SSH Mapped Trust Relationships: 100 Hosts

Page 6

SSH Trust Mapping

Page 7

SSH Trust Mapping

Page 8

SSH Trust Mapping

Page 9

Business Driver: Risk

• No visibility: who has access to what, from where, and what can they do?

– Who has privileged / application access to the systems, and from where?

– Are there direct authorizations from Dev / Test to Production?

• No tools or methods to remove keys

– Users may have access to systems they no longer should have

– How to identify and remove revoked, orphaned and unauthorized keys?

• No tools or methods to restrict or rotate the private keys

– Keys may be over 10 years old, never renewed

– Keys can be copied and used by another person from a different location (from= stanzas?)

Page 10

Business Driver: Compliance

• MAS Technology Risk Management Guidelines

– Separation of duties, key activity monitoring

• IETF

– Managing SSH Keys for Automated Access - Current Recommended Best Practice

• NISTIR 7966 - Publication

– Now official

– Appendix B: Cybersecurity Framework

• PCI DSS 3.0

– Close cooperation with NIST

• COBIT / SOX Framework, HIPAA

Page 11

NIST IR7966 Best Practices

• Standardize the key configuration across the environment

• The authorized_keys file should not allow end-user write access

• Centralized key provisioning (no more “self-service” provisioning). Key provisioning should be centralized and limited to a much smaller number of root-level administrators

• Cipher configuration – allow only strong ciphers and specified key lengths

• Require password protection for private keys

• Ensure Secure Shell server will not execute if authorized keys file and home directory are insecure

• Prevent privilege escalation by process spawning

• Segregate system accounts from person accounts

• Use controls to limit Secure Shell access to specific commands and source addresses

• Rotate keys

• Require logging of Secure Shell activity

• Remove unneeded User Keys

• Document key usage

• Regular audits
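As an added example (not code from the slides or from SSH Communications Security), the following script checks an authorized_keys file against several of the items above: keys that are not in a central inventory, keys without from= and command= restrictions, and RSA keys below a minimum modulus length. The sample entries and the inventory set are constructed for the demonstration.

```python
# Added example (not from the slides): audit an authorized_keys file against the checklist above.
# Sample keys below are constructed, not real key material; the inventory set is an assumption.
import base64
import struct
def ssh_string(b):                 # SSH wire-format "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def ssh_mpint(n):                  # SSH "mpint": big-endian, with a 0x00 prefix if the high bit is set
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + b if b[0] & 0x80 else b)
def rsa_modulus_bits(blob):        # ssh-rsa blob = string "ssh-rsa", mpint e, mpint n
    raw, off, fields = base64.b64decode(blob), 0, []
    while off < len(raw):
        (ln,) = struct.unpack(">I", raw[off:off + 4]); off += 4
        fields.append(raw[off:off + ln]); off += ln
    return int.from_bytes(fields[2], "big").bit_length()
def parse_line(line):              # -> {"options", "type", "blob", "comment"} or None for blanks/comments
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, quoted = "", False
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):
        for i, ch in enumerate(line):  # options end at the first space outside double quotes
            if ch == '"':
                quoted = not quoted
            elif ch.isspace() and not quoted:
                opts, line = line[:i], line[i + 1:].lstrip(); break
    parts = line.split(None, 2)
    return {"options": opts, "type": parts[0], "blob": parts[1], "comment": parts[2] if len(parts) > 2 else ""}

def audit(text, inventory, min_rsa_bits=2048):
    """Return {comment: [findings]} for every key that violates the checklist; compliant keys are omitted."""
    report = {}
    for e in filter(None, map(parse_line, text.splitlines())):
        findings = [msg for cond, msg in (
            (e["blob"] not in inventory, "unknown key: not in the central inventory"),
            ("from=" not in e["options"], "no from= source-address restriction"),
            ("command=" not in e["options"], "no command= restriction to a specific command"),
            (e["type"] == "ssh-rsa" and rsa_modulus_bits(e["blob"]) < min_rsa_bits,
             "RSA modulus shorter than %d bits" % min_rsa_bits)) if cond]
        if findings:
            report[e["comment"] or e["blob"][:16]] = findings
    return report
def make_rsa_blob(modulus):        # constructed public key blob (e=65537), base64 of the wire format
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(modulus)).decode()

# Constructed sample: one restricted, inventoried 2048-bit key and one unmanaged 1024-bit key.
STRONG, WEAK = make_rsa_blob(2**2047 + 1), make_rsa_blob(2**1023 + 1)
SAMPLE = ('from="10.1.2.3",command="/usr/local/bin/backup.sh" ssh-rsa %s backup@app01\n'
          'ssh-rsa %s bob@laptop\n') % (STRONG, WEAK)
INVENTORY = {STRONG}
```

Running `audit(SAMPLE, INVENTORY)` reports only bob@laptop, with four findings; the backup key passes every check.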

Page 12

Business Driver: Cost

• Complex manual process for setting up new keys and trust-relationships

• Even more complex and time consuming manual process for rotating and removing the keys

• The more dynamic the environments are, the more key operations are required (cloud / grid computing)

• In large organizations, manual SSH user key operations can easily accumulate to several millions in annual operational costs

Manual key setup process: Key request → Approval process → Key pair creation → Public key transfer → Configuration → Testing, times the number of remote systems

Number of SSH systems in environment: 20,000
Number of new key setups per year: 10,000
Average time per setup: 15 min
Average no. of systems per setup: 10
Number of key removal operations per server: 2
Time required per operation: 30 min
Number of other key operations per server: 4
Time required per operation: 15 min
Average cost per hour of security admin: $59
Estimated operational costs per year: $3,835,000
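The bottom line of the cost table can be reproduced from its inputs. The function below is an added example, not from the slides; the way the rows combine (setup time scales with the number of systems per setup, while removal and other operations scale with the server count) is an assumption, but it yields exactly the slide's total.

```python
# Added example (not from the slides): the manual key-operations cost model summarised in the
# table above, with the slide's figures as default inputs. The row-combination rule is assumed.
def annual_key_ops_cost(systems=20_000, new_setups=10_000, setup_min=15, systems_per_setup=10,
                        removals_per_server=2, removal_min=30,
                        other_ops_per_server=4, other_op_min=15, admin_rate_usd=59):
    """Return (total_usd, hours_by_category); each category is count x minutes / 60."""
    hours = {
        # a setup is repeated on every remote system the trust relationship touches
        "setup": new_setups * setup_min * systems_per_setup / 60,
        # removals and other operations are counted per server across the whole estate
        "removal": systems * removals_per_server * removal_min / 60,
        "other": systems * other_ops_per_server * other_op_min / 60,
    }
    return sum(hours.values()) * admin_rate_usd, hours
```

With the defaults this gives 25,000 + 20,000 + 20,000 = 65,000 admin hours, or $3,835,000 at $59 per hour; changing one input shows which lever (setup volume, estate size, or time per operation) automation has to pull.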

Page 13

Remediation Project Requirements

• Policy Generation and Enforcement

• Discover and understand existing SSH trust relationships

• Controlled provisioning, refresh and termination process

• Ensure proper configuration of SSH clients and servers

• Continuous monitoring and audit processes

• Optimize (automate) SSH key provisioning and termination processes

Page 14

Project Stakeholders

[Diagram: SSH User Key and Access Management at the centre, surrounded by the stakeholders below]

• Unix Ops

• Security Architects

• IAM and technical access management

• Audit

• Crypto & key management

• Application owners

• Mainframe

• Windows

• Regulators: MAS, OCC (FFIEC, Federal Financial Institutions Examination Council), RBI

Page 15

SSH Remediation: Best Practices

Discover: Map trust relationships

• Inventory all SSH keys

• Monitor key activity & lock down hosts

• Start to detect & alert on policy violations

• Identify unused keys

• Identify unauthorized keys

Remediate: Centralization & Compliance

• Relocate keys to root-owned directories

• Remove unused keys

• Remove unauthorized keys

• Renew old & non-compliant keys

Manage: Automation & Integration

• Centrally manage and enforce SSH configurations

• CLI (API)

• Integration with existing ticketing systems

• Link to AD/LDAP

• Integration with IM systems

Page 16

SSH Communications Security

SSH Access Management

ENABLE, MONITOR & MANAGE

ENCRYPTED NETWORKS

Sean Lunell, sean.lunell@ssh.com, (408) 568-8779