The Challenge of Identity and Access Management in Secure Shell Environments

TABLE OF CONTENTS:
Introduction
Secure Shell in the Enterprise
Security Risks Related to Public Key Authentication
  Administrators who have left years ago that still have access to critical systems
  Other Unauthorized Copies of Private Keys
  Unused User Keys Still Granting Access to Critical Hosts
  Lack of Key Rotation
  Unintended Escalation of Access
  Lack of visibility of trust relationships crossing production and test boundaries
  Lack of visibility of trust relationships crossing organizational boundaries
  Inability to enforce and audit policy compliance
  The quantity of individuals who can create permanent trust relationships
  Human errors in manual key setup and removal process
Best Practices for Reducing Risk
Implementing Best Practices with Universal SSH Key Manager
  Discovery
  Remediation
  Management
Summary
Introduction
SSH (Secure Shell) is a protocol and software suite for securely transmitting files and data between computers, point-to-point tunneling of sensitive data, and securely administering remote computers. Developed in 1995 by Tatu Ylönen, it is now an IETF (Internet Engineering Task Force) standard and is available in commercial and open source versions. Implementations of the SSH protocol are available for practically all platforms including Unix, Linux, Windows and IBM mainframes, as well as routers, embedded systems and smart phones. It is deployed on millions of servers and used ubiquitously across IT infrastructure. Almost every systems administrator working in a large IT environment relies on SSH to perform their day-to-day job functions.

SSH is typically deployed with public key authentication because it is very well suited to supporting automated processes and efficient system administration. The public key system is initialized with the creation of a private and public key pair. The private key resides on the system requesting access to another system, and the corresponding public key is installed on all the systems granting access. The public keys that grant access to services are called SSH User Keys.

As organizations deploy SSH across the IT infrastructure, the process of key creation and distribution to target servers is repeated many, many times. The usual result is an extended, poorly managed access infrastructure built upon SSH user keys. Enterprises face numerous challenges in managing this infrastructure. These include manual, time-consuming and error-prone processes for creating new keys and trust relationships; a lack of process, visibility and tools for key removal; the risk that private keys can be copied and misused; and a lack of visibility as to which user accounts have access to which servers and services.
In short, the accepted security standards for identity and access management (IAM) are generally lacking with respect to systems and application administration. This is exposing large organizations to heightened risk, compliance failures and cost. This white paper explains these IAM issues in more detail and describes the practical challenges enterprises face in addressing them. The paper concludes with a description of Universal SSH Key Manager, a comprehensive solution to this emerging problem.
Secure Shell in the Enterprise

A large global enterprise likely has up to a hundred thousand servers running the SSH protocol. These in turn run thousands of individual applications and transact thousands, if not hundreds of thousands, of automated data transfers every day. A typical server has multiple SSH User Keys installed. For example, there may be several different SSH User Keys granting root access to different server administrators, each with authorization to update and maintain the operating system. Other User Keys may grant access to specific applications, and yet other keys grant access to specific processes such as automated backups.

In working with numerous enterprises, SSH Communications Security has found that typical servers have anywhere from 8 to over 100 SSH User Keys installed. Multiplied by the thousands of servers running in a large enterprise, the extent of the SSH user key infrastructure becomes staggering. At one global enterprise, an audit conducted by SSH Communications Security found over 1.5 million SSH user keys, including over 150K keys that not only granted root access but also had no identified ownership. This is analogous to finding 150K unique username/password accounts granting the highest level of privileged access, without knowing the identity of the individuals associated with those accounts. This scenario is typical of organizations that have a large IT infrastructure, whether they are commercial enterprises or in the public sector.

The proliferation of SSH User Keys and the lack of governance over the SSH infrastructure have developed over time. Few enterprises have a structured and automated approach to managing SSH User Keys. This has led to ballooning administrative costs as manual processes fail to keep pace with the infrastructure. There is increased risk, as the lack of control over access to critical systems and processes exposes the organization to both insider and external threats.
Finally, compliance mandates such as PCI-DSS, SOX and HIPAA are beginning to address the requirements for secure SSH User Key management. In short, the need to bring governance to SSH infrastructure is bubbling up the priority list of security initiatives in both the public and private sectors for reasons of cost, risk and compliance.
1.6 Lack of visibility of trust relationships crossing production and test boundaries
Many organizations have policies prohibiting most data transfers and application-to-application connections between production and development/test environments. These policies may be enforced by firewalls. However, firewalls have no visibility into the user accounts used within encrypted sessions. This creates a potential hole in the enforcement mechanism. Once a connection between two systems across a firewall has been enabled, it is possible to add other public key authorizations between those systems, enabling non-authorized activities. The firewall cannot enforce what operations are performed in such connections because it cannot see inside the encrypted connection.
1.7 Lack of visibility of trust relationships crossing organizational boundaries
Unauthorized trust relationships to a service provider can expose the organization to rogue service provider personnel and even highly systematic data leaks. Such trust relationships might have been established years ago (possibly using a penetration attack). Unfortunately, in many cases the people who set up the initial trust relationships have since left the organization. Nonetheless, in many cases the unauthorized automated transfers are still operating.
1.9 The quantity of individuals who can create permanent trust relationships
In a typical large organization, trust relationships are set up manually by individual administrators. There is often no control over what trust relationships are set up and whether they are properly documented and approved. This makes it difficult to audit and remove unneeded authorizations, because there is no information as to what the authorizations are for. Large enterprises may have hundreds of administrators, with an even greater number cycling through those positions over the years. As administrators churn through the organization, combined with a lack of auditing and monitoring, the risk increases that User Key policies will be violated, by accident and by design. The more individuals authorized to set up trust relationships, the greater the risk.
authorized (adding the public key as an authorized key), editing the client configuration file to add the private key as an identity key, ensuring that the permissions of the public and private keys are properly set, and testing that the setup works. This process can easily take from fifteen minutes to many hours, and becomes substantially more complicated if disaster recovery sites, replicated/fault-tolerant systems or load sharing clusters are involved.

Possible human errors during the key setup process include:
- Accidentally deleting other identity keys or authorized keys from the configuration file (possible impact: system outage for some unrelated application)
- Copying the wrong public key (possible impact: someone gets unauthorized access)
- Copying to the wrong host or account (possible impact: unintended access authorization, possibly to the root account on a server if the user name is omitted from the copy destination)
- Forgetting to copy (and test) the key to some server, e.g. a disaster recovery server (possible impact: outage when the backup systems should go online)
Many of these best practices can be implemented by utilizing the configuration options and tools available within SSH itself. For example, it is technically possible to restrict the IP address from which a login using a particular public key is permitted, as well as to restrict the commands that may be executed using such a public key login. However, these options are rarely used due to the complexity of setting them up manually and the difficulty of maintaining them in a dynamic IT environment.
3.1 Discovery
The first phase is to discover what private and public keys exist in the environment, their current state, and which users, service accounts or applications they relate to. The purpose of this phase is to gain visibility into the current environment: who is able to access what, and what the overall status of the SSH user key environment is. This phase establishes an inventory of private and public keys, trust relationships and other information such as key types, sizes, ciphers, SSH versions, etc.

The next component of the discovery phase involves monitoring the environment. It is important to identify the keys that are actively used and those that are unused. UKM tracks key activity to determine how often keys are used and where they are used from. This baseline information feeds into the next phase: Remediation.
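As an added example (not code from the paper, and not part of UKM), the following Python script performs the kind of discovery described here over collected authorized_keys lines: it parses each entry including its options field, computes the OpenSSH-style SHA256 fingerprint, reports keys that carry neither the from= nor the command= restriction discussed under best practices, and reports keys trusted in both the production and test environments (section 1.6). The inventory, the hostname-prefix naming convention and the key blobs are all constructed for the example.

```python
import base64
import hashlib
import re

# [options] key-type base64-blob [comment]; the options field is optional and may contain spaces
# inside quotes, so it is matched non-greedily up to the first key-type token.
LINE_RE = re.compile(r'^(?:(\S.*?)\s+)?(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$')
OPT_RE = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?')  # bare flag, or name="quoted value"

def fake_key(seed):
    # Constructed, syntactically valid ssh-ed25519 blob; the 32 "key" bytes are just a hash of the seed.
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed.encode()).digest()
    return base64.b64encode(blob).decode()

def split_options(opts):
    # 'from="a,b",no-pty' -> {'from': 'a,b', 'no-pty': True}; commas inside quotes stay in the value.
    return {m.group(1): True if m.group(2) is None else m.group(2) for m in OPT_RE.finditer(opts)}

def fingerprint(b64_blob):
    # OpenSSH-style fingerprint: base64 of the SHA-256 digest of the key blob, padding stripped.
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_key(line):
    # One authorized_keys line -> {type, fingerprint, comment, options}; None for blanks and comments.
    line = line.strip()
    m = LINE_RE.match(line)
    if line.startswith("#") or not m:
        return None
    opts, ktype, blob, comment = m.groups()
    return {"type": ktype, "fingerprint": fingerprint(blob),
            "comment": comment or "", "options": split_options(opts or "")}

# Constructed inventory: host -> account -> authorized_keys lines collected from that account.
INVENTORY = {
    "prod-db01": {"root": [
        f"ssh-ed25519 {fake_key('backup')} backup@prod-jump01",
        'from="10.0.1.5",command="/usr/local/bin/backup.sh --tags=db,logs",no-pty '
        f"ssh-ed25519 {fake_key('restricted')} backup@prod-jump01"]},
    "test-app03": {"deploy": [f"ssh-ed25519 {fake_key('backup')} backup@prod-jump01"]},
}

def audit(inventory):
    # Flag keys with neither from= nor command= restriction, and keys trusted in more than one
    # environment (assumed naming convention: the hostname prefix, 'prod' or 'test', is the environment).
    unrestricted, envs_by_key = [], {}
    for host, accounts in inventory.items():
        for account, lines in accounts.items():
            for key in filter(None, map(parse_authorized_key, lines)):
                if "from" not in key["options"] and "command" not in key["options"]:
                    unrestricted.append((host, account, key["fingerprint"]))
                envs_by_key.setdefault(key["fingerprint"], set()).add(host.split("-", 1)[0])
    crossing = sorted(fp for fp, envs in envs_by_key.items() if len(envs) > 1)
    return {"unrestricted": unrestricted, "cross_environment": crossing}
```

The same key appearing under both a prod- and a test- host is exactly the kind of trust relationship a firewall cannot see; in a real deployment the lines would be gathered from each host's authorized_keys files and the fingerprints joined against directory data to establish ownership.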
3.2 Remediation
Remediation comprises several components, including removing unused keys from the environment, relocating keys from user home directories to root-owned directories, and policy enforcement. Policy in turn comprises several elements: cipher, version and configuration control, authorization and separation of duties. For example, it may be desirable that a group such as SAP users only be able to access the SAP servers in the organization, or that a group of Unix administrators only be able to access those Unix servers they are assigned to manage.
3.3 Management
Once the environment has been organized, UKM manages the user key infrastructure by automating private and public key deployments and renewals, and by ensuring that keys are removed when individuals, service accounts or application IDs are removed from AD or LDAP. The combined benefits include cost reduction from the elimination of manual processes related to key setup and removal, risk mitigation through accountability for which private and public keys may access which hosts, and compliance in terms of sound key management practices with full key rotation and removal. The UKM solution provides enforcement and auditing through monitoring of key usage and centralized control over SSH client and server configurations.
Table 1 summarizes the challenges and the corresponding solutions provided by Universal SSH Key Manager.

Table 1. Drivers and corresponding solutions

Driver:
- 1.1 Administrators who have left years ago that still have access to critical SSH Servers
- 1.4 Lack of Key Rotation
- 1.5 Lack of visibility who has access to what and breakdown of segregation
- 1.6 Lack of visibility of trust relationships crossing production boundaries
- 1.7 Lack of visibility of trust relationships crossing organizational boundaries
- 1.8 Inability to audit existing trust relationships
- 1.9 The quantity of individuals who can create permanent trust relationships

Solution:
- Scan the managed environment, users and authentication keys, and discover and identify which user accounts are able to access which of the servers
- Integrate with existing directory sources and use up-to-date information to revoke trust relationships that are no longer valid
- Identify multiple instances of the keys within the environment and enforce restrictions and access policies to restrict and lock down private key use
- Enable automated private and public key renewal processes per defined policies
- Discover and report the user account trust relationships: who is able to access where, using which of the user accounts
- Enforce the creation of key setups and trust relationships through Key Manager. All manually created keys can be automatically noticed, revoked and reported
- Key Manager can automate the entire key creation and management process, minimizing manual work and the chance for mistakes
The UKM architecture permits enterprises to solve these risks and challenges in a minimally invasive manner by leveraging existing infrastructure and processes. Figure 1 illustrates a UKM deployment scenario. The key architectural components include:
- For discovery of the key environment, UKM can operate in agentless and thin-agent modes, placing minimal burden on network resources and reducing the challenges of deploying additional agents in the environment. UKM can also leverage the Tectia Manager agent if it is already in use in the environment.
- Through a centralized database, UKM works via multiple back-end and front-end configuration points, enabling management of fragmented network environments in a controlled manner.
- Direct integration with Active Directory and LDAP allows Key Manager to make use of existing account structures to simplify the key deployment process and ensure the timely creation and removal of keys.
- APIs allow Key Manager to integrate easily with any existing approval processes within the enterprise, so that it can function as the engine for key setup and removal with no change to those existing processes.
3. Summary
Secure Shell is widely used within enterprise and public sector IT infrastructure. As an infrastructure-level security protocol used primarily by automated processes and systems administrators, SSH has been deployed without many of the management safeguards that govern general end user access. The result is elevated risk, excessive overhead costs and lack of compliance with security mandates. With the regular cycle of organizational changes large enterprises face, merger and acquisition activity, employee turnover and increasing virtualization, the lack of SSH key management is fast becoming a critical security risk.

Alternatives such as Kerberos and X.509 certificates can address many of the governance challenges related to public key authentication, but each comes with complexities and limitations. In particular, both approaches require significant, time-consuming and often expensive changes to existing infrastructure and processes. Moreover, a transition to these technologies is disruptive to ongoing processes, and such transitions entail operational risk and expense that few enterprises are willing to accept.

Universal SSH Key Manager from SSH Communications Security provides a comprehensive, non-disruptive solution. The UKM approach of utilizing the existing SSH authentication infrastructure delivers a cost-effective, methodical and less risky transition from an unmanaged to a fully managed SSH infrastructure. The benefits are risk mitigation, lower ongoing operational costs and compliance.

However, the transition from unmanaged to managed SSH also requires personnel with the expertise to design, plan and implement a solution. Many organizations have a skills gap in this area. As the inventor of the SSH protocol, SSH Communications Security is the industry expert. SSH Communications Security understands the challenges and brings the knowledge and experience to help organizations take control over their SSH infrastructure.
www.ssh.com