NIST publishes guidelines for SSH key management: What happens next?

Tatu Ylönen, Chief Innovation Officer, SSH Communications Security | Nov. 17, 2015

This vendor-written tech primer has been edited to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Secure Shell (SSH) is a tool for secure computer system management, file transfers and automation in computer and telecommunications systems. The Secure Shell protocol ships standard with every Unix, Linux and Mac system and is also widely used on Windows (Microsoft has announced plans to make it a standard component of Windows). It is also included on practically every router and mobile network base station. In many ways, the connected world as we know it runs on Secure Shell. Its keys are ubiquitously used for automating access over a network, and modern systems could not be cost-effectively managed without it.

The U.S. Federal Information Security Management Act (FISMA) requires all agencies to meet minimum information security standards developed by NIST, the National Institute of Standards and Technology. The mandatory controls required to achieve this minimum level of security are set in NIST Special Publication 800-53, rev. 4. It represents the industry best practice and is also widely followed in the commercial sector; its recommendations are largely reflected in industry-specific security standards as well.

Just recently, NIST published NIST IR 7966, “Security of Interactive and Automated Access Management Using Secure Shell (SSH).” It provides guidance for enterprises, government agencies and auditors for implementing Secure Shell key management practices and policies.

The NIST IR provides an overview of Secure Shell authentication and public key authentication in particular. It then provides recommendations on how Secure Shell keys should be managed and maps these recommendations to mandatory requirements in NIST SP 800-53. The document was written by the best experts in the field, based on years of practical experience in working with customers (including several of the world’s largest banks and private enterprises) on Secure Shell key management solutions. It defines the best current practice for the industry.

For example, NIST mandatory controls include limiting access to an information system based on valid authorization (business need), the principle of least privilege, termination of access when it is no longer needed and a defined access control policy. Secure Shell keys are just one way of providing such access, similar to passwords or smart cards.

Negligence of the Most Basic Security Control

All information security—confidentiality, integrity and continued operation of a system—starts from controlling who is given access to the system and with what privileges. If anyone can get administrative access, there is no security.

If an organization does not even know how many Secure Shell keys grant access to its information systems, let alone who has those keys, why they were put in place, or if they are still needed, it is being negligent. In most organizations, about 10% of all configured Secure Shell keys grant privileged administrative access. In many organizations, 90% of all configured Secure Shell keys are no longer used – they represent a failure to properly terminate access when it was no longer needed.
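The questions raised above (how many keys are configured, how many grant privileged access, how many are no longer used) can be answered by comparing authorized_keys files against sshd login records. The following Python is an added example, not code from the article or from NIST IR 7966; the sample keys and log lines are constructed, and treating only `root` as a privileged account is an assumption.

```python
import base64
import hashlib
import re

KEY_RE = re.compile(r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/=]+)')
LOG_RE = re.compile(r'Accepted publickey for (\S+) from \S+ port \d+ ssh2: \S+ (SHA256:\S+)')
PRIVILEGED = {"root"}  # assumption: accounts treated as administrative

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def inventory(files):
    """files: {account: authorized_keys text} -> one record per configured key."""
    records = []
    for account, text in files.items():
        for line in map(str.strip, text.splitlines()):
            m = None if line.startswith("#") else KEY_RE.search(line)
            if m:
                records.append({
                    "account": account,
                    "fingerprint": fingerprint(m.group(2)),
                    "privileged": account in PRIVILEGED,
                    # anything before the key type is an options field (command=, from=, ...)
                    "restricted": bool(line[:m.start(1)].strip()),
                })
    return records

def report(files, log_lines):
    """Count configured, privileged and unused keys for the supplied log window."""
    records = inventory(files)
    seen = {(m.group(1), m.group(2)) for m in map(LOG_RE.search, log_lines) if m}
    unused = [r for r in records if (r["account"], r["fingerprint"]) not in seen]
    return {"total": len(records),
            "privileged": sum(r["privileged"] for r in records),
            "unused": len(unused),
            "unused_privileged": sum(r["privileged"] for r in unused)}

def sample_blob(label):  # constructed stand-in for a real public key blob
    return base64.b64encode(label.encode()).decode()

# Constructed sample data: two accounts, three active keys, one commented-out key.
SAMPLE_FILES = {
    "root": f"ssh-ed25519 {sample_blob('admin-laptop')} alice@laptop\n"
            f"ssh-rsa {sample_blob('old-contractor')} contractor@2012\n",
    "backup": f'command="/usr/local/bin/backup",from="10.0.0.5" ssh-ed25519 '
              f"{sample_blob('backup-job')} cron@db1\n# ssh-rsa {sample_blob('off')} disabled\n",
}
SAMPLE_LOG = [f"Nov 17 02:00:01 host sshd[811]: Accepted publickey for {user} from 10.0.0.5 "
              f"port 51234 ssh2: ED25519 {fingerprint(sample_blob(label))}"
              for user, label in (("backup", "backup-job"), ("root", "admin-laptop"))]
```

A key counts as unused only relative to the log window supplied, so the logs reviewed should span long enough to cover infrequent automated jobs before any key is removed.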

 
