Many large enterprises have had about ten times more Secure Shell keys than they have user names and passwords. Finding between 500,000 and 5 million Secure Shell keys in a 100,000-employee enterprise is common. Enterprises and government agencies cannot seriously continue to pretend 90% of their access credentials do not exist. It is totally reckless!
Many IT managers know they have a massive problem with Secure Shell keys, but they do not want to call attention to it because it is going to be expensive and painful to fix, and they are very busy. Even some CISOs and CIOs just ignore the issue, but often they just aren’t technical enough to know in detail what is going on inside their systems.
Chief executives, board members, and audit committees have legal responsibility to ensure that certain standards are followed in their organizations. SOX (Sarbanes-Oxley) requires personal certification from the CEO and CFO, under criminal liability, regarding the accuracy and completeness of financial reports and internal controls around financial reporting. If the company does not even know how many Secure Shell keys grant access to unknown parties at unknown privilege levels to financial systems, it is failing to implement even the most basic security controls.
Companies also face major risks if they allow uncontrolled key-based access from test and development systems to production, from primary to disaster recovery sites, or from other systems to backup and logging systems. PCI (credit card processing) environments are not always audited for Secure Shell key-based access from other systems, risking massive costs and reputation loss. Secure Shell keys can be used to quickly spread an attack within an organization and also to backup and disaster recovery sites.
Substantial training is required to get auditors and risk managers to address these issues.
How Did We Get Here?
The use of Secure Shell grew in a grassroots fashion from system administration, and its deployment never got much management attention or planning in most organizations. It was a standard component included in most operating systems, requiring no purchasing decisions. It is the invisible plumbing that runs our systems.
The use of Secure Shell keys has grown for two decades, unattended, with system administrators, consultants and vendors installing them at their convenience to give themselves access, automate file transfers between applications and automate systems management. Keys have almost never been removed or changed.
With no controls and policies in place, nobody has tracked how many keys each system has installed, what they grant access to, why they are there, or whether the need still exists. Furthermore, Secure Shell keys provide a way to bypass normal privileged access management systems that are supposed to audit and control access to sensitive systems and data. The situation appears very similar across industries, from manufacturing to banking to telecommunications to government.