Welcome!

@CloudExpo Authors: AppNeta Blog, Elizabeth White, Carmen Gonzalez, Yeshim Deniz, Pat Romanski

Related Topics: @CloudExpo, Cloud Security, @BigDataExpo

@CloudExpo: Article

The Blind Spot of the Security Industry | @CloudExpo #Cloud #Security

The SSH protocol is not well understood by the majority of people, much like the subprime loan market

The Blind Spot of the Security Industry: SSH User Keys

More than 95 percent of the world's enterprises rely on SSH user keys to provide administrators and developers an effective means of gaining encrypted access to critical infrastructure: operating systems, applications, payment processing systems, databases, human resource and financial systems, routers, switches, firewalls and other network devices. It is a lifeline of traffic flow within our data centers, our cloud environments and how our third-party vendors and supply chain access our environments. It has done its job quietly and efficiently over the last two decades. Unfortunately, the access that SSH has been providing, in particular the access SSH user keys provide, has gone largely unmanaged - to an epic degree.

There's an unfortunate parallel here to a recent Oscar-winning film based on the events that took down Wall Street in 2008: The Big Short. Iconoclastic investor Michael Burry discovered that the subprime home loans market was headed for default. He bet more than $1 billion against the housing industry - an unprecedented move. Sadly, for everyone but him and his investors, Burry was right.

Just as Wall Street had the blind spot when it came to subprime loans, the security industry has a blind spot regarding SSH protocol and SSH user keys. In fact, there are three parallels between the movie's plot and the current state of SSH management:

  • Lack of understanding about the problem and its severity
  • How challenging oversight of the problem is
  • How significant the impact or consequences are of not addressing the problem

A Real and Far-Reaching Problem
The SSH protocol is not well understood by the majority of people, much like the subprime loan market. In fact, very few understand in sufficient detail the underlying critical access it is providing to our most important infrastructure. In this case, however, ignorance is not bliss.

For instance, in a typical financial enterprise with 20,000 Unix/Linux servers, one can expect to find up to 4 million SSH user keys providing interactive and machine-to-machine-based access. In many cases, 10 to 20 percent of these keys provide root-level access and cannot be associated to an owner within the enterprise. Root-level access is the highest level of privilege at an operating system level. It is not just a compliance and risk issue. It is an issue of resilience that has the opportunity to impact the potential downtime of critical services within operations.

Oversight and Governance Are Difficult or Non-Existent
Chiefly because SSH has long been seen as an encryption protocol rather than a means of access, this problem has gone unnoticed for a long time. As a result, it has not been considered as a part of the access governance processes and frameworks. In fact, up until October 2015, there were no NIST guidelines related to the best practices associated with SSH user key-based access.

HIPAA, SOX, PCI and other regulatory guidelines do mention access controls, such as least privilege and segregation of duties, but none of them specifically address SSH user keys as a form of access that needs to be controlled. Is this due to a lack of understanding of SSH or an unwillingness to open Pandora's Box?

In terms of the lack oversight and governance of SSH user key-based access, there are three technical aspects that must be considered. First, SSH user keys are the only form of access a user can provision themselves without oversight or control. Unlike passwords, an administrator, developer or third-party vendor can provision themselves with access to your critical infrastructure or automate a process or file transfer. This process of provisioning, de-provisioning and recertification of SSH user key-based access is infrequently if never addressed in the IAM frameworks of enterprises.

The second consideration is that SSH user keys don't have expiration dates, in contrast to certificates. This means that SSH user key-based access continues to exist, even after an application is decommissioned or a user leaves the company.

And the third consideration: an SSH user key does not need to be associated to a user account. This means a key will not necessarily establish the identity of the user associated with it. When an SSH user key is generated, the identity that associated is not connected.

Taken together, here's what these considerations mean. A user can provision SSH user key-based access themselves without oversight to my most critical infrastructure. This key-based access does not expire. It's not clear which identity it's associated with, and there are millions of these across an enterprise, which no one has an inventory of, and they are providing access to the most critical systems.

The Ramifications Are Significant
There is an additional cause for concern in addition to the lack of understanding of the technical aspects of the SSH protocol and the lack of regulatory oversight and governance of SSH user key-based access. SSH is the malicious actor's (either a rogue insider or hacker) tool of choice, and it is the primary means by which they move laterally within an enterprise to gain access to new assets and further elevate privilege, as well as how they exfiltrate data and assets from an organization. In fact, LightCyber's Cyberweapons 2016 Report indicates that in over 50 percent of the cases, the SSH protocol is the tool of choice to gain this lateral movement across the assets of an enterprise.

It's also important to factor in the reality that bad actors are aware that SSH user keys are not being managed. As a result, they go after private keys to gain access to assets. From there, they will often create new key pairs, which will generate them access to the outside directly or move those assets automatically to servers in the cloud. This is all achieved using something called "port forwarding" via "SSH tunneling," which would allow the malicious actor to extract this data via the encryption itself, rendering firewalls ineffective.

This kind of activity takes place right within our defensive structures. Why? Because we don't know who owns the keys to attain that encrypted access and because we are not able to look inside the encryption of those sessions. The potential impact is clear. We lose our data - or worse, our customer's data. We lose our intellectual property. We lose our reputation, we lose our brand and, in turn, we lose revenue and shareholder value.

The financial implications are clear here, but there's another implication that's at least as serious: operational resilience. The potential downtime in critical systems, should SSH user key-based access to those systems be compromised, is a concern we need to seriously consider. Our disaster recovery systems, which are failovers to our production systems, often share identical SSH user keys that ensure the processes of those systems fail over in an identical manner. This means that any compromised keys in production environments can also equally affect the failover to disaster recovery systems.

Clear Parallels Pointing to Danger
Let's circle back to the similarities between what's going on with SSH user key management and the events leading up to the housing crisis. The parallels are uncanny. There's a lack of market understanding around the power of the SSH protocol and the criticality of the access it provides to our infrastructures. There's a gap in regulatory and governing oversight of how this SSH user key-based access should be monitored, provisioned, de-provisioned and recertified. There's an encrypted protocol, which malicious actors use as their tool of choice to extend their access and reach within our enterprises, create backdoors and exfiltrate data. As a result, there's a potential financial, operational and brand impact that can conservatively be described as significant to our businesses.

Poor SSH user key management may not send all organizations using SSH into a rapid downward spiral that obliterates most of them, but it can still result in devastating damage to any organization that's ignored this issue.

More Stories By Matthew McKenna

Matthew McKenna is Chief Strategy Officer and vice president of Key Accounts at SSH Communications Security. He brings over 15 years of high technology sales, marketing and management experience to SSH Communications Security and drives strategy, key account sales and evangelism. His expertise in strategically delivering technology solutions that anticipate the marketplace has helped the company become a market leader.

Prior to joining the company, Matthew served as a member of the executive management team of ADP Dealer Services Nordic and Automaster Oy, where he was responsible for international channel operations and manufacturer relations. In addition, he was responsible for key accounts including Mercedes Benz, General Motors, and Scania CV. Before this, he played professional soccer in Germany and Finland.

Matthew holds a Bachelor of Arts degree in German from the University of South Carolina and an MBA from the Helsinki School of Economics and Business Administration.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
"We're bringing out a new application monitoring system to the DevOps space. It manages large enterprise applications that are distributed throughout a node in many enterprises and we manage them as one collective," explained Kevin Barnes, President of eCube Systems, in this SYS-CON.tv interview at DevOps at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, New York, and 21st International Cloud Expo, which will take place in November in Silicon Valley, California.
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @CloudExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
Extreme Computing is the ability to leverage highly performant infrastructure and software to accelerate Big Data, machine learning, HPC, and Enterprise applications. High IOPS Storage, low-latency networks, in-memory databases, GPUs and other parallel accelerators are being used to achieve faster results and help businesses make better decisions. In his session at 18th Cloud Expo, Michael O'Neill, Strategic Business Development at NVIDIA, focused on some of the unique ways extreme computing is...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
WebRTC sits at the intersection between VoIP and the Web. As such, it poses some interesting challenges for those developing services on top of it, but also for those who need to test and monitor these services. In his session at WebRTC Summit, Tsahi Levent-Levi, co-founder of testRTC, reviewed the various challenges posed by WebRTC when it comes to testing and monitoring and on ways to overcome them.
Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner's company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
In his session at @ThingsExpo, Sudarshan Krishnamurthi, a Senior Manager, Business Strategy, at Cisco Systems, will discuss how IT and operational technology (OT) work together, as opposed to being in separate siloes as once was traditional. Attendees will learn how to fully leverage the power of IoT in their organization by bringing the two sides together and bridging the communication gap. He will also look at what good leadership must entail in order to accomplish this, and how IT managers ca...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
DevOps is being widely accepted (if not fully adopted) as essential in enterprise IT. But as Enterprise DevOps gains maturity, expands scope, and increases velocity, the need for data-driven decisions across teams becomes more acute. DevOps teams in any modern business must wrangle the ‘digital exhaust’ from the delivery toolchain, "pervasive" and "cognitive" computing, APIs and services, mobile devices and applications, the Internet of Things, and now even blockchain. In this power panel at @...
SYS-CON Events announced today that Outlyer, a monitoring service for DevOps and operations teams, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outlyer is a monitoring service for DevOps and Operations teams running Cloud, SaaS, Microservices and IoT deployments. Designed for today's dynamic environments that need beyond cloud-scale monitoring, we make monitoring effortless so you...
Cloud Expo, Inc. has announced today that Andi Mann and Aruna Ravichandran have been named Co-Chairs of @DevOpsSummit at Cloud Expo 2017. The @DevOpsSummit at Cloud Expo New York will take place on June 6-8, 2017, at the Javits Center in New York City, New York, and @DevOpsSummit at Cloud Expo Silicon Valley will take place Oct. 31-Nov. 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In his session at @ThingsExpo, Steve Wilkes, CTO and founder of Striim, will delve into four enterprise-scale, business-critical case studies where streaming analytics serves as the key to enabling real-time data integration and right-time insights in hybrid cloud, IoT, and fog computing environments. As part of this discussion, he will also present a demo based on its partnership with Fujitsu, highlighting their technologies in a healthcare IoT use-case. The demo showcases the tracking of pati...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, Cloud Expo and @ThingsExpo are two of the most important technology events of the year. Since its launch over eight years ago, Cloud Expo and @ThingsExpo have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, I provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading the...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settle...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...