In my last two posts, I talked about SSH risks and provided a high-level view of best practices for addressing those risks. Now, we’ll start digging into some of those best practices. The first one I’d like to dig into is establishing SSH policies.
You are probably cringing right now and thinking, “Why on Earth would he suggest creating policies? Every time a new one gets defined, the auditors use it to make us work more hours than we already are!”
I understand. But, the challenge is that management and use of SSH is distributed across many individuals and groups in most organizations. To maintain consistent security across the board, you need some way of making sure everyone who might enable or use SSH understands what they must do to secure SSH. You then must make sure they do it. If they don’t, your organization is left with significant security risk.
Many organizations and security teams shy away from defining SSH policies because they’re concerned about attracting more work and scrutiny from auditors, or because the process of getting policies approved takes so long. In general, you’ve got a few options:
1. Centralize all SSH management into a single team, though this will, at a minimum, require a policy that says no one can set up and manage SSH on their own.
2. Define and communicate a set of SSH best practices that include everything required to manage and use SSH securely, but without any enforcement.
3. Define and enforce SSH policies that are written to be enforceable and that auditors use to make sure they’re being followed.
The common element in these three options is the best practices. For example, if you centralize SSH management, the team that does that is going to need a clearly defined set of best practices to use in their processes. If you keep management decentralized and define policies, your policies need to be guided by a set of best practices.
So, at a minimum, you need to make sure you have good SSH best practices defined and you keep them up to date (as new types of attacks or vulnerabilities may arise). Once you have best practices defined, you can decide whether you codify them as enforceable policies.
To help in creating best practices (and, if you choose, policies), I’ve created a rough SSH best practices checklist.
These best practices are only suggestions based on our experience working with our customers. Make sure you evaluate and modify them as necessary to ensure they’re effective in your organization.
I’ve attempted to write each best practice so that you can use it in defining policies, if you choose. The goal is to help you get sound SSH security practices implemented enterprise-wide as quickly and effectively as possible so your organization can avoid a breach. There are a few places where you’ll have to specify your chosen parameters. For example, I’ve left the Interactive User Authentication method as an “X”. There are a variety of factors to consider in selecting the most appropriate authentication for people. NIST’s Security of Interactive and Automated Access Management Using Secure Shell (SSH) - NISTIR 7966 provides a good overview of the pros and cons of each.
If you see something I’ve missed in the checklist, please post a comment to this blog with your feedback. SSH security is a big topic and I love learning new things that I’ve overlooked or haven’t encountered before.
If you do choose to define enforceable SSH policies but your organization’s policies/standards are split into multiple individual documents that an SSH administrator has to piece together, you may want to publish a companion SSH best practices document that provides a single cohesive guide. That document can point to the various policies.
I hope this helps you in mobilizing your organization to secure SSH and the data/systems it protects.