Organizations in regulated industries—such as finance, banking, energy, and healthcare—are facing the challenge of maintaining compliance with regulations, standards and jurisdictions that impact their operations. These regulations dictate security and privacy requirements and cover all aspects of the organizations' business. One common denominator across all these regulations and standards is the requirement for trusted access to corporate resources—including connections and automations governed by SSH machine identities.
The great challenge of compliance
Compliance is a critical component of any security program. The concept is to obtain evidence of compliance with stated policies, standards, laws, and regulations before issuing the proper attestations as required. However, compliance is only a point in time and is directly impacted by the ever changing and always evolving business environment. Changes may include the introduction of new technologies, the expansion of production environments or the adoption of new regulatory requirements, such as the Schrems II decision.
The constantly changing business environment makes compliance not a one-off exercise, rather a continuous process to demonstrate sustainable compliance over time. Hence, regulatory compliance is a great challenge for all organizations, but it is also a game changer, an enabler of reliable, safe, and quality products and services. It is a competitive advantage which builds trust between the business and their customers.
What are the regulatory requirements?
The increasing number of data breaches and the impact these attacks have not only on organizations but also on citizens, have resulted in the development and enforcement of several data protection regulations.
The HIPAA Security rules along with the HITECH act are actively being audited in healthcare organizations to ensure compliance. These acts require that access to electronic Protected Health Information (ePHI) must be controlled and authorized while data is at rest, in use and in transit.
In the financial and banking sector, the Payment Card Industry (PCI) Data Security Standards (DSS) define how merchants and acquirers must protect card holder data. The twelve domains of PCI DSS cover a wide range of security requirements that are designed to protect card holder data from point of creation to destruction or obsolescence.
In the same sector, Sarbanes-Oxley, which is also referred to as SOX, requires all financial organizations to identify and implement internal controls to ensure effectiveness of their financial statements and attestations. The controls are designed to ensure effectiveness of key controls such as logical access, privileged access, segregation of duties and much more.
Finally, the EU GDPR, the Californian CCPA and numerous other privacy regulations across the globe require organizations that store and process personal data to establish security, transparency and accountability controls for the protection of this sensitive data. Failure to do so will result in huge penalties.
The importance of SSH keys to compliance
The common goal of the above regulations is to ensure trusted access to protected data. The purpose is to ensure that access to protected data is authorized and approved. To achieve that, organizations need to enforce the principle of least or minimal privileges which requires that access to information is only granted as necessary and required for its legitimate purpose.
This is exactly the objective of SSH keys. An SSH key is an access credential. Technically the SSH machine identities are cryptographic keys using public key encryption. However, functionally they are authentication credentials and need to be managed as such.
SSH machine identities grant access and security teams should control who can access what resource. Therefore, SSH keys are used in identity and access management (IAM), and they should afford the same policies for provisioning, rotation and termination as other credentials. Organizations cannot safeguard the confidentiality, integrity, and availability of their systems and data if they cannot control and manage effectively their SSH keys to enforce the required level of authenticity, privacy and security.
Despite the importance of SSH machine identities for maintaining regulatory compliance, the keys are often not managed effectively and are considered the elephant in the room. SSH key management has been neglected, creating serious security gaps that criminals are willing to take advantage to compromise sensitive data or infiltrate corporate systems. Organizations must act and assess their SSH key ecosystem and establish procedures to inventory, control, remediate and govern SSH machine identities within their environments.
How to effectively manage your SSH keys
It is therefore imperative to maintain strong standards and best practices for securing the SSH keys. NIST has published the NISTIR 7966 report, titled “Security of Interactive and Automated Access Management Using Secure Shell (SSH),” which offers guidance for organizations and businesses on adequate controls for SSH key management. The NIST recommendations emphasize on SSH key inventory, vulnerabilities identification, risk remediation, continuous monitoring, and key rotation.
- Inventory SSH keys: Having visibility into your SSH keys is to create an inventory of where those keys are and their trust relationships. The identified SSH keys must also be mapped against their owners. The inventory must then be evaluated against defined corporate security policies.
- Identify vulnerabilities: The next step is to identify vulnerabilities in the existing SSH key ecosystem. These vulnerabilities could be weaknesses in the keys’ configuration, like the use of weak encryption algorithms, or an outdated SSH protocol version. Such vulnerabilities can be exploited to gain unauthorized access to corporate systems. Organizations should perform a thorough audit to identify gaps in their existing SSH key management process and procedures.
- Remediate risks: Remediation is important for mitigating all vulnerabilities and weaknesses in the SSH deployment, securing your organization against any attackers seeking to exploit these security gaps, and strengthening your regulatory compliance posture.
- Monitor: Continuous monitoring ensures that the established SSH key management policies are followed and enforced. Monitoring is also important for detecting unauthorized actions because of a criminal activity exploiting backdoor keys.
- Rotate: SSH key rotation minimizes the risks of stolen or compromised credentials. Lifetime of SSH keys should be limited and the keys should be rotated on a defined basis.
The effective establishment of these best practices require a comprehensive SSH machine identity management solution that provides full visibility and leverages automation to manage and enforce policies. Venafi’s SSH Protect discovers where SSH keys are in your environments, as well as the strengths or weaknesses of their configurations. Automated SSH key lifecycle management empowers you to secure and streamline your SSH machine identities and the connections they enable.