Secure Shell keys used to protect machine-to-machine transactions are often going unmonitored by organizations, allowing hackers and insiders to use the unmanaged keys for malicious intent, according to a survey released by Cambridge, Mass.-based Forrester Research Inc.
The study, conducted on behalf of SSH Communications Security, the creators of the Secure Shell (SSH) protocol, found that less than half of organizations who depend on SSH monitor and log how SSH keys are used in their environments.
The SSH protocol is used to create encryption tunnels for logging in to remote machines and executing commands -- such as file transfers -- over an enterprise network. The tunnels can also be used to integrate and automate IT systems -- i.e., machine-to-machine (M2M) transactions -- and for the delivery of services, such as administering virtual machines, routers and firewalls.
Enterprises are not adequately managing SSH keys in the network, however, leaving these compromised keys open to theft. Forrester surveyed 151 U.S. enterprise IT decision makers responsible for IT security and found that of the 82% of organizations who depend on SSH, only 44% indicated that they are monitoring and logging how many SSH keys are deployed in their environment and what those authorizations are being used for, said Heidi Shey, data security and privacy analyst for Forrester Research.
"SSH security awareness is pretty low and not one that pops up a lot as a topic of conversation for IT, even though [SSH] drives many critical business processes that go on," Shey said. "But [organizations] that are not giving a lot of attention to [SSH security] are really setting themselves up for disaster down the line."
Why isn't SSH security a higher priority?
One reason the security of SSH doesn't get the attention it deserves is because enterprises have a hard time believing that anyone inside could be working against them, said John Pironti, president of Rowley, Mass.-based consultancy IP Architects LLC. In fact, SSH security is often breached by internal systems administrators.
High-profile data breaches and hacking events that have made the news may also be helping to bring SSH security to light, however. Edward Snowden may have gained access to classified NSA files by fabricating digital keys or by receiving an unmonitored SSH key from a fellow NSA employee, according to SSH Communications.
"Hackers, and even insiders [to the organization], are targeting SSH environments more and more because they know it's going unmanaged, unmonitored, and it can give them access to the most valuable information -- the lifeblood of the organization," said Jason Thompson, SSH Communications' director of global marketing.
M2M transactions, which are driven by SSH, are only going to increase, with more companies relying on M2M for critical business functions -- including management, customer service and billing. SSH enforcing and auditing will have to increase along with it in order to not only avoid catastrophic breaches, but also increase operational efficiencies and policy compliance, Thompson said.
SSH management techniques for enterprises
Once organizations make the association between M2M transactions and SSH management, they must first identify where SSH is being used within their environment in order to plug up the potential for data leaks. "Some business might think they are only using it for one use case, but once they do that inventory, they end up finding it a lot more places than they had realized," Forrester's Shey said.
More on SSH security
SSH security risks: Assessment and remediation planning
How to prevent SSH attacks
SSH attack prevention depends on network monitoring basics
Next, IT teams must treat M2M identities like they would treat human users today. To do that, IT teams must apply the same onboarding, off-boarding, audit and monitoring controls now assigned to human users, the report said.
Organizations need better overall visibility into all the SSH keys, who owns them, who is using them and what they are using them for. Some 65% of survey respondents that did audit their SSH environments admitted that SSH monitoring responsibilities were shared among individuals -- not a best practice for SSH management, Pironti said.
Centralized SSH management and privileged access management systems are among the most important best practices to follow, Forrester's Shey said. Privileged access management can help enterprises meet compliance regulations while simultaneously freeing up IT staff time. Organizations should limit the number of SSH keys deployed, rotate keys and only allow the key manager to access the server.
"By centralizing management, [organizations] are ensuring that only authorized users are given keys. … A privileged user access system allows access to be easily turned on and off, and behavior can be monitored and audited," Pironti said. "This reduces the ability for things to happen that [IT] doesn't know about -- like a rogue connection being established under the radar," he said.
Dig deeper on Network Security Monitoring and Analysis