Joe Scaff, Director of Global Support and Matthew McKenna, Chief Commercial Officer for this webinar to learn about the most common myths around SSH key rotation. We see a lot of compliance mandates and security policies that tell us why key rotation is so important and in some cases even mandatory. But as we will show you, key rotation for the sake of key rotation solves very little.
The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3
1. 25 February 2016 INTERNAL | SSH Communications Security
MONTHLY MYTH CRACKER SERIES
“THE MYTH OF SSH KEY DISCOVERY”
“THE MYTH OF THE PRIVATE KEY”
“THE MYTH OF KEY ROTATION”
“THE MYTH OF SSH KEY MANAGEMENT AS PART OF THE
PRIVILEGED ACCESS MANAGEMENT PARADIGM”
2. PART 3: THE MYTH OF KEY ROTATION
Matthew McKenna
Chief Commercial Officer
February 24th, 2016
Joe Scaff
Director, Customer Services
3. WHAT WE WILL COVER
• Quick Introduction
• Who is SSH Communications Security?
• Why is SSH so important?
• How do SSH Keys work?
• What are the Myths of Key Rotation?
• Risk vs. Reward of Key Rotation
• How to approach and resolve the challenge
• More reading
4. WHO IS SSH COMMUNICATIONS SECURITY
Quick Facts:
• Inventors of the SSH protocol
• Listed: NASDAQ OMX Helsinki (SSH1V)
• 3,000 customers including 6 of the 10 largest US banks
• Original source of OpenSSH
What We Do:
• Access Management
• Access Controls & Key Management
• Encrypted Channel Monitoring
• Data-in-Transit Encryption
We provide the means to discover, monitor and control privileged access and encrypted traffic without disrupting the flow of information, processes or business practices.
5. WHAT IS SSH?
[Diagram: an SSH client and an SSH server connected over TCP/IP; the SSH channel carries Terminal, SFTP and TCP Tunneling]
6. SSH KEEPS THE WORLD RUNNING
[Diagram: SSH connections spanning Supply Chain / 3rd party Access, On Premise and Cloud]
7. GOOD VS. EVIL
SECURE SHELL IS A POWERFUL TOOL THAT HAS POTENTIAL FOR MISUSE
CAPABILITY | FOR GOOD | FOR EVIL
Data-in-Transit Encryption | Prevent man-in-the-middle attacks and protect sensitive information | Blind security operations and forensics teams to malicious behavior
Remote access to systems and applications | Convenient method for both administrators and developers to access systems and applications | Convenient method for malicious insiders and external threats to compromise your systems and applications
Command execution | Move, copy, delete files and applications for business related purposes | Exfiltrate confidential information, deploy malware, delete or damage databases
Tunneling | Enable application-to-application connectivity | Bypass corporate firewall policy
8. SSH AUTHENTICATION: THE ESSENTIALS
1) Server authentication: Server proves its identity to the client
2) User authentication: Client proves user’s identity to the server
[Diagram: SSH client and SSH server authenticating each other across the network]
Think of the private key as a real key while the public key resembles a lock.
SSH is commonly used to grant administrators or automated services access to systems.
Typically, every employee is responsible for his own personal key, or rather for all keys that he’s generated, e.g. for test and production systems.
Keys used by services are, at best, only tied organizationally to a person or groups.
9. SSH USER KEY & ACCESS USE CASES
Interactive SSH login using keys (individual use)
SA | System Admin login to SSH server
DBA | Database Admin login to SSH server
Individual | Development / Other login to SSH server
Root | Root user login to SSH server
Non-interactive SSH login using keys (automated/process usage)
Application | Business app login and performing app specific task
Monitoring | Automated system monitoring application login and performing application specific tasks
System | Automated system administration tasks login and performing app specific tasks
10. THE MYTHS OF KEY ROTATION?
Myth 1: Key rotation makes us more secure
Myth 2: Key rotation can be established fairly easily
Myth 3: Key rotation should be done automatically
Myth 4: Key rotation is a must? Or is there a more clever way?
11. MYTH 1: KEY ROTATION MAKES US MORE SECURE.
• Rotation without lockdown simply rotates the problem
• Continuous monitoring is key
• Full visibility of the chain of trust
• Risk mitigation controls sit with the authorized key
12. MYTH 2: KEY ROTATION CAN BE ESTABLISHED FAIRLY EASILY
[Diagram: two rotation scenarios]
• PROD TO PROD, NON-INTERACTIVE, SINGLE APPLICATION
• PROD TO PROD, NON-INTERACTIVE, CROSS APPLICATION
13. MYTH 3: KEY ROTATION SHOULD BE DONE AUTOMATICALLY
“We want key rotation to be fully automatic” – Customer A
“Wait. We want key rotation to be manual but automatic.” – Customer A after deeper consideration.
Candidates for Automatic / Manual but Automatic:
• Interactive SSH user keys
• External 3rd party contractor interactive SSH user keys
• External 3rd party automated key based access with known one to one connections
• Keys unused for X period of time with known one to one connection
• Known, continuously monitored, remediated chains of trust for automated processes, with known IP source restrictions
14. MYTH 4: KEY ROTATION IS A MUST.
• Remediation vs. Rotation
• Access / Cryptography / Configuration
• Resilience vs. Security
• Interactive vs. Automated
15. HOW TO ADDRESS THE CHALLENGE
1. Project Objectives
2. Establishment of a Policy Baseline
3. The Process
4. Risk versus Reward in Remediation Efforts
5. Discover & Remediate vs. Application Lockdown Approaches
6. Standard Guidance
7. Importance of IDM as Part of the Governance Process
16. PROJECT OBJECTIVES
Issue Definition
• Insufficient controls for access to the production estate for interactive and automated access where SSH public key authentication is used, e.g. unauthorized root keys
• Lack of continuous monitoring of SSH public key based authentication
• Lack of standardized recertification process within overall key management framework
Drivers to act
• Operational risk: internal/external misuse of root level access where unauthorized key based access exists but is not visible will have significant operational, reputational and financial impact to the bank
• Compliance: PCI, SOX, MAS mandate that unauthorized access to production be remediated
• Process standardization: lockdown of key recertification and policy management
Mission
• Ensure stability of the IT Production Environment by implementation and management of Application Production Access Controls where public key authentication is utilized for interactive and automated access
Project objectives
• Standardization of policy for interactive/automated access utilizing SSH public key authentication to production estate
• Discover and monitor legacy key based trust relationships across estate
• Lock down existing and future access to production estate
• Remediate against policy violations
• Create process for automation of provisioning, de-provisioning and recertification of key based access
• Integration of SSH user key management into IDM framework
18. PROCESS
Define policies → Discover → Report → Monitor → Lockdown → Remediate → Integrate → Automate
Phases: Assess and Discover | Control and Remediate | Recertify and Govern
19. THE RISK VERSUS REWARD IN REMEDIATION & ROTATION
[Chart: remediation items plotted by Risk versus Reward]
• Decommissioned App Keys
• DEV to PROD Connections
• Interactive Jump Server Bypass Keys
• Unauthorized Root Trust
• Unused Keys
• SSH 1 Keys
• Unknown Trusts
• Shared Private Keys
• Weak Encryption
• Aged Keys
20. PRIORITIZATION & QUICK WINS FOR RISK REDUCTION & COMPLIANCE
Remediation Item | Reward | Risk | Comment
Unauthorized ROOT trust | Highest | Medium | Undesired break of process
Decommissioned application keys | High | Low | Often significant numbers, unnecessary exposure
SSH1 keys | Low/Medium | Low | Deprecated keys that should not be in use
DEV to PROD connections | High | Low | If policy does not permit, fairly easy to implement
Interactive jump server bypass keys | High | Low | If policy does not permit, fairly easy to implement
Unknown trusts | High | Low/High | Depends on time the environment has been monitored
Unused keys | High | Low/High | Depends on time the environment has been monitored
Shared private key scenarios | Medium | High | Same rule as rotation if remediating trust
Weak encryption | Medium | High | Rotation requires full visibility into trust chain
Aged keys | Low | High | Rotation requires full visibility into trust chain
21. DISCOVER & REMEDIATE APPROACH VS. APPLICATION LOCKDOWN APPROACH
Discover & Remediate Approach
Pros:
• Gain quick visibility of as much as possible across as many platforms as possible
• Eliminate high risk items and quick wins in fastest time
Cons:
• Remediation before lockdown is limited to users with local home directories or clear policy violations
Application Lockdown Approach
Pros:
• Stops bleed of unauthorized provisioning most effectively
• Highest degree of control of remediation effort
Cons:
• Requires application team involvement
• Requires effective communication process and project management for tracking
22. STANDARD GUIDANCE
• Single key pair per authorization
  • Within same or cross application context, to ensure full accountability (ownership) and recertification.
  • A From stanza (the from= option on the authorized_keys entry) should be added to constrain this relationship.
• Single SSH key across multiple servers
  • Permissible within a single application and with the additional constraints of the From stanza.
• Multi-server cross-application usage of a single key pair
  • Should be remediated, retiring them in favor of dedicated SSH keys for each interfacing application.
  • In the interim, a From stanza should be added to constrain this relationship.
• Interactive User Connections
  • Jump/PAM servers should be leveraged to access all Prod servers.
  • Direct access to any production server is not allowed.
  • Cross-communication between production and non-production environments is not allowed.
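The Myth 3 rotation candidates (keys unused for a period, one-to-one connections with known source restrictions) and the Standard Guidance above (a From stanza on every authorization, no key pair shared across applications) can be checked from the authorized_keys files and sshd logs an organization already has. The Python script below is an added example, not SSH Communications Security's tooling or code from the deck: it parses authorized_keys entries, computes OpenSSH-style SHA256 fingerprints, cross-references them with "Accepted publickey" log lines, and reports keys without a from= constraint, keys unseen in the monitored period, and key pairs shared across applications. All host names, application names, paths, key blobs and log lines are constructed.

```python
import base64, hashlib, re
from collections import defaultdict
# Key-type token separating the optional options field from the key blob.
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+(\S+)")

def fingerprint(b64_blob):
    # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the decoded key blob.
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_options(opts):
    # Split the options field on commas, ignoring commas inside double-quoted values.
    out, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out, cur = out + [cur], ""
        else:
            cur += ch
    return out + [cur] if cur else out

def parse_line(line):
    # One authorized_keys line -> {'options': [...], 'blob': ...}; None for blank/comment/unparsable.
    line = line.strip()
    m = KEY_RE.search(line) if line and not line.startswith("#") else None
    return {"options": split_options(line[:m.start()].strip()), "blob": m.group(2)} if m else None

def audit(inventory, log_lines):
    # inventory: {(host, application): authorized_keys text}; log_lines: sshd "Accepted publickey" lines.
    # Returns (code, where, fingerprint) findings with code in no_from, unused, shared.
    used = set(re.findall(r"Accepted publickey .*? (SHA256:\S+)", "\n".join(log_lines)))
    apps_by_key, findings = defaultdict(set), []
    for (host, app), text in inventory.items():
        for entry in filter(None, map(parse_line, text.splitlines())):
            fp = fingerprint(entry["blob"])
            apps_by_key[fp].add(app)
            if not any(o.startswith("from=") for o in entry["options"]):
                findings.append(("no_from", host, fp))  # trust not constrained to a source
            if fp not in used:
                findings.append(("unused", host, fp))   # removal or rotation candidate
    for fp, apps in apps_by_key.items():
        if len(apps) > 1:                               # one key pair serving several applications
            findings.append(("shared", ",".join(sorted(apps)), fp))
    return findings

# Constructed sample data (not real keys): two production hosts and a short sshd log excerpt.
KEY_A, KEY_B, KEY_C = (base64.b64encode(b"constructed key blob " + c).decode() for c in (b"A", b"B", b"C"))
INVENTORY = {("prod-db-01", "billing"): f'from="10.1.0.0/24",no-pty ssh-ed25519 {KEY_A} billing-batch\nssh-rsa {KEY_B} legacy-etl\n',
             ("prod-app-02", "payments"): f'command="/opt/sync.sh",from="10.1.0.7" ssh-ed25519 {KEY_C} payments-sync\nssh-rsa {KEY_B} legacy-etl\n'}
LOG_LINES = [f"Accepted publickey for svc from 10.1.0.3 port 40112 ssh2: ED25519 {fingerprint(k)}" for k in (KEY_A, KEY_C)]
```

On real inventories the "unused" finding is only as good as the monitoring window, which is the Low/High risk caveat the prioritization table attaches to unused and unknown trusts.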
23. IDM INTEGRATION
[Diagram: IDM (SOURCE) and Key Manager (DESTINATION) exchanging data; labels: APP OWNER, HR USER, SSH OWNER, BUSINESS OWNER, APP INFO, USER ACCOUNT, APP & POLICY INFO, KEY DATA]
USE CASES
1. Reconciliation of IDM and Key Manager (daily)
2. Account creation
3. Off-boarding: account deletion / ownership changes
4. Unauthorized key replacement and key expiration
5. Account revalidation
24. JUST THE TIP OF THE ICEBERG
National Institute of Standards & Technology
NIST-IR 7966 - Security of Interactive & Automated Access Management Using Secure Shell (SSH)
This publication is a public document & free of charge for all:
http://dx.doi.org/10.6028/NIST.IR.7966
25. THE LAST SESSION IN OUR MYTH CRACKER SERIES…
Join us for:
THE MYTH OF SSH KEY MANAGEMENT AS PART OF THE PRIVILEGED ACCESS MANAGEMENT PARADIGM
March 24, 2016
13.00 ET
Editor's Notes
Welcome to our Myth Crackers Series where we will be going over