1

// Make SSH Keys a Security Asset, Not a Liability

DATA SHEET

SSH Protect at a Glance

Digital transformation and growth in the number of machines continue to push IT system administrators to new levels of productivity. By creating and deploying SSH keys, system administrators establish a secure, automated connection to managed assets. These SSH keys serve as machine identities, identifying and authenticating administrators and machines for critical business functions.

Consequently, these SSH machine identities have taken on an important role in automating administrative tasks between assets and tools. However, once created, organizations can lose track of SSH keys and the trusted connections they enable, and poor SSH configuration and management practices can leave organizations vulnerable to cybercriminals, insider threats and failed audits.

Manual SSH Key Management Falls Short

Management of SSH keys is left in the hands of IT admins who often manually manage them for the systems they control, skipping security best practices or using inconsistent policies. Despite the never-expiring and sweeping access they grant, most organizations leave their SSH keys untracked, unmanaged and unmonitored. A continuously growing set of SSH machine identities creates several risks:

• Weak SSH machine identities. Because they havea simple file format, SSH keys easily can be copiedor shared, making the automated connections theyenable subject to compromise and misuse.

Venafi Trust Protection Platform with SSH Protect assists InfoSec and risk management teams to safeguard mission-critical SSH keys and the automated connections they enable.

• Discover enterprisewide, agent-based or agentless SSH keys

• Create central key inventory, map connectivity and analyze for risks

• Remediate risks by prioritizing and rotating out-of-compliance SSH keys

• Automate SSH machine identity lifecycle through self-service on boarding

• Notify InfoSec and risk teams of policy violations

SSH has become a ubiquitous. SSH keys provides IT operations and development team with ubiquitous, secure, automated connections. Lack of key oversight, unknown keys and weak controls expose the business to new threat risks and expensive failed audits.

• Gain smart visibility into SSH machine identitiesand the connections they enable

• Automate key rotation and remediation

• Prevent SSH key misuse and unauthorized access

• Eliminate SSH audit failures

2

• No usage restrictions. SSH connections offera spectrum of configuration options such asport forwarding or network source/destination restrictions. However, these restrictions oftenare not applied consistently. This can allow administrators to use them for traffic tunneling or connections across development environments.

• Unprotected root access. SSH keys embedan authorization of a certain user. This can be a service account but can also be a root or superuser account. SSH machine identities that embed a superuser type of authentication need solid protection from misuse.

As a result of poor SSH practices, SSH machine identities have become a security liability for InfoSec teams, causing related assets and services to become more vulnerable to unauthorized access and misuse. Once an SSH machine identity gets into the wrong hands, an attacker can gain unauthorized access to mission-critical systems, rapidly pivot from system to system and circumvent security controls.

Best Practices to Manage SSH Risks

InfoSec teams need a step-by-step approach to carefully mitigate unnecessary risks, given the size of most IT environments, the high number of business-critical SSH keys and involvement from multiple administrators. These are the critical steps to follow:

Step 1: Adopt a Standards-Based Policy and Procedure Framework (e.g., NIST 800-53)

Policies and procedures play a critical role in securing SSH by establishing a consistent usage baseline across diverse systems and environments where SSH is deployed—including rapidly evolving cloud environments. Using a framework, such as NIST SP 800-53, forms a solid backbone in defining best practices for SSH access control policies, helping organizations harden SSH implementations, identities and deployment of authorized keys.

Step 2: Discover, Compare Against Policies and Prioritize

With SSH keys never expiring, most organizations end up holding at least 3-5 times more SSH keys than estimated.1 Locating all keys, assets, accounts and usage data is an essential starting point for recognizing SSH key sprawl and identifying unused or weak keys. More than just a spreadsheet, this large inventory should provide InfoSec teams a map of all trusted relationships as well as an overview of potential policy violations and imminent risks.

Trust relationships created by SSH public key authentication must be reviewed and evaluated for poor configuration and management practices, which can lead to potential misuse. Once poor practices are identified, organizations need to establish a remediation plan that prioritizes fixing the most high-risk practices first.

3

Step 3: Remediate Step by Step

Once out-of-policy SSH keys or protocol implementations have been identified, security teams can start remediation by removing or rotating high-risk keys. During the remediation process, relevant SSH configurations should be backed up before making a change so that it can be quickly rolled back if something breaks. This step-by-step process should be executed without any manual interaction and across all IT environments (on-premises and cloud) as well as prioritized by risk level.

Step 4: Govern the SSH Key Lifecycle

A fully controlled lifecycle process typically includes request, approval, provisioning, usage logging, review and termination of SSH access keys. When approving or taking actions against SSH keys, InfoSec teams need to have full insight on the lifecycle step for each key. When provisioning and configuring access to an account for interactive users and automated processes, it should be an informed process that balances the level of access requested against the risks of granting that access. Also, by imposing a lifecycle to SSH keys, organizations reduce risk by eliminating rogue or unsafe keys.

Step 5: Monitor and Audit Continuously

The purpose of continuous monitoring and auditing is to ensure that the processes for provisioning, lifecycle management and termination are consistently followed and enforced. During monitoring, all unauthorized and misconfigured SSH user keys should be detected, including SSH keys that may have been illicitly provisioned by attackers as a backdoor into systems. For example, anyone or anything (including malware) with access to a superuser account can technically configure new authenticators, granting access to any account. Similarly, a comprehensive audit of SSH user keys and SSH configuration and management practices is essential for risk analysis and should be performed by all organizations that use SSH or SFTP protocols.

Visibility, Intelligence and Automation at Your Fingertips with SSH Protect

InfoSec teams need to combine best practices outlined in standards, such as NIST, with an enterprise-grade SSH management solution to discover, remediate, govern and audit all SSH machine identities. SSH Protect, as part of the Venafi Platform, provides visibility, intelligence and automation to reduce risks from poorly managed SSH keys and help safeguard the trusted connections SSH keys enable.

Visibility

Network Discovery • Discover SSH servers, host keys and network settings (e.g., supported authentication methods)

• Configure IP addresses and ports • Schedule discovery job execution • Apply rules-based results processing • Use multiple discovery job configurations

SSH Key and Configuration Discovery

• Discover authorized, user, private, host and known host keys• Discover configuration information• Configure discovery paths (include/exclude)• Schedule execution• Apply rules-based discovery results processing and organization • Conduct discovery via agent and/or agentless access

4

Intelligence

Dashboard Analytics

• Get a comprehensive view of the SSH inventory• Obtain rapid identification of vulnerabilities, including SSH access via root,

potential backdoor keys, weak key lengths, old keys, duplicated private keys and much more

• Remediate directly from the dashboard

Policy-Based Management and Workflow Approval Enforcement

• Enforce policy definitions, including allowable key lengths, algorithms, formats, source restrictions and much more

• Designate hierarchical definitions to enable global policies per group • Generate policy compliance reporting • Delegate administration to groups/admins• Set workflow approval gates—global or group-based workflow configurations

Key Usage Tracking • Track key usage to enable identification of unused keys and support rapid remediation

• Identify new locations from which keys are accessed

Comprehensive Reporting

• Customize reports, including the ability to select data to include in reports, filter on multiple criteria, sort by column, etc.

• Configure automatic report delivery• Assign multiple report recipients—groups and users • Select report formats (CSV or PDF)• Schedule execution (e.g., weekly, monthly or annually)• Generate entitlement reports that show all SSH key-based access is formatted

to allow easy import into privileged access review systems

Configurable Alerts/Notifications

• Configure alerts based on security events, such as SSH access changes, impending rotations, discovered SSH systems and keys and much more

• Send notifications to multiple groups or individuals • Deliver alerts via email, syslog, SNMP, Splunk, file and other methods

Automation

SSH Access Management

• Add, modify and remove SSH key-based access centrally• Automate management (add, modify, remove) of authorized, private and known

host keys• Restrict access and control management-level permissions easily• Require workflow approvals for management operations• Manage via agent and/or agentless access

User and Host Key Rotation

• Rotate user keys, including large keysets (10,000+ public/private keys)• Perform uninterrupted SSH operations while user keys are rotated (no downtime)• Conduct host key rotation—both host and known host keys• Configure maximum key lifetimes that automatically trigger rotations to meet

audit requirements• Rollback key rotations easily, if needed • Rotate via agent and/or agentless access

5©2020 Venafi, Inc. All rights reserved.

Are you leaving your SSH machine identities unprotected?

SSH keys are one of the most valuable—yet least understood—machine identities. They provide privileged access but are often weakly defended. With the Venafi Platform, your organization can implement an enterprise-grade solution that delivers SSH machine identity protection through a combination of identity and risk intelligence and intelligence-driven automation across highly complex IT environments.

References1. Results from Venafi SSH Risk Assessments and Venafi

Professional Services SSH deployments.

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access.

Learn more at venafi.com

Trusted by

5 OF THE 5 Top U.S. Health Insurers 5 OF THE 5 Top U.S. Airlines 3 OF THE 5 Top U.S. Retailers 3 OF THE 5 Top Accounting/Consulting Firms4 OF THE 5 Top Payment Card Issuers 4 OF THE 5 Top U.S. Banks 4 OF THE 5 Top U.K. Banks 4 OF THE 5 Top S. African Banks 4 OF THE 5 Top AU Banks

Programmatic Automation

• Leverage a comprehensive set of REST APIs to enable rapid programmatic automation of management and reporting operations

• Integrate rapidly into enterprise systems (e.g., IAM, CMDB, etc.) for streamlined end-to-end operations

Scalable Fault Tolerant Architecture

• Use load balanced architecture that enables horizontal scaling—with support for 10 million keys and 100,000 hosts

• Apply robust fault tolerance (data center/geography)

Host, Application and Integration Support

• SSH Managed Systems: Red Hat, SuSE, AIX, Solaris, HP-UX and Windows• SSH Products: OpenSSH, Tectia, PuTTY • IAM: Active Directory and LDAP• HSMs: Gemalto and Thales