SSH Regulatory Compliance

The compliance landscape is changing and becoming more challenging. Laws and regulations are updated regularly by standards entities, government and state agencies and they’re not letting up any time soon. Risk, Compliance and Audit professionals are faced with answering many questions today:

  • What is your state of compliance today?
  • What regulation, standard or law must you adhere to in your day-to-day business operations?
  • What rapidly changing technology do you have to assess to ensure continuous compliance?
  • What emerging security threats is your company facing today?

You should consider what controls you have implemented, what frameworks you have adopted, and ask yourself “Are we ready for an audit?” and “How fast can you recover from a breach?”

Organizations within most industries face audits year after year to ensure that they are compliant with various laws and regulations, whether government- or association-based. Organizations take extra measures to ensure trust is in place for their customers by adhering to industry best practice standards and guidelines to minimize the risks that could lead to a potential data breach or loss in trust. The common digital security theme across all organizations is “It’s Not a Matter of If, But When!” As a result, many leading experts in the security industry state that organizations may have already suffered a breach, but they don’t yet know it.

Senior management, internal auditors, compliance and security teams are continuously challenged to keep up with the regulations and security measures needed to ensure the security of their “Protected Data.” Protected data is a general term used to reflect all types of sensitive and confidential information such as social security numbers (PII), credit card numbers (PCI), protected health information (HIPAA) and much more.

It goes without saying that the threat landscape is always changing, driven by the evolving vectors used to try to gain access to protected data. Protected data goes beyond information such as a social security number, and the government, regulating bodies and industry standards have become more stringent, with government agencies conducting compliance audits that come with hefty fines, and much more.

SSH Communications Security provides solutions that support organizations’ key controls that are designed and continuously audited to ensure restricted and authorized access to highly sensitive information. Logical and privileged access controls continue to be on top of auditors’ checklists.

The SSH protocol ships standard with every UNIX, Linux, and Mac system, as well as IBM mainframes. It is also widely used on Windows (Microsoft announced plans to make it a standard component of Windows). SSH is deployed on millions of servers and is used in approximately 90% of data center environments.

A typical example illustrates the scale of SSH use: A large enterprise with 10,000+ servers that has been using SSH for 10 years or more is likely to have over 1 million SSH keys at large in its network environment. A malicious agent, either internal or external, could get backdoor access to production data due to improper handling of these keys, giving them the proverbial “Keys to the Kingdom”, and there would be no straightforward way to stop them.

Privileged users, such as system administrators and application developers, use SSH for secure interactive and remote access. SSH is even more widely used for automated machine-to-machine processes including backups, database updates, system health monitoring applications and automated systems management. In short, SSH performs a critical role in the functioning of the modern, highly automated digital networks found in every business or data center.

Enterprises that use SSH need to make sure that any potentially compromised SSH keys are replaced, but without a system in place to manage the keys - identify and track what SSH keys are on what systems, serving what purpose - there is no way to do this in a timely, cost-effective and compliant way.
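The kind of inventory described above, as an added example (not from the original page or from SSH Communications Security): it parses authorized_keys content collected per host and account, computes OpenSSH-style SHA256 fingerprints, and reports keys authorized in more than one place and key lines that carry no options. The host names, accounts, comments and key blobs are constructed sample data, and all function names are chosen for this illustration.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Key type, base64 blob, optional comment; anything before the key type is the options field.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield one record per key line, skipping blanks, comments and lines without a key."""
    for line in (l.strip() for l in text.splitlines()):
        m = None if line.startswith("#") else KEY_RE.search(line)
        if m:
            yield {"type": m.group(1), "fp": fingerprint(m.group(2)),
                   "options": line[:m.start(1)].strip(), "comment": m.group(3) or ""}

def build_inventory(files):
    """files maps (host, account) -> authorized_keys text; returns fingerprint -> uses."""
    inventory = defaultdict(list)
    for (host, account), text in files.items():
        for key in parse_authorized_keys(text):
            inventory[key["fp"]].append({"host": host, "account": account, **key})
    return dict(inventory)

def findings(inventory):
    """Keys authorized in several places, and key lines that carry no options at all."""
    shared = sorted(fp for fp, uses in inventory.items() if len(uses) > 1)
    unrestricted = sorted((u["host"], u["account"], fp)
                          for fp, uses in inventory.items() for u in uses if not u["options"])
    return {"shared": shared, "unrestricted": unrestricted}

def sample_blob(fill):
    """Constructed, structurally valid ed25519 public-key blob (not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

BACKUP, ADMIN = sample_blob(1), sample_blob(2)
SAMPLE = {  # constructed sample data: hosts, accounts and comments are made up
    ("db01", "root"): f'command="/usr/local/bin/backup --all",from="10.0.0.5" '
                      f"ssh-ed25519 {BACKUP} backup@jobs\nssh-ed25519 {ADMIN} alice@laptop\n",
    ("web01", "deploy"): f"# admin access\nssh-ed25519 {ADMIN} alice@laptop\n",
}
print(findings(build_inventory(SAMPLE)))
```

The fingerprints use the same SHA256 form that `ssh-keygen -l` prints, so inventory entries can be matched against other tooling that reports key fingerprints.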

The use of SSH grew in a grassroots fashion from system administration, and its deployment never got much management attention or planning in most organizations. It was a standard component requiring no purchasing decision. It is the “Invisible Plumbing” that runs in nearly all systems and is most often seen as being owned by the “IT department”. As a result, the Computer Security Division of NIST concluded that poor SSH access controls within Information Technology (IT) environments constitute a major operational and security risk that could be best addressed by publishing NIST IR 7966.