Automated SSH connections - Secure M2M connections
Automated secure connections between devices, computers, and cloud systems are a very common use case of the SSH protocol. The powerful SSH protocol provides secure connectivity, automated file transfers, and strong and automatic authentication between the many M2M processes that execute in the shadows of corporate networks every day (and night).
Studies of actual corporate environments have revealed that the identities involved in these automated connections (by far) outnumber the human users. Automated SSH connections are commonly authenticated with SSH keys, and typically require no passwords.
ContentsWhy are automated SSH connections used? How are automated SSH connections set up? Managing automated SSH connections
Why are automated SSH connections used?
SSH (and SFTP for file transfer) connections are the basic tools for IT process automation. In corporate networks, automated SSH connections are used for a variety of recurring tasks and system administration processes. Scripts and processes that perform data archiving, periodic reporting, database cleanup, log data collection, system backups, and network maintenance regularly establish secure connections between systems using the ubiquitously deployed SSH procotol.
How are automated SSH connections set up?
The automated M2M connections are run without the supervision of a human user. This means that the authentication between processes needs to be completed automatically, without the interactive prompting for a password from the user. Embedding the password into the communicating programs or scripts is problematic from the security point of view, and also imposes some undesired maintenance burden in the event of a password rotation.
The SSH protocol that provides the secure connectivity offers a secure and functionally elegant way to circumvent the difficulties imposed by the password authentication. The use of SSH keys for authentication allows for strong, automated, and passwordless authentication. SSH key based authentication is considerably more secure than password authentication, and can be fully automated. When complemented with a well-designed SSH key management stategy, the automated SSH connections can also enjoy the full benefits of managemenent, for example key rotation and other lifecycle management features.
The automated connections over SSH are typically run at intervals (daily, weekly, quarterly) or triggered by certain conditions (a logfile appearing in a designated directory, or a signal from a process to initiate a system backup). The availability, flexibility, and reliability of the SSH protocol has made it into the primary system administration automation tool in corporate environments.
Managing automated SSH connections
SSH automation is typically created and maintained by the corporate IT department. Individual system administrators program the automated processes and self-provision the SSH keys used for the access. The "in-house" development nature of the automation often leads to processes that are lightly (if at all) documented.
Since the automated SSH connections often execute within the corporate core systems and regularly operate with elevated privileges, it is a good security practice to bring them under the corporate IAM strategy and policy. Bringing such unseen/undocumented processes under centralized management requires a management solution than can not only control/regulate SSH keys and access, but also detect and discover SSH access to allow a zero-disruption management roll-out.
See here for more on securing M2M connections.