April 14, 2019

SSH Industry Focus: Insurance Sector

Innovation and disruption are two sides of the same coin when describing the global insurance industry. Innovation in the form of digital transformation, new payment platforms, and mobility provides the basis for expansion by meeting evolving customer needs. Adoption of innovation also increases the complexity of your infrastructure and increases the need for managing risk proactively. Legacy infrastructure must become more dynamically provisioned with the rapid transition to the cloud. Existing threat surfaces built up over time must be reduced as bad actors target insurance companies. Governance must be increased to meet the complex and growing set of compliance regimes impacting the insurance industry. All of this comes back to better support for consumers across multiple channels and platforms while protecting the firm’s reputation and lines of business.


Transition to the Cloud

Insurance companies are rapidly adopting cloud-based resources. Agility is key to leveraging InsurTech and FinTech innovations.

“More than 70% of insurers use some cloud, and those that do are planning to use more. About 10% of insurers run most of their infrastructure on cloud.”

Source: Cloud Adoption in Insurance: Trends and Issues, Published: March 2018 

The drivers for cloud adoption include both cost reduction and increased efficiency driven by increased demands for mobility and business cycles. But before claim handling is mostly automated and the majority of the functions are in the cloud, there are some potential obstacles on the way to the promised land.

Obstacle 1: Your Legacy IT Access Paradigm can be an Obstacle to Cloud Transformation

The Secure Shell protocol is the de facto method of remotely accessing Linux-based servers and transferring data securely between them. An SSH key is an access credential in the SSH protocol. Its function is similar to that of user names and passwords, but the keys are primarily used for automated processes and for implementing single sign-on by system administrators and power users. Based on our research, major enterprises might have millions of these keys in their environment. Some reasons:

  • These keys can be self-provisioned by system administrators in minutes
  • It is easier to create new keys than to delete existing ones without breaking anything on the network
  • The keys can be shared without assigning an identity to them and they can exist outside your network if granted to 3rd parties
  • These can grant access that is invisible to established security controls, such as traditional Privileged Access Management (PAM) solutions
  • This is happening today with an encryption protocol that has existed for the last 20 years, quietly doing its work while spreading because of the growth of an open source distribution model. SSH uses encryption keys that have been forgotten yet provide the most critical form of access into your networks.
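
A first-pass inventory of the properties listed above can be built from the `authorized_keys` files themselves. The following is an added example, not SSH.COM code or part of any product named on this page; the account names, the finding labels and the sample entries are constructed for illustration, and the comment field it checks is free text that shows only whether an owner was recorded, not who holds the key.

```python
import base64, hashlib, re
from collections import defaultdict

KEY_RE = re.compile(
    r'(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$')

def fingerprint(b64blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Split one authorized_keys entry; returns None for blanks and comments."""
    line = line.strip()
    m = None if line.startswith("#") else KEY_RE.search(line)
    if not m:
        return None
    # Everything before the key type is the options field (from=, command=, ...).
    return {"options": line[:m.start()].strip(), "fp": fingerprint(m.group(2)),
            "comment": (m.group(3) or "").strip()}

def audit(files):
    """files maps account -> authorized_keys text; returns (account, fp, findings)."""
    entries, accounts_by_fp = [], defaultdict(set)
    for account, text in files.items():
        for e in filter(None, map(parse_line, text.splitlines())):
            entries.append((account, e))
            accounts_by_fp[e["fp"]].add(account)
    report = []
    for account, e in entries:
        findings = []
        if not e["comment"]:
            findings.append("no-comment")       # nothing ties the key to an owner
        if not re.search(r'\b(from|command)=', e["options"]):
            findings.append("unrestricted")     # usable from any host, any command
        if len(accounts_by_fp[e["fp"]]) > 1:
            findings.append("shared")           # same key opens several accounts
        report.append((account, e["fp"], findings))
    return report

def _blob(tag):  # constructed stand-in for a key blob, not a real key
    return base64.b64encode(tag.encode()).decode()
SAMPLE = {  # constructed accounts and entries
    "root@db01": f"ssh-rsa {_blob('key-A')}\n",
    "batch@app01": 'from="10.0.0.5",command="/usr/local/bin/xfer" ssh-ed25519 '
                   f'{_blob("key-B")} batch-transfer\nssh-rsa {_blob("key-A")} old-admin\n',
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

In the sample, the key on `root@db01` is flagged on all three counts, while the restricted, commented batch key produces no findings.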

Who uses SSH in your organization? More people than you probably realize…

  • IT administrators use the SSH protocol to remotely access operating systems, application databases and network devices.
  • Developers accessing systems, moving code between systems and into cloud environments
  • Applications on autopilot securely moving data between applications, both on premise and to the cloud.
  • Supply chain vendors and outsourced managed service providers that support and maintain corporate networks.

This creates an incredibly complex web of connections and critical access credentials that is impossible to keep track of manually. Moving to the cloud without solving this problem means that your business loses the efficiency and agility gains promised by the cloud.



Obstacle 2: Unmanaged SSH Keys

  • Recent breaches at Anthem and Premera Blue Cross signify an increasing cybersecurity threat. There’s more.
  • The threat surface is increasing because of larger and more complex networks. This is only likely to continue with the massive rise in cloud platforms, sophisticated mobile stacks and the advent of Enterprise-present IoT and embedded systems.
  • The bad guys are getting more sophisticated, stockpiling delivery mechanisms and payloads and developing sophisticated supply chains and cyber assets, as exemplified by the SWIFT incident and concerns over payment systems.
  • Third party and supply chain risk increase exposure as more outsourcing takes place and more complex and global business ecosystems emerge.
  • Insider threats stemming from the dark web, which has been reaching out to insiders to buy their SSH login credentials.

Perhaps the most worrisome application of the SSH protocol comes from hackers and malicious insiders; it is their preferred method to move laterally throughout our networks. In many financial institutions, accountability, manageability, governance and even knowledge of these keys is unclear, opening the door to compliance violations. At the heart of the issue is access control. It’s all about protecting the data (PII, credit card data, etc.) and making sure it has authorized access. It doesn’t matter whether access is being requested by a machine, admin or business user.

Recently ISACA issued guidance to the compliance and audit community on how to leverage SSH key management best practices titled “SSH: Practitioner Considerations.”

In a specific customer case, 10,000 Unix/Linux hosts lacked strong SSH key management, which equated to 1.5 million application keys granting access and 70,000 keys each for database administrators and system admins. There can be up to one billion authentications per year granting access. The majority of the access available via these keys is obsolete, having been assigned to employees or third parties who no longer work with or for the financial institution.

Obstacle 3: Compliance

The recent data breaches have also increased the scrutiny of state regulators along with the U.S. Department of the Treasury's Financial Banking and Information Infrastructure Committee (FBIIC) and the Executive Branch and Independent Agency Regulatory Cybersecurity Forum. After all, the insurance industry is one of the most heavily regulated, especially by state regulators. Trust relationships between customers and insurance companies are intrinsic to the industry and its survival. The SSH protocol is in fact the backbone of today’s insurance industry.

Regulatory pressure and market dynamics have made compliance a key function in managing risk, especially as it relates to cybersecurity across the enterprise. Specifically, data protection laws, data breach reporting, and the increased use of outsourced providers all relate to the ubiquitous and unmanaged use of SSH across the estate. Proactive management of SSH reduces costs and lowers cyber risk.

Solutions umbrella


Fix the legacy: Discover, manage and automate your entire SSH key environment

Before moving your infrastructure to the cloud, simplify and take control of the complex web of connections. This ensures that you don’t replicate the problem in the cloud, have a better security posture to make the move and mitigate existing risks at the same time. With our Universal SSH Key Manager®, you will:

  • Gain full visibility into how critical servers are accessed and by whom on the network
  • Eliminate the SSH keys that no longer should exist, for example, if they are obsolete or in violation of your security policies
  • Prevent backdoor access and find the keys created outside your PAM software
  • Grant server specific access with limited privilege for tasks that do not require admin or root-level access like application-specific
  • Gain compliance with regulations and face an audit with confidence

Build the future: agile and lean access at scale

Digital requires agility in all functions and processes. Back your cloud strategies while delivering a more cost-effective and secure solution that is PrivX®. Compared to legacy PAMs (privileged access management), PrivX helps you to:

  • Fortify your cloud deployments by controlling access to your AWS, GCP and Azure-hosted servers
  • Cut the costs of credentials lifecycle management and vaulting by instead granting short-lived authentication to users only when they need it.
  • Strengthen your security posture; eliminating credentials also reduces your threat surface.
  • Economize on deployment and maintenance efforts by avoiding the use of agents, commonly required by PAMs, on your client workstations and hosts.

How to get started with your secure cloud transformation?

SSH.COM offers insurance institutions:

  • a Risk Assessment that delivers a detailed analysis of risks around SSH mismanagement.
  • a workshop on SSH key management best practices
  • Universal SSH Key Manager®, a product offering that addresses SSH key management issues
  • PrivX® access gateway for cloud resources

SSH.COM is committed to partnering with you to provide clear sailing and prevent the factors that could conspire to threaten your organization. Taking advantage of disruptive technologies and protecting your infrastructure while increasing governance is a winning formula for continued growth in the insurance industry.



Andrew Hammond

Market maker and business builder for cyber security, advanced technologies, network and web infrastructure, computing platforms and application software. Functional expert in direct, channel and OEM sales, marketing, business development, and product management. Proven leader for companies seeking growth through new...
