Regulatory Compliance for Cybersecurity
- ISACA SSH Audit Practitioner Guidance
- HIPAA Security Rule
- ISO/IEC 27001:2013
- NIST Cybersecurity Framework
- NIST IR 7966 on SSH Keys
- NIST SP 800-53 / FISMA Law
- PCI DSS Compliance
- SANS Top-20 Critical Security Controls
- Sarbanes-Oxley Act
- EU GDPR
Compliance is a critical component of any security program. Compliance lives by the rule that states We Trust but Verify. The concept is that we must obtain evidence of compliance with stated policies, standards, laws, regulations, etc. in order to issue the proper attestations as required.
Compliance, which is only a point in time, is directly impacted by the ever changing and always evolving rules and regulations which makes it quite challenging for organizations to maintain a sound compliance posture. The continuous expansion and extension of our production environments also adds to the compliance challenges we all face today.
SSH and Compliance
At SSH Communications Security, we recognize these challenges and always strive to align our solutions’ functions, features and reports with the laws, regulations, and technologies that potentially impact what the industry defines as trusted access.
When organizations are faced with having to comply with key controls such as privileged access, segregation of duties, third-party access and much more, it becomes an apparent nightmare to ensure continuous authorized access. SSH Communications Security solutions are designed with compliance in mind.
SSH key based access has been labeled the dark side of compliance. It has been ignored or simply slipped under the audit radar for years. Organizations must take action and assess their SSH key situation and pursue means to inventory, control, remediate and govern SSH keys within their production environments.
How Do Frameworks Come into Play?
HIPAA law along with the HITECH act are actively being audited in health organizations to ensure compliance. Access to electronic Protected Health Information (ePHI) must be controlled and authorized while data is at rest, in use and in transmission.
Payment Card Industry (PCI) Data Security Standards (DSS) clearly specify how merchants and acquirers must protect card holder data. The twelve (12) domains of PCI DSS cover a wide range of security requirements that are designed to protect card holder data from point of creation to destruction or obsolescence.
Sarbanes-Oxley, which is also referred to as SOX, is a government act from 2002 that hit all financial organizations as a tidal wave that caused them to scramble to identify and implement internal controls to ensure effectiveness of their financial statements and attestations. The controls were designed to ensure effectiveness as it relates to key controls such as logical access, privileged access, segregation of duties and much more.
National Institute of Standards and Technology (NIST), which has been around for over 115 years, has supported the smallest of technologies to the largest and most complex of human-made creations. NIST has released many special publications and Internal or Interagency Reports over the years that supported all aspects of our industries. Please visit our NIST pages to learn more how NIST recognizes the SSH keys access gap and what recommendations are suggested to minimize risks to your production environments. Of particular importance are NIST SP 800-53, the NIST Cybersecurity Framework, and NIST IR 7966 - guidelines on SSH access management.
Monetary Authority of Singapore (MAS) an Act to establish a corporation to be known as the MAS, to provide for the exercise of control over and the resolution of financial institutions and their related entities by the MAS and other authorities, and to establish a framework for the issue of securities by the MAS and the regulation of primary dealers of such securities, and for matters incidental thereto and connected therewith.
Our Compliance Goal
At SSH Communications Security we continue to evaluate the above mentioned frameworks, review current vulnerabilities and threats to confidential and sensitive information and assess risks associated with access to protected data. We label what is important as Protected Data which encompasses ePHI, Credit Card Data, Personally Identifiable Information (PII) and much more. Our sole purpose is to ensure access to protected data is authorized and approved. We support the security principle of least or minimal privileges which requires that access to information is only granted as necessary and required for its legitimate purpose.
SSH Communications Security solutions are a critical component to privileged access and identity access management programs. We continue to evangelize the fact that excluding SSH keys access from security assessments, compliance assessments and audits will only open the door to potential audit exceptions and security breaches. As you navigate our website, you will learn about our solutions and will further understand the need to address SSH keys access today.
For additional information, please download our whitepapers:
- A Secure Shell Guide for PCI DSS 3.2 Compliance
- What Health Organizations need to learn about SSH Key Management
- What Financial Institutions Need to Know About the Management of SSH Keys
- What You Need to Know About NIST Guidelines for Secure Shell (NISTIR 7966)
- Secure Shell (SSH) And SANS Center for Internet Security Critical Security Controls (CIS CSC)
- A Secure Shell Guide for Basel II & Basel III