Lax Secure Shell Key Management Endangers Enterprise Networks - Page 3

Secure Shell protocol inventor warns that uncontrolled SSH credentials could cause major security incidents, gives best practices for mitigating the risks.

 By Jude Chao
Page 3 of 3   |  Back to Page 1
Print Article

What regulators are doing, and the role of the PCI Council

All those steps require a significant investment in money and manpower, of course, particularly for a risk that can be "hard to quantify," Ylönen said. That's why many organizations "don't do anything as long as they can get away with not doing anything," he added. And they'll continue to get away with not doing anything for as long as they can.

For the past year, Ylönen has been on a crusade to change that. He's been traveling and communicating the risks to various standards organizations. The U.S. government, he said, is taking the matter seriously: within the next few weeks, the National Institute of Standards and Technology (NIST) will release a document with guidelines on how to manage automated access via SSH. In addition, the Internet Engineering Task Force (IETF) has released a draft of SSH key management guidelines, which Ylönen co-authored.

The Payment Card Industry council, however, has lagged behind, according to Ylönen. While the PCI-DSS requirements are generally good, he said, "the PCI is being almost negligent in addressing automated access more properly in the standards."

The current standards focus primarily on access to systems by people rather than access by machine, since at the time the current standards were drafted, virtualization and machine-to-machine access weren't as prevalent as they are now. Compounding the problem are the people in charge of the PCI standards. They come mostly from a background of payment terminals and Windows-based systems, Ylönen explained. SSH applies more to infrastructure, virtualization platforms, and Unix or Linux environments, requiring a different kind of expertise. And the security issues have so far failed to catch enough PCI interest to drive a change to the standards.

Additionally, lack of knowledge or exposure at the auditor level hinders enforcement of what relevant standards the PCI-DSS does currently have. Some PCI auditors do understand automated access and SSH keys, he conceded. Most, however, don't. "If the PCI standard says you have to manage authentication credentials, then they think passwords, security tokens, and so on. They don't think of SSH keys, so they never actually know to ask about SSH keys during an audit. They don't address automated access and credentials, even though those have become the majority of access in many environments in the last five years," Ylönen said.

Ylönen expressed frustration at this. This week, he attended a meeting of the PCI Council in Las Vegas, where he hopes to convince regulators to strengthen PCI-DSS rules around the management of SSH credentials. The trip coincides with the announcement of SSH Communications Security's new Auditor and Compliance Education Program, aimed at helping implement new regulatory requirements to strengthen access control and the security of encrypted networks.

"I'm worried that if nothing is done about this, we'll see major incidents within the next five years, the lifetime of the current round of PCI standards," he said. The next round of PCI standards, PCI-DSS 3.0, will go into effect in mid-2015; Ylönen later clarified that "if the SSH key issue does not get sufficiently addressed on this round (3.0), the next PCI-DSS version will likely be three years from now and come into force mid-2018." He added that "I don't think it can wait that long."

Editor's Note: This article was updated to reflect a clarification provided on the timeframe until the next round of PCI standards mentioned in the last paragraph.

ENP editor Jude ChaoJude Chao is executive editor of Enterprise Networking Planet. Follow her on Twitter @judechao.

This article was originally published on Sep 25, 2013
Get the Latest Scoop with Networking Update Newsletter