CyberSecurity Journal
The Dark Side of SSH Key Compliance | @CloudExpo #Cloud #AI #Compliance

All the regulations, laws and frameworks exist to ensure, at a minimum, that protected data has authorized access

Who is accountable for SSH-related, key-based access in your organization? In many enterprises, this is not clear, leading to assumptions that leave you vulnerable to attack and compliance violations as well. This article will address the challenge of SSH user key-based access from the perspective of compliance.

It's all about access control. All the regulations, laws and frameworks exist to ensure, at a minimum, that protected data (PII, ePHI, credit card data, etc.) has authorized access. It doesn't matter whether that access is being requested by a machine, admin or business user. The fact is that:

  • Oversight and control are sorely lacking in many organizations.
  • They do not have visibility into SSH user key-based trusts or monitoring capabilities.
  • They lack processes for provisioning ownership, revocation and rotation of keys.
  • There is no ownership of the access being provided or clear policies for key-based access.

What does this look like in practical terms? In an environment of some 10,000 Unix/Linux hosts, the lack of strong SSH key management equates to 1.5 million application keys granting access, plus 70,000 keys each for database administrators and system admins. There can be up to one billion authentications per year granting access. The majority of the access available via these keys is obsolete, having been assigned to employees or third parties who no longer work with or for the organization.

What This Means for Compliance
In security and compliance terms, that's the equivalent of a ticking time bomb, and one that gets bigger and more dangerous over time. SSH keys are a critical component of logical, privileged and third-party access; their misuse can have repercussions across all critical frameworks. Regulatory bodies won't be easing up any time soon - instead, they are levying seven-figure fines, incarceration and reputation-damaging publicity.

For example, let's look at HIPAA HITECH, administered by the Office of Civil Rights (OCR). It is the only government agency conducting security-related audits. Key focus areas are segregation of duties, access authorization and transmission security (encryption protocol). The healthcare industry has struggled to keep up with compliance mandates and audit activities. These "distractions" slowed their progress toward compliance maturity and increased the risk of breaches and/or audit violations. The good news is that earlier in 2016 the OCR/HHS kicked off the effort of mapping HIPAA specifications to the NIST Cybersecurity Framework. That's a positive development - because how can you sign off on an attestation when you're ignoring a huge access gap in production?

For those organizations that don't comply, the OCR maintains a regularly updated web page, commonly referred to as the "wall of shame," that lists all organizations that have had breaches affecting 500 or more individuals. There are hefty fines for non-compliance, of course. These fines are issued per violation category, per year that the violation was allowed to persist. The maximum fine per violation category, per year, is $1,500,000. In other words, if your organization knew there was an access issue but did nothing, you're going to pay for it - literally.

SOX violations carry potential fines and jail time, and PCI violations pack their own punch. In addition to stiff fines, PCI can take away your payment processing privileges. This happened to a national chain, rendering the chain incapable of processing card transactions for several weeks. That's a financially devastating outcome, one that has the potential to destroy a business.

Addressing SSH Key Access Issues
Imagine that you are an auditor in the financial industry. You conduct annual IT General Controls audits for all your in-scope IT systems. You continuously assess the effectiveness of your logical access, privileged access and segregation of duties controls. Now, have you considered SSH keys? Once you learn what those keys are and what they entail, consider that the assumption that someone is managing them is often wrong. This is the "dark side of compliance." CEOs and CFOs of publicly traded financial organizations are required by law to attest to the state of their internal controls annually. Access control is a key component of these attestations, so how accurate are they if SSH key-based access (elevated in nature) is not part of the assessment?

Put this way, people realize that they must take action on SSH-related, key-based access. Three logical questions then follow:

  1. Do you know where your keys are? How many do you have (inventory)?
  2. Do you know who and what connects to your production environment? Is the access authorized?
  3. Are the SSH keys managed as part of your provisioning or governance processes? If so, who manages them?

If the answer to any one (or more) of these questions is vague or "I don't know," then you need to take action immediately.
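An added example, not from the article or from SSH Communications Security, of the first question (the inventory): it parses one account's authorized_keys file, computes each key's OpenSSH-style SHA256 fingerprint, and flags entries with no comment (no traceable owner), no from= source restriction, or no forced command. The sample file is constructed and its key blobs are placeholder bytes, not real public keys.

```python
import base64, hashlib

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def parse_line(line):
    # Split one authorized_keys line into (options, keytype, blob, comment).
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        # Options field: honour quotes so command="a b" keeps its inner space.
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"' and line[i - 1:i] != "\\":
                quoted = not quoted
            i += 1
        options, line = line[:i], line[i:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        return None
    return options, parts[0], parts[1], (parts[2].strip() if len(parts) == 3 else "")

def fingerprint(blob):
    # OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(decoded blob).
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def inventory(text):
    # One row per key; the findings mirror the gaps the article lists.
    rows = []
    for options, keytype, blob, comment in filter(None, map(parse_line, text.splitlines())):
        findings = []
        if not comment:
            findings.append("no comment: no named owner for this trust")
        if "from=" not in options:
            findings.append("no from= source restriction")
        if "command=" not in options:
            findings.append("interactive login allowed (no forced command)")
        rows.append({"type": keytype, "fingerprint": fingerprint(blob),
                     "comment": comment, "findings": findings})
    return rows

_blob = lambda n: base64.b64encode(b"constructed-placeholder-key-%d" % n).decode()  # not a real key

SAMPLE = "\n".join([  # constructed authorized_keys for one service account
    'from="10.0.0.0/8",command="/opt/backup.sh --full",no-pty ssh-ed25519 '
    + _blob(1) + " backup@jobhost",
    "ssh-rsa " + _blob(2),
    "ssh-dss " + _blob(3) + " jdoe@contractor",
])
```

Running `inventory()` over every account on every host and joining the fingerprints against the provisioning system is what turns this into the inventory the second and third questions depend on.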

Start Now
The work of gaining control of SSH user key-based access can be difficult, but it can be done. The more security controls you implement as a standard business practice, the more likely you are to be compliant out of the box. Adopt the mindset of continuous compliance. It's not a matter of checking a box that you set up a server; you need to harden everything that goes on that server. It may seem impossible to do this company-wide, but start with critical assets and then implement in phases.

However, do not do this manually. Remember the example of the Unix/Linux hosts mentioned above? The volume is simply too great. Bring in experts and automation to help you. And do this proactively. Don't wait for a breach or an audit - take action today.

Remember this critical equation that defines what constitutes "access."


More Stories By Fouad Khalil

Fouad Khalil is VP of Compliance at SSH Communications Security, with more than 25 years of experience in the technology space spanning software development, IT support, program and project management and, most recently, IT security and compliance management. He has come up the technology ladder his entire career, from network, system and database administration, through software programming, system, software and GUI design, to project and product development, solution implementation and much more.

He has been an active member in ISACA, IIA and Infragard for over ten (10) years and an active contributor to ISSA and ISC2 regionally and nationwide. He is CISA and ITIL Foundations certified.
