March 5, 2015 | Regulations, Audit & Compliance | John Worrall
The National Institute of Standards and Technology (NIST) recently issued guidelines for the use of Secure Shell (SSH) in automated access management. Frequently used by system administrators, SSH is a protocol used to enable secure access of privileged accounts to remote systems.
While the SSH protocol itself provides a secure communications channel, unmanaged SSH keys can introduce several vulnerabilities into an otherwise secure system. According to a recent report by the Ponemon Institute, the majority of organizations today are neither securing nor managing SSH keys. Worse, as a result, fifty-one percent of organizations surveyed in the report have already experienced an SSH key-related compromise.
NIST encourages organizations to start treating SSH keys like the privileged credentials they truly are by focusing on the following control areas:
- Account Management – Proactively secure, manage and monitor the use of SSH keys.
- Access Enforcement – Create and enforce approval policies for SSH key-based access to all enterprise systems, whether they are servers, virtual machines, operating systems, databases or applications.
- Least Privilege – Limit privileges and access rights only to those required for a user’s role or function.
- Auditing and Monitoring – Track the use of SSH keys, including who used the private key and what target system was accessed with that key.
- Risk Assessment – Assess your environments, look for unnecessary relationships between systems and take steps to better segregate your environment.
- Identity and Authentication – Ensure that each user has a unique SSH key and that the SSH key cannot be shared with other users, in order to easily identify who is doing what.
By following these guidelines organizations can bring SSH key security and management into their broader security plans, getting a head start on becoming compliant, mitigating the risk of unauthorized access to critical systems and better securing their sensitive data.
Read this CyberArk white paper to find out more about what the NIST guidelines for SSH mean for your organization and how CyberArk solutions can help organizations implement these security controls.