The Hidden Danger Threatening Your Compliance Profile
October 26, 2016
Featured article by Fouad Khalil, Director of Compliance, SSH Communications Security
It seems like a simple enough question, but it’s one that rarely has a satisfactory answer: Who is accountable for SSH-related, key-based access in your organization? Not knowing the answer leaves organizations open to potentially serious security and compliance issues. Without clear ownership and consistent policies for SSH key management, organizations make assumptions that can lead to disaster.
This article will focus on the challenge of SSH user key-based access from the perspective of compliance. It’s ultimately all about access control. All the regulations, laws and frameworks exist to ensure, at a minimum, that protected data (PII, ePHI, credit card data, etc.) has authorized access. It doesn’t matter whether that access is being requested by a machine, admin or business user. Here are the facts:
- Many organizations have no established system of oversight and control of SSH user key-based access
- No one in these organizations has taken or been assigned ownership of the access being provided or clear policies for key-based access
- They do not have visibility into SSH user key-based trusts or monitoring capabilities
- They lack processes for provisioning ownership, revocation and rotation of keys
Let’s look at a specific example of the implications of the above facts. In some 10,000 Unix/Linux hosts, lack of strong SSH key management equates to 1.5 million application keys granting access and 70,000 keys each for database administrators and system admins. There can be up to one billion authentications per year granting access. The majority of the access available via these keys is obsolete, having been assigned to employees or third parties who no longer work with or for the organization.
Obsolete access is like a tidal wave that just keeps building – and once it crests, there’s no stopping it. SSH keys are a critical component of logical, privileged and third-party access; their misuse can have repercussions across all critical frameworks. Regulatory bodies won’t be easing up any time soon – instead, they are levying seven-figure fines, incarceration and reputation-damaging publicity.
Again, let’s give this a practical, real-world application by considering HIPAA HITECH, administered by the Office for Civil Rights (OCR). It is the only government agency conducting security-related audits. Key focus areas are segregation of duties, access authorization and transmission security (encryption protocol). The healthcare industry has struggled to keep up with compliance mandates and audit activities. These “distractions” slowed their progress to compliance maturity and increased the risk of breaches and/or audit violations. The good news is that earlier in 2016 the OCR/HHS began the effort to map HIPAA specifications to the NIST Cybersecurity Framework. That’s a positive development – because how can you sign off on an attestation when you’re ignoring a huge access gap in production?
Consequences for non-compliance come in many forms; one of them is shame. The OCR regularly publishes a web page, referred to as the “wall of shame,” that lists all organizations that have had breaches affecting 500 or more individuals. There are hefty fines for non-compliance, of course. These fines are issued per violation category, per year that the violation was allowed to persist. The maximum fine per violation category, per year, is $1,500,000. In other words, if your organization knew there was an access issue but you did nothing, you’re going to pay for it – literally.
That’s just one regulatory requirement. There are many others, including SOX, whose violations carry potential fines and jail time. PCI violations pack their own punch. In addition to stiff fines, PCI can take away your payment processing privileges. This happened to a national chain, rendering the chain incapable of processing card transactions for several weeks. That’s a financially devastating outcome, one that has the potential to destroy a business.
Vital SSH Key Questions
Auditors in the financial industry conduct annual IT General Controls audits for all in-scope IT systems. They continuously assess the effectiveness of their logical access, privileged access and segregation of duties controls. Now, have they considered SSH keys? Once they learn what those keys are and what they entail, they must consider that the assumption that someone’s managing them is often wrong. This is the “dark side of compliance.” CEOs and CFOs of publicly traded financial organizations are required by law to attest to the state of their internal controls annually. Access control is a key component of these attestations, so how accurate are they if SSH key-based access (elevated in nature) is not part of the assessment?
When the seriousness of the situation is put in these terms, people realize that they must take action on SSH-related, key-based access. Then these three logical questions follow:
1. Where are your keys and how many do you have (inventory)?
2. Are the SSH keys managed as part of your provisioning or governance processes? If so, who manages them?
3. Do you know who and what connects to your production environment? Is the access authorized?
Immediate action is necessary if any of these questions cannot be clearly and quickly answered.
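The first question, the inventory, is where most organizations have to start, and it can be answered host by host from the `authorized_keys` files themselves. The Python script below is an added illustration, not code from the article or from SSH Communications Security: it parses each entry (optional options field, key type, key blob, comment), derives the SHA256 fingerprint in the same format `ssh-keygen -l` prints, and flags entries that lack a `from=` source restriction, lack a forced `command=`, carry no comment identifying an owner, or use a weak RSA modulus or the deprecated DSA algorithm. The `MIN_RSA_BITS` threshold is an assumed policy value, and the sample entries are constructed inline from placeholder key material rather than real public keys.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
MIN_RSA_BITS = 2048  # assumed policy threshold; the article sets no number

NO_SOURCE = "no from= restriction (usable from any address)"
NO_COMMAND = "no command= restriction (grants an interactive shell)"
NO_OWNER = "no comment (owner not recorded)"
WEAK_RSA = "RSA modulus below policy minimum"
DSA_KEY = "ssh-dss key (deprecated algorithm)"

# A field is a run of non-space characters, where a double-quoted string may contain spaces
_FIELD = re.compile(r'((?:[^\s"]|"[^"]*")+)\s*(.*)$')
# Options are comma-separated, but commas inside double quotes do not split
_OPTION = re.compile(r'(?:[^,"]|"[^"]*")+')


@dataclass
class AuthorizedKey:
    options: list
    key_type: str
    fingerprint: str
    comment: str
    findings: list


def _rsa_bits(blob):
    """Modulus size from an ssh-rsa blob: string 'ssh-rsa', mpint e, mpint n (RFC 4253)."""
    fields, pos = [], 0
    while pos + 4 <= len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return int.from_bytes(fields[2], "big").bit_length() if len(fields) >= 3 else 0


def parse_authorized_key(line):
    """Parse one authorized_keys entry; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _FIELD.match(line).groups()
    options = []
    if first in KEY_TYPES:
        key_type = first
    else:  # leading options field, then the key type
        options = _OPTION.findall(first)
        key_type, rest = _FIELD.match(rest).groups()
    if key_type not in KEY_TYPES:
        raise ValueError(f"unrecognised key type: {key_type!r}")
    b64, comment = _FIELD.match(rest).groups()
    blob = base64.b64decode(b64, validate=True)
    # Same format as `ssh-keygen -l`: SHA256 over the raw blob, base64 without padding
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

    findings = []
    if key_type == "ssh-rsa" and _rsa_bits(blob) < MIN_RSA_BITS:
        findings.append(WEAK_RSA)
    if key_type == "ssh-dss":
        findings.append(DSA_KEY)
    if not any(o.startswith("from=") for o in options):
        findings.append(NO_SOURCE)
    if not any(o.startswith("command=") for o in options):
        findings.append(NO_COMMAND)
    if not comment:
        findings.append(NO_OWNER)
    return AuthorizedKey(options, key_type, fingerprint, comment, findings)


def audit_authorized_keys(text):
    """Inventory every key entry in the contents of an authorized_keys file."""
    keys = [parse_authorized_key(line) for line in text.splitlines()]
    return [k for k in keys if k is not None]


# ---- constructed sample data: placeholder key material, not real public keys ----
def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

def _fake_ed25519(seed):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return base64.b64encode(blob).decode()

def _fake_rsa(bits):
    e, n = b"\x01\x00\x01", b"\x00\x80" + b"\x00" * (bits // 8 - 1)  # n has exactly `bits` bits
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not taken from any real host",
    f'from="10.20.0.0/16",command="/opt/backup/run.sh",no-pty ssh-ed25519 {_fake_ed25519(1)} backup-svc@app01',
    f"ssh-ed25519 {_fake_ed25519(2)}",
    f"ssh-rsa {_fake_rsa(1024)} jdoe@laptop",
    f'command="/usr/bin/rsync --server" ssh-ed25519 {_fake_ed25519(3)} replica@db02',
])

if __name__ == "__main__":
    for k in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(k.key_type, k.fingerprint, k.comment or "<no owner>", "; ".join(k.findings) or "ok")
```

Run against a real host, the fingerprints are what you correlate with `sshd` authentication logs to answer the third question (who and what actually connects), and the findings list is the starting point for the revocation and rotation work: an entry with no owner, no source restriction and no forced command is exactly the kind of obsolete, unaccountable access the article describes.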
It can sometimes be a long road to establish the ownership and policies that will enable you to gain control of SSH user key-based access, but it can be done. The more security controls you implement as a standard business practice, the more likely you are to be compliant out of the box. Adopt the mindset of continuous compliance. It’s not a matter of checking a box that you set up a server; you need to harden everything that goes on that server. It may seem impossible to do this company-wide, but start with critical assets and then implement in phases.
Because there are likely thousands of keys or more in need of wrangling, don’t attempt to do it manually. To create greater security and compliance, bring in experts as needed and use automation to find, revoke and rotate keys. And do it now – before an audit or a breach happens. Keep in mind this important equation:
About the author:
Fouad Khalil is the Director of Compliance at SSH Communications Security, with extensive experience in the technology space spanning more than 25 years across software development, IT support, program and project management and, most recently, IT security and compliance management. Mr. Khalil has come up the technology ladder his entire career, from network, system and database administration, software programming, system, software and GUI design, project and product development, solution implementation and much more.
For the past 17 years his focus has been on data security, security investigations, security training and awareness and, most of all, security compliance. His function was the one-stop shop for all information technology audit and compliance. Key areas of focus include: information technology, the National Institute of Standards and Technology, internal controls over financial reporting, Sarbanes-Oxley, PCI DSS, HIPAA and HITECH and Monetary Authority of Singapore compliance, to name a few. He is experienced in security training and awareness as part of corporate governance and regulatory compliance.