Unmanaged Secure Shell (SSH) keys can leave a door open to unauthorized access by both malicious insiders and external threats, and such keys can remain undiscovered for years, if they are found at all.
Over the past decade very little attention has been paid to the worsening situation, because the problem is technical and buried deep within systems, said Tatu Ylonen, CEO and founder of SSH Communications Security, in an interview.
Ylonen also authored the Secure Shell protocol in 1995. It is now widely used across the industry for business-critical functions, automated administrative scripts, day-to-day file transfers, server authentication and machine-to-machine (M2M) communications.
The mess has come about because most organizations have no system for tracking which keys have been created and for what purpose. This leaves an untidy accumulation of keys that continue to grant access even after the user who needed them has left the organization.
"The keys can be used for hiding backdoors; and that will create a danger. Such keys can remain undiscovered for years, and even after being discovered, it may be difficult for the organisation to determine whether the key was originally created for a business purpose or for some malicious activity--if there has been no management or control over the keys," Ylonen said.
While the problem is a ticking time bomb globally, it is potentially worse in Asia, Ylonen pointed out, because cultural barriers in the region can make it harder to communicate what is seen as a "low-level technical problem" to top-level decision makers.
Describing the extent of some cases, Ylonen said a bank was recently found to have several million keys, with 1.5 million unauthorized ones created in the last year and a half alone.
The good news is that companies have started to wake up, especially in the past six months, partly thanks to a better understanding of the security problem, said Ylonen. Discussions at conferences have raised awareness of the issue and regulators have taken the lead, he explained.
Establishing policies is the first step to better security
To remedy the SSH key management problem, organizations should start by setting up policies, said the protocol's creator. Specific steps include moving keys to protected locations, rotating keys regularly, and removing keys that no longer serve a valid purpose. Tools are available to weed out unnecessary keys in bulk by setting parameters such as inactivity over the past six months, Ylonen pointed out.
The gravity of the situation is also reflected in the new payment card industry standard, PCI 3.0, released earlier this month and taking effect on January 1, 2014. It includes more guidance on managing SSH keys, with regard to authentication and remote access to any network segment that processes or stores payment card data.
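As an added illustration (not from the article, and not SSH Communications Security's own tooling), a Python sketch of the inactivity check Ylonen describes: it fingerprints authorized_keys entries, finds each key's most recent publickey login in sshd logs, and flags entries idle for more than six months or never used at all. The key blobs and log lines are constructed; the code assumes OpenSSH's syslog line format and that the log covers a single calendar year.

```python
import base64, hashlib, re
from datetime import datetime, timedelta

# One OpenSSH sshd "Accepted publickey" syslog line; the timestamp carries no year.
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted publickey "
                    r"for \S+ from \S+ port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)")

def fingerprint(authorized_key_line):
    """SHA256 fingerprint of one authorized_keys entry, in the form sshd logs it."""
    fields = authorized_key_line.split()
    # Skip a leading options field (e.g. from="..."), assumed to contain no spaces.
    blob = fields[1] if fields[0].startswith(("ssh-", "ecdsa-", "sk-")) else fields[2]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def last_use_by_fingerprint(log_lines, year):
    """Map each fingerprint that logged in to its most recent login (logs assumed within one year)."""
    last_seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # failed or password logins, other daemons
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        last_seen[m["fp"]] = max(ts, last_seen.get(m["fp"], ts))
    return last_seen

def stale_keys(authorized_keys_lines, last_seen, now, max_idle_days=180):
    """Return (entry, last_login or None) for every key idle longer than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for entry in (l.strip() for l in authorized_keys_lines):
        if not entry or entry.startswith("#"):
            continue
        seen = last_seen.get(fingerprint(entry))
        if seen is None or seen < cutoff:
            stale.append((entry, seen))
    return stale

# Constructed sample data: the blobs are arbitrary bytes, not real keys, and the
# log lines are built from their fingerprints so both sides agree.
KEY_ACTIVE = "ssh-ed25519 " + base64.b64encode(b"active-key-blob-0001").decode() + " backup@batch"
KEY_STALE = "ssh-ed25519 " + base64.b64encode(b"stale-key-blob-00002").decode() + " leaver@old"
KEY_NEVER = 'from="10.0.0.5" ssh-rsa ' + base64.b64encode(b"never-used-blob-03").decode() + " unknown"
AUTHORIZED_KEYS = ["# keys for the batch account", KEY_ACTIVE, KEY_STALE, KEY_NEVER]
NOW = datetime(2013, 11, 20)
SAMPLE_LOG = [
    f"Nov 18 09:12:01 app1 sshd[2001]: Accepted publickey for batch from 10.0.0.9 port 51000 ssh2: ED25519 {fingerprint(KEY_ACTIVE)}",
    f"Mar  2 23:40:10 app1 sshd[1877]: Accepted publickey for batch from 10.0.0.9 port 49120 ssh2: ED25519 {fingerprint(KEY_STALE)}",
    "Nov 19 10:00:00 app1 sshd[2100]: Failed password for root from 10.0.0.7 port 4000 ssh2",
]
```

Running `stale_keys(AUTHORIZED_KEYS, last_use_by_fingerprint(SAMPLE_LOG, 2013), NOW)` flags the key last used in March and the key with no login at all, while the key used on November 18 passes; a key that is flagged but was created for a legitimate purpose is exactly the case Ylonen says an organization cannot resolve without records of why it was issued.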
"I am happy with the rules themselves. The rules are clear--the organisations need to control the access to systems," said Ylonen. This supported his view that encryption alone was not enough if there was no control over who could gain access to files or the encryption keys, he added.
However, Ylonen noted there was still scope for the guidance to be more explicit, so as to prompt auditors to ask their customers the right questions. "There are many cases where the financial institution's contact point for the PCI audit might not know to what extent they are using SSH and SSH keys. We have found that in many organizations even the head of Unix engineering does not know how much SSH-based authentication is in use, and organizations have been stunned when discovering the extent of that usage."