Specialized IT Services focused on Data Management | Speak with Us 877-634-9222
New NIST Best Practices for Managing SSH
Security breaches are a top-of-mind concern throughout enterprises, which is why adopting best practices for technology use and implementations is increasingly important.
To this end, the US National Institute of Standards and Technology issued a draft of its best practices recommendations for Secure Shell or SSH, a cryptographic network protocol used to secure services between two networked computers. Most often, these communications are between systems or accounts with high privilege levels, such as connections made between a database application and an Oracle account.
may use SSH for various automated processes such as file transfers, backups, patch management, and database updates. Managing the secure shell keys properly is also a factor for many companies and organizations required to comply with various data management regulations such as the Sarbanes-Oxley Act of 2002, which dictates how publically-held companies store electronic records.
The problem is not trivial. As Network World’s Ellen Messmer explains:
SSH Key Security
In addition to network vulnerabilities created by improper SSH implementations, mismanaged and stolen keys can create unacceptable security risks. One problem occurs when keys are not properly or rigorously audited. This gives unscrupulous, unauthorized users the opportunity to create backdoors that enable the network to be breached, often repeatedly, without detection.
Tatu Ylönen, lead author of the report as well as the creator of the protocol, told Security Week:
SSH Password Authentication
Among those recommendations are several suggestions on how to implement password authentication. SSH has two different types of password authentication mechanisms: basic password authentication and keyboard-interactive authentication. The guidance states that passwords used for automated access should be rotated frequently to prevent security breaches and advises against using host-based authentication for automated access.
Jonathan Lewis, director of product marketing for SSH Communications Security,whose chief executive officer created the protocol, observed:
SSH Key Management
One problem is that once SSH is deployed the system is neglected or forgotten. Key management is critical. Karen Scarfone, another of the protocol authors, told BankInfo Security that organizations have to institute best practices for securing and tracking keys before they are issued.
It’s a lot harder to secure SSH keys after you’ve already got deployments out there. Unfortunately, we’ve heard of organizations that now have hundreds of thousands of SSH keys — and now we’re asking them now to go audit and review these hundreds of thousands of keys.
The draft document—Security of Automated Access Management Using Secure Shell — is available for download. No timeline for finalization has been provided.
Image by maxkabakov/123RF.