Page 74 - Cyber Defense eMagazine - October 2017

Closing the Access Gap

               By Fouad Khalil, vice president of compliance, SSH Communications Security


               Security, audit, risk and compliance professionals caught up in day-to-day,
               business-as-usual events struggle to maintain control and oversight of their
               entire network environment. These professionals understand the serious need for
               effective risk management, control and governance processes in their
               organizations. As additional layers are added to this environment, ongoing
               compliance becomes even more challenging.

               However, there is an ongoing hidden challenge to network security and compliance that
               creates a huge access gap – and it has been residing within the environment for over
               20 years. It is the Secure Shell (SSH) protocol, a tool that grants privileged access
               to all types of production environments.

               Hindering Compliance


               Lack of awareness at the management level propagates the problem. Network,
               system and database administrators are aware of SSH key access because it is
               what lets them do their jobs. Unfortunately, it is elevated access that is not
               being managed or governed and that management has no visibility into.

               So, when organizations attest to compliance, stating that they have effective access
               controls and that access to production is authorized at all times, they are totally
               missing the boat when it comes to attesting to SSH key access.

               If you look at your critical applications and the way you grant access to vendors and
               administrators, the privileged access going into production with SSH keys is not being
               controlled by any means of logging, auditing or review.

               The point of privileged access is to obtain approval to elevate your access to do a
               certain function, to audit and check your work, and then sever the session and review it
               after the fact. Unfortunately, those steps and the control of privileged access fail when
               you don’t have true governance over SSH keys.

               Awareness of this unknown access gap has been on the rise primarily through
               practitioner guidance and industry events discussing the protocol and, unfortunately, by
               means of large security breaches (such as the SONY breach) stemming from poorly
               managed SSH key environments.







