Page 76 - Cyber Defense eMagazine - October 2017

Below is a list of best practices recommended in the white paper to manage SSH keys and mitigate risk:

• Create usage procedures: Implement periodic access reviews, document and disseminate security policies and standards, and implement the required IT controls.

• Configuration management: Create and implement a hardening configuration, and review it periodically. Consider automated tools to manage the configuration and to apply integrity checks and monitoring to critical files.

• Ownership and accountability: Who owns SSH key management? Define roles and responsibilities.

• Deployment: Automation is critical to the success of SSH key deployments. Standardization is required, and access restrictions are key.

• Provisioning: Maintain an inventory of keys and track their usage as part of the overall provisioning of users and accounts.
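As an added example (not from the white paper or this article), the inventory and access-restriction points above in a small Python script: it parses authorized_keys entries, fingerprints each key the way OpenSSH displays them, reads the RSA modulus size, and lists keys that lack from= or command= restrictions or use a deprecated type. The sample file and the key blobs in it are constructed, not real keys.

```python
import base64
import hashlib
import re
import struct

KEY_RE = re.compile(r"(?:^|\s)(ssh-[a-z0-9]+|ecdsa-sha2-[a-z0-9]+|sk-\S+)\s+([A-Za-z0-9+/=]+)(.*)$")

def _split_strings(blob: bytes) -> list:
    """Decode SSH wire format: a sequence of 4-byte-length-prefixed strings."""
    fields, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return fields

def inspect_key(line: str):
    """Parse one authorized_keys line; return None for comments or blank lines."""
    m = KEY_RE.search(line)
    if line.lstrip().startswith("#") or not m:
        return None
    ktype, raw, comment = m.group(1), base64.b64decode(m.group(2)), m.group(3).strip()
    options = line[:m.start(1)].strip()  # everything before the key type
    fields = _split_strings(raw)         # RSA blobs decode to [type, e, n]
    bits = int.from_bytes(fields[2], "big").bit_length() if ktype == "ssh-rsa" else None
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    findings = [msg for cond, msg in [  # policy gaps worth listing in the inventory
        (ktype == "ssh-dss", "DSA key type is deprecated"),
        (bits is not None and bits < 2048, f"RSA modulus is only {bits} bits"),
        ("from=" not in options, "no from= source restriction"),
        ("command=" not in options, "no forced command")] if cond]
    return {"type": ktype, "bits": bits, "fingerprint": fp, "options": options,
            "comment": comment, "findings": findings}

def inventory(text: str) -> list:
    return [k for k in (inspect_key(l) for l in text.splitlines()) if k]
# Constructed sample file; the key blobs below are synthetic, not real keys.
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b
def _rsa_blob(bits: int) -> str:  # top bit set, so the mpint carries a 0x00 prefix
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    return base64.b64encode(_s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + n)).decode()

SAMPLE = "\n".join([
    "# constructed sample",
    f'from="10.0.0.5",command="/usr/bin/backup" ssh-rsa {_rsa_blob(3072)} backup@host',
    f"ssh-rsa {_rsa_blob(1024)} old-laptop",
    f"ssh-ed25519 {base64.b64encode(_s(b'ssh-ed25519') + _s(bytes(32))).decode()} alice",
])
```

Calling `inventory(SAMPLE)` returns one record per key; in practice the same function is run over every authorized_keys file collected from the fleet, and the fingerprints become the inventory that usage tracking and access reviews are keyed on.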


               Removing Risk


Given the pervasiveness and type of access granted by SSH, all audit professionals need to consider ISACA's warning: "Attesting to the state of access compliance is potentially incomplete without incorporating SSH keys. Ramifications of poorly managed SSH key environments may lead to audit infractions and possibly a security breach." By applying the best practices listed above, organizations can take control of their SSH key management and avoid these unnecessary risks.




               About the Author

Fouad Khalil has extensive experience in the technology space, with more than 25 years spanning disciplines in software development, IT support, program and project management, and most recently IT security and compliance management. Key areas of focus include information technology, internal controls over financial reporting, Sarbanes-Oxley, PCI DSS, and HIPAA/HITECH compliance. He is experienced in security training and awareness as part of corporate governance and regulatory compliance. ISACA member and CISA certified.


Copyright © Cyber Defense Magazine, All rights reserved worldwide.