3 challenges in user key management

Singapore, as an international city and the regional business and financial hub of Asia Pacific, has been inextricably in line with international standards of excellence.

While the adoption of the PCI-DSS and Sarbanes-Oxley Act (SOX) SOX standards began among North American organizations, multinational companies with global presence are adopting the standards and compliance efforts centred on them are increasing. For example, companies that need to be compliant with PCI-DSS also require their partners that exchange and co-process credit card data, to maintain the compliance.

Early before the development of the compliance requirements, global enterprises have adopted Secure Shell (SSH), a network protocol invented in 1995 for securing data communication. Today over 3000 global organisations use the SSH data-in-transit solution for moving information, including 7 of the Fortune 10 and trends have shown that there is an increase of SSH usage in the financial industry to meet compliance in recent years.

For these enterprises, the most critical enterprise data and applications are often transported and housed on SSH and OpenSSH servers. In order to access the data, user authentication is required. However, in today’s complex enterprise environments, it is nearly impossible to map the trust relationships between individual users, system accounts and application ID’s to their respective targeted destination SSH servers.

Enterprises typically have one or more IMS (Identity Management System) for their users, which usually does not encompass access to all systems and accounts across the enterprise and provides no visibility into user keys keys that provide access to the organizations most sensitive information.

Traditional manual approaches to managing user keys are not only time consuming and expensive; but also easily trigger manual errors in key setups. This not only poses a major security and compliance risk, but has also proven to be cost ineffective.

Challenges in managing keys

1. Compliance
Today the compliance standards are higher and even more specific on user key management. For instance, PCI DSS requires enterprises to “Protect encryption keys issued for encryption of cardholder data against disclosure and misuse.” and “Fully document and implement all key management processes and procedures”.

In addition, the ISO 27001-1 also specifies requirements for key management. Organizations need to expend more effort to comply with the more stringent requirements.

2. High cost
Setting up new keys and trust-relationships in traditionally manual way is complex. It is even more complex to rotate and remove the keys. The more dynamic the environments are, the more key operations are required. The widespread cloud and grid computing adoption has increased the burden of IT departments of many of institutions.

3. Growing risk
According to the IBM X-Force 2011 Trend and Risk Report, there were a large number of automated password guessing attempts directed at secure shell servers in the latter half of 2011.

In addition, the top 10 threat actions types by number of breaches within larger organizations, “Use of stolen login credentials” ranked no. 1, according to 2012 Data Breach Investigations Report by Verizon. The present situation calls for enterprises to seek ways to eliminate complex manual work, reduce risk of unauthorized access, improve visibility and meet compliance.

A logical three phased approach of user keys management The best practice of user keys management to overcome these challenges should include three phrases: discovery, monitoring and management.

First, the legacy environment of existing deployed private and public SSH keys and their associated users are discovered and manual errors and mismanagement in the past are then identified.

Thereafter, this environment is locked down and monitored, and the authorized users are linked to the respective servers via user and group information, as well as the defined access policies.

Finally, the environment is brought under automatic management, and user keys are automatically deployed, revoked, recertified and rotated according to changes in the operational environment and user repositories.