NIST Guidelines for Secure Shell and What They Mean for Your Organization

Transcription

1 NIST Guidelines for Secure Shell and What They Mean for Your Organization

2 Table of Contents Introduction 3 SSH: A refresher 3 A secure yet vulnerable control 3 A widespread risk throughout the enterprise 3 Security controls help to reduce risk 4 NIST Control Area: Account Management 4 NIST Control Area: Access Enforcement 5 NIST Control Area: Least Privilege 5 NIST Control Area: Auditing and Monitoring 6 NIST Control Area: Risk Assessment 7 NIST Control Area: Identity and Authentication 7 Bringing a new level of security to the enterprise 8 About CyberArk 9 About NISTIR Cyber-Ark Software Ltd. cyberark.com 2

3 Introduction As part of an ongoing effort to help organizations strengthen security, the National Institute of Standards and Technology (NIST) recently issued an internal report on the use of Secure Shell (SSH) in interactive and automated access management. This report is intended to help organizations better understand SSH, and it offers a series of recommendations regarding SSH key management, access control, session monitoring, auditing and more to help organizations better secure remote access that is established using SSH. SSH: A refresher SSH is a protocol used to enable secure access to remote systems. SSH relies on a pair of cryptographic keys to authenticate users and applications to root, administrative and other system accounts. Thanks to its ease of use and reliability, SSH has become frequently used by system administrators to access privileged accounts on remote machines, and it is commonly used in automated IT processes to secure application-to-application communications, such as file transfers and automated backups. A secure yet vulnerable control While the SSH protocol itself provides a secure communications channel, unmanaged SSH keys can introduce several vulnerabilities into an otherwise secure system. The greatest challenge associated with the SSH protocol is that there is no inherent way to see or manage the keys used for authentication. As a result, SSH keys can easily be created and distributed, but they are difficult to track and control. Worse, due to this inherent lack of control, SSH keys can be intentionally created and used to circumvent privileged account management solutions. To compound this risk, the keys, which are completely out of the view and control of IT, never expire. Consequently, SSH keys can provide backdoor access for authorized and unauthorized users to critical systems, and IT security teams may never know. A widespread risk throughout the enterprise In a typical enterprise environment, there could be hundreds or even thousands of unsecured, unmanaged SSH keys used to authenticate to privileged administrative and root accounts. However, unlike privileged passwords, these keys are not typically part of any IT security plan. There is no way to monitor who has access to what, or even where the keys exist across an organization. As a result, basic security measures, such as the termination of unused accounts or the automatic rotation of account credentials, are not typically applied to SSH keys. Therefore, unhappy employees or malicious attackers can exploit these unsecured privileged credentials to gain widespread access to a multitude of systems and the sensitive data on these systems without ever being detected. According to a recent report by the Ponemon Institute, the majority of organizations today are neither securing nor managing SSH keys. Worse, as a result, fifty-one percent of organizations surveyed in the report have already experienced an SSH key-related compromise. 1 1 Ponemon 2014 SSH Security Vulnerability Report. Ponemon Institute. Cyber-Ark Software Ltd. cyberark.com 3

4 Security controls help to reduce risk As noted in the NIST recommendations for SSH, the effective management of SSH-based access requires proper provisioning, termination and monitoring processes. In its report, NIST has provided very specific guidelines on security controls for SSHbased access management. Some of the key areas that require controls include: Account management Access enforcement Least privilege Risk assessment Identification and authentication Auditing and monitoring Through its recommendations, NIST has begun encouraging organizations to start treating SSH keys like the privileged credentials they truly are. These proposed controls recognize the sensitivity of SSH keys and compel organizations to better secure and manage these keys. By following the NIST recommendations, organizations can get a head start on becoming compliant, mitigate the risk of unauthorized access to critical systems and better secure their sensitive data. The sections below look at each of the above categories and highlight how CyberArk solutions can help organizations implement these security controls. NIST Control Area: Account Management AC-2 CONTROLS #D, #G, #J, #K CyberArk SSH Key Manager CyberArk Discovery and Audit To prevent unauthorized users from accessing sensitive or regulated information, NIST recommends that organizations proactively secure, manage and monitor the use of SSH keys that provide access to privileged accounts. Recommendations related to account management include: Ensure that users only have access to the SSH keys needed for their role. Track the usage of keys to gain an audit trail of who accessed what and when. Rotate shared SSH keys as soon as a user leaves the authorized group. Continuously ensure that SSH keys are compliant with organizational policy. With CyberArk solutions, organizations can set policies to grant users access to SSH keys based on their existing role and access rights. Security teams can then track and audit the usage of the SSH keys to see exactly who accessed what and when. To ensure that these credentials do not remain static, policies can be configured to rotate SSH key pairs according to a master schedule or when needed, on-demand. The CyberArk Discovery and Audit tool, which finds and locates SSH keys across the IT environment, can be run to locate SSH keys and easily pinpoint which keys are compliant with organizational policy and which require attention. Cyber-Ark Software Ltd. cyberark.com 4

5 NIST Control Area: Access Enforcement AC-3, AC-3 CONTROL ENHANCEMENT #3, AC-17 CyberArk SSH Key Manager CyberArk Application Identity Manager A critical security measure is the control of access to enterprise systems, whether they are servers, virtual machines, operating systems, databases or applications. Any compromise at any level could result in serious consequences. As a result, the NIST recommended best practices in this area include: Create and enforce approval policies for SSH key-based access. Prevent users from propagating access rights by installing new private keys. Lock down authorized keys files so that users are unable to install their public keys on unauthorized target systems. CyberArk SSH Key Manager allows security personnel to grant access to SSH keys based on role. Organizations can define which credentials each user or user group is permitted to view or access. Organizations are then able to protect access to these credentials, as well as hide all unauthorized credentials from a user s view. Automated workflows can be configured to allow users to request one-time access to SSH keys with elevated privileges as needed for specific business reasons. Additionally, CyberArk Application Identity Manager enables organizations to remove locally stored SSH keys from applications and application servers and instead store them securely in a digital vault, thus preventing unauthorized users from compromising these keys and using them to propagate access across the environment. When used together, CyberArk SSH Key Manager and CyberArk Application Identity Manager can significantly reduce the risk of unauthorized access to private SSH keys. By securely storing private user and application SSH keys, organizations can control access to these keys, strengthen their security posture and become compliant with NIST recommendations. NIST Control Area: Least Privilege AC-6, AC-6 CONTROL ENHANCEMENTS #2, #3, #4, #5, #7, #10 CyberArk Discovery and Audit CyberArk SSH Key Manager CyberArk On-Demand Privileges Manager Privileged accounts are at the heart of most data breaches, so it s important to control SSH keys based on what type of access each user is granted. Privileges and access rights should be limited to only those required for a user s role or function to provide the highest degree of security. Therefore, in this area, NIST recommends the following: Continuously monitor the SSH key inventory and trust relationships between keys. Restrict what commands may be run with each SSH key. Only grant privileged SSH access if a task cannot be done using a non-privileged account. Prevent unauthorized users from accessing private keys that grant access to privileged accounts. Cyber-Ark Software Ltd. cyberark.com 5

6 Remove private SSH keys from local machines and frequently rotate key pairs. Lockdown the authorized keys files to prevent users from adding their own public keys without approval. CyberArk Discovery and Audit enables organizations to inventory SSH keys, trust relationships and orphan keys; for maximum effectiveness, the tool can be run at regular intervals to monitor the key inventory over time. Once discovered, the keys can be removed from local machines and centrally stored in the digital vault. SSH Key Manager enables organizations to restrict privileges at the key level and granularly control who has access to what keys, thus enforcing least privilege. Automated key rotation and distribution helps organizations streamline security processes, comply with requirements and improve their security postures, all without burdening the IT team. Additionally, CyberArk On-Demand Privileges Manager enables organizations to limit privileges at the individual account level while still allowing users to escalate privileges for specified business purposes in accordance with policy. NIST Control Area: Auditing and Monitoring AU-3 CONTROL ENHANCEMENT #1, CA-7, CM-5, SI-4 CyberArk SSH Key Manager CyberArk Discovery and Audit CyberArk Privileged Session Manager Continuous auditing of privileged account access helps organizations ensure that the processes for provisioning, lifecycle management and key termination are being followed and enforced. Similarly, ongoing monitoring of privileged user activity helps organizations detect unauthorized activities, commands or changes to critical systems. To effectively monitor and audit the use of both SSH keys and SSH session activity, NIST recommends that organizations: Track the use of SSH keys, including who used the private key and what target system was accessed with that key. Regularly analyze SSH-based access and trusts to detect unauthorized keys. Proactively prevent systems administrators from modifying SSH keys and files. Monitor user activity to detect unauthorized changes to SSH keys or SSH configuration files. CyberArk Discovery and Audit enables organizations to locate SSH keys throughout the environment and clearly understand trust relationships between systems. Using this tool, organizations can identify unauthorized SSH keys and trusts and take steps to remediate unauthorized keys. CyberArk SSH Key Manager works with CyberArk Privileged Session Manager to track the use of SSH keys and monitor user activity during SSH sessions. With these tools for monitoring and auditing, organizations can detect unauthorized SSH access, unauthorized changes to SSH key files and other unauthorized configuration changes. Combined, CyberArk technology provides visibility into the SSH key inventory, a complete audit trail of SSH access and searchable session audit logs that can accelerate forensics investigations. Cyber-Ark Software Ltd. cyberark.com 6

7 NIST Control Area: Risk Assessment CA-3, RA-3 CyberArk Discovery and Audit Security and risk assessments help organizations identify vulnerabilities and weaknesses that employees or attackers could exploit. Environments that use SSH keys for authentication often have several linked systems that can all subsequently be compromised if an attacker were to compromise a single private key. To address this vulnerability, organizations should assess their environments, look for unnecessary relationships between systems, and take steps to better segregate their environment and reduce the risk an SSH key compromise. To effectively understand an SSH environment and make a plan to mitigate risks, NIST recommends: Assess the entire IT environment to locate all SSH keys. Understand trust relationships between systems, and map how lateral movement could occur using compromised SSH keys. Determine which users, systems or applications have access to which keys. Make an actionable plan to remove unnecessary keys from users and systems. CyberArk Discovery and Audit enables organizations to locate privileged accounts and SSH keys throughout the IT environment, gain insight into trust relationships between users and systems, and map which systems can be exploited by attackers to move laterally through the organization. Using this information, organizations can fully understand their privileged account vulnerabilities and create a clear plan to remediate risks and remove unnecessary access. NIST Control Area: Identity and Authentication CyberArk SSH Key Manager IA-2, IA-5, IA-5 CONTROL ENHANCEMENT #7, IA-8, PS-4 CyberArk Application Identity Manager CyberArk Enterprise Password Vault To easily identify who is doing what, it s important to ensure that each user has a unique SSH key and that the SSH key cannot be shared with other users. In situations when it is not possible to distribute individual keys, organizations must limit which users have access to shared keys, control access to those keys, and monitor who is accessing the keys. Organizations must also be sure to rotate shared key pairs as soon as a user within an authorized user group leaves. Regardless of whether key pairs are used by individuals or shared within groups, it is important that organizations do not rely on static SSH keys for authentication. Instead, organizations should proactively rotate all key pairs to limit the risk of unauthorized access using SSH keys. Further, to ensure that organizations are cognizant of all the credentials used within their environments, NIST also highlights the importance of finding and removing hard-coded passwords used within applications and scripts, as these credentials can easily be accessed and used to propagate unauthorized access. Cyber-Ark Software Ltd. cyberark.com 7

8 To support the above goals, NIST recommends the following: Assign SSH keys on an individual user or system basis, and enforce policies that prohibit the sharing, copying, or moving of private keys. Ensure that shared SSH key pairs are rotated as soon as a user leaves the group. Proactively rotate all key pairs on a regular basis to eliminate static keys. Prohibit automated access that relies on hard-coded passwords. CyberArk SSH Key Manager can tie both shared and non-shared SSH keys to individual user identities, allowing for the controlled management of private key information within the context of a corporate identity policy. It is designed to securely store, rotate, and control access to SSH keys to prevent unauthorized access to privileged accounts. In addition, it can limit the lifetime of a key by automatically managing key rotation. This solution also integrates with Active Directory and other identity and access management solutions to ensure that keys are appropriately decommissioned in the event of an employee s termination. On the hard-coded credential side, CyberArk Application Identity Manager can remove embedded passwords and locally stored SSH keys that are used to facilitate automated application processes and securely store these privileged credentials in a digital vault. Using CyberArk Enterprise Password Vault or SSH Key Manager, organizations can secure, manage and rotate these credentials from a single platform in accordance with organizational policy. Bringing a new level of security to the enterprise By following the carefully detailed NIST guidelines and using CyberArk solutions, companies can now bring SSH key security and management into their broader enterprise security plans. With these measures in place, no longer will unprotected SSH keys pose an underlying threat to critical systems and data. With CyberArk solutions, companies can discover and identify the thousands of SSH keys within their organizations, and then proactively secure, manage and control access to them. Monitoring and auditing, along with continual assessments, help to identify new vulnerabilities as they develop and ensure ongoing security. Using CyberArk solutions, organizations can build a comprehensive privileged account security strategy that equally secures, manages, and monitors privileged passwords and SSH keys all from a single, unified platform. By using an integrated platform to secure all privileged accounts and credentials, organizations can address compliance requirements and strengthen their security postures while streamlining IT security process. Cyber-Ark Software Ltd. cyberark.com 8

9 About CyberArk CyberArk is the trusted expert in privileged account security because of its track record of innovation and security expertise. CyberArk s Privileged Account Security solutions have been organically developed from the ground up, designed to meet the needs of even the largest, most complex organizations. CyberArk provides a comprehensive, tightly integrated, end-to-end solution that protects all privileged accounts, whether they are on-premises or in the cloud. In addition, the entire CyberArk suite of products is built on a single integrated platform, providing organizations with a high degree of flexibility, scalability, and usability. Companies can deploy a single infrastructure and expand the solution cost effectively as budgeting and funds allow. With CyberArk solutions, organizations can secure, manage, monitor and control access to all their privileged credentials, including both passwords and SSH keys, as well as gain the reporting capabilities necessary to prove compliance with audit requirements. CyberArk solutions enable organizations to strengthen their security postures while confidently addressing NIST guidelines for secure automated access. To learn more about CyberArk, visit About NISTIR 7966 To read the brief and recommendations in full, download NISTIR 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH) directly from the NIST website at Cyber-Ark Software Ltd. cyberark.com 9

10 All rights reserved. This document contains information and ideas, which are proprietary to Cyber-Ark Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of Cyber-Ark Software Ltd. Copyright by Cyber-Ark Software Ltd. All rights reserved.