Zack Zando, IAM Consultant, SecureITsource, Inc.
Have you ever wondered what DJ Khaled is talking about when he says “I got them keys, keys, keys”? No doubt, he must be talking about “them” SSH keys. I’m not going to explain SSH keys or how they work, so if that’s all you’re after, let me google that for you. You might think that asymmetric key pairs are more secure than passwords, and technically you would be right if you’re purely talking about password guessing or password cracking. In fact, AWS EC2 instances require SSH key pairs by default instead of passwords.
At a high level, an SSH key is a cryptographic key used for authentication. The pair consists of two parts – the private key and the public key. Using the private key, you can authenticate to various hosts over SSH without the need for a password, as long as the public key exists on the endpoint. The public key is stored on the server, while the private key is usually stored on someone’s desktop. We all know that desktops are incredibly secure because they’re not internet-facing, receive virus updates all the time, and are not susceptible to malware. Unfortunately, none of that is true, at least in the real world!
The inherent problem with key pairs is that the private key is typically sitting on disk. A stolen laptop or an infected PC can turn into an account compromise, and that private key could have access to dozens, hundreds, or thousands of endpoints within the environment.
Just to add to the list of features, any user can typically provision a key pair, and the keys never expire. A user who has temporary access to service accounts could, and often will, create key pairs to retain access to those accounts at any time. Then, in the off chance that the rest of the team needs access, they could send co-workers the private keys. There are now backdoors floating all over the network. A user may transfer to another department, taking their laptop with them and maintaining access to privileged accounts via SSH keys.
So what can we do about SSH Keys in an organization? First, you should embrace them, and realize that SSH keys are necessary for administrative functions and application access. However, securing and managing these precious keys should be a part of your long-term IAM and PAM strategy.
As a starting point, private keys can be stored in CyberArk’s Secure Digital Vault. Standard features of the CyberArk digital vault include reporting, auditing, version control, approval, and multi-factor authentication. This is a good starting point, but access control is still a problem when users decide to retrieve the keys from the vault and inevitably store them on their desktops.
As a more active approach, CyberArk’s SSH Key Manager can help by giving you complete SSH key lifecycle management, from detecting keys in your organization to removing SSH keys used by applications or scripts, and everything in between. The SSH Key Manager can generate a new random SSH key pair, storing the public key on target machines and the new private key within the Secure Digital Vault. The best part is, all of this can be done with no human intervention, dramatically increasing security while reducing administrative overhead.
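The risks described earlier (one private key that opens dozens of hosts, keys copied between co-workers, keys that never expire) and the “detecting keys in your organization” step that the key manager automates can both be approximated with a simple inventory of authorized_keys files. The script below is an added example written for this post, not CyberArk’s or SecureITsource’s code. It assumes the authorized_keys contents have already been collected from each account (the sample inventory is constructed, with placeholder key bytes rather than real keys) and that the vault can export the fingerprints of the keys it manages; it then flags keys shared across accounts, keys with no restricting options, and keys the vault does not know about.

```python
"""Inventory SSH public keys across accounts and flag the risks discussed in the post.
Added example; assumes authorized_keys text has been collected per account."""
import base64
import hashlib
import re
import struct
from collections import defaultdict

# authorized_keys options that narrow what a key can do; a key with none of them
# is unrestricted (expiry-time is only honoured by recent OpenSSH releases).
RESTRICTING_OPTIONS = {"from", "command", "restrict", "principals", "expiry-time"}

KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l` (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(options):
    """Return the set of option names in an options field, ignoring commas inside quotes."""
    parts, cur, quoted = [], "", False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return {p.split("=", 1)[0].strip().lower() for p in parts if p.strip()}


def parse_authorized_key(line):
    """Parse one authorized_keys line into (option names, key type, raw blob, comment).
    Returns None for blank and comment lines; raises ValueError for malformed ones."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        raise ValueError("no recognisable key on line")
    key_type, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("key data is not valid base64") from exc
    # A real key blob starts with its own type string, as ssh-keygen writes it.
    if blob[: 4 + len(key_type)] != ssh_string(key_type.encode()):
        raise ValueError("key data does not match declared type")
    options = split_options(line[: m.start()]) if m.start() > 0 else set()
    return options, key_type, blob, comment.strip()


def audit_authorized_keys(inventory, managed_fingerprints):
    """inventory maps "user@host" to that account's authorized_keys text;
    managed_fingerprints is the set of fingerprints the vault manages (assumed
    to be exported from the key manager). Returns (keys, findings): keys maps
    fingerprint -> list of accounts, findings is a list of (kind, detail) tuples."""
    keys = defaultdict(list)
    findings = []
    for account, text in inventory.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            try:
                parsed = parse_authorized_key(line)
            except ValueError as exc:
                findings.append(("malformed", f"{account}:{lineno}: {exc}"))
                continue
            if parsed is None:
                continue
            options, key_type, blob, comment = parsed
            fp = fingerprint(blob)
            keys[fp].append(account)
            label = f"{fp} ({key_type}, '{comment}') in {account}"
            if not options & RESTRICTING_OPTIONS:
                findings.append(("unrestricted", label))
            if fp not in managed_fingerprints:
                findings.append(("unmanaged", label))
    # The same public key in several accounts usually means a copied private key.
    for fp, accounts in keys.items():
        if len(accounts) > 1:
            findings.append(("shared", f"{fp} authorises {len(accounts)} accounts: {', '.join(accounts)}"))
    return dict(keys), findings


# Constructed sample keys: the key material is placeholder bytes, not real keys.
KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
KEY_C = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xab" * 256)


def pub(blob, key_type, comment, options=""):
    """Render a constructed key as an authorized_keys line."""
    prefix = options + " " if options else ""
    return f"{prefix}{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed inventory: KEY_A has been copied around, KEY_B is locked down and
# vault-managed, KEY_C is vault-managed but unrestricted, and one line is broken.
SAMPLE_INVENTORY = {
    "root@db01": pub(KEY_A, "ssh-ed25519", "zack-laptop"),
    "root@web01": "\n".join([
        pub(KEY_A, "ssh-ed25519", "zack-laptop"),
        pub(KEY_B, "ssh-ed25519", "backup-job", 'from="10.0.0.0/8",no-pty'),
    ]),
    "deploy@web01": "\n".join([
        "# deploy keys",
        pub(KEY_A, "ssh-ed25519", "zack-laptop"),
        pub(KEY_C, "ssh-rsa", "ci-runner"),
        "ssh-ed25519 not-base64!!! broken",
    ]),
}
MANAGED = {fingerprint(KEY_B), fingerprint(KEY_C)}  # assumed export from the vault

if __name__ == "__main__":
    _, report = audit_authorized_keys(SAMPLE_INVENTORY, MANAGED)
    for kind, detail in report:
        print(f"[{kind}] {detail}")
```

Run against the constructed inventory, the audit reports KEY_A as shared by three accounts, unrestricted and unmanaged everywhere it appears, KEY_C as unrestricted, and the broken line as malformed; KEY_B produces nothing because it is both vault-managed and limited by `from=`. Feeding it real authorized_keys files is a cheap first pass at the key discovery a key manager does continuously.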
A favorite of UNIX sysadmins within the CyberArk product suite – CyberArk’s Privileged Session Manager Proxy (PSMP) allows users to launch their native SSH client to connect to endpoints without ever logging on to a web interface. Multi-factor authentication can be used to authenticate the user to the vault, allowing connection to the endpoint as if the private key were stored on the user’s desktop. Convenience is now restored to the user, while allowing centralized keystroke logging and video recording of the sessions.
The solution sounds simple, and it is, when deployed properly. Security is achieved, and users and admins can conveniently access what they need without disruption or operational inefficiencies. While the software is great, the deployment is key (no pun intended) to reaching the long-term goal.
SecureITsource is an authorized reseller and professional services partner of the industry’s leading Identity & Access Management solution providers. Our team of experienced consultants helps our clients achieve their IAM goals by providing strategy, design, and engineering expertise.
Visit our website at www.secureitsource.com