Secure Shell is a cryptographic network protocol that provides a secure way of connecting to a device/system over an insecure network. One of the widely used applications of SSH is remote login, where SSH provides strong authentication and secure communication between the client and the server. Secure Shell was developed by SSH Communications Security Ltd., as a replacement for Telnet and other unsecured network protocols like Berkeley rlogin, rsh and rexec protocols. Unlike these protocols which transfer data over the network in plain text, SSH adopts an encryption mechanism which ensures confidentiality and integrity of data transferred, however insecure the network might be.
Though SSH promises data integrity, effective management of SSH keys is very crucial to overcome cyber security risks. In most of the organizations, SSH keys are created without any process and are left unmonitored. They remain invisible within the network, granting access to whoever finds them and what's worse, they never expire. Chances are that, they can possibly remain in wrong hands perpetually and grant access to root accounts. SSH keys are often introduced into the environment with very little awareness of how they can be misused. To avoid such security risks, SSH keys should be effectively monitored and managed - centralized creation and deletion of keys, periodic key rotation, clear association maps displaying user-key relationship are some of the techniques that might prove useful.
The following steps will give you a brief idea of what SSH key management is all about and how to implement it.
The first step towards managing SSH keys is initially discovering all the keys in your network. Most often, the SSH keys are created and distributed randomly across the network with no one to track which keys are used by whom, how often etc. So, you have to initially gain complete visibility over your SSH environment.
After discovery, all the keys need to be securely stored in a repository to which only authorized users and administrators are allowed access. This would demand administators' authorization for every key based authentication performed within your company and will definitely prove to be an additional layer of security.
The next step is carefully tracing user-key relationship. After discovering all the keys in your network, you need to know which key is associated to which user in order to get a greater visibility and also to facilitate a smoother management when there are a large number of users involved. In such cases, maps or diagrams depicting key to user relationship and vice-versa could be of great help.
Best practices recommend that the SSH keys are rotated periodically to ensure better security. This means removing the key associated with every user in the organization and replacing new keys in their place. This is a highly cumbersome process and so administrators are constantly on the look out for an effective system that can automatically rotate keys as per a periodic schedule.
Finally, all the key based actions should be recorded and audits should be available for administrators' examination. Also, instant audit reports on all actions carried out will help administrators raise alerts immediately and rectify what has gone wrong without putting the organization's security at stake.
SSH key management is incomplete without all these steps and so is your company's security. Unfortunately, for large organizations carrying out all these operations with accuracy is no cakewalk. Manually working on it will only devour all your time with no useful results obtained. The best solution for this problem is adopting a system which can perform all these tasks automatically without manual intervention.
Try Key Manager Plus, a web-based key management solution that helps you consolidate, control, manage, monitor, and audit the entire life cycle of SSH keys. It provides complete visibility into the SSH environment and helps administrators take total control of the keys to preempt breaches and compliance issues.
Go ahead, and give the trial version of Key Manager Plus a shot and write to us for any assistance to keymanagerplus-support@manageengine.com. Click here to download Key Manager Plus.