The Secure Shell protocol gets extremely wide use within enterprise organizations, but it's not without its administrative headaches. For one thing, the key pairs on which the protocol's authentication rests, for users, hosts and automated processes alike, have proliferated in recent years, to the point where large organizations often have millions of keys in circulation. Because tracking them is a mounting concern, SSH Communications Security will release a free tool, SSH Risk Assessor, next week. Made available in conjunction with the Infosecurity Europe event in London, the tool gives administrators a report on the risk and compliance exposures in their Secure Shell environments.
Tatu Ylönen, CEO and founder of SSH Communications Security, said in a phone interview that it's precisely because SSH "is used very widely in the data center and at all levels of machine-to-machine communication" that keys are proliferating wildly. Traditionally, one might have imagined one account using one key -- "that's what I always thought!" Ylönen said -- but administrators often find it quicker to issue a new key than to keep, track and control existing ones.
Ylönen said he is aware of a large financial institution that employs 200 administrators, "and they estimated that they spend 10% of their time on administration of SSH keys. Places like this can save millions of dollars a year by reducing the time they spend on this."
To use the SSH Risk Assessor (SRA) tool, organizations run a data collection script on each host. A second component aggregates and analyzes the collected results and reports vulnerabilities in the environment, basic statistics on the SSH keys deployed, and specific violations of current best practices. Ylönen is one of three co-authors of a draft Internet Engineering Task Force (IETF) document on recommended practice for managing SSH keys.
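The collect-then-analyze flow described above, as an added illustration that is not SRA's code or anything published by SSH Communications Security: a toy analyzer that takes per-host authorized_keys contents (constructed inline here, with structurally valid but fake key blobs), parses each entry, and reports the kind of statistics and best-practice violations an auditor would want flagged, such as RSA keys below a size threshold, keys with no source or forced-command restriction, and one key authorized on many hosts. The thresholds, issue names, hostnames and sample entries are all assumptions made for the example.

```python
"""Toy SSH key inventory assessment (added illustration, not the SRA tool's code)."""
import base64
import hashlib
import struct
from collections import Counter, defaultdict

MIN_RSA_BITS = 2048        # assumed policy threshold
SHARED_HOST_THRESHOLD = 3  # assumed: a key authorized on this many hosts is flagged
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_key_blob(b64: str) -> dict:
    """Key type, OpenSSH-style SHA256 fingerprint and, for ssh-rsa, modulus bits."""
    blob = base64.b64decode(b64)
    ktype, off = _read_string(blob, 0)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": ktype.decode(), "fingerprint": "SHA256:" + digest}
    if ktype == b"ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent (mpint), unused here
        n, _ = _read_string(blob, off)      # modulus (mpint)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info

def _split_unquoted(s: str, is_sep) -> list:
    """Split s where is_sep(ch) holds outside double quotes (no escape handling)."""
    out, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if is_sep(ch) and not quoted:
            if cur:
                out.append("".join(cur))
                cur = []
            continue
        cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out

def _parse_options(opts: str) -> dict:
    out = {}
    for tok in _split_unquoted(opts, ",".__eq__):   # from="a,b" stays one token
        name, _, val = tok.partition("=")
        out[name] = val.strip('"') if val else True
    return out

def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line: [options] keytype base64 [comment]."""
    fields = _split_unquoted(line.strip(), str.isspace)  # command="ls -l" stays one field
    options = {}
    if not fields[0].startswith(KEY_TYPE_PREFIXES):
        options = _parse_options(fields.pop(0))
    if len(fields) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    info = parse_key_blob(fields[1])
    info.update(options=options, comment=" ".join(fields[2:]))
    return info

def assess(inventory: dict) -> dict:
    """inventory: hostname -> authorized_keys lines collected from that host."""
    findings, hosts_by_fp, by_type = [], defaultdict(set), Counter()
    for host, lines in inventory.items():
        for line in lines:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            k = parse_authorized_key(line)
            by_type[k["type"]] += 1
            hosts_by_fp[k["fingerprint"]].add(host)
            if k["type"] == "ssh-rsa" and k["bits"] < MIN_RSA_BITS:
                findings.append((host, k["fingerprint"], "weak_rsa"))
            if "from" not in k["options"]:
                findings.append((host, k["fingerprint"], "no_source_restriction"))
            if "command" not in k["options"]:
                findings.append((host, k["fingerprint"], "no_forced_command"))
    for fp, hosts in hosts_by_fp.items():      # same key trusted across many hosts
        if len(hosts) >= SHARED_HOST_THRESHOLD:
            findings.append(("*", fp, f"authorized_on_{len(hosts)}_hosts"))
    return {"keys": sum(by_type.values()), "unique_keys": len(hosts_by_fp),
            "by_type": dict(by_type), "findings": findings}

# Constructed sample data: structurally valid blobs, not real keys.
def fake_rsa_key(bits: int) -> str:
    n = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    n = b"\x00" + n if n[0] & 0x80 else n   # mpint must stay positive
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def fake_ed25519_key(seed: int) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

SAMPLE_INVENTORY = {
    "web01": ["# backup automation",
              'from="10.0.0.5",command="/usr/local/bin/backup" ' + fake_rsa_key(2048) + " backup@bastion",
              fake_ed25519_key(1) + " alice@laptop"],
    "web02": [fake_ed25519_key(1) + " alice@laptop", fake_rsa_key(1024) + " legacy-deploy"],
    "db01": [fake_ed25519_key(1) + " alice@laptop",
             'command="ls -l" ' + fake_rsa_key(1024) + " legacy-deploy"],
}
```

Calling `assess(SAMPLE_INVENTORY)` on the constructed inventory reports six authorized entries backed by three distinct keys, flags both copies of the 1024-bit RSA key, flags every entry that lacks a `from=` or `command=` restriction, and flags alice's key as authorized on three hosts. The fingerprint is computed the way `ssh-keygen -lf` prints it (SHA256 of the raw blob, base64 without padding), which is what lets entries collected from different hosts be matched to one key. In a real deployment the collection script would also gather host keys, `~/.ssh` private keys and sshd configuration, and the analyzer would correlate which accounts a key can reach rather than only where it is authorized.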
Ylönen said, "SRA provides an easy way for enterprises and government agencies to determine if there are risk and compliance issues with respect to who has access to what information in their SSH environment. With compliance authorities preparing to create specific requirements regarding access controls in SSH environments, SRA is a critical tool that will help auditors and security teams scope the size of the issue and create awareness with IT executives."