Search This Blog
Showing posts with label private key. Show all posts
Showing posts with label private key. Show all posts

Wednesday, 22 October 2014

CyberArk positioned to lead Industry in SSH key management practice

CyberArk, best known for it's Privileged Password Vault, and recent IPO success story has just announced a new product set.  At the 2014 CyberArk Customer Event held in Boston this week, they announced their new SSH key manager. (October 21st 2014)



"The CyberArk SSH Key Manager is designed to securely store, rotate and control access to SSH keys to prevent unauthorized access to privileged accounts."
Extending their already successful Enterprise Vault Infrastructure, CyberArk protects SSH keys with the highest level of security and granular control. Keys in the vault are encrypted, and managed in a fashion not unlike their Password Management Infrastructure.  Integrating SSH keys into this platform creates a one-stop-shop for Privileged Access Management on both Windows and UNIX/Linux platforms.
In January of 2013, CyberArk added Privileged Session Management for UNIX and Linux systems to their growing arsenal of Privileged Management tools. This led me to blog about the requirement to Treat Your Key Pairs Like Passwords!  It looks like they were listening...

 Up until this week, there was only SSH.COM, with their Universal SSH Key Manager, and Venafi, with their Trust Authority SSH manager. 

 With the announcement of CyberArk's new SSH key manager, we now have an Enterprise holistic approach to Privileged User Account Management across the network.


References:
CyberArk: SSH Key Manager
Infosec Musings: Treat Your Key Pairs Like Passwords!
http://security-musings.blogspot.ca/2013/01/privileged-identity-management-make.html
http://www.cyberark.com/resource/isolation-control-monitoring-next-generation-jump-servers/
http://en.wikipedia.org/wiki/Privileged_Identity_Management
http://www.cyberark.com/esg-validating-privileged-account-security-while-validating-cyberark
IDC: A Gaping Hole in Your Identity and Access Management Strategy: Secure Shell Access Controls 
Networkworld: SSH key mismanagement and how to solve it 
Posted by at No comments:
Labels: , , , , , , ,
Location: Boston, MA, USA

Friday, 8 February 2013

Treat Your Key Pairs Like Passwords!

I just had this conversation with a friend, and decided to pull this old blog over to here to stir some discussion...


We have all been taught the Best Practices for Password Management.  There is no shortage of publications providing guidance on password management.

  1. Don't use Personally Identifiable Information (PII) in your password
  2. Don't use any word that can be found in the dictionary 
  3. Use a different password for online banking, social networking, and email
  4. Do not share your password with anyone.... ANYONE
  5. Create a complex password including one or more non-alphabetic characters
  6. Create passwords at with at least eight characters
  7. Change your critical passwords on a regular basis (although this theory is being challenged)
So why do we not have these same discussions around Certificate or Key Pair Management?
(This is not a trainer on cryptography, but rather a discussion on proper management) 

These provide similar functionality as a username/password.  They provide authority as to who you are, to the system you are communicating with. They also provide the user with a sense of security/confidentiality.

However, keypairs and certificates, like passwords, can be compromised!   Even the mighty RSA SecureID is not impervious to attack.

 Typically, ssh keys are used to automate authentication to a host. That said, according to ssh.com
 "About 10 percent of all SSH user keys provide root access, creating a major security and compliance issue"

Many administrators use the same keys across multiple hosts. Similar to using the same password, this could be an issue when that key is compromised.  These very people are also the ones who have sudo access to privileged resources. A compromised machine could be silently used for a man in the middle attack.


I suggest that we need to start managing keypairs and certificates in a similar fashion to passwords.


Keypair  best practices:
  1. Create a corporate policy for Keypairs and Certificates!
  2. Treat your passphrase as you would a regular password (rules above)
  3. Use different keypairs for critical systems, privileged access, and regular access
  4. Do not share your private key with anyone.... ANYONE
  5. Change your keypairs on a regular basis (maybe not as frequent as passwords, but...)
Beyond simply managing your current keypairs and certificates, you should do a discovery to see how many stagnant or unused keypairs are in your environment.   Both Venafi and SSH.Com have discovery tools that will assist in identifying how prevalent keys and certificates are within your environment.  They will scan your network, and catalog existing SSL certificates and assymetric keys, providing pertinent information regarding expiry, ownership, strength, etc...
There are many companies in the marketplace that provide x.509 / SSL Certificate discovery and management, but few have stepped up yet for managing those critical ssh/and pgp keypairs.  

Ok, I've started the discussion...  let's talk... 
Update:  IETF: Managing SSH Keys for Automated Access - Current Recommended Practice
   This document presents current recommended practice for managing SSH
   user keys for automated access.  It provides guidelines for
   discovering, remediating, and continuously managing SSH user keys and
   other authentication credentials.

 Resources:
Good Practices for using SSH
Private Key Management: Best Practice Tips From the Real World
Comodo SSL Certificate Discovery Tool
Digicert SSL Certificate Discovery Tool 
Verisign Certificate Management
SSH Auditing - New Detected Vulnerabilities and New Features for Nessus
SSH Key Management Gathering Intelligence About Your SSH Keys 
And Now for Something Completely Different! 

Posted by at No comments:
Labels: , , , , , , ,
Subscribe to: Posts (Atom)