Encrypted channel monitoring: The evolution of privileged access management
The Javelin Strategy & Research’s 2014 Identity Fraud Study revealed that 13.1 million Americans became victims of identity theft last year. This startling statistic underscores the determination of malicious actors to access sensitive data. Despite the rise in exploits, vital aspects of security -- such as encryption -- have tended to slip through the cracks.
Commercial encryption has been available for about 20 years. It meets a serious need and has been widely embraced. However, as a technology “ages,” costs go down and the technology begins to be viewed as a commodity. As such, encryption security is rarely if ever top of mind for IT managers and government administrators. However, the rising rate of hacks and data theft is a reminder of just how critical encryption really is.
It is news to no one that software can be breached. For the record, though, it’s not typically the software itself or the encryption protocol that is the problem. In many cases, it’s that federal agencies leave encryption management largely in the domain of IT application developers or system administrators without proper access control management, monitoring and proactive data loss prevention protocols in place.
Where is the Keymaster
The Secure Shell (SSH) data-in-transit protocol is designed to secure network communications while being relatively simple and inexpensive to implement. In Secure Shell networks, key-based authentication is a common method used to gain access to critical information. Keys are simple to create and can be easily uploaded to the appropriate system. Associated with each key is an identity -- either a person or machine -- that grants access to information assets and performs specific tasks depending on the assigned authorizations. In the case of Secure Shell keys, those basic text files provide access to some of the most critical information within an organization.
A quick calculation that takes into account the many contractors, employees and applications assigned keys over the past decade or more suggests there are potentially over a million keys present in any single major organization. In one example, a large bank with around 15,000 hosts had over 1.5 million keys circulating within its network environment. Around 10 percent of those keys -- or 150,000 -- provided high-level administrator access. This represents a tremendous number of open doors that no one was monitoring.
Although this example comes from a bank, the same level of serious mismanagement happens within government networks as well. It occurs because encryption is often perceived as just another tool: because nothing seemed amiss on the surface, no processes were shut down and no one was alerted to the problem.
Multiple risks of key mismanagement
It’s human nature to default to the path of least resistance and unfortunately, that goes for IT staff as well. System administrators and application developers will often deploy keys in order to readily gain access to systems they are working on. These keys grant a fairly high level of privilege and are often used across multiple systems, creating a one-to-many relationship. In many cases, government employees or contractors who are terminated -- or even simply reassigned to other tasks that no longer require the same access -- continue to carry access via Secure Shell keys; the assumption is that terminating the account is enough. Unfortunately, this is not the case when Secure Shell keys are involved; the keys must also be removed or the access remains in place.
Poorly managed Secure Shell keys expose federal agencies to multiple risks. Chief among them is the use of these keys to subvert privileged access management systems (PAMs). Many PAM systems utilize a gateway or jump host that administrators log into to gain access to network assets. PAM solutions connect with user directories to assign privileges, monitor user actions and record which actions have taken place. Sounds like an airtight way to monitor administrators, right? It is, until one realizes how easy it is for an administrator to log into the gateway, deploy a key and then log in using key authentication, a clever way to work around any PAM safeguards in place.
Ignoring PAM and bypassing firewalls
Secure Shell key mismanagement is a serious problem, but it is not the only one in encrypted environments. Conventional PAM solutions, which utilize gateways and focus on interactive users only, are designed to monitor administrator activities. Unfortunately, as mentioned above, they end up being fairly easy to work around. Additionally, encryption hides traffic content from security operations and forensics teams just as it hides it from attackers. For this reason, encrypted traffic is rarely monitored and is allowed to flow freely in and out of the network environment. This creates obvious risks and negates security intelligence capabilities to a large degree.
Encrypted traffic often flows through the perimeter, unhindered by IT security staff. If one searches for “SSH firewall” the result is a number of highly instructive articles on how to use Secure Shell to bypass corporate firewalls. This is actually a pretty common and clever workaround of policy that unfortunately creates a huge security risk. In order to eliminate this risk, the organization must decrypt and inspect the traffic.
Decrypt and monitor
The equivalent of a friendly man-in-the-middle could be used to decrypt Secure Shell traffic without interfering with the network. When successfully deployed, 100 percent of encrypted traffic for both interactive users and machine-to-machine (M2M) identities can be monitored. Also, because this is done at the network level, it’s not possible for malicious parties to execute a workaround. With this method, government agencies can proactively detect suspicious or out-of-policy traffic. This is called encrypted channel monitoring and represents the next generation in the evolution of PAM.
There are multiple advantages to encrypted channel monitoring. It assists government agencies with moving away from a gateway approach to PAM, enables traffic decryption at the perimeter and prevents attackers from using the agency’s own encryption technology against itself. In addition, an agency can use inline access controls and user profiling to control what activities a user can undertake. For example, policy controls can be enforced to forbid file transfers from certain critical systems. With the more advanced solutions, an agency can even block subchannels from running inside the encrypted tunnel, the preferred method of quickly exfiltrating data.
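To make two of the failure modes above concrete (keys that outlive the account of a terminated user, and privileged keys that still permit subchannels inside the tunnel), here is an added Python audit of OpenSSH authorized_keys entries; it is example code, not the page's or SSH Communications Security's own tooling. It assumes that key comments follow the owner@host convention, that root is the privileged account of interest, and that the sample entries are constructed.

```python
import re
# Added audit of OpenSSH authorized_keys entries (not SSH Communications Security code); the sample data is constructed.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
PRIVILEGED_ACCOUNTS = {"root"}  # assumption: which local accounts count as high-privilege
_OPT_RUN = re.compile(r'^((?:[^\s"]|"[^"]*")+)\s+')  # leading options field, honouring double quotes
_OPT_SPLIT = re.compile(r'(?:[^,"]|"[^"]*")+')       # option tokens between unquoted commas
def parse_authorized_key(line):
    """Return (options, key_type, blob, comment), or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []  # (name, value) in file order; value is None for bare flags such as restrict
    m = None if line.startswith(KEY_TYPE_PREFIXES) else _OPT_RUN.match(line)
    if m:
        for opt in _OPT_SPLIT.findall(m.group(1)):
            name, _, value = opt.partition("=")
            options.append((name, value.strip('"') if value else None))
        line = line[m.end():]
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")
def forwarding_allowed(options):
    # OpenSSH applies options in order: restrict/no-port-forwarding deny, a later port-forwarding re-enables.
    allowed = True
    for name, _ in options:
        if name in ("restrict", "no-port-forwarding"):
            allowed = False
        elif name == "port-forwarding":
            allowed = True
    return allowed
def audit_entry(account, line, active_users):
    """Findings for one line installed on `account`: orphaned owner, or open tunnel on a privileged account."""
    parsed = parse_authorized_key(line)
    if parsed is None:
        return []
    options, _, _, comment = parsed
    owner = comment.split("@")[0]  # assumption: comment is owner@host, a convention rather than a guarantee
    findings = []
    if owner not in active_users:
        findings.append(f"orphaned key for '{owner}' still installed on {account}")
    if account in PRIVILEGED_ACCOUNTS and forwarding_allowed(options):
        findings.append(f"privileged key on {account} still permits port-forwarding subchannels")
    return findings
# Constructed sample: a key left behind by a departed admin on root, plus a properly restricted backup key.
SAMPLE = {"root": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEBLOB0001 jdoe@laptop",
                   'from="10.0.5.0/24",restrict,command="/usr/local/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEBLOB0002 backup@jobhost']}
def audit_sample(active_users=frozenset({"backup"})):
    return {a: [f for l in ls for f in audit_entry(a, l, active_users)] for a, ls in SAMPLE.items()}
```

Run against a real fleet, the same loop would read each account's authorized_keys file and the identity directory's active-user list; the comment-based owner match is the weakest link, which is exactly why centralized key provisioning is recommended above.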
However, layered defenses are blinded when encryption technologies are implemented without proper access controls or effective monitoring. Network vulnerabilities potentially compromise the entire server, which could in turn expose other areas of the network to subsequent attacks.
A proactive approach
Though IT professionals value and use encryption widely, this technology has been installed and forgotten to a large extent. The majority of government agencies have not established centralized provisioning, encrypted channel monitoring and other best-in-class procedures for managing encrypted networks. IT pros assume that PAM is working just fine to meet their needs, even when multiple workarounds easily bypass and defeat it.
As the incidence rate of identity theft continues to surge, network security must be re-examined to ensure that security measures are robust enough to withstand today’s advanced attacks. Agencies should closely examine their encrypted networks for vulnerabilities, including workarounds and blind spots, and make sure that layered defenses are enabled and that they are proactively monitoring encrypted traffic. Such a strategy can go a long way toward protecting government data and user identities.
Jason Thompson is director of Global Marketing for SSH Communications Security. Thompson brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, Thompson worked at Q1 Labs where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. Thompson holds a BA from Colorado State University and an MA from the University of North Carolina at Wilmington.