The commencement of Shanghai-Hong Kong Stock Connect represents not only increasing cross-border trading, but also continuously growing data exchange between financial institutions such as stock exchange authorities, banks, and brokerage firms.
The machine-to-machine (M2M) transactions that power the automation of critical business operations and data transfers are typically protected with some form of data-in-transit encryption.
The Secure Shell protocol has been a commonly used way to encrypt M2M transfers within the financial sector for nearly two decades. The protocol is an IETF standard, has been subject to extensive scrutiny over the years, and is widely deployed and accepted as a recommended security technology for critical and sensitive data transfers. However, the encryption alone is not enough: without effective management and carefully controlled deployment, provisioning, access control, monitoring and auditing of the encrypted connections, an organization can end up in violation of industry and government mandates, and can suffer costly breaches.
The Hong Kong Monetary Authority (HKMA) published General Principles for Technology Risk Management [TM-G-1] (version V.1, 24.06.03) to guide financial institutions in managing technology-related risks. While the guidelines are quite high-level and technology-agnostic, several of their sections affect the way that access controls, privileged users and SSH keys are managed.
As an example, TM-G-1 section 2.2.2 states: “Proper segregation of duties within and among various IT functions is crucial for ensuring an effective IT control environment.” A single individual (e.g. systems administrator) should not have the authority to execute all security functions of an IT system. Administration of access control to servers, and the auditing of operations performed on the servers, should be segregated from the privileges of the administrators who perform administration duties on the same servers. In practice, administrators should not have the capability to deploy access-granting Secure Shell public keys to servers they operate on, without oversight. Similarly, the administrator should not have access to the audit logs or recordings that enforce the accountability of administrator actions.
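One concrete way the self-provisioning gap shows up on a server is the location of the OpenSSH AuthorizedKeysFile: with the default setting, each account owns and can edit its own key file, so the administrator of a host can grant key-based access to that host without anyone else's involvement. The following shell script is an added example, not code from the original post or from SSH Communications Security; it checks an sshd_config for this condition, using only OpenSSH sshd_config syntax, with two constructed sample configurations embedded for the demonstration:

```shell
#!/bin/sh
# Added example (not from the original post): detect whether an sshd_config
# lets a server's own administrators self-provision key-based access by
# editing a key file under their home directory, which is the
# segregation-of-duties gap TM-G-1 section 2.2.2 warns about.

# classify_authorized_keys FILE
# Prints "self-provisioning" when the first global AuthorizedKeysFile value
# (OpenSSH honours the first occurrence; Match blocks are not examined here)
# points into the user's home directory, either as a relative path or via %h.
# Prints "centrally-managed" when every path is absolute and home-independent
# (for example a root-owned /etc/ssh/authorized_keys/%u) or is "none".
classify_authorized_keys() {
    paths=$(awk 'tolower($1) == "match" { exit }
                 tolower($1) == "authorizedkeysfile" { $1 = ""; print; exit }' "$1")
    # OpenSSH default when the keyword is absent
    if [ -z "$paths" ]; then
        paths=".ssh/authorized_keys .ssh/authorized_keys2"
    fi
    for p in $paths; do
        case "$p" in
            none) ;;                                       # key files disabled
            /*)   case "$p" in
                      *%h*) echo self-provisioning; return 0 ;;
                  esac ;;
            *)    echo self-provisioning; return 0 ;;      # relative to $HOME
        esac
    done
    echo centrally-managed
}

# Constructed sample configurations for the demonstration (hypothetical paths).
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# Default layout: each account owns and can edit its own key file
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF
cat > "$HARD_CFG" <<'EOF'
# Keys live in a root-owned tree written only by the central key-management
# process; the account owner cannot add keys for itself.
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
StrictModes yes
EOF

echo "default layout:  $(classify_authorized_keys "$WEAK_CFG")"   # self-provisioning
echo "root-owned tree: $(classify_authorized_keys "$HARD_CFG")"   # centrally-managed
```

The check only inspects the configured path. Moving the key files out of the home directory closes the gap only if the target directory is owned by root and not writable by the accounts whose keys it holds, and if root itself is not the account the administrator works from; both of those still have to be verified on the host, and the resulting key inventory still has to be reviewed by someone other than the administrator.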
SSH Communications Security offers two solutions that help to enforce this principle:
(1) Universal SSH Key Manager provides the platform for centralized governance of Secure Shell key-based access.
(2) CryptoAuditor provides independent and transparent auditing and control of encrypted channels, such as Secure Shell and Windows RDP – that is fully segregated from the administrators and hosts that are being monitored.
We highly recommend that CISOs, IT security, compliance and audit experts read our white paper and attend our webinar to learn more about the guidelines and about best practices for securing encrypted connections.
Read the White Paper: Achieving Effective Compliance – Hong Kong Monetary Authority’s General Principles for Technology Risk Management
Register for the Webinar: How to Comply with HKMA’s General Principles for Technology Risk Management (Tuesday, December 9, 2014 4:00PM – 4:30PM HKT)