Matthew brings over 10 years of high technology sales, marketing and management experience to SSH Communications Security and is responsible for all revenue-generating operations. His expertise in strategically delivering technology solutions that anticipate the marketplace has helped the company become a market leader. Prior to joining the company, Matthew served as a member of the executive management team of Automaster Oyj which was successfully acquired by ADP Dealer Services Nordic. Before this, Matthew played professional soccer in Germany and Finland. Matthew holds a BA in German from the University of South Carolina and an MBA from the Helsinki School of Economics and Business Administration.
We’ve all been there: standing outside your home, you put your hand in your pocket, only to discover your house key is gone.
Panic sets in.
Where is it? Did I leave it at work? Did it fall out? Did someone steal it? What am I going to do?
You can turn fatalistic, cry your bad luck and wait for the problem to take care of itself.
You can determine another way to open the door. Call your wife, disrupt her work, make her drive home and let you in. Or maybe your neighbor or landlord has a copy.
Call the locksmith – except you bought that special lock – no go there.
Break down the door. Crash the window.
Regardless of which choice you make, the big question remains: where is the lost key? Who has it? So what will you do?
You can go out and make a copy. That’s quick, simple and inexpensive. But someone still has your original key and maybe they’re just waiting for the opportunity to come in and steal that precious 72” TV you just bought.
So is it obvious yet what to do?
You change the lock – not the key.
Now let’s transpose this across our worlds to IT. With the increasing number of endpoints and the shift to on-premises and cloud-based environments, things keep getting more complex. There are potentially hundreds of thousands of endpoints, but the number of servers in our environment is usually smaller. In a discussion with one major financial institution, the server-to-endpoint ratio was put at 1:15: an estimated 225,000 clients and 15,000 servers. Does it make more sense to try and control 15,000 servers or 225,000 clients?
We often find customers setting their targets for SSH user key remediation as getting control of all the private keys. This initially seems like a logical idea, if you see the key as a kind of password. And historically they’ve been told it is critical to protect the private key.
Reality, however, is a bit different. The primary function of security professionals remains to continuously decrease risk to the critical assets of the company, without sacrificing fluent access.
Where it gets blurry is how to protect that access. We usually begin with focusing on the people side of the equation. But let’s be honest: controlling people may be the hardest thing in the world. People are unpredictable. People are forgetful. People are the variable in the equation.
Doesn’t it make more sense that the most efficient part of the trust equation is the lock, or public key, side of things?
Consider a breach where the private keys of the organization have been compromised. What needs to be done to feel safe and whole again?
First, you need to understand which keys open which locks. You need to have full transparency of the trusts that have existed in the environment: not just where and what servers people are accessing, but also what machines may be connecting with other machines by using key-based authentication.
Next you need to be able to watch and monitor how these keys are used, from what source IP they originate and what destination they are authenticating to. This provides intelligence on the validity of the connection and how often it is being used.
Finally, once you can pinpoint which locks the keys have access to, you can rotate, remove and install new locks. And assuming the first two points are in place, you now have the capability to alert if a key has been shared and is originating from a new IP address.
Now you can keep track of the locks and their corresponding keys.
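The three steps above (inventory which keys open which locks, watch how they are used, then change the lock) can be sketched on the server side alone, which is the point of the post. The following is an added example, not code from the post or from SSH Communications Security's products. It reads `authorized_keys` contents gathered from servers to build a fingerprint-to-lock map, parses standard OpenSSH `Accepted publickey` log lines to see which source addresses each fingerprint authenticates from, flags a key used from an address outside its known set, and finally removes that key's lines from an `authorized_keys` file. The hostnames, accounts, keys and log lines are all constructed; the "keys" are only wire-format-correct blobs, not usable key pairs.

```python
"""Map SSH public keys (the locks) to the servers they open, watch how they
are used, and revoke a key server-side. Added example with constructed data."""
import base64
import hashlib
import re
import struct
from collections import defaultdict


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_pubkey(label: str) -> str:
    """Constructed ssh-ed25519 public key in authorized_keys form. The 32-byte
    body is derived from the label, so this is NOT a real key pair; only the
    encoding and the fingerprint computation are realistic."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(label.encode()).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint as OpenSSH prints it: base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Key type followed by the base64 blob; anything before it is the options prefix.
KEY_RE = re.compile(r"(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def parse_authorized_keys(text: str):
    """Yield (fingerprint, options, comment) for each key line, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue
        yield fingerprint(m.group(2)), line[:m.start()].strip(), line[m.end():].strip()


def build_inventory(hosts: dict) -> dict:
    """hosts = {hostname: {account: authorized_keys_text}} ->
    {fingerprint: [(hostname, account, options), ...]}: which locks each key opens."""
    inv = defaultdict(list)
    for host, accounts in hosts.items():
        for account, text in accounts.items():
            for fp, options, _comment in parse_authorized_keys(text):
                inv[fp].append((host, account, options))
    return dict(inv)


# Standard OpenSSH syslog line for a successful public-key login.
LOG_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (\S+) sshd\[\d+\]: Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)"
)


def key_usage(log_lines) -> dict:
    """{fingerprint: {(source_ip, hostname, account), ...}} from sshd log lines."""
    usage = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            host, account, src, fp = m.groups()
            usage[fp].add((src, host, account))
    return dict(usage)


def new_source_alerts(usage: dict, baseline: dict) -> list:
    """Flag a key authenticating from a source IP outside its known set (a shared or stolen key)."""
    alerts = []
    for fp, events in usage.items():
        known = baseline.get(fp, set())
        for src, host, account in sorted(events):
            if src not in known:
                alerts.append((fp, src, host, account))
    return alerts


def revoke_key(authorized_keys_text: str, fp: str):
    """Return (new text, lines removed) with every line for `fp` dropped:
    changing the lock instead of chasing the lost key."""
    kept, removed = [], 0
    for line in authorized_keys_text.splitlines():
        m = KEY_RE.search(line.strip())
        if m and fingerprint(m.group(2)) == fp:
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept), removed


# --- constructed sample data --------------------------------------------------
DEPLOY_KEY = make_pubkey("deploy-bot")   # constructed, not a real key
ALICE_KEY = make_pubkey("alice-laptop")  # constructed, not a real key
DEPLOY_FP = fingerprint(DEPLOY_KEY.split()[1])
ALICE_FP = fingerprint(ALICE_KEY.split()[1])

HOSTS = {  # constructed authorized_keys contents gathered from two servers
    "app01": {
        "deploy": f'from="10.0.0.0/8",no-pty {DEPLOY_KEY} deploy-bot\n',
        "root": f"{ALICE_KEY} alice@laptop\n",
    },
    "db01": {"deploy": f"# rotated 2024\n{DEPLOY_KEY} deploy-bot\n"},
}

LOGS = [  # constructed sshd lines; the third shows the deploy key used from an unexpected address
    f"Jan 10 09:12:01 app01 sshd[4021]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 {DEPLOY_FP}",
    f"Jan 10 09:15:44 db01 sshd[7718]: Accepted publickey for deploy from 10.0.0.5 port 51290 ssh2: ED25519 {DEPLOY_FP}",
    f"Jan 10 23:41:09 db01 sshd[7930]: Accepted publickey for deploy from 203.0.113.7 port 40022 ssh2: ED25519 {DEPLOY_FP}",
    f"Jan 10 10:02:13 app01 sshd[4100]: Accepted publickey for root from 10.0.0.21 port 50001 ssh2: ED25519 {ALICE_FP}",
]
BASELINE = {DEPLOY_FP: {"10.0.0.5"}, ALICE_FP: {"10.0.0.21"}}  # known source IPs per key

if __name__ == "__main__":
    inv = build_inventory(HOSTS)
    print("deploy key opens:", inv[DEPLOY_FP])
    for alert in new_source_alerts(key_usage(LOGS), BASELINE):
        print("ALERT key used from new source:", alert)
    new_text, n = revoke_key(HOSTS["db01"]["deploy"], DEPLOY_FP)
    print(f"db01/deploy: removed {n} line(s); remaining:\n{new_text}")
```

The inventory and usage maps are the "which keys open which locks" and "from what source" views; the baseline of known source addresses is what turns usage into an alert, and `revoke_key` is the lock change, applied per server rather than per client. On a real fleet the `authorized_keys` contents and logs would be collected from the servers, but the parsing and the decision logic are the same.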
As our Chief Customer Advocate so eloquently puts it:
“You can place a dam at the top of the river and be in a position to control the reservoir at the source, but what about all the water downstream?
You need to be able to control, divert, collect, route and manage all the way to the destination. This includes the rain runoff and sewage being washed into the river along the way. And that is probably the majority scenario – instead of the pristine stuff coming above the dam.”