In mid May, SSH Communications Security participated to the Cyber Security Summit, organized by the Hong Kong Applied Science and Technology Research Institute and the Hong Kong Police Force. During the summit, I held a presentation on the topic of “The Coming Evolution of Key and Certificate Management”. I also met with senior executives and industry leaders of critical infrastructure, banking practitioners, and government officials. We had interesting and insightful discussions on the cyber threat landscape and privileged access control.
The situation in Hong Kong is quite similar to the other Asia-Pacific countries. Managing privileged access tokens (such as Secure Shell (SSH) keys and SSL certificates) has gained attention lately but the focus of investments is still in managing interactive identities such as passwords. However, in reality the majority of access within organizations is done machine-to-machine and authenticated with SSH keys or certificates.
The SSH and SSL protocols are widely used to ensure secure communications between critical systems and applications. Unfortunately, there are rarely any effective means in place to ensure proper access control and regulatory compliance for these deployments. In the worst case, these security protocols may become attack vectors into the organizations. A misplaced SSH key or certificate is a nugget of gold for an attacker.
When I talked with the visitors at the summit, only a few were able to answer the questions below:
- How many SSH keys exist in your network?
- When, why, and by whom are the SSH keys provisioned?
- Are you able to monitor the SSH key creation and get notification for suspicious activities?
- Is there any chance that obsolete or missing keys are still being used?
- Does your organization have a policy for SSH key-based access?
As SSH is being used by nearly every enterprise, managing SSH keys and the access they provide requires special attention. At SSH Communications Security, we continue to educate the market on the importance of proper SSH key and certificate management. We follow the trends of regulations and compliance, and have authored many white papers how organizations can achieve compliance with SSH solutions.
I urge the IT security, compliance, and audit experts of Hong Kong to take a look at our HKMA white paper.