Welcome!

Related Topics: Cloud Security, Java IoT, Microservices Expo, Linux Containers, @CloudExpo, @BigDataExpo

Cloud Security: Article

Protecting the Network with Proactive Encryption Monitoring

Encryption technology is everywhere: in applications, data centers and other foundation infrastructure

Encryption is a key element of a complete security strategy. The 2013 Global Encryption Trends Study shows a steady increase in the use of encryption solutions over the past nine years. Thirty-five percent of organizations now have an encryption strategy applied consistently across the entire enterprise, up from 29 percent in 2012. The study showed that, for the first time, the main goal for most organizations in deploying encryption is mitigating the effects of data breaches. There is good reason for this shift: the latest Ponemon Institute research reveals that the cost of a data breach is $3.5 million, up 15 percent from last year.

On the surface, the 35 percent figure seems like good news, until one realizes that 65 percent of organizations do not have an enterprise-wide encryption strategy. In addition, even a consistently applied strategy can lack visibility, management controls or remediation processes. This gives hackers the green light to attack as soon as they spot a vulnerability.

While organizations are moving in the right direction when it comes to encryption, much more needs to be done - and quickly. Encryption has come to be viewed as a commodity: organizations deploy it and assume they've taken the steps they need to maintain security. If breaches occur, it's rarely the fault of the software or the encryption protocol. The fault lies rather in the fact that encryption management is left in the domain of IT system administrators and has never been properly managed with access controls, monitoring or proactive data loss prevention.

Too Many Keys Spoil the Security
While recent high-profile vulnerabilities have exposed the need to manage encrypted networks better, it's important to understand that administrators can cause vulnerabilities as well. In the Secure Shell (SSH) data-in-transit protocol, key-based authentication is one of the more common methods used to gain access to critical information. Keys are easy to create, and, at the most basic level, are simple text files that can be easily uploaded to the appropriate system. Associated with each key is an identity: either a person or machine that grants access to information assets and performs specific tasks, such as transferring a file or dropping a database, depending on the assigned authorizations. In the case of Secure Shell keys, those basic text files provide access to some of the most critical information within an organization.

A quick calculation will reveal that the number of keys assigned over the past decade to employees, contractors and applications can run up to a million or more for a single enterprise. In one example, a major bank with around 15,000 hosts had over 1.5 million keys circulating within its network environment. Around 10 percent of those keys - or 150,000 - provided high-level administrator access. This represents an astonishing number of open doors that no one was monitoring.

It may seem impossible that such a security lapse could happen, but consider that encryption is often perceived merely as a tool. Because nothing appeared on the surface to be out of place, no processes were shut down and the problem was undetected.

Safety Hazards
Forgetting to keep track of keys is one problem; failing to remove them is another. System administrators and application developers will often deploy keys in order to readily gain access to systems they are working on. These keys grant a fairly high level of privilege and are often used across multiple systems, creating a one-to-many relationship. In many cases, employees or contractors who are terminated - or even simply reassigned to other tasks that no longer require the same access - continue to carry access via Secure Shell keys; the assumption is that terminating the account is enough. Unfortunately, this is not the case when Secure Shell keys are involved; the keys must also be removed or the access remains in place.

SSH keys pose another threat as well: subverting privileged access management systems (PAMs). Many PAMs use a gateway or jump host that administrators log into to gain access to network assets. PAM solutions connect with user directories to assign privileges, monitor user actions and record which actions have taken place. While this appears like an airtight way to monitor administrators, it is incredibly easy for an administrator to log into the gateway, deploy a key and then log in using key authentication, thereby circumventing any PAM safeguards in place.

Too Clever for Their Own Good
Poorly monitored access is just one security hazard in encrypted environments. Conventional PAM solutions, which use gateways and focus on interactive users only, are designed to monitor administrator activities. Unfortunately, as mentioned earlier, they end up being fairly easy to work around. Additionally, encryption blinds attackers the same way it blinds security operations and forensics teams. For this reason, encrypted traffic is rarely monitored and is allowed to flow freely in and out of the network environment. This creates obvious risks and negates security intelligence capabilities to a large degree.

The Internet offers many articles on how to use Secure Shell to bypass corporate firewalls. This is actually a fairly common and clever workaround policy that unfortunately creates a huge security risk. In order to eliminate this risk, the organization must decrypt and inspect the traffic.

Traffic Safety
Decrypting Secure Shell traffic would require an organization to use an inline proxy with access to the private keys - essentially a friendly man-in-the-middle - to decrypt the traffic without interfering with the network. When successfully deployed, 100 percent of encrypted traffic for both interactive users and M2M identities can be monitored. Also, because this is done at the network level, it's not possible for malicious parties to execute a workaround. With this method, enterprises can proactively detect suspicious or out-of-policy traffic. This is called encrypted channel monitoring and represents the next generation in the evolution of PAM.

This kind of monitoring solves the issue of decrypting traffic at the perimeter and helps organizations move away from a gateway approach to PAM. At the same time, it prevents attackers from using the organization's own encryption technology against itself. In addition, an organization can use inline access controls and user profiling to control what activities a user can undertake. For example, policy controls can be enforced to forbid file transfers from certain critical systems. With the more advanced solutions, an organization can even block subchannels from running inside the encrypted tunnel, the preferred method of quickly exfiltrating data.

Encryption technologies are often set up without effective monitoring or proper access controls, which also blinds layered defenses. A major vulnerability could potentially compromise the entire server, which could in turn expose other areas of the network to subsequent attacks.

A Healthy Respect for Encryption
Encryption technology is everywhere: in applications, data centers and other foundation infrastructure. While it has been widely embraced, it has also often been abused, misused or neglected. Most organizations have not instituted centralized provisioning, encrypted channel monitoring and other best practices, even though the consequence of inadequate security can be severe. IT security staff may think conventional PAM is keeping their organizations safe, when commonly-known workarounds are instead putting their data in jeopardy.

No one understands better than IT administrators how critical network security is. This understanding should spur security professionals to do all in their power to make their organizations' data as safe as possible. Given all that can go awry, it's important to examine encrypted networks, enabling layered defenses and putting proactive monitoring in place if they have not yet done so. An all-inclusive encrypted channel monitoring strategy will go a long way toward securing the network.

More Stories By Jason Thompson

Jason Thompson is director of global marketing for SSH Communications Security. He brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, he worked at Q1 Labs where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. Mr. Thompson holds a BA from Colorado State University and an MA for the University of North Carolina at Wilmington.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories
SYS-CON Events announced today that Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity – cryptographic keys and digital certificates – so they can’t be misused by bad guys in attacks...
Aspose.Total for .NET is the most complete package of all file format APIs for .NET as offered by Aspose. It empowers developers to create, edit, render, print and convert between a wide range of popular document formats within any .NET, C#, ASP.NET and VB.NET applications. Aspose compiles all .NET APIs on a daily basis to ensure that it contains the most up to date versions of each of Aspose .NET APIs. If a new .NET API or a new version of existing APIs is released during the subscription peri...
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportuni...
To leverage Continuous Delivery, enterprises must consider impacts that span functional silos, as well as applications that touch older, slower moving components. Managing the many dependencies can cause slowdowns. See how to achieve continuous delivery in the enterprise.
DevOps at Cloud Expo – being held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...
SYS-CON Events announced today that eCube Systems, a leading provider of middleware modernization, integration, and management solutions, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. eCube Systems offers a family of middleware evolution products and services that maximize return on technology investment by leveraging existing technical equity to meet evolving business needs. ...
DevOps at Cloud Expo, taking place Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long dev...
SYS-CON Events announced today Telecom Reseller has been named “Media Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
Ixia (Nasdaq: XXIA) has announced that NoviFlow Inc.has deployed IxNetwork® to validate the company’s designs and accelerate the delivery of its proven, reliable products. Based in Montréal, NoviFlow Inc. supports network carriers, hyperscale data center operators, and enterprises seeking greater network control and flexibility, network scalability, and the capacity to handle extremely large numbers of flows, while maintaining maximum network performance. To meet these requirements, NoviFlow in...
Enterprises have forever faced challenges surrounding the sharing of their intellectual property. Emerging cloud adoption has made it more compelling for enterprises to digitize their content, making them available over a wide variety of devices across the Internet. In his session at 19th Cloud Expo, Santosh Ahuja, Director of Architecture at Impiger Technologies, will introduce various mechanisms provided by cloud service providers today to manage and share digital content in a secure manner....
StarNet Communications Corp has announced the addition of three Secure Remote Desktop modules to its flagship X-Win32 PC X server. The new modules enable X-Win32 to safely tunnel the remote desktops from Linux and Unix servers to the user’s PC over encrypted SSH. Traditionally, users of PC X servers deploy the XDMCP protocol to display remote desktop environments such as the Gnome and KDE desktops on Linux servers and the CDE environment on Solaris Unix machines. XDMCP is used primarily on comp...
As the world moves toward more DevOps and Microservices, application deployment to the cloud ought to become a lot simpler. The Microservices architecture, which is the basis of many new age distributed systems such as OpenStack, NetFlix and so on, is at the heart of Cloud Foundry - a complete developer-oriented Platform as a Service (PaaS) that is IaaS agnostic and supports vCloud, OpenStack and AWS. Serverless computing is revolutionizing computing. In his session at 19th Cloud Expo, Raghav...
In today's uber-connected, consumer-centric, cloud-enabled, insights-driven, multi-device, global world, the focus of solutions has shifted from the product that is sold to the person who is buying the product or service. Enterprises have rebranded their business around the consumers of their products. The buyer is the person and the focus is not on the offering. The person is connected through multiple devices, wearables, at home, on the road, and in multiple locations, sometimes simultaneously...
Fact: storage performance problems have only gotten more complicated, as applications not only have become largely virtualized, but also have moved to cloud-based infrastructures. Storage performance in virtualized environments isn’t just about IOPS anymore. Instead, you need to guarantee performance for individual VMs, helping applications maintain performance as the number of VMs continues to go up in real time. In his session at Cloud Expo, Dhiraj Sehgal, Product and Marketing at Tintri, wil...
Pulzze Systems was happy to participate in such a premier event and thankful to be receiving the winning investment and global network support from G-Startup Worldwide. It is an exciting time for Pulzze to showcase the effectiveness of innovative technologies and enable them to make the world smarter and better. The reputable contest is held to identify promising startups around the globe that are assured to change the world through their innovative products and disruptive technologies. There w...