by MATT GALLAGHER, Red Herring
Everyone has that little voice inside them that wonders in the middle of the night whether or not the front door is locked. Do you get up to check or stay in bed as the worries seep into bad dreams?
When it comes to SSH keys, however, most companies don’t even realize that up to 10,000 unlocked back doors may be open in the middle of the night, but that is exactly the case, at least according to SSH Communications Security. SSH keys, otherwise known as secure shell keys, are a cryptographic network protocol that automates commands between two or more networked computers. When it comes to large banks or logistic companies with 20,000 to 100,000 servers, there can literally be hundreds of thousands of keys. One of the company’s clients has 10,000 hosts with over a million keys, 10 percent of which provided the highest possible administrative access.
Most companies, however, don’t even realize these SSH keys are a lurking security issue that provide an open backdoor into their security systems, warns Tatu Ylönen, CEO of SSH. . The keys can be set up by the IT staff and forgotten about, providing an unlocked entrance that can circumvent the encryption system to enable theft, corruption, or unauthorized data modification. “Such a break could be devastating,” Ylönen said. “Imagine if a hacker gets into one server, they could use these key based trust relationships to move from one server to another, and do anything they wanted to the system.”
The trouble is most companies don’t know how many SSH keys they even have, or which are still important, and have no idea where to begin when it comes to making sure every door is locked. If a large bank were to remove an essential SSH key, for example, an entire branch could be shut down for days, Ylönen explained.
Makers of a secure shell protocol, SSH Communications Security recently announced new services to help companies secure and maintain their encrypted networks. Last September, the company signed a $2.5 million deal with a one of the world’s top 10 banks to identify all keys, eliminate those that are outdated, and set up a secure process to create new keys to ensure that every key created is authorized by the system.
The company counts as customers two of the top 10 banks in the US, one of the top three retailers, and one of the top three largest logistic companies in the US.
The company uses software to first identify all the SSH keys in a client’s system, and then checks to see which SSH keys are used over a three month period, eliminating any unused keys under the assumption they are nonessential. It then sets up each remaining key to a new location only accessible through a key manager, eliminating the possibility of unauthorized key setups. Every key then becomes documented. The company provides an API script for integration into the enterprise change management system for easy set up with little effort on the part of the client. A typical bank project takes up two years to set up.
By not relying on IT staff to set up and manage each key, Ylönen estimates these new automated services can save enterprises $2 to 3 million per year, essentially paying for the company’s services within two years.
With a number of patents filed a year ago, Ylönen expects that his company is about 12 months ahead of the competition. He estimates the company faces a market worth hundreds of millions of dollars.