Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Top Stories

SSH KEYS: THE HIDDEN COMPLIANCE THREAT

DM 03242016 1525 - Global Banking | Finance

By Fouad Khalil, VP of Compliance, SSH Communications Security

Fouad Khalil

Fouad Khalil

Because the financial industry is one of the most heavily regulated, possible compliance issues lurk around almost every corner. SSH user key-based access is not typically included as one of those issues. But it should be. In many financial institutions, accountability for these keys is unclear, opening the door to compliance violations.

At the heart of the issue is access control. It’s all about protecting the data (PII, credit card data, etc.)and making sure it has authorized access. It doesn’t matter whether access is being requested by a machine, admin or business user. The fact is that:

  • Many financial institutions do not have visibility into SSH user key-based trusts or monitoring capabilities
  • There are no processes for provisioning ownership, revocation and rotation of keys
  • There are no clear policies for key-based access and no ownership of the access being provided
  • Oversight and control are non-existent

For example, in some 10,000 Unix/Linux hosts, lack of strong SSH key management equates to 1.5 million application keys granting access and 70,000 keys each for database administrators and system admins. There can be up to one billion authentications per year granting access. The majority of the access available via these keys is obsolete, having been assigned to employees or third parties who no longer work with or for the financial institution.

A Ticking Compliance Bomb

In other words, it’s only a matter of time before this compliance bomb explodes. SSH keys are a critical component of logical, privileged and third-party access; their misuse can have repercussions across all critical frameworks.Regulatory bodies won’t be easing up any time soon – instead, they are issuing seven-figure fines, jail time and reputation-damaging publicity.

For instance, potential fines and jail time await SOX violators, and PCI violations pack their own punch. In addition to stiff fines, PCI can take away your payment processing privileges. This happened to a national chain, rendering the chain incapable of processing card transactions for several weeks. That’s a financially devastating outcome, one that has the potential to destroy a business.

Getting to the Heart ofAccess

Let’s examine the access issue by supposing that you are an auditor in the financial industry. You conduct annual IT General Controls audits for all your in-scope IT systems.You continuously assess the effectiveness of your logical access, privileged access and segregation of duties controls. Now, have you considered SSH keys? Once you learn what those keys are and what they entail, consider that the assumption that someone’s managing them is often wrong.This is the “dark side of compliance.”CEOs and CFOs of publically traded financial institutions are required by law to attest the state of their internal controls annually. Access control is a key component of these attestations, so how accurate are they if SSH key-based access (elevated in nature) is not part of the assessment?

When put into these terms, those responsible for compliance realize that they must take action on SSH-related, key-based access. Then the logical three questions follow:

  1. Do you manage SSH keys as part of your provisioning or governance processes? If so, who managed them?
  2. Do you know where your keys are?How many do you have?
  3. Do you know who and what connects to your production environment?  Is the access authorized?

A vague answer, or no answer at all, to any one or more of these questions means you need to take action immediately.

Proactive Control

Clearly, it can be difficult to take control of SSH user key-based access, but it is possible – and critical. The more security controls you implement as a standard business practice, the more likely you are to be compliant out of the box. Adopt the mindset of continuous compliance. It’s not a matter of checking a box that you set up a server; you need to harden everything that goes on that server. It may seem impossible to do this company-wide, but start with critical assets and then implement in phases.

This work must be started immediately to ensure compliance and satisfy the auditors. It must not be done manually, though, in light of the fact that hundreds of thousands of key pairs may be lurking in your infrastructure. Get the assistance of experts who can help walk you through the process in a systematic way, and implement automation. Start today, before a breach or audit occurs. And don’t forget this crucial equation:

image1

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: Global Banking & Finance Review │ Banking │ Finance │ Technology. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post