A reliable way to secure automated M2M connections

For organizations tackling the risk of data breach from the machine-to-machine (M2M) connections spawned by the Internet of Things, the widely used Secure Shell (SSH) cryptographic network protocol offers a ready and reliable solution.

“As organizations across all sectors embrace the concept of the Internet of Things, enabling more objects and sensors to communicate to support new business models, the need to secure automated M2M connections is increasingly critical,” says Tatu Ylönen, CEO of SSH Communications Security and inventor of the Secure Shell protocol. “Misunderstandings regarding how best to secure M2M transactions – and whose responsibility it is to do so – have placed organizations under significant risk of data breach.”

Why Secure Shell matters

To mitigate data breaches and prevent payment cardholder data fraud, especially as more users transact and access cloud services from mobile devices, Ylönen gives four reasons why organizations should rely on Secure Shell.

First, it is an IETF standard that ships with every Unix, Linux, and MacOS machine as well as with most routers, xDSL modems, and other network devices.

Ylönen points out that Secure Shell is also “reliable, encrypts all data traffic, and securely authenticates the server being contacted. It can be used for tunneling without changing applications – very helpful for adding encryption to legacy payment processing applications – and Secure Shell can be used for transparent FTP-to-Secure FTP conversion to add encryption for file transfers.”

Third, Secure Shell is widely known and understood by Unix, Linux, and network system administrators, and it shapes best practice in secure file transfer (SFTP) and automation within large enterprises, among other areas.

Fourth, the protocol is used “under the hood” in many commercial and open source products, such as systems management, cloud services, managed file transfer and privileged access management tools.

Don’t lose the keys

A recent Forrester Consulting study highlighted how organizations, especially financial institutions and hosting/cloud providers, depend on Secure Shell to secure M2M communications, but that inadequate management may leave Secure Shell keys open to theft. Only 29% of financial institutions say they have no Secure Shell access control issues, whereas 65% of government institutions say their Secure Shell situation is fine.

“Secure Shell has relevance across all the PCI DSS requirement domains,” Ylönen says. “Secure Shell key management, in particular, has a critical impact on compliance with Requirement 8 for addition and modification of access credentials; revoking them after a user, application, or process is terminated; ensuring private keys are not shared between users and accounts; and ensuring that channels and credentials for database access are used only for the authorized operations.”

Separating production environments from development or test environments with access controls also bears on key management, since the same key pair must not grant access in both. Monitoring and reporting tools reduce the work required to prove to auditors that the access controls are enforced.

“Centralized key management helps to streamline key management processes, reduce the number of users that can or need to set up keys, remedy error situations faster, and reduce work needed for audit rounds – all of which helps to reduce costs of identity and access management within an enterprise,” Ylönen suggests.
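The key-management points above (revoking keys after a user or process is terminated, not sharing one private key between accounts, and restricting what a credential may do) can be checked mechanically on an OpenSSH host by auditing its authorized_keys files. The script below is an added example written for this page; it is not code from the article or from SSH Communications Security. It fingerprints each key the way `ssh-keygen -lf` does, reports the same key trusted by more than one account, keys for accounts no longer in the active list, and automation keys that lack a `from=` source pattern and a `command=` or `restrict` option. The account names, hosts, key blobs and the policy that every automation key must carry those options are assumptions chosen for illustration.

```python
# Audit OpenSSH authorized_keys files for M2M key hygiene (added example; data constructed).
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def fingerprint(b64_blob: str) -> str:
    """Form `ssh-keygen -lf` prints: SHA-256 of the decoded blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(text: str):
    """Split the leading comma-separated option list (quoted values may hold commas/spaces)."""
    options, buf, in_quote, i = {}, "", False, 0

    def flush(token):
        if token:
            name, _, value = token.partition("=")
            options[name.lower()] = value.strip('"') if value else None

    while i < len(text):
        ch = text[i]
        if ch == "\\" and in_quote and i + 1 < len(text):   # keep an escaped character
            buf, i = buf + text[i + 1], i + 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            flush(buf)
            buf, i = "", i + 1
            continue
        elif ch.isspace() and not in_quote:
            flush(buf)
            return options, text[i:].lstrip()
        buf, i = buf + ch, i + 1
    raise ValueError("option list is not followed by a key")


def parse_line(account: str, line: str):
    """Parse one authorized_keys line into a dict; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = ({}, line) if line.split()[0] in KEY_TYPES else split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"{account}: cannot parse {line[:30]!r}")
    return {"account": account, "type": parts[0], "fp": fingerprint(parts[1]),
            "options": options, "comment": parts[2] if len(parts) == 3 else ""}


def audit(files: dict, active_accounts: set) -> list:
    """files maps account -> authorized_keys text; returns (category, account(s), fp, detail)."""
    findings, holders = [], defaultdict(set)
    for account, text in files.items():
        for entry in filter(None, (parse_line(account, l) for l in text.splitlines())):
            fp, opts = entry["fp"], entry["options"]
            holders[fp].add(account)
            if account not in active_accounts:          # terminated user or process
                findings.append(("REVOKE", account, fp, "account gone, key still trusted"))
            if "from" not in opts:                       # not pinned to a source host
                findings.append(("RESTRICT", account, fp, "no from= pattern"))
            if "command" not in opts and "restrict" not in opts:   # unconstrained session
                findings.append(("RESTRICT", account, fp, "no command= or restrict"))
    for fp, accounts in holders.items():                 # one private key, many accounts
        if len(accounts) > 1:
            findings.append(("SHARED", ",".join(sorted(accounts)), fp, "key pair shared"))
    return findings


def fake_blob(seed: int) -> str:
    # Constructed ed25519-shaped blob in OpenSSH wire format; not a real key, only fingerprintable.
    body = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + body
    return base64.b64encode(raw).decode()


SAMPLE_FILES = {   # constructed sample authorized_keys contents, keyed by account
    # batch job pinned to one source host and one forced command: passes
    "backup": f'from="10.0.1.5",command="/usr/bin/rrsync -ro /srv/data",restrict '
              f"ssh-ed25519 {fake_blob(1)} backup@batch01",
    # tunnel-only key for a legacy app: restrict, then forwarding to one destination only
    "tunnel": f'from="10.0.1.0/24",restrict,port-forwarding,permitopen="db.internal:5432",'
              f'command="/bin/false" ssh-ed25519 {fake_blob(2)} legacy-pay',
    # the same key pair trusted by two accounts, with no restrictions at all
    "deploy": f"ssh-ed25519 {fake_blob(3)} deploy@ci",
    "www": f"ssh-ed25519 {fake_blob(3)} deploy@ci\n# old entry\n",
    # account removed from the directory but not from the host
    "jdoe": f'from="10.0.9.9" ssh-ed25519 {fake_blob(4)} jdoe@laptop',
}
ACTIVE_ACCOUNTS = {"backup", "tunnel", "deploy", "www"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES, ACTIVE_ACCOUNTS):
        print(*finding)
```

On a real host, feed `audit` the contents of each account's `~/.ssh/authorized_keys` (plus any `AuthorizedKeysFile` paths sshd is configured with) and the account list from the directory; the fingerprints it prints match `ssh-keygen -lf`, so findings can be reconciled with a central key inventory. The "tunnel" entry shows the pattern for the tunneling use case in the article: `restrict` switches off everything, `port-forwarding` and `permitopen=` re-enable forwarding to one destination, and `command="/bin/false"` ensures a session request runs nothing.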

Ready to protect

In Singapore, PCI DSS 3.0 and the latest Monetary Authority of Singapore (MAS) Technology Risk Guidelines present a good starting point for evaluating an organization's readiness to protect the personal data in its possession before the Personal Data Protection Act (PDPA) comes into effect on July 2 this year.

“While the [PDPA] itself does not detail the type of security controls to be implemented, the same overall security principles outlined by the PCI Council to protect credit card data, and MAS to protect financial institutes, apply to protection of any sensitive personal data,” says Ylönen. “Of course, the specific requirements in each mandate need to be considered for applicability to the business processes and infrastructure of the organization in question.”