
A Privileged Access Controls White Paper

How to Catch Data Loss In Encrypted Secure Shell, RDP and SFTP Environments
Making enterprise privileged access convenient, cost effective and secure


TABLE OF CONTENTS:
Abstract and Executive Summary
The Challenges of Privileged User Access
A Minimally Invasive Approach to Privileged Access Management
Cost
Risk
Compliance
Conclusion

About SSH Communications Security:

Founded in 1995, SSH Communications Security is the company that invented the SSH protocol, the gold standard protocol for data-in-transit security solutions. Today, over 3,000 customers across the globe, including 7 of the Fortune 10, trust our Information Assurance Platform to secure the path to their information assets. Our platform enables businesses of all types and sizes to protect their information assets by providing the gold standard data-in-transit security solutions that prevent data loss in both internal and external environments, hardened perimeter security through our multi-channel two-factor authentication, and internal security control management solutions that enable organizations to more easily manage user keys and monitor administrator traffic across their networks.

2012 SSH Communications Security


Abstract:
With the rapid pace at which business is done today, the question of where, how quickly and how easily access to applications and data can be managed remains a key element of maintaining competitive advantage. The outsourcing of business critical applications, the virtualization of environments into private and public data centers, and the simple growth in remote administration due to the global nature of business have led to numerous challenges and much complexity in how we audit, control and monitor privileged user access. Moreover, we access applications and data today through more end points than ever before, including but not limited to remote desktop terminals, web browsers and mobile devices. To simplify this one step further, in its most basic form critical applications and data are accessed through three primary channels: internal administration of internal resources, internal administration of external resources, and external administration of internal resources. The challenge is how to manage this access securely while minimizing the impact on the workflow through which the applications and data are accessed. The majority of solutions we see today focus on the forensic aspects of data loss prevention; few are able to look inside encrypted connections and take proactive measures to eliminate the problem before it happens. This white paper focuses on the relationship between privileged user access and how organizations can effectively balance the challenges of cost, risk and compliance. It demonstrates approaches by which privileged access can be made minimally invasive, can scale to enterprise requirements and, most importantly, can stop data loss before it happens.


The Challenges of Privileged User Access in Terms of Cost, Risk, and Compliance
The challenges of privileged user access are many and far reaching, and touch numerous aspects of network structure and topology. Viewed at a macro level, however, they come down to three issues:

1. How do we make privileged user access a cost effective endeavor? Although changing processes can improve cost effectiveness, it often comes at the price of changing the tools through which administrators work. Working through jump hosts or gateway-type solutions often decreases administrators' productivity and increases the time it takes them to reach the application or data they require and solve the problem at hand.

2. How do we mitigate the risk of privileged user access? Although every server creates logs of its events, the logging system itself is often under the control of the same system administrators. As a result, it is often quite easy to disable the logging and, if there is no centralized logging capability in place, even to delete the log entries.

3. How do we address the paradox of PCI-DSS compliance, which requires encryption of data in transit but simultaneously full auditing of privileged users' activities and proof of individual accountability?

The matrix below outlines the challenges enterprises face related to privileged user access and how each of them affects multiple facets of cost, risk and compliance.

Challenge (each is marked in the matrix against the columns Cost, Risk and Compliance that it affects):

1. How to meet regulations and security standards (e.g. PCI-DSS) that require encryption of data in transit, but also full auditing of privileged users' activities and proof of individual accountability?

2. No centralized overall visibility of encrypted remote system access, user activities and data transfers.

3. No real-time information, alerts, intrusion or data loss prevention capabilities for encrypted connections (crucial especially for external connections).

4. No means to reliably audit the administrators (internal or external) who have the greatest operational power over the IT infrastructure and systems, and who are able to modify the logs, shut down the auditing services and erase or hide their actions and activities.

5. Complex, time consuming and error prone processes for reacting to problems and security issues, troubleshooting and forensics, enabling audited access for external users, etc.

6. Complex and time consuming deployment of auditing solutions, and changes to the user experience and current ways of working.

7. Complex and cumbersome processes and tools increase the amount of grey IT, workarounds and other unofficial/unauthorized means of access.


A Minimally Invasive Approach to Privileged Access Management:

CryptoAuditor, a module of the SSH Information Assurance Platform, is a centrally managed inline appliance or virtual appliance that can capture and audit encrypted data flows without deploying agents and without changing the end user experience. On this basis, CryptoAuditor can effectively address the key issues of cost, risk and compliance when managing the privileged user access of internal and external administrators.

Cost:
The concept of privileged user access is not often approached from the perspective of how we operationally improve the way the remote administrator works to save time and money, and how we ensure that the deployment of whatever tool we use to monitor privileged user access scales cost effectively and is quick to deploy. Most of the points which affect cost are determined by the architecture of the solution; the right architectural approach can streamline the way the remote administrator works.

Centralized architecture and transparent implementation
CryptoAuditor can be deployed as a transparent inline network solution, eliminating the cost and trouble of deploying and maintaining agents or other applications that affect the performance of the production environment. The transparent network approach makes CryptoAuditor completely application independent, enabling enterprises and end users to continue using their existing applications, processes and daily operations exactly as before. Via a centralized management console and a centralized audit trail vault, audit trails are gathered, indexed in real time and stored centrally enterprise-wide, which saves time in forensic searches and gives an enterprise-wide view of all remote system access connections. Indexing also covers the content of the encrypted connections, enabling content-based searches and real-time alerting as proactive security measures. The solution comes as a virtual appliance and as a hardware appliance. With central management (Vault) and distributed data capture (Hound), the architecture lets an enterprise simply place appliances where data needs to be captured, without changes to network topology, and then gather all the information in a central location.

Multiple high availability and fault tolerance levels
Treating uptime as the highest priority, CryptoAuditor provides four different levels of fault tolerance and high availability, ranging from active/passive setups to active/active. At the highest level, Hound connections are continuously balanced between two nodes. If a node fails, connections through the failing node are gracefully shifted to the intact node; connections through the intact node stay up and new connections can use it immediately. Vault connections are likewise continuously balanced between two nodes, and audit trails are continuously mirrored between the nodes, so if a disk fails, no audit trails are lost.

Figure 1: CryptoAuditor deployed in a highly distributed network architecture

Risk:
Addressing how to mitigate the risk around privileged user access before, during and after remote sessions is a key concern of most enterprises. In particular, how do we ensure that the right person accesses the right data or application at the right time, and, if something happens accidentally, how do we ensure that proper escalation takes place and that the issue is captured at the point of incident?

Role based management and access control
CryptoAuditor provides role based access control, giving the ability to granularly control what the administrators of CryptoAuditor may or may not manage or view in terms of audit trails, connection rules and logs, channel management, host groups, alerting and reporting settings. For access to the audit trails themselves, there are multiple zones for audit trails, and each zone may be defined with different privileges governing which audit trails may be accessed or viewed. Furthermore, a top-down connection policy rule engine provides the connection capture and auditing rules, as well as full control over the sub-channels. For example, protocol level management can be set to allow or deny tunneling, X11 forwarding, etc., as well as to define which of the channels are audited and indexed.

Session playback and searches
CryptoAuditor can play back both terminal and graphical sessions in a video stream format. Using OCR, it is possible to do free text drill-down searches into the audit trails themselves to identify commands used or other keywords of interest. No additional application is required to view the audit trails, since the video stream can be viewed directly in a web browser.

Real-time auditing capabilities with proactive alerting
Pre-defined ongoing searches can be set so that if discrepancies from the pre-set rules are found, automatic notifications are sent via email and syslog. Through this integration, SIEM tools can be fed with little or no effort, providing management visibility with real-time alerts.

Ensuring the integrity of audit trails
Audit trails are stored encrypted in separate files and do not use a database. Encryption is AES-128, and the encryption key is trail-specific, encrypted with a 2048-bit RSA key whose private key is zone-specific. There can be several audit zones for storing the trails, each with its own private key. By default there is one zone, and its key is encrypted with a default (unset) passphrase; that passphrase can be changed after installation, and other zones with different passphrases can be created. If a user has sufficient access rights to the Auditor UI and knows the passphrase of the zone, he can play back the trails stored in that zone. Alternatively, if he has access to the UI but does not know the passphrase, he can only see that a session has taken place, but cannot play it back. The index is stored in a database, encrypted in the same way as the audit trails (one index database per zone).

Figure 2 & 3: Privileged user session replay displayed within the CryptoAuditor solution
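The trail protection scheme described above (a fresh AES-128 key for every trail, wrapped with a 2048-bit RSA key that belongs to one audit zone, so that the fact a session happened is visible without the zone key but playback is not) is illustrated by the following Go program. It is an added example, not CryptoAuditor's own code: the zone private key is simply held in memory instead of under a passphrase, AES-GCM and RSA-OAEP are this example's choice of concrete modes (the paper names only the algorithms and key sizes), and the session text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Zone is one audit zone: a 2048-bit RSA key pair whose private half gates
// playback of every trail stored in the zone. On the appliance the private key
// is passphrase-protected; keeping it in memory here is an assumption made to
// keep the example self-contained.
type Zone struct {
	Name string
	priv *rsa.PrivateKey
}

// NewZone creates a zone with a fresh RSA-2048 key pair.
func NewZone(name string) (*Zone, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, priv: k}, nil
}

// SealedTrail is what is written to disk. Only TrailID and Zone are readable
// without the zone key, so a UI user without it can see that a session
// happened but cannot play it back.
type SealedTrail struct {
	TrailID    string
	Zone       string
	WrappedKey []byte // per-trail AES-128 key, RSA-OAEP wrapped to the zone public key
	Nonce      []byte
	Ciphertext []byte // AES-128-GCM; the authentication tag detects any modification
}

func trailCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one recorded session under a random per-trail key and wraps
// that key for the zone. The trail id is bound in as associated data.
func (z *Zone) Seal(trailID string, plaintext []byte) (*SealedTrail, error) {
	key := make([]byte, 16) // 16 bytes = AES-128
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := trailCipher(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The zone name is the OAEP label, so a key wrapped for one zone is tied
	// to that zone even at the key-wrapping layer.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &z.priv.PublicKey, key, []byte(z.Name))
	if err != nil {
		return nil, err
	}
	return &SealedTrail{
		TrailID:    trailID,
		Zone:       z.Name,
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(trailID)),
	}, nil
}

// Open unwraps the trail key with the zone private key and decrypts the
// session; it fails for a foreign zone key or a tampered trail.
func (z *Zone) Open(st *SealedTrail) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, z.priv, st.WrappedKey, []byte(z.Name))
	if err != nil {
		return nil, fmt.Errorf("zone %q cannot unwrap trail %s: %w", z.Name, st.TrailID, err)
	}
	gcm, err := trailCipher(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, st.Nonce, st.Ciphertext, []byte(st.TrailID))
}

func main() {
	pci, _ := NewZone("pci")
	hr, _ := NewZone("hr")
	// Constructed session text standing in for a recorded terminal session.
	st, _ := pci.Seal("trail-0001", []byte("$ sudo -i\n# tail -n 5 /var/log/secure\n"))
	if pt, err := pci.Open(st); err == nil {
		fmt.Printf("pci zone plays back %d bytes of trail %s\n", len(pt), st.TrailID)
	}
	if _, err := hr.Open(st); err != nil {
		fmt.Println("hr zone:", err)
	}
}
```

The point to notice is where the trust boundary sits: the Hound only ever needs the zone's public key to write trails, while playback requires the private key, so compromising a capture point does not expose recorded sessions, and the GCM tag turns any edit of a stored trail into a playback failure rather than silently altered evidence.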
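The top-down connection policy rule engine described under "Role based management and access control", first-match rules that admit or refuse a connection and then allow, deny and audit individual sub-channels such as tunneling or X11 forwarding, can be modelled as below. This is an added illustration in Go, not the product's rule language: the channel names, the suffix-based host matching and the sample policy are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Sub-channel names this example controls; the appliance's own identifiers
// are not on the page, so these are the example's assumption.
const (
	ChanShell  = "shell"
	ChanSFTP   = "sftp"
	ChanTunnel = "tunnel"
	ChanX11    = "x11"
)

// ChannelPolicy says whether a sub-channel may be opened and whether its
// content is recorded and indexed.
type ChannelPolicy struct {
	Allow bool
	Audit bool
}

// Rule is one line of a top-down policy: the first rule whose User and Host
// match decides the connection. An empty User or Host matches anything; Host
// is a suffix match, so ".pci.example.net" covers every host in that zone.
type Rule struct {
	Name     string
	User     string
	Host     string
	Allow    bool
	Channels map[string]ChannelPolicy // channels absent from the map are denied
}

func (r Rule) matches(user, host string) bool {
	if r.User != "" && r.User != user {
		return false
	}
	if r.Host != "" && !strings.HasSuffix(host, r.Host) {
		return false
	}
	return true
}

// Decision is the outcome for one connection and its requested channels.
type Decision struct {
	Rule     string          // name of the deciding rule; "" when nothing matched
	Allowed  bool            // connection permitted at all
	Channels map[string]bool // requested channel -> permitted
	Audited  map[string]bool // requested channel -> recorded and indexed
}

type Policy []Rule

// Evaluate walks the rules top-down and applies the first match. No match,
// or a matching deny rule, leaves every channel denied (implicit deny).
func (p Policy) Evaluate(user, host string, requested []string) Decision {
	d := Decision{Channels: map[string]bool{}, Audited: map[string]bool{}}
	for _, ch := range requested {
		d.Channels[ch] = false
		d.Audited[ch] = false
	}
	for _, r := range p {
		if !r.matches(user, host) {
			continue
		}
		d.Rule, d.Allowed = r.Name, r.Allow
		if r.Allow {
			for _, ch := range requested {
				if cp, ok := r.Channels[ch]; ok {
					d.Channels[ch] = cp.Allow
					d.Audited[ch] = cp.Allow && cp.Audit
				}
			}
		}
		break
	}
	return d
}

// SamplePolicy is constructed for this example: direct root logins are
// refused outright, DBAs reach the PCI database hosts over audited shell and
// SFTP only, nobody else reaches those hosts, and the rest of the estate gets
// audited shell, SFTP and tunnels but no X11 forwarding.
var SamplePolicy = Policy{
	{Name: "deny-direct-root", User: "root"},
	{Name: "dba-to-pci-db", User: "dba", Host: ".pci.example.net", Allow: true,
		Channels: map[string]ChannelPolicy{
			ChanShell: {Allow: true, Audit: true},
			ChanSFTP:  {Allow: true, Audit: true},
		}},
	{Name: "pci-others-denied", Host: ".pci.example.net"},
	{Name: "staff-general", Host: ".example.net", Allow: true,
		Channels: map[string]ChannelPolicy{
			ChanShell:  {Allow: true, Audit: true},
			ChanSFTP:   {Allow: true, Audit: true},
			ChanTunnel: {Allow: true, Audit: true},
			ChanX11:    {Allow: false},
		}},
}

func main() {
	for _, c := range []struct{ user, host string }{
		{"root", "db1.pci.example.net"}, {"dba", "db1.pci.example.net"},
		{"ops", "db1.pci.example.net"}, {"ops", "web1.example.net"}, {"guest", "host.other.org"},
	} {
		d := SamplePolicy.Evaluate(c.user, c.host, []string{ChanShell, ChanTunnel, ChanX11})
		fmt.Printf("%s@%s -> rule=%q allowed=%v channels=%v audited=%v\n",
			c.user, c.host, d.Rule, d.Allowed, d.Channels, d.Audited)
	}
}
```

Because evaluation stops at the first match, rule order is the policy: the deny rule for other users reaching PCI hosts must sit above the general staff rule, and a channel that a rule does not mention is denied rather than inherited from a later rule. That "first match wins, everything else denied" shape is what makes such a policy reviewable line by line.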

Compliance:
With a primary focus on PCI-DSS, CryptoAuditor is well equipped to support the compliance requirements of the largest enterprises. The table below depicts the primary points related to controlling, monitoring and auditing privileged user access. Although CryptoAuditor touches upon numerous sections of PCI-DSS, for the purpose of this white paper we focus only on Requirement 10: Track and monitor all access to network resources and cardholder data.

PCI-DSS Requirement:
10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.4 Invalid logical access attempts
10.2.5 Use of identification and authentication mechanisms
10.2.7 Creation and deletion of system level objects

CryptoAuditor Solution:
Automatically deny certain usernames (e.g., root) from accessing protected servers. Control who can use a specific username to access the server.
Controls and audits the remote access actions of administrators on destination servers. Every action of the administrator is visible in the audit trail and sent to the central vault. Automatically processes and indexes the contents of the audit trails, creates reports of the results, and creates customized reports based on selected keywords or other conditions. Stored audit trails can be accessed only by users who have the required rights. Downloading of audit trails is visible in the system logs. Encrypts audit trails with multiple encryption keys. Automatically logs all denied attempts to access remote servers or specific protocol channels. Logs the type of authentication used.

PCI-DSS Requirement:
10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource

CryptoAuditor Solution:
Records all of these data and other metadata (e.g., type of authentication) about users accessing the protected servers using the supported protocols. Authenticates users with their normal usernames, making it possible to tie connections that use generic (e.g., Administrator) usernames to real accounts.

PCI-DSS Requirement:
10.5 Secure audit trails so they cannot be altered
10.5.1 Limit viewing of audit trails to those with a job-related need
10.5.2 Protect audit trail files from unauthorized modifications
10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN
10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection systems (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).

CryptoAuditor Solution:
Audit trails are encrypted using strong encryption methods and stored on a central vault appliance physically independent of the audited servers. Audit trails can only be downloaded by users who have the required privileges. Downloaded audit trails can be viewed only if the user has the required encryption key or keys. The upstream traffic of the communication (the part that may contain passwords or other sensitive information) can be encrypted separately, and is displayed only if the additional encryption key is available. Supports both legacy BSD-syslog and the latest IETF-syslog protocols, and can send the log messages to the log server via mutually authenticated and TLS-encrypted connections. Automatically indexes the contents of the recorded audit trails and creates custom reports. Content of audited traffic can be forwarded to an external IDS/DLP system. The database storing the metadata about audit trails remains available even after the actual audit trails have been archived.
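The "Real-time auditing capabilities with proactive alerting" passage in the Risk section and the 10.3 row above describe the same pipeline from two angles: every recorded action carries the six 10.3 fields, pre-defined searches run continuously over the indexed content, and a hit is pushed to the SIEM over syslog. The Go program below is an added example of that pipeline, not CryptoAuditor's own code or output format: the rule shapes, the RFC 5424 rendering with the 10.3 fields as structured data, and the sample events and rules are all constructed for the illustration (a failed-logon rule is included to show how 10.2.4 is covered by the same mechanism).

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuditEvent carries the six PCI-DSS 10.3 fields for one recorded action,
// plus the indexed content the ongoing searches run over.
type AuditEvent struct {
	User     string    // 10.3.1 user identification
	Type     string    // 10.3.2 type of event
	Time     time.Time // 10.3.3 date and time
	Success  bool      // 10.3.4 success or failure indication
	Origin   string    // 10.3.5 origination of event (client address)
	Resource string    // 10.3.6 affected system component
	Content  string    // indexed session text (typed commands, OCR'd screen)
}

// AlertRule is one pre-defined ongoing search. It fires when any keyword
// appears in the content, or, with OnFailure set, when the event failed.
type AlertRule struct {
	Name      string
	Keywords  []string
	OnFailure bool
	Severity  int // syslog severity 0 (emergency) .. 7 (debug)
}

func (r AlertRule) Matches(e AuditEvent) bool {
	if r.OnFailure && !e.Success {
		return true
	}
	text := strings.ToLower(e.Content)
	for _, k := range r.Keywords {
		if strings.Contains(text, strings.ToLower(k)) {
			return true
		}
	}
	return false
}

const facilityLocal0 = 16

// sdEscape applies the RFC 5424 escaping for structured-data parameter values.
var sdEscape = strings.NewReplacer(`\`, `\\`, `"`, `\"`, `]`, `\]`)

// Syslog renders one alert as an RFC 5424 message with the 10.3 fields in a
// structured-data element, ready for a SIEM to parse without regexes.
func Syslog(r AlertRule, e AuditEvent, hostname string) string {
	outcome := "success"
	if !e.Success {
		outcome = "failure"
	}
	return fmt.Sprintf(`<%d>1 %s %s cryptoauditor-example - %s [audit user="%s" event="%s" outcome="%s" src="%s" resource="%s"] %s`,
		facilityLocal0*8+r.Severity, e.Time.UTC().Format(time.RFC3339), hostname, r.Name,
		sdEscape.Replace(e.User), sdEscape.Replace(e.Type), outcome,
		sdEscape.Replace(e.Origin), sdEscape.Replace(e.Resource), e.Content)
}

// Scan runs every rule over every event in arrival order and returns the
// syslog lines that would be forwarded.
func Scan(rules []AlertRule, events []AuditEvent, hostname string) []string {
	var alerts []string
	for _, e := range events {
		for _, r := range rules {
			if r.Matches(e) {
				alerts = append(alerts, Syslog(r, e, hostname))
			}
		}
	}
	return alerts
}

// Constructed sample rules and events for this example.
var SampleRules = []AlertRule{
	{Name: "cardholder-data-query", Keywords: []string{"from cards", "cardholder", "track2"}, Severity: 2},
	{Name: "audit-log-tampering", Keywords: []string{"/var/log/audit", "auditctl", "history -c"}, Severity: 2},
	{Name: "failed-privileged-logon", OnFailure: true, Severity: 4},
}

var SampleEvents = []AuditEvent{
	{User: "jsmith", Type: "ssh-shell", Time: time.Date(2012, 5, 14, 9, 2, 11, 0, time.UTC), Success: true,
		Origin: "10.0.5.23", Resource: "db1.pci.example.net", Content: "psql -c 'select pan from cards' > /tmp/out.csv"},
	{User: "jsmith", Type: "ssh-shell", Time: time.Date(2012, 5, 14, 9, 3, 40, 0, time.UTC), Success: true,
		Origin: "10.0.5.23", Resource: "db1.pci.example.net", Content: "rm -rf /var/log/audit/*"},
	{User: "root", Type: "ssh-auth", Time: time.Date(2012, 5, 14, 9, 5, 2, 0, time.UTC), Success: false,
		Origin: "203.0.113.9", Resource: "db1.pci.example.net", Content: "password authentication failed"},
	{User: "ops", Type: "ssh-shell", Time: time.Date(2012, 5, 14, 9, 6, 30, 0, time.UTC), Success: true,
		Origin: "10.0.5.40", Resource: "web1.example.net", Content: "tail -f /var/log/app.log"},
}

func main() {
	for _, a := range Scan(SampleRules, SampleEvents, "hound1") {
		fmt.Println(a)
	}
}
```

Two design points matter for the 10.5 rows as well: the message is generated by the capture point, not by the audited server, so an administrator who disables logging on the target cannot suppress it, and the 10.3 fields travel as named structured-data parameters so the receiving log server can store and search them without parsing free text.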

Conclusion
Cost, risk and compliance form the perfect storm of requirements for managing strong authentication, control and auditing of privileged user access and other operational data streams. Satisfying them in the past has often meant unpleasant tradeoffs: changes to administrator workflows and to the tools used in their daily work, changes to network topology which cost time and money, and difficulty meeting compliance initiatives related to PCI-DSS, SOX, HIPAA and others in a timely manner. CryptoAuditor enables packet inspection of both SSH and RDP encrypted traffic. It is a powerful tool for auditing and troubleshooting secured connections, enabling effective preventive security and forensics while ensuring accountability throughout your critical business environment. It makes it possible to reach strict compliance goals while cost-effectively raising and maintaining the security level of your operational environment. For more information on CryptoAuditor, please visit www.ssh.com
