Organizations that make use of SSH keys for secure access to servers should be aware that they may need to make some changes soon when it comes to managing any of their networks related to payment-card processing, according to the CEO of SSH Communications security, Tatu Ylonen.
That’s because the next version of the Payment Card Industry (PC) standard to be published in early November, PCI v.3, is expected to include some new guidance on authentication and remote access to any network segment that processes or stores payment cards that could impact use of Secure Shell (SSH) cryptographic technology, Ylonen says.
“Key access clearly can be used in a PCI environment,” Ylonen notes. “But key access across from a boundary forces problems.” Any organization storing or processing payment cards must follow the PCI standard’s requirements for network security.
SSH keys are often used for automated machine to machine security and SSH keys grant access with a password, Ylonen notes. Boundaries for PCI networks define segments in which card storage or processing takes place — often called PCI network “scope” — and it must conform to PCI requirements as defined in the PCI Data Security Standard (DSS) published by the PCI Security Standards Council.
Ylonen says he is encouraging systems administrators — the individuals often responsible for setting up SSH key management for enterprise networks — to start discussions about the upcoming PCI DSS v.3 standard with those in their organization most involved in making sure there will be PCI compliance. These individuals might be chief security officers, CIOs or internal auditors, for example. From what he’s seen of the draft of the PCI v. 3 standard, Ylonen says, “the rules themselves are good but guidance is vague.”
TEST: Tectia 4.0 from SSH
Ylonen says any enterprise using SSH must be sure exactly how SSH has been deployed. In large organizations, use of SSH keys has sometimes not been managed sufficiently and has become sprawling, he acknowledges. Some large financial institutions, for example, have over 1.5 million authorized SSH keys but sometimes “80% to 90% are just forgotten,” he points out.
Ylonen has embarked in recent weeks on a vigorous campaign to convince the PCI Data Security Standards Council to tweak the upcoming PCI v. 3 standard to clarify the machine-to-machine use of SSH and the PCI boundary “scope” question related to SSH.
Ylonen has come out strong on this in the last few weeks in a last-minute push, says Troy Leach, CTO at the council.
Bob Russo, the council’s general manager, notes that Ylonen publicly discussed his concerns at the recent conference on PCI the council organized, and has also met privately with council members. The draft of the PCI v. 3 standard is still subject to change before its expected issuance on Nov. 7, Russo pointed out. Russo says the council is still “tweaking” the draft PCI v. 3 standard before it is issued. More input is expected over the next weeks from businesses and vendors in Europe and Asia as well.
Leach says as far as SSH is concerned, the PCI v.3 standard for card-processing environments is intended to “fix bad implementations of SSH.” The council wants to make sure SSH is used appropriately in a secure way. The issue of a password “was a big focal point” in discussions with Ylonen, who appears to want some changes in PCI v. 3 related to SSH and passwords that would give SSH Communications Security more leverage, Leach says, adding, “What he wants is for us to include more prescriptive language” about SSH that is technical in nature that would be relevant to the banking industry.
Russo and Leach point out that there is much more to the upcoming PCI v.3 standard than just guidance that might impact SSH.
A new requirement expected out in PCI. v. 3 relates to network segmentation for cardholder data environments and requires validation of that segment by a form of penetration testing, says Leach. There will also be more emphasis on secure development life cycle, as well as some “common sense requirements” how point-of-sale terminals are set up in shared areas. The overall PCI “guidance” that was previously more separate from the simple list of requirements will be woven into the standard as column explaining the intent of requirements.
Russo says once the final PCI v. 3 rule is published in November, it becomes effective on Jan. 1, 2014 but companies are allowed to continue using the PCI v. 2 standard for payment-card security until Dec. 31, 2014 at the latest.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org