Scheduled for release in May, SSH Risk Assessor (SRA) is a free tool from SSH Communications Security, that will enable auditors and security teams to collect and report on SSH-related access compliance issues. The company, which invented the widely-used secure shell and SFTP protocols for data-in-transit security, said the unmanaged proliferation of SSH user keys has emerged as a major cybersecurity risk, leaving organizations vulnerable to attack and in violation of current and emerging compliance mandates including SOX, PCI, NIST & FISMA.
The tool allows organizations to quantify the risk they are facing, Tatu Ylonen, CEO and founder of the Helsinki, Finland -based company. “Most organizations are not forward-looking enough to invest in security until something happens… [but a] loss of defence in depth can be catastrophic in terms of cyber warfare.”
Companies with current encryption initiatives involving enterprise key management have found that the combined difference in costs avoided plus costs saved provided an advantage of nearly $100 per end user per year over those that did not. The percentage of overall IT security spending dedicated to encryption has also increased, almost doubling from 10% to 18%.
The SRA report highlights known vulnerabilities in the environment, basic statistics on SSH keys deployed and specific violations of best current practices. “With compliance authorities preparing to create specific requirements regarding access controls in SSH environments, SRA is a critical tool that will help auditors and security teams scope the size of the issue and create awareness with IT executives,” stated Ylonen.
The company has more than 3,000 customers globally, but there are more than 10,000 companies with more than 10,000 staff. All of them need encryption and encryption management, but that will require a lot of education, said the Ylonen.
The SRA tool features include:
-Access Compliance identifies organization-specific compliance status with relevant standards;
-Access Governance assesses actions needed to achieve compliance; and,
-SSH Key Discovery provides problem-scope capabilities to provide an understanding of the current state of the secure shell environment.