SSH Communications Security, the company that invented the Secure Shell (SSH) protocol for data in transit, announced on Tuesday that it will be making its SSH Risk Assessor (SRA) tool freely available via download from its Web site. The SRA acts as a discovery and reporting tool, taking a snapshot of an SSH environment to identify where possible mismanaged keys exist.
“Widespread mismanagement of Secure Shell keys – including lack of centralized creation, rotation and removal – has left organizations vulnerable to attack and in violation of current and emerging compliance mandates,” the official press release said. “The SRA tool gives security auditors and administrators valuable decision support with respect to identity and access governance in SSH environments. The tool report highlights known vulnerabilities in the environment, basic statistics on SSH keys deployed and specific violations of best current practices.”
Matthew McKenna, executive vice president and chief operating officer of SSH Communications Security, said in the official press release that the tool will help companies determine which keys living in their environment could potentially provide access to those who shouldn’t have it.
“Our customers are some of the biggest banks and organizations in the world. When we surveyed them, none had any idea that their network environments were home to over 100,000 lost Secure Shell keys providing root access to their most sensitive data. They had no way to discover how many lost keys they had, no way to find where they were, and no way to know how much risk they were taking on as a result,” said McKenna.
“With the release of the free SRA tool, we are making it quick and easy for major enterprises, governments, and financial institutions to get a clear snapshot of the level of risk in their Secure Shell environments, giving them the first step toward remediation,” he added.
Jason Thompson, director of global marketing for SSH Communications Security, tells Security Management this tool provides for a critical step in the process of identity access management, which can help companies secure their networks against potential insider threats and the loss of sensitive corporate information.
“The first step in the process is first determine if you have an issue, so first we want [companies] to have this free tool they can deploy,” he said, “and then they look at the report, and they say, 'okay, here’s a snapshot of our environment, here’s the issues that we have, here are some compliance issues and security issues.'”
Thompson emphasizes that SSH Communications Security has made deploying the Risk Assessor tool a streamlined process, one that doesn’t put a strain on a company’s existing IT infrastructure. “Other tools require deployment of an agent. You can imagine the size of an SSH environment and the number of different people who have ownership over different parts of that environment,” Thompson explains. “Getting that together can be a major project, versus just throwing something out there, getting a quick snapshot, pulling the same information in the environment–but obviously without having to put together an entire project team.”
Other tools from the company are available for a price, such as the SSH Universal Key Manager and the CryptoAuditor.