The unmanaged proliferation of SSH user keys has emerged a major cyber security risk for enterprises and government agencies of all types and sizes. Lack of proper key management – including centralized creation, rotation and removal – leaves organizations vulnerable to attack and in violation of current and emerging compliance mandates including SOX, PCI, NIST & FISMA.
SRA enables internal and external audit and security teams to quickly collect SSH key information across the environment and provides an assessment of risk exposure.
The tool report highlights known vulnerabilities in the environment, basic statistics on SSH keys deployed and specific violations of best current practices. The SRA tool gives security auditors and administrators valuable decision support with respect to identity and access governance in SSH environments.
"Companies are being flagged for compliance violations under general guidelines relating to SSH access control," said Tatu Ylönen, CEO and founder of SSH Communications Security. "SRA provides an easy way for enterprises and government agencies to determine if there are risk and compliance issues with respect to who has access to what information in their SSH environment. With compliance authorities preparing to create specific requirements regarding access controls in SSH environments, SRA is a critical tool that will help auditors and security teams scope the size of the issue and create awareness with IT executives."
SSH Risk Assessor key facts:
Access compliance: Identifies organization-specific compliance status with relevant standards
Identity and access governance: Assesses actions needed to achieve compliance
SSH Risk Assessment: Industry-first key location and risk-assessment technology available for free
SSH key discovery: Provides broad problem-scope capabilities to provide an understanding of the current state of the Secure Shell environment .
SRA will be available in May 2013, you can request it here (registration required).
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.