[Info-vax] Variable declarations, was: Re: improving EDT
David Froble
davef at tsoft-inc.com
Thu Nov 24 04:21:40 EST 2016
Kerry Main wrote:
>> -----Original Message-----
>> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf Of Paul Sture via Info-vax
>> Sent: 23-Nov-16 5:49 PM
>> To: info-vax at rbnsn.com
>> Cc: Paul Sture <nospam at sture.ch>
>> Subject: Re: [Info-vax] Variable declarations, was: Re: improving EDT
>>
>> On 2016-11-23, Kerry Main <kemain.nospam at gmail.com> wrote:
>>> Based on this conversation, this is a timely article from earlier
>>> today:
>>>
>>> How to Protect the Encryption Keys to Your Kingdom
>>> http://bit.ly/2g3fxw4
>>>
>>> "Tatu Ylönen, CEO and founder of SSH Communications Security, was
>>> clearly frustrated as we talked over lunch. “Why can’t I get through
>>> to them,” he asked, almost rhetorically. Ylönen was expressing a level
>>> of dismay common in the security industry.
>>> Getting senior management to invest in security can be a daunting
>>> task."
>>>
>>> Original will wrap:
>>> http://www.eweek.com/security/how-to-protect-the-encryption-keys-to-your-kingdom.html
>> Heheh. I stumbled across a video by Tatu on this subject just last
>> week.
>>
>> A much more detailed account of the ssh key management
>> problem can be found here on Tatu Ylönen's company website:
>>
>> <https://www.ssh.com/iam/ssh-key-management/>
>>
>> --- start quote ---
>> We have worked with many companies, including several global
>> top-10 banks, leading retailers, and other large Fortune 500
>> companies. Based on our findings, most organizations:
>>
>> - Have extremely large numbers of SSH keys - even several million -
>>   and their use is grossly underestimated
>> - Have no provisioning and termination processes in place for
>>   key based access
>> - Have no records of who provisioned each key and for what purpose
>> - Allow their system administrators to self-provision permanent
>>   key-based access - without policies, processes, or oversight.
>>
>> In the case of one representative customer, we went through a
>> quarter of their IT environment as part of a major SSH key
>> management project. They had five million daily logins using SSH,
>> most of them using SSH keys for automation. We analyzed 500
>> business applications, 15000 servers, and found three million SSH
>> keys that granted access to live production servers. Of those, 90%
>> were no longer used. Root access was granted by 10% of the keys.
>> --- end quote ---
>>
>
> Which then begs the question: "is SSH and associated key management a truly supportable security solution to a large scale problem?"
>
> Support complexity and the ability to handle it is a critical consideration when deploying any new solution.
>
> Given the scenario described, one could argue that this is actually a very insecure solution because it provides a false sense of security.
Well, yes, most of today's "security" is a false sense of security.
When someone says "we're using SSL" the assumption is that everything is OK.
But is it? Last I read, TLS V1.2 is the only version that hasn't had problems.
Now I'm sure that just about everyone wants a "solution" that they just use. As
the above shows, a solution is only as good as the usage of the solution. Like
it or not, it comes down to capable people closely managing whatever security.
But good people aren't cheap. Too bad, as the Fram oil filter man says, you
pays me now, or, you pays much more later.
Just the way things are. Live (or die) with it.
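As an added example (my own code, not from this thread, ssh.com or eWeek), here is the kind of small inventory job the quoted findings call for: it parses authorized_keys files the way sshd does (including quoted option values such as command="..."), fingerprints each key in the form sshd writes to "Accepted publickey" log lines, and counts root-account keys, keys without from=/command= restrictions, keys never seen authenticating in the collected log, and keys with no owner comment. All paths, key blobs, comments and the log line are constructed sample data.

```python
import base64
import hashlib
import re
KEY_TYPE = re.compile(r"(ssh|ecdsa-sha2|sk)-")  # ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, sk-...
def fingerprint(blob):
    # "SHA256:..." exactly as sshd prints it in "Accepted publickey" log lines
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
def split_options(line):
    # Split off the optional leading options field, honouring double-quoted values (command="..." may contain spaces and commas)
    if KEY_TYPE.match(line):
        return [], line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return re.findall(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+', line[:i]), line[i + 1:].lstrip()
    return [], ""  # options with no key after them: malformed, sshd ignores the line
def parse_authorized_keys(path, text):
    # One record per usable key: where it lives, its fingerprint, its options and its comment.
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or not KEY_TYPE.match(parts[0]):
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:
            continue  # not base64: sshd rejects such a line too
        yield {"path": path, "fp": fingerprint(blob), "options": opts,
               "comment": parts[2] if len(parts) > 2 else ""}
def audit(files, auth_log):
    # Inventory every key and count the conditions the ssh.com findings describe.
    keys = [k for p, t in files.items() for k in parse_authorized_keys(p, t)]
    seen = set(re.findall(r"Accepted publickey .*?(SHA256:\S+)", auth_log))
    return {"total": len(keys),
            "root": sum(k["path"].startswith("/root/") for k in keys),
            "unrestricted": sum(not any(o.startswith(("from=", "command=")) for o in k["options"]) for k in keys),
            "unused": sum(k["fp"] not in seen for k in keys),        # never authenticated in the log window
            "no_owner": sum(not k["comment"] for k in keys)}         # comment is often the only owner record
# Constructed sample data: ed25519-shaped blobs (not real keys), made-up paths, comments and log line.
K1, K2, K3 = (base64.b64encode(b"\0\0\0\x0bssh-ed25519\0\0\0\x20" + bytes([s]) * 32).decode() for s in (1, 2, 3))
SAMPLE_FILES = {
    "/root/.ssh/authorized_keys": f"ssh-ed25519 {K1} backup@batch\n"
        f'command="/usr/bin/rrsync /srv/backup",no-pty,from="10.1.2.3" ssh-ed25519 {K2} dr-sync\n',
    "/home/app/.ssh/authorized_keys": f"# legacy deploy key\nssh-ed25519 {K3}\n"}
SAMPLE_LOG = ("Nov 23 17:49:01 host sshd[4242]: Accepted publickey for root from 10.1.2.3 "
              f"port 50022 ssh2: ED25519 {fingerprint(base64.b64decode(K2))}\n")
```

Run on real data by reading every user's authorized_keys file into the dict and feeding the concatenated auth log of the period you care about; `audit(SAMPLE_FILES, SAMPLE_LOG)` on the sample reports 3 keys, 2 on root, 2 unrestricted, 2 unused and 1 without an owner comment.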