Forthcoming PCI changes will bring challenges for payment card network community

PCI version 3.0, expected in November, is expected to include changes affecting remote access to payment-card processing and storage, says SSH Communications Security CEO Tatu Ylonen

Tatu Ylonen

Organizations that use SSH keys for secure access to servers should know that they may soon need to make some changes when it comes to managing any payment-card processing networks they are associated with, according to SSH Communications Security CEO Tatu Ylonen.

That’s because the next version of the Payment Card Industry (PCI) standard, PCI v.3, to be published in early November, is expected to include some new guidance on authentication and remote access to any network segment that processes or stores payment cards, which could affect the use of Secure Shell (SSH) cryptographic technology, Ylonen says.

“Key access obviously can be used in the PCI environment,” Ylonen notes. “But key access from across the boundary raises the question.” Any organization that stores or processes payment cards must follow the network security requirements of the PCI standard.

SSH keys are often used for automated machine to machine security and SSH keys grant access with a password, Ylonen notes. Boundaries for PCI networks define segments in which card storage or processing takes place — often called PCI network “scope” — and it must conform to PCI requirements as defined in the PCI Data Security Standard (DSS) published by the PCI Security Standards Council.

Ylonen says he is encouraging systems administrators — the individuals often responsible for setting up SSH key management for enterprise networks — to start discussions about the upcoming PCI DSS v.3 standard with those in their organization most involved in making sure there will be PCI compliance. These individuals might be chief security officers, CIOs or internal auditors, for example. From what he’s seen of the draft of the PCI v. 3 standard, Ylonen says, “the rules themselves are good but guidance is vague.”

Ylonen says any enterprise using SSH must be sure exactly how SSH has been deployed. In large organizations, use of SSH keys has sometimes not been managed sufficiently and has become sprawling, he acknowledges. Some large financial institutions, for example, have over 1.5 million authorized SSH keys but sometimes “80% to 90% are just forgotten,” he points out.

Ylonen has mounted a vigorous campaign in recent weeks to persuade the PCI Security Standards Council to adjust the upcoming PCI v. 3 standard so that it clarifies the question of machine-to-machine use of SSH and how SSH relates to PCI boundary “scope.”

Ylonen has come out strong on this in the last few weeks in a last-minute push, says Troy Leach, CTO at the council.

Bob Russo, the council’s general manager, notes that Ylonen publicly discussed his concerns at the recent conference on PCI the council organized, and has also met privately with council members. The draft of the PCI v. 3 standard is still subject to change before its expected issuance on Nov. 7, Russo pointed out. Russo says the council is still “tweaking” the draft PCI v. 3 standard before it is issued. More input is expected over the next weeks from businesses and vendors in Europe and Asia as well.

As far as SSH is concerned, Leach says, the intent of the PCI v. 3 standard for card-processing environments is to “correct bad implementations of SSH.” The council wants to make sure SSH is used properly as a secure method. The password question “is a big focus” in discussions with Ylonen, who appears to want certain changes in PCI v. 3 related to SSH and passwords that would give SSH Communications Security more leverage, Leach adds. “What he wants is for us to include more prescriptive language” about SSH that is technical in nature and would be relevant to the banking industry.

Russo and Leach point out that there is more to the upcoming PCI v. 3 standard than just guidance that could affect SSH.

A new requirement expected in PCI v. 3 relates to network segmentation for cardholder data environments and requires validation of that segmentation by a form of penetration testing, says Leach. There will also be more emphasis on the secure development life cycle, as well as some “common sense requirements” about how point-of-sale terminals are set up in shared areas. The overall PCI “guidance,” previously kept more separate from the plain list of requirements, will be woven into the standard as a column explaining the intent of each requirement.

Russo says once the final PCI v. 3 rule is published in November, it becomes effective on Jan. 1, 2014 but companies are allowed to continue using the PCI v. 2 standard for payment-card security until Dec. 31, 2014 at the latest.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
