News

OpenSSH Supporter Positive on Microsoft's Contribution to the Protocol

• By Kurt Mackie
• 07/09/2015

Microsoft has made waves in recent history by showing support for OpenSSH, the open source protocol, which adds security around remote server access and file transfers.

Microsoft has its own proprietary Remote Desktop Protocol (RDP), but that hasn't stopped the company from embracing OpenSSH. For instance, last month, Microsoft was accepted as a contributor to the OpenSSH community, meaning that it will contribute code and integrate OpenSSH into its Windows client and server operating systems, enabling PowerShell to work with OpenSSH. And this week, The OpenBSD Foundation, the Canadian nonprofit that steers OpenSSH development, acknowledged that Microsoft is now its "first-ever Gold contributor." Microsoft gave between $25,000 and $50,000 to the foundation as a Gold contributor. Facebook, Google and 2Keys Security Solutions are Silver contributors to The OpenBSD Foundation, with contributions ranging between $10,000 and $25,000.

One of the companies with a lot to say about OpenSSH is SSH Communications Security, which now celebrates its 20th anniversary. The company's founder, Tatu Ylönen, pioneered the OpenSSH protocol, but ever since then, SSH Communications Security has specialized in products that support using SSH protocols, adding management, security and compliance controls.

Helsinki, Finland-based SSH Communications Security has its own enterprise-grade SSH product, called "Tectia SSH," for Windows, Unix and Linux systems. It also has a Universal SSH Key Manager product for maintaining control over keys. Its CryptoAuditor product lets IT pros look inside a remote session to help stem data breaches. There's also a Tectia MobileID product that's embedded in CryptoAuditor, which adds two-factor authentication. MobileID is one of the only solutions that can wrap around Microsoft's RDP, the company claims.

I spoke this week with Matthew McKenna, chief commercial officer at SSH Communications Security, to get the basics about OpenSSH, and to hear what Microsoft's embrace of it might mean. What follows is an edited Q&A.

Microsoft is now contributing to the SSH protocol, but company officials have said this was its third try. Why is Microsoft now accepted as a contributor?
McKenna: Probably the one word answer would be that culture and leadership at Microsoft has changed in terms of openness to things outside, and in the open source community. Also, open source is so prevalent in today's IT community. For Microsoft, as one of the grand players in this space, it makes sense for them to embrace it to some degree. SSH Communications Security has our own commercial version of SSH for Windows on servers and clients, but we totally welcome this interest of Microsoft. It's giving the recognition that SSH is a widely used protocol across enterprises and having it natively supported on Windows will only serve to make customer lives a little easier. It doesn't change the fact that some enterprises still have a non-open source type of policy inside their environments, and that still leaves market space and areas for SSH Communications Security's commercial version of SSH to play.

It's been possible to use OpenSSH with Windows before, so what's different now with Microsoft as a contributor?
I think an OpenSSH variant of Windows will ease that interconnectivity on the midrange between Windows and Linux. There are commercial tools out there for this interconnectivity and customers now will, over the long term, have that natively embedded.

Microsoft's support for OpenSSH seems to be partly to support using PowerShell with Linux servers -- is that kind of the idea?
If you think about it, SSH is an administrator's tool. It's quick. It allows you to do things in a command-line way. And RDP is a graphical type of interface, which is a different type of user experience. And if you talk with Unix administrators, they primarily work through command-line tools and scripting. So, to be able to do those same types of things that you do on Linux environments with SSH, if you are able do that in a native way on the Windows side, I think that will be a welcome thing for administrators and add interoperability between the platforms of Windows and Linux.

How widely is SSH used?
Every single Unix and Linux box out there comes preinstalled with SSH. It is one of the three most widely used protocols in the world. It's not as well known as SSL, but it is probably right after SSL the most widely used protocol in the world, especially in terms of on-premises and machine-to-machine connectivity. It's sitting in the majority of network devices out there. Sitting in the majority of motherboards of most computers is SSH. It sits on 50 percent of the world's Web servers. It's considered plumbing for most organizations -- it's just there -- but at the same time organizations have kind of neglected the management of the access around it.

What sort of scenarios are we seeing for using SSH?
What we actually see in our deployments out there with our customers, especially in the large financial and government sectors, is that about 80 percent of the access out there is machine-to-machine connectivity. And that's only increasing as we move through this transformation into the cloud-based environment and the whole world of IoT [Internet of Things].

So OpenSSH creates private and public keys, but the issues are around the management of those keys?
The challenge isn't in the protocol itself. The issues are around the access of the protocol. If you think of a pipe from the client side to the server side, you have key-based authentication being used, whether that's for an interactive session or a machine-to-machine session. And the challenge in the enterprise space is they don't have visibility and they don't usually keep inventories of the keys that are out there in the environment. They don't monitor how these keys are being used. They don't lock these keys down encrypted into a special location. And they don't usually have a standardized set of policy and practice about how keys are being set up in terms of what kind of encryption is being used, what kind of force commands may be used with the key, and even basic things like IP share restrictions from one machine to another machine. So we've been helping our customers get all of those challenges under control.

Has SSH Communications Security mostly built its products to help with the management aspects of using the SSH protocol?
[The inventor of OpenSSH] created this protocol to gain remote access from the outside to his computer at the university as well as to be able to have the ability to send files securely across. So that's the two basic principles of the SSH protocol: secure remote access management and secure file transfer. How we've evolved over the last few years is, in discussion with our customers, we've noted that the challenges related to SSH are primarily twofold. How do I manage the access around SSH from the perspective of the individual user who's using this for remote access management? [And] How do I also manage the access for that key-based authentication for machine-to-key connectivity where I may be pushing files between machines? The other challenge that we've seen now coming up with the likes of all of the funny stuff that's happened with Snowden and whatnot in the past is how do I actually manage what happens in an encrypted context, and how do I gain some control, monitoring and auditing capabilities of the encrypted channel? And so these have been kind of the key areas where SSH Communications Security has been helping its customers over the last couple of years and how we've evolved as an organization.

Reports citing documents leaked by Edward Snowden have claimed that the National Security Agency has broken SSH encryption. What's the view on that?
It's hard to know what the NSA has access to. I think it goes to the one side of concerns potentially of open source protocols like SSH and SSL is that the code base can be contributed to through multiple parties potentially. And, of course, that gives risk that these can have inherent weaknesses. I actually haven't heard that SSH has been cracked by NSA, so I wasn't familiar with that directly, but you never know. If you ask the question directly, "Has SSH been cracked," then the answer is, "No, it has not been cracked."

Do the tools offered by SSH Communications Security compete somewhat with Microsoft's Remote Desktop Protocol (RDP) and Azure Active Directory?
We've opened ourselves to the open source community and much of what we do is we help our customers manage access around their OpenSSH environments. So we're agnostic about the variations of SSH out there, whether it's OpenSSH, Tectia SSH, Attachmate, Centrify, Quest -- all of these different variations. We want to manage the access challenges around SSH for key-based authentication and encrypted sessions. So, actually, with some of our solutions, we have the capability to manage and control and monitor and audit those remote administrative sessions that are coming through RDP now. So we've actually extended our protocol reach outside of SSH and into the likes of RDP, as well as SSL now, to give ourselves a wider hold on the access management space.

So, SSH Communications Security solutions can be used with Microsoft's RDP then?
Yes, our CryptoAuditor solution to monitor, control and audit encrypted sessions can be used to monitor, control and audit RDP as well.

Are the tools of SSH Communications Security cloud enabled?
We're trying to bring a trifecta of access management together. So you have privileged access management as a Gartner quadrant, you have identity access management as a Gartner quadrant and you have cloud access security brokerage as a Gartner quadrant. And basically, SSH is trying to bring these concepts together in terms of SSH access management. So our tools are basically already enabled to manage access from on-premises through the cloud and horizontally across the cloud. We've actually just launched our CryptoAuditor solution on Amazon Web Services. With CryptoAuditor, we have the capability to monitor, control and audit SSH, RDP and SSL sessions that are coming to and from the cloud and between clouds, and we can do that as an Amazon instance.

Can you use SSH Communications Security products for all kinds of identity and access management?
We're a subset of the identity and access management space. If you go look at traditional analyst coverage of this, SSH key management is now just coming into the privileged access space as a channel that should be addressed. So, we're not a full-blown IAM player, but we've partnered with the IAM players to enhance their solutions to add ownership of IAM authentication in the environment for interactive users and machine-to-machine connections.