Security in the world of machine-to-machine (M2M) communications is a mess, according to Tatu Ylönen, founder and CEO of SSH Communications Security in Helsinki, Finland.
Ylönen told me as we met over breakfast near Washington, D.C., that few IT managers and even fewer C-level managers really have an inkling of the security risks posed by M2M communications, which run constantly in their businesses every day.
Ylönen, who is the inventor of the Secure Shell security protocol, said the vast majority of communications between servers, virtual machines and even within virtualized environments use authentication that takes advantage of Secure Shell public keys and the SSH protocol.
He explained that nearly all communications controlled by applications to retrieve or process data, exchange data with other applications or even communicate between different parts of applications use SSH authentication. Likewise, the devices in the Internet of things authenticate their presence on the Web using SSH.
Now, Ylönen's company has received the results of a study by Forrester Consulting that examines how widely M2M communications are used in companies. The study found that virtually all companies use M2M communications in some way, and well over half, 62 percent, expect that use to increase.
In addition, more than half of all financial institutions use M2M for billing in some way, while more than half of all companies use it for logistics and customer service.
The problem, according to Ylönen and to the survey, is that only a few companies realize that M2M communications have a critical role in security, even among companies that say data security is a top priority.
What they don't realize, he said, is that the keys to secure communications used by M2M processes can provide unfettered access to the servers or other devices with which they connect. In other words, you can gain access to your data systems using an SSH key at the same level as you could with an administrator password.
"Managers aren't paying attention," he said. Ylönen said he thinks that part of the problem is that many businesses base their security on what's required to pass an audit, and not necessarily what's required to keep information secure. "They have to fill out a checklist," he said.
Furthermore, most auditors have no idea how to determine what sort of access is granted by SSH communications, he said. User names and passwords are relatively easy to manage and audit; by contrast, auditors in general seem to have no appreciation or understanding of the access available to M2M communications that use SSH keys.
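The access a key grants is recorded in its authorized_keys entry: a key with no command= or from= option is a full login for that account, from anywhere. As an added example (not from the article or from SSH Communications Security), the following Python inventory parses a constructed authorized_keys sample and reports, per key, the forced command, the permitted source addresses and whether it allows an interactive login, which is the inventory an auditor would want before judging what an M2M key can reach.

```python
import re

# Constructed authorized_keys sample; key blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
# backup job: forced command, one source host, no pty or forwarding
command="/usr/local/bin/rsync-backup",from="10.0.0.5",no-pty,no-port-forwarding ssh-ed25519 AAAAC3Nz...EXAMPLE1 backup@jobhost
ssh-rsa AAAAB3Nz...EXAMPLE2 app-deploy@ci
restrict,from="192.0.2.0/24" ssh-ed25519 AAAAC3Nz...EXAMPLE3 monitor@probe
"""

# Key type, key blob, optional comment; everything before the type is options.
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")
# One option: a run of non-comma characters, with commas allowed inside "quotes".
OPT_RE = re.compile(r'(?:[^,"]|"[^"]*")+')

def parse_entry(line):
    """Describe one authorized_keys entry; return None if it does not parse."""
    m = KEY_RE.search(line)
    if not m:
        return None
    options = [o.strip() for o in OPT_RE.findall(line[: m.start()]) if o.strip()]
    values = {}
    for opt in options:
        name, _, val = opt.partition("=")
        values[name] = val.strip('"') if val else True
    return {
        "type": m.group(1),
        "comment": m.group(3) or "",
        "options": options,
        "forced_command": values.get("command"),   # None: any command the account can run
        "allowed_sources": values.get("from"),     # None: accepted from any address
        # Without command= the key gives the account's full shell access.
        "interactive_login": "command" not in values,
    }

def audit(text):
    """Parse every non-comment line; lines that do not parse are kept for review."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(parse_entry(line) or {"unparsed": line})
    return entries

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS):
        print(e.get("comment", "?"), "full login" if e.get("interactive_login") else "restricted",
              e.get("allowed_sources") or "from any address")
```

Run over a real host's authorized_keys files (one per account, root included), the entries with interactive_login set and no allowed_sources are the ones equivalent to an unmonitored administrator password.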