How Joyous keeps SSH keys secure for transferring people data via SFTP
This document is only relevant for organisations who send Joyous a CSV people data file via SFTP. If your people data is transferred via a system integration such as Microsoft Entra ID, the transfer is secured by the Entra ID API.
A number of internationally recognised standards exist for the management of keys used in SSH-based access management. This article summarises the key recommendations of the following National Institute of Standards and Technology (NIST) publications, and notes how Joyous adheres to each:
- NISTIR 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH)
- NIST SP 800-131A: Transitioning the Use of Cryptographic Algorithms and Key Lengths
- NIST SP 800-57: Recommendation for Key Management: Part 1 – General
1. AWS Security and Compliance
Joyous SFTP servers are managed by Amazon Web Services (AWS) through AWS Transfer Family, which also manages the SFTP host key. According to the AWS Security & Compliance documentation:
- AWS Transfer Family is compliant with PCI-DSS, GDPR, FedRAMP, and SOC 1, 2, and 3. The service is also HIPAA eligible
- AWS Transfer Family is FISMA compliant
AWS Transfer Family supports the following clients:
- OpenSSH (macOS and Linux)
- WinSCP (Microsoft Windows only)
- Cyberduck (Windows, macOS, and Linux)
- FileZilla (Windows, macOS, and Linux)
2. Secure SSH Implementation
NISTIR 7966 makes a number of recommendations regarding secure SSH implementations, including the following:
a. Disable SSH v1 protocol
AWS enforces this practice on all infrastructure used by Joyous.
b. Disable unapproved authentication methods
Joyous applies the TransferSecurityPolicy-2018-11 security policy to its AWS Transfer Family server. An AWS Transfer Family security policy is an explicit allow-list: it names the SSH key exchange, cipher, MAC and host key algorithms the server will negotiate, and anything not named is disabled. TransferSecurityPolicy-2018-11 is the oldest of the policies AWS publishes; AWS has since released stricter policies that drop older algorithms, so the choice of policy is worth revisiting periodically.
c. Prevent implicit access
SSH-accessible accounts and groups (including root) are limited. All Joyous SFTP users assume a role that is permitted only the following S3 object actions:
- PutObject
- GetObject
- DeleteObjectVersion
- DeleteObject
- GetObjectVersion
d. Use approved ciphers
The ciphers the SFTP server will negotiate are those listed in the security policy above; AWS maintains and publishes that list.
e. Enforce SSH inactivity timeouts
AWS enforces SSH inactivity timeouts on connections to the SFTP server.
f. Use the least privileged access model
Each Joyous SFTP user is confined to their own home directory.
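Items c and f above describe a scoped-down access model: only five S3 object actions, and only inside the user's home directory. The following is an added example, not Joyous or AWS code, of how that model is written down as an AWS Transfer Family session policy and how a small linter can catch a policy that grants more. The `${transfer:...}` variables are the per-user policy variables AWS substitutes at session time; the linter's rules, the bucket layout and the over-broad counter-example are this example's assumptions.

```python
"""Least-privilege check for an AWS Transfer Family SFTP user policy.

Added example (not Joyous or AWS code). It writes the access model described
above as an IAM session policy, allowing only the five S3 actions listed and
only under the user's home directory, and lints a policy document for
anything broader. The ${transfer:...} variables are the ones AWS substitutes
per user in a Transfer Family session policy; the linter's rules and the
over-broad counter-example are this example's assumptions.
"""
import json

# The only actions the page lists for the SFTP role, with the s3: prefix IAM uses.
ALLOWED_ACTIONS = {
    "s3:PutObject",
    "s3:GetObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteObject",
    "s3:GetObjectVersion",
}

# Per-user policy variables that AWS resolves when the session starts.
HOME_VARIABLES = ("${transfer:HomeDirectory}", "${transfer:HomeFolder}", "${transfer:UserName}")

# Constructed policy that confines each user to their own home directory.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        }
    ],
}

# Constructed counter-example: every S3 action on every bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings for Allow statements; an empty list means it passes."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"action {action!r} is outside the approved set")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith("arn:aws:s3:::"):
                findings.append(f"resource {resource!r} is not an S3 ARN")
            elif not any(var in resource for var in HOME_VARIABLES):
                findings.append(f"resource {resource!r} is not confined to a per-user home prefix")
    return findings


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(f"{name}: {lint_policy(policy) or 'OK'}")
    print(json.dumps(SCOPED_POLICY, indent=2))
```

The linter deliberately treats any action outside the page's five as a finding, so a policy that needs something extra (for example `s3:ListBucket` for directory listings) surfaces as a conscious decision rather than slipping in silently.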
3. SSH key properties
Joyous advises all its clients that keys and passphrases should be generated in accordance with industry standards, including NISTIR 7966.
In addition, Joyous adheres to the following:
a. No environment crossing
NISTIR 7966 recommends that the same keys not be used across different environments, so that a compromise in one environment cannot lead to a compromise in another.
Joyous does not reuse a customer's keys between different environments.
b. Key cycling
Joyous supports the replacement of keys on client request.
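A practitioner receiving a customer's public key wants a concrete check that it meets the key-property recommendations above before it is loaded against an account. The following is an added example, not Joyous code: it parses an OpenSSH public key line, decodes the SSH wire-format blob to find the algorithm and key size, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and applies a policy. It goes slightly beyond the text by handling DSA and ECDSA keys as well as RSA and Ed25519. The policy thresholds (DSA rejected, RSA at least `MIN_RSA_BITS` = 3072, Ed25519 and NIST P-curve ECDSA accepted) and the sample keys are this example's assumptions; NIST SP 800-131A sets 2048 bits as the floor for RSA, and 3072 is the size NIST SP 800-57 associates with 128-bit security strength.

```python
"""Check an OpenSSH public key against a key-strength policy.

Added example, not Joyous code. Parses the public key line a customer would
send (type, base64 blob, comment), decodes the blob's SSH wire format to find
the algorithm and key size, computes the OpenSSH SHA256 fingerprint, and
applies a policy. MIN_RSA_BITS and the sample keys are this example's
assumptions; SP 800-131A sets 2048 bits as the floor for RSA.
"""
import base64
import hashlib
import struct

MIN_RSA_BITS = 3072  # example policy; SP 800-131A permits >= 2048
ACCEPTED_ECDSA = {"ecdsa-sha2-nistp256": 256, "ecdsa-sha2-nistp384": 384,
                  "ecdsa-sha2-nistp521": 521}


def _read_string(buf, off):
    """Read one SSH 'string' (4-byte big-endian length followed by bytes)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length


def _mpint_bits(raw):
    """Bit length of an SSH 'mpint' (big-endian two's complement, positive here)."""
    return int.from_bytes(raw, "big").bit_length()


def parse_public_key(line):
    """Return {type, bits, fingerprint, comment} for one authorized_keys-style line."""
    fields = line.split(None, 2)
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(b64)
    blob_type, off = _read_string(blob, 0)
    if blob_type.decode() != key_type:
        raise ValueError("key type in text does not match the blob")
    if key_type == "ssh-rsa":            # blob: type, mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = _mpint_bits(n)
    elif key_type == "ssh-dss":          # blob: type, mpint p, q, g, y
        p, _ = _read_string(blob, off)
        bits = _mpint_bits(p)
    elif key_type == "ssh-ed25519":      # blob: type, string of 32 bytes
        bits = 256
    elif key_type in ACCEPTED_ECDSA:     # blob: type, curve name, point
        bits = ACCEPTED_ECDSA[key_type]
    else:
        raise ValueError(f"unsupported key type {key_type}")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint, "comment": comment}


def check_key(line):
    """Apply the policy; returns (accepted, reason)."""
    info = parse_public_key(line)
    if info["type"] == "ssh-dss":
        return False, "DSA keys are disallowed"
    if info["type"] == "ssh-rsa" and info["bits"] < MIN_RSA_BITS:
        return False, f"RSA modulus is {info['bits']} bits, policy requires {MIN_RSA_BITS}"
    return True, f"{info['type']} {info['bits']}-bit {info['fingerprint']}"


# --- Constructed sample keys (not real customer keys) ------------------------
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the two's-complement value positive
    return _string(raw)


def _key_line(key_type, body, comment):
    blob = _string(key_type.encode()) + body
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_ED25519 = _key_line("ssh-ed25519", _string(bytes(range(32))), "alice@example.com")
SAMPLE_RSA_3072 = _key_line("ssh-rsa", _mpint(65537) + _mpint((1 << 3071) | 1), "bob@example.com")
SAMPLE_RSA_1024 = _key_line("ssh-rsa", _mpint(65537) + _mpint((1 << 1023) | 1), "legacy@example.com")
SAMPLE_DSS = _key_line("ssh-dss", _mpint((1 << 1023) | 1) + _mpint((1 << 159) | 1)
                       + _mpint(2) + _mpint(3), "old@example.com")

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA_3072, SAMPLE_RSA_1024, SAMPLE_DSS):
        accepted, reason = check_key(sample)
        print("ACCEPT" if accepted else "REJECT", reason)
```

A customer generating a key that passes this policy would run `ssh-keygen -t ed25519` (or `ssh-keygen -t rsa -b 4096`) and set a passphrase when prompted; `ssh-keygen -lf <key>.pub` prints the same size and SHA256 fingerprint this parser produces, which is the value to record when the key is loaded.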
4. Continuous monitoring and auditing
a. Keep a baseline of authorised keys and periodically match actual keys against expected
Joyous keeps a register of the customers using its SFTP servers. When a customer stops using the SFTP server, Joyous revokes that customer's SSH key.
b. Usage logging
NISTIR 7966 recommends logging key fingerprints for activity on the SSH server.
Joyous records the user account in its SFTP activity logs, which, together with the public keys loaded against each account, identifies the SSH key used.
Joyous does not currently use IP whitelisting but adheres to the other recommended practices of NISTIR 7966.
c. SSH key lifecycle
NISTIR 7966 recommends that keys which have had no activity for a prolonged period be revoked, and that keys be used only from approved locations.
Joyous regularly reviews and re-authorises SSH keys. Keys that are no longer in use are revoked.
Joyous logs all SFTP server activity and periodically checks each customer's data integration. If no transfer has occurred for some time, Joyous asks the customer whether they are still using the SFTP server.
5. SFTP access control
Only Security Administrators have access to the SFTP server configuration where public keys are loaded against user accounts.
In addition, Joyous follows a structured process to add new users to the Joyous SFTP server.
6. Automate processes
NISTIR 7966 recommends that organisations with many SSH keys automate the addition and removal of keys, because keeping the key inventory correct by hand becomes increasingly difficult as the number of keys grows.
Joyous currently has a manageable number of SSH keys, and can revoke or replace a customer's SSH key promptly when required.
7. Educate executive management
NISTIR 7966 recommends that management and engineering teams understand the importance of SSH keys.
The Joyous team that manages SSH keys is made aware of the importance of the keys and of the severity of their compromise. Joyous educates anyone who becomes involved in handling SSH keys.
Joyous also limits access to the SSH keys to a set number of team members.