SSH Key Management

How Joyous keeps SSH keys secure for transferring people data via SFTP

This document is only relevant for organisations who send Joyous a CSV people data file via SFTP. If your people data is transferred via a system integration such as Microsoft Azure Active Directory, the transfer is secured by the Microsoft Azure API.

A number of internationally recognised standards exist for the management of keys for SSH-based access management to ensure security. This article summarises key recommendations from the following standards from the National Institute of Standards and Technology (NISTR), and notes how Joyous adheres to each:

  • NISTR 7966
    Security of Interactive and Automated Access Management Using Secure Shell (SSH)
  • NISTR SP 800-131A
    Transitioning the Use of Cryptographic Algorithms and Key Lengths
  • NISTR SP 800-57
    Recommendation for Key Management: Part 1 – General

1. AWS Security and Compliance

Joyous SFTP servers are managed by Amazon Web Servers (AWS), including the management of the SFTP host key. According to AWS Security & Compliance documentation:

  • AWS Transfer Family is compliant with PCI-DSS, GDPR, FedRAMP, and SOC 1, 2, and 3. The service is also HIPPA eligible
  • AWS Transfer Family is FISMA compliant

AWS Transfer Family supports the following clients:

  • OpenSSH (macOS and Linux)
  • WinSCP (Microsoft Windows only)
  • Cyberduck (Windows, macOS, and Linux)
  • FileZilla (Windows, macOS, and Linux)

2. Secure SSH Implementation

NISTR 7966 makes a number of recommendations regarding secure SSH implementations, including the following:

a. Disable SSH v1 protocol

AWS enforces this practice on all infrastructure used by Joyous.

b. Disable unapproved authentication methods

Joyous uses the TransferSecurityPolicy-2018-11 for the transfer security policy. The policy explicitly specifies the allowed authentication methods and disables all other unapproved methods.

c. Prevent implicit access

SSH accessible accounts and groups (including root) are limited. All Joyous SFTP users assume a role which is only able to perform the following set of actions:

  • PutObject
  • GetObject
  • DeleteObjectVersion
  • DeleteObject
  • GetObjectVersion

d. Use approved ciphers.

AWS maintains a list of approved ciphers for the SFTP server.

e. Enforce SSH inactivity timeouts.

AWS enforces SSH inactivity timeouts when connected to the SFTP server.

f. Use least privileged access model.

Joyous SFTP users are bound to their home directory.

3. SSH key properties

Joyous recommends and communicates to all its clients that keys and passphrases should be generated in accordance with the recommendations of industry standards including NISTR 7966.

In addition, Joyous adheres to the following:

a. No environment crossing

NISTR 7966 recommends that the same keys are not uses in different environments. Compromise in one environment should not result in compromise in another environment.

Joyous does not use the same customer keys between different environments.

b. Key cycling

Joyous supports replacement of keys on client request.

4. Continuous monitoring and auditing

a. Keep a baseline of authorized keys and periodically match actual keys against expected

Joyous keep a log of customers using our SFTP servers. When a customer no longer uses our SFTP server Joyous will go through a process of terminating the SSH key.

b. Usage logging

NISTR 7966 recommends logging key fingerprints based on activity on the SSH server.

Joyous logs the user when logging SFTP activity, which allows Joyous to track the SSH key used.

Joyous does not currently use IP whitelisting, but adheres to the other recommended practices of NISTIR 7966.

c. SSH key lifecycle

NISTR 7966 recommends keys which have had no activity for prolonged amount of time should be revoked. Keys should be used from approved locations.

Joyous regularly reviews and reauthorizes SSH keys. Keys that are no longer in use are terminated.

Joyous logs all SFTP server activity. Joyous periodically check customers data integration. If no integration has been done after a period of time, Joyous will enquire whether the customer is still using the SFTP server.

5.  SFTP access control

Only Security Administrators have access to the SFTP server where public keys are loaded against user accounts.

In addition, Joyous follows a structured process to add new users to the Joyous SFTP server.

6. Automate processes

NISTR 7966 recommends with many SSH keys to have a system to automate removal and addition of SSH keys. This is due to it becoming increasingly difficult to ensure that the inventory of the keys is correct.

Joyous currently have a manageable number of SSH keys. Joyous can easily revoke/change customer SSH keys when required to do so.

7.  Educate executive management

NISTR 7966 recommends that management and engineering teams understand the importance of SSH keys.

The Joyous team that manages SSH keys are made aware of the importance of SSH keys and the severity if there were to be exploited. Joyous ensures to educate whoever becomes involved in the handling of SSH keys.

Joyous also ensures that only a set number of team members have access to the SSH keys.