Who is Managing Your SSH Keys?

Andrew Gabel
by Andrew Gabel 16 Jan, 2023
When IT staff leave your organization, do they keep their administrative access? You better hope not. 

An SSH key is an access/authentication credential in the SSH protocol (Secure Socket Shell network protocol). Its function is similar to that of user names and passwords, but the keys are primarily used for automated processes and for implementing single sign-on by system administrators or those assigned higher levels of user access. 

According to recent research from Venafi, however, even though SSH keys provide a high level of administrative access, they are routinely "untracked, unmanaged and poorly secured". Venafi's data revealed that eighty-one percent of respondents acknowledge they do not have a complete and accurate inventory of all SSH keys. If retailers do not know where and how they are managing their SSH keys, the report suggests that they cannot determine if any have been stolen, misused or should not be trusted. And that, of course, is a problem - particuarly as personal and financial information is in jeopardy. Some other key findings from the study include: 

+ Over a third (thirty-five percent) of respondents admit they do not actively rotate keys, even when administrators leave their organizations. This can allow former employees ongoing privileged access to critical and sensitive systems.

+ Just thirty-five percent of respondents rotate SSH keys at least quarterly; Thirty-seven percent said they don't rotate these keys at all or only do so occasionally. Attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.

+ Thirty-eight percent of respondents do not restrict the number of SSH administrators, which allows an unlimited number of users to generate SSH keys across large numbers of systems. Access to unrestrained assets and control leaves retailers without a clear view of SSH keys and no insight into the trust relationships established by SSH keys.

"Retail companies rely on an assortment of connected machines that most other industries don't use," said Nick Hunter, senior digital trust researcher for Venafi. "These machines house lucrative financial information, which makes retailers, and their transactions, prime targets for cyber criminals. Simply put, retailers face unique and significant machine identity threats. To protect their customers and their critical business data, retailers need a strong SSH governance program that provides them with complete visibility of all their SSH keys."