Skip to main content
banner image
venafi logo

10 Steps to Successful SSH Machine Identity Management

10 Steps to Successful SSH Machine Identity Management

10-steps-to-ssh-machine-identity-management
October 27, 2021 | Scott Carter

Secure communications between machines are essential to the success of every enterprise. But how do you keep the identities of your machines safe when your administrators are adding machines and changing them every day? To build your own Secure Shell (SSH) machine identity management program, there are specific steps you need to take. These steps enable your organization to protect all the SSH machine identities you’re using today, and to keep up with the growing number of machines your enterprise will need moving forward.

Do You Know How Many SSH Certificates You Have? Find Out Now!
1. Discover All Your SSH Machine Identities

You need to control all SSH machine identities in your environment, including who they belong to and what they’re used for. But first you must find them. A mix of discovery mechanisms and flexible reporting capabilities helps make this task run as quickly and smoothly as needed to find SSH keys across the enterprise.

2. Map All Trust Relationships

By running solid discovery, creating an inventory, and mapping SSH keys pairs, you get a clear overview of all SSH keys and trusted relationships, including users, hosts, and configuration options. Automatically importing trust relationship data into an existing privilege access management system for review leverages existing processes and facilitates an accurate review and tracking of approvals for access granted through SSH keys.

3. Identify and Remove

Any Orphaned and Duplicate Private Keys Implement a continuous proactive approach that scans for orphaned keys, monitors for duplicate key usage, and frequently replaces keys. Mapping all trust relationships also helps you identify any orphaned, shared, or duplicate keys that need to be removed — ideally by using automation. This step can have a big effect on the overall security posture of your enterprise environment and prevent further damage.

4. Implement Clearly

Defined SSH Key Management Policies To prevent the compromise of a key used by an authorized user, you should configure access controls on identity keys to restrict access to the interactive user or to the automated process to which they’ve been assigned. For automated processes, policies should define guidelines for assigning access to administrative staff responsible for managing identity keys.

5. Assign Ownership and Monitor Usage

One of the best ways to prevent the misuse of SSH machine identities is to understand who’s using them. That’s why it’s important that you assign ownership of all access granting keys and monitor and analyze key-based access usage.

Specifically, your organization should conduct SSH audits for compliance violations, assessing risk, and increasing accountability for identity and access management.

6. Control SSH Identities

Because SSH provides remote access into systems, it’s critical that access be tracked and controlled. Many organizations don’t have centralized oversight and control of SSH, so the risk of unauthorized access is increasing.

7. Control SSH Configuration and Known Host Files to Prevent Any Tampering

If you aren’t properly controlling and hardening the configuration of your SSH environment, cyber criminals can use SSH to bypass security mechanisms. An otherwise useful administrative short cut, such as enabling port forwarding, can leave your organization vulnerable. Malicious insiders or cyber criminals can use these authorized connections to bypass firewalls.

8. Enforce Inventory and Remediation Policies

Be prepared to respond quickly when there’s an issue with your SSH environment — removing unauthorized keys, replacing old keys, or enforcing security controls that limit the accessibility and use of SSH keys. Ideally, your organization should automate these and pair them with your identification tools. Doing so helps ensure consistent policy enforcement of SSH key life cycle management.

9. Establish Continuous Monitoring and Audit Process

Just as any part of the IT infrastructure, usage of SSH machine identities should be continuously monitored and reported on —monthly, weekly, or even daily. Building a set of metrics and sharing them with your peers on risk and information security teams help create a mindset and perhaps an incentive to building out stronger SSH policies. It also creates a trackable record of all changes to your organization’s SSH assets.

10. Automate the Whole Process

Time and resources are precious commodities for security operations teams. Automated capabilities like “single-click” machine-assisted key rotation, scheduled bulk cleanup of out-of-policy keys, or self-service managed key generation for system admins should be put into place to improve efficiencies, tighten security, and reduce errors introduced by manual processes.
 

How Can I Get Started?

SSH Protect, a vital part of the Venafi Trust Protection Platform, is your centralized solution to all things machine identity management. Not only can you discover and manage all your SSH certificates and keys, take control of your TLS certificates, code signing, and more!

Related Posts

Take Control of Your Machine Identities Now With Venafi!
Like this blog? We think you will love this.
how ssh works
Featured Blog

How Secure Shell (SSH) Keys Work

How it works SSH is a type of network protocol that creates a cryptographically secure

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more