Best Practices for Multi-Cloud SSH Key Management

The SSH protocol and keys have become a critical security component of digital transformation. Organizations are increasingly migrating IT infrastructure to the cloud and developing apps and services using DevOps methodologies.

Digital strategies were accelerated during 2020 as a response to the challenges introduced by the coronavirus pandemic. As Gartner points out in its recently published Hype Cycle for Identity and Access Management Technologies 2020, “For many enterprises, the global pandemic has compressed years-long strategic change into months, even weeks. For others, it has forced them to adopt approaches that they’d previously been cautious about.”

SSH key management is becoming more complex

Systems administrators use SSH keys as trusted machine identities, which are critical to the success of digital business initiatives. The number of SSH keys owned by businesses has skyrocketed following the increase in the number of machines that must be managed and protected—including mobile devices, virtual machines, APIs, algorithms and containers. However, the increase of SSH machine identities has created new challenges, since SSH keys are difficult to manage and secure because they never expire and are rarely removed.

These business developments together with the adoption of multiple cloud platforms underline the importance of effective SSH key management in the cloud. However, each cloud provider treats these SSH keys differently, increasing the complexity in managing the keys, which is more evident when businesses adopt multi-cloud environments. For example, cloud service providers allow users to either generate new keys or use an existing key pair, while SSH access is configured and managed differently in each cloud environment. As a result, while SSH keys are easy to generate, it is becoming harder to keep an updated inventory of keys and their trust relationships.

Businesses fail to protect their SSH keys in the cloud

The overarching principle in cloud security is the Shared Responsibility principle. Although some security responsibilities, especially those of protecting the underlying infrastructure, have shifted from the customer to the cloud service provider, it is always the customer’s responsibility to manage, maintain and protect their data, the encryption keys and the SSH keys. To do so, businesses need to ensure consistency of control, policies and visibility across multiple cloud platforms.

Despite their importance, a Venafi study highlighted that CIOs do not understand the scale or potential impact of the security risks connected with their SSH keys:

• 68% of CIOs admit that managing SSH will only become more difficult as digital transformation accelerates.
• Although 96% of CIOs have developed policies that require the removal of SSH keys when employees are terminated or transferred, 40% of them don’t have automated ways to remove unused keys.
• Enterprises have an average of more than 3,000 SSH shared private keys, which is a clear deviation from established best practices.
• Enterprises have an average of more than 10,000 root access orphan keys that can act as backdoors for malicious actors to penetrate the corporate networks and spread SSH malware.

Lack of SSH keys governance

The key point highlighted in the Venafi survey of 550 CIOs is that there is a growing disconnect between policy and practice. This disconnection is evident from the number of duplicate shared keys, as well as the volume of SSH root access and root access orphan keys on the corporate networks.

The biggest challenge organizations are facing to make their SSH machine identity management programs effective is the lack of required capabilities.

• Lack of visibility. The lack of visibility into the entire SSH keys ecosystem results in failure to acquire the continuous intelligence necessary to understand and mitigate SSH keys risks, monitor and detect anomalies, or achieve and sustain compliance with security and privacy regulations and frameworks.
• Lack of automation. Organizations tend to rely on manual, error prone and time-consuming procedures instead of leveraging automated solutions to streamline and secure SSH key lifecycles and respond quickly to imminent threat events that may impact business-critical assets.

The impact of these gaps in SSH key lifecycle management will become even more essential as organizations migrate more workloads to multiple clouds and utilize more SSH keys to automate routine tasks.

Best practices for multi-cloud SSH key management

Organizations need to take back control of their SSH keys and below are industry-recommended best practices to help organizations. As you will notice, the secret to these best practices is “automation.”

• Discover all SSH machine identities in the environment. Make this discovery a continuous process to ensure complete SSH inventory by using an automation solution.
• Determine the ownership and use cases for every SSH key leveraging automation.
• Automate the mapping of all trust relationships to users and machines to identify and remove any orphaned, shared or duplicate keys.
• Control and manage SSH identities and authorized keys with the help of automation.
• Control SSH configuration files and known hosts files using automated processes to prevent any tampering.
• Automate the enforcement of clearly defined SSH key management policies and audit against them.

The effective establishment of these best practices require a comprehensive SSH machine identity management solution that provides full visibility and leverages automation to manage and enforce policies. Venafi’s SSH Protect discovers where SSH keys are in your environments, as well as the strengths or weaknesses of their configurations. Automated SSH key lifecycle management empowers you to secure and streamline your SSH keys and the connections they enable.
 

Related posts

• Venafi Study: CIOs Massively Underestimate SSH Risks [Do You?]
• 5 Common SSH Weaknesses Revealed by SSH Risk Assessments
• Lemon_Duck and FritzFrog: The Latest Cryptominers Using SSH to Target Servers in the Cloud
• Attacks on Linux Servers in the Cloud—The Rise of SSH-Abusing Malware