The SSH protocol and keys have become a critical security component of digital transformation. Organizations are increasingly migrating IT infrastructure to the cloud and developing apps and services using DevOps methodologies.
Digital strategies were accelerated during 2020 as a response to the challenges introduced by the coronavirus pandemic. As Gartner points out in its recently published Hype Cycle for Identity and Access Management Technologies 2020, “For many enterprises, the global pandemic has compressed years-long strategic change into months, even weeks. For others, it has forced them to adopt approaches that they’d previously been cautious about.”
Systems administrators use SSH keys as trusted machine identities, which are critical to the success of digital business initiatives. The number of SSH keys owned by businesses has skyrocketed following the increase in the number of machines that must be managed and protected—including mobile devices, virtual machines, APIs, algorithms and containers. However, the increase of SSH machine identities has created new challenges, since SSH keys are difficult to manage and secure because they never expire and are rarely removed.
These business developments together with the adoption of multiple cloud platforms underline the importance of effective SSH key management in the cloud. However, each cloud provider treats these SSH keys differently, increasing the complexity in managing the keys, which is more evident when businesses adopt multi-cloud environments. For example, cloud service providers allow users to either generate new keys or use an existing key pair, while SSH access is configured and managed differently in each cloud environment. As a result, while SSH keys are easy to generate, it is becoming harder to keep an updated inventory of keys and their trust relationships.
The overarching principle in cloud security is the Shared Responsibility principle. Although some security responsibilities, especially those of protecting the underlying infrastructure, have shifted from the customer to the cloud service provider, it is always the customer’s responsibility to manage, maintain and protect their data, the encryption keys and the SSH keys. To do so, businesses need to ensure consistency of control, policies and visibility across multiple cloud platforms.
Despite their importance, a Venafi study highlighted that CIOs do not understand the scale or potential impact of the security risks connected with their SSH keys:
The key point highlighted in the Venafi survey of 550 CIOs is that there is a growing disconnect between policy and practice. This disconnection is evident from the number of duplicate shared keys, as well as the volume of SSH root access and root access orphan keys on the corporate networks.
The biggest challenge organizations are facing to make their SSH machine identity management programs effective is the lack of required capabilities.
The impact of these gaps in SSH key lifecycle management will become even more essential as organizations migrate more workloads to multiple clouds and utilize more SSH keys to automate routine tasks.
Organizations need to take back control of their SSH keys and below are industry-recommended best practices to help organizations. As you will notice, the secret to these best practices is “automation.”
The effective establishment of these best practices require a comprehensive SSH machine identity management solution that provides full visibility and leverages automation to manage and enforce policies. Venafi’s SSH Protect discovers where SSH keys are in your environments, as well as the strengths or weaknesses of their configurations. Automated SSH key lifecycle management empowers you to secure and streamline your SSH keys and the connections they enable.