Why is effective SSH machine identity management so critical now? Machines across your organization are using SSH keys to identify themselves to one another and ensure secure communications, particularly in the cloud. Many digital transformation initiatives involve migrating to the cloud, and many cloud servers rely on SSH for protection. However, SSH is notoriously difficult to manage because SSH machine identities, unlike SSL/TLS machine identities, never expire and are rarely removed.
This difficulty has resulted in an epidemic of unmanaged keys across most large enterprises. According to Venafi Risk Assessments, enterprises have, on average, one root access orphan key per every server and one shared SSH private key for every two servers. Shared private keys—where users share a given SSH key with other users—are an ideal cover for malicious intent. Edward Snowden purportedly stole and leaked classified NSA files leveraging shared private keys.
Root access orphan keys are even more dangerous. Because they have root access and are untraceable without the help of specialized technologies, root access orphan keys serve as backdoors for all types of nefarious conduct. Specialized (and often commoditized) SSH malware like TrickBot, Kobalos, Hildegard and Pro-Ocean are taking advantage of these many backdoors to steal data and turn servers into botnets, among other risks. And the risks posed by malware that abuses SSH machine identities is growing in tandem with the exponential growth of SSH across the enterprise.
Find out why organizations may be underestimating the substantial risk that SSH keys pose and how auditors can help reduce it at ISACA Conference Europe 2021 | Virtual. On Wednesday, October 20 at 3:25 Helsinki time, Angela Morris, senior product marketing manager for SSH at Venafi, and Nikita Reznik, SSH global architect at Venafi will present on why audits can be the most effective way to measure the impact of SSH key management programs. In their session entitled, How Can Auditors Help Organizations with SSH Key Risk?, Morris and Reznik will explore the role audits can play in demonstrating SSH risk to organizations and how auditors can help organizations improve their security.
The number of SSH keys across most large organizations numbers in the millions, with no sign of slowing as organizations move more and more workloads to the cloud. And although some organizations have SSH policies and key management programs in place, many still don’t. As a result, many organizations underestimate the number of SSH keys they have in their network—often by as much as 100% or more. According to Reznik, organizations rarely have a handle on their total SSH key population because most of them lack complete visibility into their inventories.
Much of that is due to the difficulty in managing so many keys without specialized technologies to support them. Organizations lack the proper tools that can provide them with visibility into their entire SSH key population to see the risks posed by orphaned or misused keys, let alone the automation capabilities to enforce key governance policies. For example, an organization may have a policy in place that calls for immediate revocation and removal of SSH keys associated with terminated or reassigned employees, but they won’t be able to consistently enforce this policy unless they can automate the actions that support such a policy.
Arguably, the most effective way of getting organizations to establish and improve their SSH machine identity management program is regulations that require them to have effective governance, including clear and enforceable policies in place. PCI-DSS, HIPAA/HITRUST and FISMA are just a few of the many standards bodies that require companies to perform regular audits of their SSH key management program to prove compliance. When organizations in highly regulated industries, including financial services, healthcare and government, fail to adhere to policies they risk fines and penalties that could imperil their livelihoods.
Attend the Venafi SSH session at ISACA Conference EMEA on Wednesday, October 20 at 3:25 Helsinki time, to learn why audits can help your organization measure the effectiveness of your SSH key management programs.