
SSH Study: Are Retailers Doing Enough to Protect Their SSH Keys?

February 27, 2018 | Emil Hanscom

Retail companies rely on an assortment of connected machines that most other industries don’t use. From credit card terminals to specialized e-commerce services, these machines require unique identities and security.

Secure Shell (SSH) keys are often used to authenticate retail machine identities and, in the process, provide the highest levels of administrative access within retail organizations. However, these powerful assets are routinely untracked, unmanaged and poorly secured. Unfortunately, this makes SSH keys popular targets for cyber criminals.

“Retail machines contain lucrative financial information,” said Nick Hunter, senior digital trust researcher for Venafi. “This makes retailers, and their transactions, prime targets for cyber criminals. Simply put, retailers face unique and significant machine identity threats.”

Venafi recently conducted a study that evaluated how retailers manage and implement SSH in their environments. With participation from 101 IT security professionals from the retail sector, the study reveals a widespread lack of SSH security controls.

For example, 81% of respondents acknowledge they do not have a complete and accurate inventory of all SSH keys. If retailers do not know where their SSH keys are and how they are managing privileged access, it will be difficult to determine if any SSH keys have been stolen, misused or should not be trusted.

Additional highlights from the study:

  • Users have continuing access to critical assets.
    • Over a third (35%) of respondents admit they do not actively rotate keys, even when administrators leave their organizations. This can allow former employees ongoing privileged access to sensitive systems.
  • SSH keys are rarely rotated, if at all.
    • Just 35% of respondents rotate SSH keys at least quarterly; 37% said they don’t rotate these keys at all or only do so occasionally. This means that attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.
  • Unlimited users can generate SSH keys across many systems.
    • 38% of respondents do not restrict the number of SSH administrators, which allows an unlimited number of users to generate SSH keys across large numbers of systems.
  • No port forwarding controls can mean big trouble for retailers.
    • 32% say they do not enforce “no port forwarding” for SSH. Because port forwarding allows users to effectively bypass the firewalls between systems, the lack of these controls can allow a cybercriminal with SSH access to rapidly pivot across network segments.
  • SSH keys are not audited.
    • Over a third (35%) say SSH entitlements are not featured in their Privileged Access Management (PAM) policies and are rarely audited. Without proper auditing and effective SSH security policies, SSH key weaknesses can go undetected, leaving retailers vulnerable to a wide range of cybersecurity attacks.
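
As an added example (not part of the Venafi study or any Venafi product), one way to begin the key inventory and "no port forwarding" checks highlighted above is to parse each `authorized_keys` file, fingerprint every key, and flag entries that still permit forwarding. It assumes OpenSSH's `authorized_keys` option syntax and looks only at per-key options, not `sshd_config`; the function names, key blobs and comments in the sample are constructed for illustration.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names

def split_options(line):
    """Split leading options (values may quote spaces and commas) from the key."""
    if line.split(None, 1)[0].startswith(KEY_TYPES):
        return [], line                       # entry has no options field
    opts, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            quoted = not quoted               # unescaped quote toggles state
        if quoted or ch not in ", \t":
            cur += ch
        elif ch == ",":
            opts.append(cur)
            cur = ""
        else:                                 # unquoted whitespace ends the options
            return opts + [cur], line[i:].strip()
    return opts + [cur], ""

def audit(text):
    """Inventory keys and report whether each entry still allows port forwarding."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split()
        if len(fields) < 2:
            continue                          # malformed entry, no key blob
        allowed = True                        # a bare key inherits the server default
        for name in (o.split("=", 1)[0].lower() for o in opts):
            if name in ("restrict", "no-port-forwarding", "port-forwarding"):
                allowed = name == "port-forwarding"   # last matching option wins
        fp = base64.b64encode(hashlib.sha256(base64.b64decode(fields[1])).digest())
        findings.append({"line": lineno, "type": fields[0], "forwarding": allowed,
                         "fingerprint": "SHA256:" + fp.decode().rstrip("=")})
    return findings

SAMPLE = '''# constructed sample file: key blobs are placeholders, not real keys
ssh-ed25519 Y29uc3RydWN0ZWQx pos-admin@store-01
command="/usr/local/bin/sync, nightly",no-port-forwarding ssh-rsa Y29uc3RydWN0ZWQy batch
restrict,port-forwarding ssh-ed25519 Y29uc3RydWN0ZWQz tunnel-svc
restrict ecdsa-sha2-nistp256 Y29uc3RydWN0ZWQ0 backup'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Entries reported with `forwarding: True` are the ones to review; the fingerprints give a stable identifier for matching the same key across hosts when building the inventory.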

Ultimately, it’s crucial for retailers to secure their SSH assets. “To protect their customers and their critical business data, retailers need a strong SSH governance program that provides them with complete visibility of all their SSH keys,” concluded Hunter.

Are retailers doing enough to protect their SSH keys? 

About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.
