Skip to main content
banner image
venafi logo

Why Is SSH Key Management So Challenging?

Why Is SSH Key Management So Challenging?

why-is-ssh-key-management-challenging
August 4, 2021 | Scott Carter

Even though Secure Shell (SSH) is used for privileged access, most organizations have no inventory of the trust relationships enabled by these SSH machine identities. Many IT organizations haven’t changed or rotated SSH keys because they’re wary of inadvertently increasing the risk of taking down an application if machine-to-machine connections fail.

This concern is largely due to the fact that SSH works through tightly coupled private and public keys. If you update a private key but don’t update all the corresponding authorized public keys, you may cause a critical automated process to stop working. It only takes one of those management meltdowns for IT teams to decide that they never change or touch SSH keys.

Are Your SSH Machine Identities Secured? Find Out Now!
Defining the management challenges

Here are some of the main challenges you may face when you attempt to strengthen your SSH machine identity management program:

  • Difficulty of monitoring SSH usage
    SSH is a valuable security asset because it allows strong encryption. However, once data is encrypted, it becomes expensive for security operations teams to monitor the data inside the encrypted channel. Some security administrators have given up on monitoring SSH completely, and it’s not uncommon to hear comments such as “If it’s encrypted, it must be good.”

     
  • Setting up key life cycle isn’t an IT priority
    Generally speaking, security operations teams aren’t big fans of elaborate approval processes. SSH is no exception. Unfortunately, that includes SSH key life cycles, including obtaining change approvals, assigning, auditing, approving, and rotating SSH keys. Without automated processes, all these life cycle functions can easily become part of an arduous workflow.

     
  • Vendor misconfigurations
    It’s not only your own IT teams that can create SSH vulnerabilities. Many vendors can inadvertently do it by leaving identical manufacturing root keys on the device to be installed. These keys are easy to get to by just opening a new box but can also be found on the internet.

     
  • Rapid adoption of DevOps and cloud
    Development operations (DevOps) teams favor SSH access to enable rapid, frequent, and highly automated build and release processes. To accommodate this, cloud service providers offer fast and easy deployment of application services in cloud environments, but this rapid implementation opens more space for errors and misconfigurations by their users.

    According to a recent report by Unit42, 32 percent of exposed hosts in public clouds have open SSH services, and 47 percent of the SSH servers on Azure virtual machines had password authentication enabled—making them potentially vulnerable to brute- force attacks.
Seeing the consequences of poor management

Management of SSH keys is most often left in the hands of IT administrators who manually manage them for the systems they control, skipping security best practices or using inconsistent policies. Despite the never expiring and sweeping access they grant, SSH keys are left untracked, unmanaged, and unmonitored by most organizations. A continuously growing set of SSH machine identities creates several risks.

  • SSH key sprawl
    A lack of governance in creation and management of SSH keys can lead to the reckless proliferation of keys, which can, in turn, lead to unauthorized access that’s difficult to detect. For instance, SSH keys delivering privileged access can get duplicated or shared between users, making the connections less private and more prone to attacks.

     
  • Lost or stolen SSH keys
    SSH credentials can be stolen or compromised in many ways, such as administrators getting tricked by a phishing attack or a malware using one-day vulnerability, which is slowly extracting data. SSH keys are defined in a file, easy to recognize, and stored on both sides of a connection. As a result, malware or malicious insiders can easily misappropriate keys, opening the door for an intruder to start a privileged SSH administrative session. After an SSH key has left your organization, you’re challenged to limit the exposure, and responding can quickly become expensive.

     
  • Slow incident response processes
    When a security incident occurs, responders need to take action and remove all potential access paths available to the intruder. A dense and uncontrolled mesh of SSH machine identities with hundreds of thousands—if not millions—of keys can be hard to clean up and consumes costly resources, which allows cybercriminals extra time to leverage the privileged access they’ve acquired.

     
  • Understanding the SSH machine identity management challenges
    That is just one of many reasons SSH machine identity management is such a hurdle for organizations. Several factors drive the increased usage of SSH machine identities and the corresponding escalation of management challenges. When these factors aren’t addressed, you may face severe consequences. Understanding these factors on a deeper level will help you overcome them in your own business!

Related Posts

Like this blog? We think you will love this.
all-about-ssh-key-management
Featured Blog

All About SSH Key Management and SSH Machine Identities

SSH is a secure way to initiate remote computer access and en

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more