November 25, 2025

A conversation with SC Media: A Wake-Up Call on SSH Keys and Machine Identities 

In today’s dynamic, cloud-first environments, machine identities (also called non-human identities) now outnumber human identities many times over in many organizations. While identity governance has traditionally focused on users, a growing blind spot has formed around SSH keys and automated credentials that quietly grant access to critical infrastructure.

Recently, our experts had the opportunity to speak with SC Media, unpack the hidden risk of unmanaged SSH keys, and share how organizations can regain visibility and control in a fragmented, high-speed world.

The Machine Identity Problem

While most organizations have robust processes for managing access for users (human identities), machine or non-human identities often operate outside standard IAM policies. To put this into context: every automation tool, container, API client, or vulnerability scanner uses credentials to access resources, and those credentials are typically SSH keys.

The problem? These keys often never expire, are rarely tracked, and can be easily copied or shared, which makes them a ready vehicle for lateral movement by attackers.

Our experts emphasized that SSH keys were originally built as a convenience for admins. In modern DevOps environments, however, they have evolved into automation enablers. This has led to widespread SSH key sprawl, with some organizations holding millions of keys, many of them orphaned, reused, or improperly stored.

Security Implications: The Quiet Threat 

SSH key misuse is not hypothetical. Malware currently exists that actively hunts for SSH keys and tokens on developer and admin endpoints. Once compromised, these credentials allow attackers to move undetected across infrastructure, bypassing traditional PAM tools and circumventing MFA.

One case study our experts shared involved a bank experiencing a costly 12-minute outage after mistakenly revoking a key without full visibility into its dependencies—resulting in a $1.2M trading loss. 

Audits frequently expose the issue. Many organizations turn to SSH Communications Security only after they fail an internal or external audit due to a lack of key inventory, or after discovering they can account for only a fraction of their real access paths.

The risk isn't just operational—it’s also regulatory. PCI DSS, SOX, HIPAA, and cyber insurance mandates increasingly require demonstrable controls over machine access. Companies are wise to proactively address these risks to avoid the costly ramifications of a major disruption or failed audit.  

Rethinking SSH Key Management 

Our experts outlined a pragmatic response to this challenge: 

  • Start with Discovery: Visibility is the foundation. Tools like PrivX Insights can scan hybrid environments and map out existing SSH key usage, even when identities aren’t registered in CMDBs. 
  • Understand Context: Not all keys are equal. The goal is to tie keys back to purpose, origin, and associated systems. 
  • Transition to Ephemeral Credentials: SSH keys should be replaced by short-lived certificates. Unlike keys, certificates include metadata that defines scope, origin, and duration—essential for zero trust enforcement. 
  • Enforce Policy with Zero Trust Principles: Eliminate implicit trust by verifying each connection at the time of use. Context-aware access control ensures that credentials are only valid for defined systems, time periods, and workloads. 
  • Prioritize Risk and Compliance: Organizations should track metrics such as the number of unmanaged keys, key rotation time, and the ratio of ephemeral to static credentials to measure progress.
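As an added example (not code from this post, SC Media, or the PrivX product), the Python below makes the third and fifth bullets concrete: it parses the wire format of an OpenSSH ed25519 certificate to recover the metadata the post describes (the key ID records origin, the principals list defines scope, and the validity window defines duration) and then computes the ephemeral-to-static ratio over a constructed inventory. The 8-hour threshold, the key material, and all names are assumptions made for the demo.

```python
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
MAX_EPHEMERAL_SECS = 8 * 3600  # assumed policy: a lifetime of 8h or less counts as ephemeral

def _s(b):  # encode one SSH wire-format "string" (uint32 length + bytes)
    return struct.pack(">I", len(b)) + b

def build_cert(key_id, principals, valid_after, valid_before):
    """Constructed, unsigned ed25519 certificate line with dummy key material (demo only)."""
    body = (_s(CERT_TYPE.encode()) + _s(b"\x00" * 32) + _s(b"\x11" * 32)   # type, nonce, pubkey
            + struct.pack(">QI", 1, 1) + _s(key_id.encode())               # serial, user cert, key id
            + _s(b"".join(_s(p.encode()) for p in principals))             # valid principals
            + struct.pack(">QQ", valid_after, valid_before)                # validity window
            + _s(b"") + _s(b"") + _s(b"")                                  # crit. options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32)) + _s(b"\x33" * 64))  # CA key, signature
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} deploy-bot@example"

def parse_cert(line):
    """Return origin (key id), scope (principals) and duration fields of a certificate line."""
    kind, b64 = line.split()[:2]
    buf, pos = base64.b64decode(b64), 0
    def rd():  # read the next SSH wire-format string
        nonlocal pos
        n = struct.unpack(">I", buf[pos:pos + 4])[0]
        pos += 4 + n
        return buf[pos - n:pos]
    if kind != CERT_TYPE or rd() != kind.encode():
        raise ValueError("not an ssh-ed25519 certificate line")
    rd(); rd(); pos += 12             # skip nonce, public key, serial (uint64), cert type (uint32)
    key_id = rd().decode()
    pblob, principals = rd(), []
    while pblob:                      # principals are a nested list of strings
        n = struct.unpack(">I", pblob[:4])[0]
        principals.append(pblob[4:4 + n].decode())
        pblob = pblob[4 + n:]
    valid_after, valid_before = struct.unpack(">QQ", buf[pos:pos + 16])
    return {"key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def ephemeral_ratio(inventory):
    """Share of credentials that are short-lived certificates; static key lines count as 0."""
    certs = [parse_cert(l) for l in inventory if l.startswith(CERT_TYPE)]
    short = sum(c["valid_before"] - c["valid_after"] <= MAX_EPHEMERAL_SECS for c in certs)
    return short / len(inventory)

# Constructed inventory: one static (never-expiring) key line and one 1-hour certificate.
INVENTORY = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEstaticKeyNotReal00000000000 legacy-backup@example",
             build_cert("ci-ca/deploy-bot", ["deploy"], 1_700_000_000, 1_700_003_600)]
```

The parser reads metadata only and does not verify the CA signature; on a real host that check is done by sshd against the CA keys listed in TrustedUserCAKeys.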

Mapping a New Approach 

What makes our approach unique is its alignment with Just-In-Time (JIT) and Zero Standing Privileges (ZSP) models. Instead of relying on vaults of long-lived secrets, ephemeral access ensures credentials disappear after use, dramatically reducing the attack surface. 

PrivX also introduces capabilities like device-aware certificate issuance, audit-ready telemetry, and AI-driven reporting that help identity and IT teams build a business case for machine identity governance—before audits or breaches force their hand. 

Final Thoughts 

Managing SSH keys and machine identities isn’t just a basic hygiene task—it needs to be a strategic imperative. As infrastructures grow more complex and attackers get smarter, ephemeral access and automated visibility are no longer “nice to have”—they're foundational to modern cybersecurity. 

For any organization still relying on static SSH keys, now is the time to rethink how access is granted, tracked, and revoked. The shift to passwordless, keyless, and ephemeral access isn’t the future—it’s how we need to secure ourselves in the present. 

Hear the full conversation with SC Media here.

Tag(s): SSH Keys, Zero Trust

Barbara Hoffman

Product Marketing Manager, PrivX ZT Suite at SSH Communications Security
