Your browser does not allow storing cookies. We recommend enabling them.

SSH Key Proliferation

SSH Is Everywhere

Every company in the Fortune 500 uses the SSH (Secure Shell) protocol in their corporate IT infrastructure. The SSH protocol provides secure, trusted access to routers, firewalls, database hosts, application servers, and other networked resources within the corporate infrastructure - both on-premise and in the cloud.

SSH keys are a powerful feature of the SSH protocol that allow administrators, application owners, and developers to securely access these resources remotely. SSH keys also enable secure automated file transfers, remote command execution, and secure the countless automated operations and machine-to-machine transactions that are necessary in large scale corporate network environments.

Millions of SSH Keys Found In Enterprises

The popularity of SSH has lead to a proliferation of SSH keys in corporate networks. We have run thorough scans of customer networks, including large multi-national enterprises, governmental agencies and technology companies. Our research has shown that the number of automated, scripted, or other non-interactive SSH identities typically outnumber human users by a factor of ten. Consequently, the number of deployed SSH keys in vast multi-national networks can be staggering.

In large enterprise networks with 10,000 plus servers we have encountered from one million to over three million SSH keys in circulation. These SSH keys have usually been provisioned over many years, with their ownership and purpose now unknown, yet in many cases they still provide access to whomever was in possession of the corresponding private key.

A situation like this is of course not compliant with common sense, corporate security policy, or regulatory compliance mandates. The issue of unmanaged SSH keys is common, and has become so widespread that it has been identified as “a gaping hole in Identity & Access Management” by IDC.


 

 
What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.



    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH



    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now