CIOs massively underestimate SSH risks

Venafi Risk Assessment team study finds that enterprises average one root access orphan key on every enterprise server, which can act as permanent back doors.

SALT LAKE CITY — January 28, 2020 —  Venafi^®, the inventor and leading provider of machine identity management, today released a new report offering insights into the security risks that poorly protected Secure Shell (SSH) machine identities pose to enterprises. The report compares findings from a survey of 550 CIOs from the United States, United Kingdom, France, Germany and Australia, with unique data and insights from aggregate SSH risk assessments conducted by Venafi SSH security experts.

SSH machine identities are critical to digital transformation strategies, as they authenticate privileged access between machines and are ubiquitous across enterprise networks. While CIOs say they are concerned about the security risks SSH machine identities pose, Venafi data indicates they seriously underestimate the scope of these risks. To better understand the scale of this problem, Venafi surveyed over 550 global CIOs and then compared the survey data with aggregate SSH risk assessments conducted over a two-year time period. The Venafi Risk Assessment team analyzed more than 14 million SSH client keys and 3.3 million SSH host keys and found serious SSH security risks.

Key findings from the report:

• 80 percent of CIOs say they are concerned about the security risks connected with SSH keys. 68 percent recognize managing SSH will only become more difficult as organizations move to modern, cloud-native environments.

• Enterprises average 2.5 root access keys per server analyzed. Root access keys provide the highest levels of access to machines; if a threat actor gains access to root privileges, they can access anything on a remote server, or on multiple servers if the server has been cloned.

• 96 percent of CIOs say their policies require the removal of keys when employees are terminated or transferred, but 40 percent admit they don’t have automated tools to remove unused keys.

• Enterprises have, on average, more than 7,000 root access orphan keys, or at least one root access orphan per every server analyzed. Root access orphan keys bring great security risks for organizations because they can create persistent back doors into networks that can last for months or years.

• Enterprises average 2 duplicate private keys and one shared private key per each server analyzed.A large number of duplicate private keys stems from ineffective or nonexistent enforcement of policies governing the duplication of private keys and limitations on where they are stored.

“SSH keys are extremely powerful assets that require careful protection,” said Kevin Jacque, global security architect for Venafi. “It’s not surprising to find so many severe security risks because we know that most organizations do not use any automation to manage them. Unfortunately, we should expect these gaps in SSH key management to continue to grow as organizations move more workloads to the cloud where SSH keys are used for nearly everything. The only way to address these risks is to put in place a comprehensive SSH machine identity management solution that provides continuous visibility and leverages automation to enforce policies.”

About Venafi

Venafi is the cybersecurity market leader in and the inventor of machine identity management, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, SSH, code signing, mobile and IoT. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise—on premises, mobile, virtual, cloud and IoT—at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With more than 30 patents, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 5000 organizations and government agencies. For more information, visit: www.venafi.com.