SSH: Your Lowest Cost, Highest Risk Tool - Securing SSH Keys in Today’s Enterprise

Tuesday, May 15, 2018 - 11:30am

Generating SSH keys is free, but poor SSH key practices expose businesses to costly risk. It takes just one SSH key for a cybercriminal to access an organization’s network and pivot to gain further access to the most sensitive systems and data.

SSH keys are often used for routine administrative tasks by system administrators, but are also used for secure machine-to-machine automation of critical business functions. However, the SSH keys themselves are often left unprotected. Most organizations leave it up to their system administrators to get and manage their own SSH keys, resulting in an ad hoc process using inconsistent security practices. Many keys are left unused and unmonitored, and some walk out the door with prior employees—whether maliciously or innocently. With no expiration and a lack of lifecycle management, enterprises can wind up with literally millions of SSH keys and a broad attack surface.

Think of how much security you place around passwords and how often you rotate them. Now compare that to your SSH keys—the credentials that provide the most privileged access. Hear the common mistakes that almost all enterprises make around security, policy, and auditing practices when managing SSH keys, supported by current survey results. Discover the SSH key risks that are not addressed by IAM/PAM solutions and why they are probably some of the biggest risks in your environment. Then learn how to take SSH keys from an operational liability to a security asset.


Ivan Wallis is a Senior Solutions Architect with Venafi. He brings over 20 years of systems engineering, key management, and security training experience towards enabling customers and partners to effectively architect and deliver data security solutions for enterprise customers. Past experience includes a lead solutions architect role at Thales e-Security and SSH Communication Security, as well as a solutions architect role at Entrust. Based in the San Francisco Bay area, Ivan is an active member of the local ISSA and ISC2 security community. Ivan holds a Bachelor of Computer Science and Information Systems from Carleton University, in Ottawa, Canada.