
SSH inventor proposes best practice guidance in face of poor deployment and management of keys


Management of secure shell (SSH) keys has become such a problem for businesses that some spend ten per cent of their working time remediating them.

Speaking to SC Magazine, Tatu Ylönen, CEO and founder of SSH Communications Security, said that in some customer cases he had found up to two million keys unaccounted for, with 20 times as many keys as passwords, and with keys granted as freely as passwords.

He said: “Nobody has worked out a deployment of keys that grant access to servers as they are often distributed to privileged users. If you are adding keys for ten years, then often there is no control and you grant access on a ‘need’ basis and terminate on a need basis also, and often don't realise the problem.

“You cannot keep pretending that 80 per cent of your credentials do not exist. Some are more convenient ways of doing things or sometimes the keys are installed by hackers to form a permanent backdoor to a server.”

SSH keys, which Ylönen said are used wherever there is a Linux/Unix deployment, are used in machine-to-machine secure communications, for remote access and for logging into hypervisors remotely.

The problem has led Ylönen, along with the National Institute of Standards and Technology (NIST), to launch a draft document on the deployment and management of SSH keys, offering best practice and guidelines.

Ylönen said: “Companies cannot change or remove keys as they do not know what they are used for, yet one customer spends ten per cent of their time on SSH key management.

“No one has full visibility into this as it is too fragmented. Instead of spending ten per cent of time, a company can better control it and more thoroughly audit it.

“This is a big project that organisations need to go through and there needs to be continuous monitoring to find the backdoors and hackers' keys, to enforce key rotation and if they are not being used, revoke them and deploy new keys.”

Ylönen also said that there needs to be best practice guidelines as none have been delivered in the past, particularly on how the keys should be managed, primarily on who has access to keys and who controls them. This is currently open for comment, with a second draft of guidelines published in the summer and a final publication set for October.

“There is no good guidance on this; we have contacted people we know about this and are helping bring attention to the topic,” he said.

“We have worked with the banks and auditors as there is no public guidance on how to manage it, as there is nothing to say ‘this is the scope of the problem’, as there needs to be education to do the project and deal with it.”
