Adding to the lack o understanding around this risk, many large organizations don’t have a view of all of their SSH keys, who has access to them and how the processes they secure are connected throughout the IT infrastructure. “A few banks are interested in this area, and they go and pull a report [on all of their keys]. They find they have 1.5 million keys, and a lot of different people with access to those keys,” Thompson reports. “They have to map out: what is this app doing? And who does it talk to? One secure shell key could tunnel through multiple networks and applications.”
The study found that only 34% of the organizations involved that use SSH keys can generate reports on how many SSH keys they have in their server environment and what those keys are used for.
Working to map out all of the keys, centralizing management of access to the keys and putting monitoring in place to detect malware is a project that can take years, Thompson warns. But banks that are already keeping track of access to their SSH keys can significantly cut down the time on such a project, he adds.
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio