Auditors get guidance on SSH key management

A new guide for auditors says SSH key management should be on their checklist because the proliferation of unmanaged keys for the ubiquitous encryption protocol means IT networks can't be guaranteed as secure.

The guidance, “SSH: Practitioner Considerations,” was published Tuesday by ISACA, the nonprofit global membership association previously known as the Information Systems Audit and Control Association. The guidance includes an appendix listing controls that companies can use to ensure proper management of SSH keys.

Secure Shell, or SSH, is an open-source cryptographic protocol used to enable secure, encrypted access by individual users to servers and other computer assets across the networks of a distributed enterprise. It also facilitates automated machine-to-machine communications in the same secure fashion. But without careful management, the digital keys that enable that communication can proliferate and end up stored in insecure, easily found locations on the network.

“When auditors sign off on accounts … when [a publicly traded] company management makes their attestation on their financial statements, they are asserting a state of control over the IT systems that produce all that [financial data],” explained SSH Communications Security VP of Compliance Fouad Khalil. “If they don’t recognize the risk [from poorly managed SSH keys], measure it, mitigate it … if that risk is under the radar … they are putting themselves in a risky position.”


If keys are stolen by an attacker with a toehold in the system, he or she can use them to move freely throughout the whole enterprise. That’s a problem because, since its invention in 1995 by Finnish engineer Tatu Ylonen, SSH has become pretty much ubiquitous in enterprise IT networks, especially ones based on Unix, where it is generally shipped as part of the initial setup.

“SSH is one of those rare technologies that is in frequent use in almost every type of organization around the world,” said ISACA Chief Innovation Officer Frank Schettini.

The guidance, he continued, “examines the specific steps audit practitioners should take to ensure that they are not ignoring SSH usage and the access it provides, and gives general guidance on appropriate controls to assess and manage SSH keys.”

“This is not a marketing document,” said Khalil. “It has a technical appendix, but it’s not a technical document either. It’s a best practices guide for practitioners.”

Next January, he added, the company planned to stage a webinar with an expert panel. “There will be lots of questions to be answered,” he predicted.


Khalil said that ISACA was also producing an “Audit Program Guide” — essentially a list of questions every auditor needed to ask to make sure they understood the way SSH keys were used in the organization they were auditing and the risk that presented.

Ylonen came out of retirement five years ago to start warning about that risk, saying poorly managed SSH keys could be a boon for hackers. The company he founded, SSH Communications Security, offers consulting and services to companies to help them manage their SSH communications and ensure old keys aren’t left accessible.

He’s been banging that drum for five years, but Khalil says the risks are not widely perceived. “It’s still not out there, it’s still not properly understood,” he said.

In one large financial institution where the company was engaged for several years, staff went through “about 25 percent of their server environment, approximately 15,000 servers; 500 of their most critical applications,” Ylonen told CyberScoop earlier this year.

They found more than 3 million keys, but Ylonen says that is typical. “In most enterprises, 90 percent or more of the keys we find are no longer used at all.”


More worryingly, on average about 10 percent of them are configured to grant root access — the highest level of administrative access. “With root access you can install malware, you can grant access to anyone, you can tamper with or destroy data,” said Ylonen. “You can do whatever you want.”
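The unused and root-granting keys Ylonen describes are found by inventorying authorized_keys files across the server estate. Below is an added example, not code from the ISACA guide or from SSH Communications Security: a small Python audit helper that parses the OpenSSH authorized_keys format, fingerprints each key the way ssh-keygen -l does, and flags keys on the root account that carry no from= or command= restriction. The account names, key comments and key blobs are constructed sample data.

```python
import base64
import hashlib
import shlex

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
def is_restricted(options):
    # True if the options field limits where or how the key may be used.
    return any(o == "restrict" or o.startswith(("from=", "command="))
               for o in options.split(",") if o)
def parse_line(line):
    """Parse one authorized_keys line: [options] keytype base64-blob [comment]."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None                         # blank or comment line
    tokens = shlex.split(line)              # keeps command="a b" inside one token
    options, rest = ("", tokens) if tokens[0] in KEY_TYPES else (tokens[0], tokens[1:])
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: " + line)
    return {"options": options, "type": rest[0], "fp": fingerprint(rest[1]), "comment": " ".join(rest[2:])}

def audit(files):
    """files maps account name -> authorized_keys text; one record per key, flagged for unrestricted root."""
    records = []
    for account, text in files.items():
        for line in text.splitlines():
            entry = parse_line(line)
            if entry is None:
                continue
            entry["account"] = account
            entry["restricted"] = is_restricted(entry["options"])
            entry["flag"] = account == "root" and not entry["restricted"]
            records.append(entry)
    return records
# Constructed sample inventory; the blobs are placeholders, not real public keys.
BLOB_A, BLOB_B, BLOB_C = (base64.b64encode(b"constructed blob " + t).decode()
                          for t in (b"A", b"B", b"C"))
SAMPLE = {
    "root": "\n".join([
        "# constructed sample, not real keys",
        f"ssh-ed25519 {BLOB_A} deploy@build01",
        f'from="10.0.0.0/8",command="/usr/bin/backup --full" ssh-rsa {BLOB_B} backup@nas',
    ]),
    "svc-etl": f"ssh-rsa {BLOB_C} etl@batch",
}
```

Running audit(SAMPLE) flags only the deploy@build01 key on root; the backup key is limited by its from= and command= options, and the svc-etl key is not a root key. Matching the collected fingerprints against logs of actual use is what separates the live keys from the 90 percent Ylonen says are never used.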

Written by Shaun Waterman
