Venafi Study: 81 Percent of Retail Organizations Lack Comprehensive Management of SSH Keys

Posted Feb 28, 2018

SALT LAKE CITY, UT – February 28, 2018: Venafi®, the leading provider of machine identity protection, today announced the results of a study of how retail organizations manage and implement Secure Shell (SSH). Over one hundred IT security professionals from the retail industry participated in the study, which reveals a widespread lack of SSH security controls.

According to Venafi’s research, even though SSH keys provide the highest levels of administrative access, they are routinely untracked, unmanaged and poorly secured. For example, eighty-one percent of respondents acknowledge they do not have a complete and accurate inventory of all SSH keys. If retailers do not know where and how they are managing their SSH keys, they cannot determine if any have been stolen, misused or should not be trusted.

“Retail companies rely on an assortment of connected machines that most other industries don’t use,” said Nick Hunter, senior digital trust researcher for Venafi. “These machines house lucrative financial information, which makes retailers, and their transactions, prime targets for cyber criminals. Simply put, retailers face unique and significant machine identity threats. To protect their customers and their critical business data, retailers need a strong SSH governance program that provides them with complete visibility of all their SSH keys.”

Key findings of the study include:

* Over a third (thirty-five percent) of respondents admit they do not actively rotate keys, even when administrators leave their organizations. This can allow former employees ongoing privileged access to critical and sensitive systems.

* Just thirty-five percent of respondents rotate SSH keys at least quarterly; Thirty-seven percent said they don’t rotate these keys at all or only do so occasionally. Attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.

* Thirty-eight percent of respondents do not restrict the number of SSH administrators, which allows an unlimited number of users to generate SSH keys across large numbers of systems. Access to unrestrained assets and control leaves retailers without a clear view of SSH keys and no insight into the trust relationships established by SSH keys.

* Thirty-two percent of respondents said they do not enforce “no port forwarding” for SSH. Because port forwarding allows users to bypass the firewalls between systems, a cyber criminal with SSH access can pivot rapidly across network segments.

* Thirty-five percent of respondents said SSH entitlements are not part of their Privileged Access Management (PAM) policies and are rarely audited. Without proper auditing and effective SSH security policies, SSH key weaknesses can go undetected, leaving retailers vulnerable to a wide range of cyber security attacks.

The study was conducted by Dimensional Research in November 2017. It analyzed responses from 101 IT and security professionals in the retail sector. Respondents have in-depth knowledge of SSH and are located in the U.S., U.K. and Germany.

Additional Resources:

eBook: How Safe Are Your SSH Keys?

Retail Industry: 2017 SSH Study - Executive Brief

Blog: SSH Study: Are Retailers Doing Enough to Protect Their SSH Keys?

Solution Brief: Manage and Secure SSH Keys

About Venafi

Venafi is the cyber security market leader in machine identity protection, securing all connections and communications between machines. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise —on premises, mobile, virtual, cloud and IoT — at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With over 30 patents, Venafi delivers innovative solutions for the world's most demanding, security-conscious Global 5000 organizations, including the top five U.S. health insurers, the top five U.S. airlines, four of the top five U.S., U.K. and South African banks, and four of the top five U.S. retailers. For more information, visit: