SSH Keys: Security Asset or Liability?

Michael Thelander

Generating SSH keys is free, but poor SSH key practices expose businesses to costly risk. It takes just one SSH key for a cybercriminal to access an organization’s network and pivot to gain further access to the most sensitive systems and data.

SSH keys are often used for routine administrative tasks by system administrators but are also used for secure machine-to-machine automation of critical business functions. However, the SSH keys themselves are often left unprotected. Most organizations leave it up to their system administrators to get and manage their own SSH keys, resulting in an ad hoc process using inconsistent security practices. Many keys are left unused and unmonitored, and some walk out the door with prior employees—whether maliciously or innocently. With no expiration and a lack of lifecycle management, enterprises can wind up with literally millions of SSH keys and a broad attack surface.

Think of how much security you place around passwords and how often you rotate them. Now compare that to your SSH keys—the credentials that provide the most privileged access. Hear the common mistakes that almost all enterprises make around security, policy, and auditing practices when managing SSH keys, supported by current survey results. Discover the SSH key risks that are not addressed by IAM/PAM solutions and why they are probably some of the biggest risks in your environment. Then learn how to take SSH keys from an operational liability to a security asset.

Speaker Bio: Michael Thelander leads go-to-market strategies for Venafi, the industry leader in machine identity protection. Michael has a 20-year track record leading product management and marketing teams to bring enterprise-class software products to market.

Michael received CISSP training through SANS and has been in the cybersecurity space for over ten years. Before Venafi, he spent 7 years heading product management at Tripwire and three years leading go-to-market efforts for authentication and fraud prevention company iovation. His articles and interviews have appeared in publications such as SC Magazine, Cyber Defense Magazine, ITProfessional, and SoftwareCEO.com, and he frequently speaks at industry events like Kuppinger Cole’s European Identity and Cloud Summit, Gartner’s IAM Summit, and RSA.