Professional Documents
Culture Documents
Forrester Gaps in SSH Security Create An Open Door For Attackers
Forrester Gaps in SSH Security Create An Open Door For Attackers
Adoption Profile
Commissioned By Venafi
July 2014
FIGURE 1
IT Security Professionals Consider Data Security
A Critical Priority
FIGURE 2
IT Security Acknowledges Responsibility For SSH
Keys
High priority
Critical priority
39%
56%
Data security
Managing vulnerabilities
and threats
Application security
Business continuity/
disaster recovery
Cutting costs and/or
increasing efficiency
Regulatory compliance
User security training
and awareness
Aligning IT security
with the business
Identity and access
management
47%
Network
operations
6%
48%
50%
36%
50%
35%
51%
33%
41%
Unix/Linux
system
administrators
7%
IT operations
22%
IT security
66%
42%
55%
52%
50%
26%
29%
30%
Vulnerability To Attack
The consequence of lax policy enforcement and infrequent
scanning for unauthorized access around SSH keys is a
major vulnerability. IT security professionals are indeed
aware of these consequences they associate a variety of
vulnerabilities with SSH and SSH management. In our
survey, the top five concerns range from weak passwords
on Internet-facing servers and sharing of SSH host keys to
lack of visibility into what SSH keys are being used for (see
Figure 4). Ultimately, IT security professionals do not feel
they have complete control.
FIGURE 3
Nearly Three-Quarters Of IT Security Professionals Rotate SSH Keys More Often Than Once Per Year
How often do you perform the system scan to make sure no unauthorized keys have been added?
Every 12 hours
Every 24 hours
9%
Every week
26%
Every month
21%
9%
36%
About every
12 months
About every
24 months
No set rotation
schedule
27%
41%
Only when a
compromise
is detected
13%
Dont know
2% 2%
15%
FIGURE 4
Top Five Vulnerabilities Associated With SSH And
SSH Management
FIGURE 5
Over-Reliance On System Administrators Is Most
Common Method To Rogue SSH Key Detection
If a r o g u e S S H k e y i s i n s e r t e d i n t o y o u r n e t w o r k ,
i n c l u d i n g t h e c l o u d , o n a n S S H s e r v e r,
h o w w o u ld it b e d etec ted ?
System administrator
responsible for the SSH
server would detect it
39%
35%
22%
31%
30%
26%
34%
40%
11%
1%
Methodology
This Technology Adoption Profile was commissioned by Venafi. To create this profile, Forrester leveraged its Forrsights
Security Survey, Q2 2013. Forrester Consulting supplemented this data with custom survey questions asked of US, UK, and
Australian IT security decision-makers who are aware of their companys SSH (Secure Shell) policies and practices. The
auxiliary custom survey was conducted in May 2014. For more information on Forresters data panel and Tech Industry
Consulting services, visit www.forrester.com.
Endnotes
1
Source: Elaine Barker and Quynh Dang, Recommendation For Key Management: Part 3: Application-Specific Key
Management Guidance, Draft NIST Special Publication 800-57 Part 3 Revision 1, National Institute of Standards and
Technology, May 2014 (http://csrc.nist.gov/publications/drafts/800-57pt3_r1/sp800_57_pt3_r1_draft.pdf).
2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources.
Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic
Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to
www.forrester.com. 1-PZ5KEG