DevOps teams rely on Secure Shell (SSH) keys to access data while developing applications. While SSH keys are an integral part of the DevOps pipeline, they also represent a significant security risk. Storing and securing these keys is critical, and companies often fall short in this regard.
Even worse, the security mechanisms that many companies use to store keys ultimately expose them to the “secret zero” problem, a situation where all secrets are guarded by a single password, thereby increasing the risk of a breach significantly.
Here are four best practices for ensuring that your DevOps team’s SSH keys stay secure.
Rotate your keys regularly
Rotating keys is a fundamental practice. Most companies have credential rotation policies, but all too often, rotation frequency protocols are insufficiently stringent. Typically, companies rotate keys once a year, without assessing the business risk connected to their systems. Keys connected to sensitive systems must be rotated more frequently since the risk of a breach is higher compared to other systems.
Another common mistake security teams make is to rotate keys manually at periodic intervals. This method suits legacy systems but is ill-suited for modern DevOps workflows. The pace at which systems and data change in the pipeline makes it impossible for a manual process to ensure security at all times.
It’s best to leverage an automated solution like Akeyless to rotate keys and renew security certificates. The result is more time for security teams to monitor sensitive tasks and less time devoted to manual ones that take too much time.
One of the most common causes of a breach is poor expiration monitoring. Often, companies assign keys without an expiration date, giving malicious actors an easy way in to sensitive systems. Instead, it’s best to make sure all keys have expiration dates – and monitor their usage.
It’s best to use automation to create and assign keys, preventing your security team from becoming overburdened. Another critical process you must monitor is employee offboarding. Often, their access keys are stored in a server and do not expire. These situations are a goldmine for a malicious actor, since most security admins are unaware of these never-expiring keys connected to former employees.
Monitor key use
In addition to rotating keys, you must also monitor how those keys are being used. Monitoring is standard when implementing robust cybersecurity, and SSH keys are not an exception. Once again, manually monitoring key use is close to impossible in a modern environment.
This situation occurs because modern development pipelines use a wide range of machine IDs to access data. Modern apps rely on a complex web of cloud containers and microservices. Manually monitoring and validating access is impossible.
The solution is to use a tool that automatically validates, analyzes, and monitors key use. For instance, AWS Secrets Manager does a great job of alerting you to improper key usage. Another tool you can use is the open-source Knox, which executes much of the same functionality.
As with rotating keys, the goal here is to reduce the burden on your security team and give them more time to focus on critical issues.
Limit access
SSH keys are a form of digital identity verification and are essential to your overall security posture. Unfortunately, some organizations do not treat them this way and distribute them to people in the organization based on seniority.
For instance, an executive who rarely accesses sensitive data does not need access, despite their seniority. These access credentials and keys pose a significant threat to your security posture since malicious attackers routinely leverage them.
Instead, develop an access policy that classifies the risk associated with granting different roles access. Once done, enforce a Zero Trust agile security policy that uses time-based access to secure data. For instance, instead of granting a user unlimited access to a system, enforce time limits to ensure they have the time to retrieve the data they need before revoking access.
This limits the potential of an attacker leveraging an existing credential to infiltrate your system. Tools like Hashicorp Vault and Akeyless offer these features.
Assess key storage
A common mistake companies make is to store their keys on machines or servers. These choices leave you vulnerable to hacks and breaches. Instead, use a Hardware Security Module (HSM) or a cloud-based service to store your keys.
HSMs are a great option for physical storage. They store a wide range of keys like cryptographic, code signing, custom-managed, and signatures. Typically, they offer a high degree of protection and are tough to hack or compromise. The downside is they can be expensive to implement.
AWS’ CloudHSM service is an example of an HSM offering protection in an AWS environment. Other solutions include Azure Key Vault HSM, offering FIPS 140-2 Level 2 validated HSMs that integrate seamlessly with other Azure services.
HSMs suit most organizations’ needs and will offer you a good deal of protection when storing SSH keys.
Securing your keys is critical
Securing your SSH keys is critical in modern environments. The steps outlined in this article will help you design strong security policies that prevent breaches. Use the right tools to ensure your keys are safe, and your software supply chain’s security posture will dramatically improve.
Follow Techdee for more!
