"There is a giant hole in knowledge and practice around how to encrypt in the cloud," says Venafi CEO Jeff Hudson. "Speaking with customers and prospects, the majority don’t understand how to encrypt and manage keys in the cloud."
Adoption of best practices for key management, generally regarded as the most problematic aspect of encryption, was a mixed bag. More than 70% of the organizations have key management policies and processes in place. Seven of 10 ensure separation of duties for administrative access to encryption keys, while only 15% of those who knew say they do not.
But only about a fifth of the respondents say they rotate Secure Shell (SSH) keys annually, while a quarter rotate them every two to five years. One in 10 organizations never rotate SSH keys. This indicates a real gap in privilege management.
"SSH keys are not being cycled, they’re not being tracked," says Hudson. "SSH is used to manage routers, servers, often in very sensitive environments, yet weak keys are used for outward-facing networks, and are often embedded in systems and can’t be changed without disrupting production. Admins come and go with the same keys, which can be sitting on thumb drives anywhere, with anyone," he says.
"This keeps popping up; it’s sort of a dirty little secret," Hudson says.