Financial Institutions Ignoring SSH Key Security Risks | GBAF

Financial Institutions Ignoring SSH Key Security Risks | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Technology > Financial Organizations Are in Denial About SSH Keys

Financial Organizations Are in Denial About SSH Keys

Published by Gbaf News

Posted on April 17, 2019

6 min read

Last updated: January 21, 2026

Illustration of SSH keys highlighting security risks in financial organizations - Global Banking & Finance Review — An informative graphic showcasing the security vulnerabilities of unmanaged SSH keys in financial organizations, emphasizing the risks highlighted in the article about digital transformation challenges.

By Markku Rossi, CTO, SSH.COM

With the rise in system complexity and scale caused by digital transformation, a large financial institution can have as many as two million Secure Shell (SSH) keys in its network. These keys grant employees’ remote access to servers that house critical systems and data and create connections between machines for automated transactions. In a typical Fortune 500 finance company, most of these SSH keys are unmanaged at best, or major security vulnerabilities waiting to be exploited by hackers or insiders at worst.

Markku Rossi, CTO, SSH.COM

Markku Rossi, CTO, SSH.COM

In short, financial organizations are in denial about their SSH keys.

A study conducted at a large bank with more than a million keys found that at least 10 percent of these keys allowed for unlimited administrative (“root”) access to production servers. This was a clear violation of the company’s internal security policies and a PCI-DSS audit failure point. It is just one example of the risk facing the financial services industry regarding securing remote access to sensitive data in a highly regulated environment.

As financial institutions continue to digitally transform, the number of people, devices and machines connecting to the company network is growing exponentially. They must ensure their identity and access management plans do not neglect governance and management controls for their legacy SSH key environment or future M2M and human connections secured via SSH keys.

Keys in the Wrong Hands

Some financial organizations do have their SSH key environments under management, but those that don’t are typically in denial about the risk. In a sense, this is natural. Enterprise security teams have traditionally been focused on building the perimeter. While systems administrators and those responsible for internal access provisioning are aware that there might be tens of thousands of root access keys lost, orphaned or neglected on the company’s networks, the problem is not visible at the C-suite or board level.

Of course, breaches associated with Equifax, Lennon Ray Brown (Citibank), Edward Snowden and others highlight the importance of key management. Unmanaged SSH keys are a bonanza for hackers, a gift for disgruntled insiders and an unhappy accident waiting to happen.

Rogue SSH keys are often used as a secondary attack vector. A hacker might enter a network via a phishing scam, social engineering, malware or botnet. But once inside, when they find an unmanaged SSH key, they can move laterally within the network, access servers without detection and create headlines.

The Risk Behind the Scenes

The reality is that sysadmins, database admins (DBAs), maintenance techs and application developers create keys on the fly, keep a few keys listed on a spreadsheet, neglect keys passed to subcontractors and configure keys just enough to get the job done.

This is neither compliant nor safe. Failure to address the issue preserves unacceptable large-scale risk exposure, as revealed in scans of SSH key environment. For instance, a medium-sized international bank with significant digital assets might have 10,000 servers under management.

With 10,000 Unix/Linux hosts, the bank might have 1.5 million keys in circulation granting various levels of access and more than 75,000 keys owned by each system admin or DBA. There can be up to one billion authentications per year granting privileged access to critical systems and data.

SSH key environment scans typically find that up to 90 percent of keys in circulation are obsolete and should be immediately removed, as they were created for ex-employees, former subcontractors or redundant processes.

Compliance Concerns

Regulatory bodies won’t be easing up any time soon – instead, they are issuing seven-figure fines, jail time and reputation-damaging publicity. For instance, potential fines and jail time await SOX [i] violators, and PCI [ii] violations pack their own punch.

In addition to stiff fines, PCI can take away payment processing privileges. This happened to a national chain, rendering the chain incapable of processing card transactions for several weeks.

Financial institutions are exposed to increased compliance and security risk if they do not address the following factors:

Visibility into SSH key-based trust relationships and monitoring capabilities
Processes for provisioning ownership, remediation, revocation and rotation of keys
Policies for SSH key-based access
Secure Shell governance and reporting

To begin the conversation and learn about the risk from unmanaged SSH keys in your organization, here are some key questions to start with:

Where in our organization, including for subcontractors, consultants and remote machines, do we use SSH keys?
Do we track and monitor the creation and use of SSH keys?
Do our current IT policies cover SSH keys?
Are our current practices with SSH keys policy-compliant and regulations-compliant?
Is the risk from SSH key-related incidents involving malicious externals, disgruntled insiders, or accidents involving internals or subcontractors in our risk profile?
Do we have a named owner for SSH access or Secure Shell governance?

Best Practices

Best practices for SSH key management begin with comprehensively managing SSH keys and their lifecycle with best-of-breed software. With the right tools, major financial organizations can:

Get vast key environments under management
Reduce the administrative work related to manually provisioning and troubleshooting key-based access
Minimize their threat surface
Become and remain compliant
Avoid financial penalties from non-compliance
Decrease the risk of business disruption
Avoid financial loss from data exfiltration, IP theft and reputation loss

Audit associations, such as ISACA and IIA, offer specific guides on best practices for SSH-related risk mitigation and compliance. ISACA’s SSH: Practitioner Considerations [iii] is the first port of call for those in ops, compliance, risk or C-suite looking to further their knowledge.

NIST, the U.S. body responsible for cybersecurity standards and guidelines for federal government agencies provides a mandate for agencies and concrete guidance for enterprises in the NIST 7966 Interagency Report[iv], co-authored by the inventor of the SSH protocol, Tatu Ylönen.

Secure Your Keys

To be ready for your next IT audit and protect your company and your customers, review the information above and start the conversation with the specialists in your organization. You will face some denial, but you will learn the scale of the challenge with SSH keys in your company. Then, you can get the assistance of experts to help you prioritize and walk you through the process of discovery, management and automation without compromising your core business.