Misused or stolen credentials are the number one cause of data breaches. Using Password123 is worthy of a good laugh, but there are other passwords that are used every day: SSH keys and other tokens used to access critical infrastructure.
Teleport recently commissioned a survey of 1000 IT, DevOps and Security professionals and found that passwords are the number one way of managing access to infrastructure.
This is a problem. As our CTO wrote in a blog post recently titled “It’s Time to Get Rid of Passwords in Our Infrastructure”, a password is “any text that can be copied and passed ‘as is’ from a client to a service on the wire for authentication.”
The problem with passwords is that they can be guessed or brute-forced. They can also be stolen or intercepted by hackers before any breach is detected.
SSH keys are really just passwords because, like password123, they can be copied and pasted to access a Linux server, and simply by having one you are granted access.
Most people I talk to agree that using SSH keys exactly like passwords is a security problem. But they will suggest that they are not so susceptible to attack because they are using a “secure vault” to protect their SSH keys and other shared credentials. As our CTO recently wrote: “Some types of software promising to replace passwords are more dangerous than they seem, because they give you a false sense of security and reinforce the status quo. If you are using them, you haven’t replaced passwords, but created a treasure chest for hackers. These apps call themselves ‘Password managers’ or ‘Vaults’. I would call them ‘password aggregators’.”
The average cost of a data breach is about $4 million, and it is even higher in regulated markets like health care and financial services. Mega-breaches, defined as breaches of more than 50 million records, cost on average 100x the average breach, or about $400 million. The 2017 Equifax breach cost $2 billion.
When you look at the cost of continuing to use SSH keys and other password-like static credentials to access infrastructure, it becomes clear that an alternative is needed.
Luckily there is one, and it is not only more secure but also improves developer productivity. I’m talking about identity-based, short-lived certificates. In our survey, the innovative companies that had moved to certificates pointed to their enhanced security, their great functionality (e.g. the ability to easily deliver fine-grained role-based access controls), and the way they reduce the attack surface in time, because they expire automatically.
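To make the contrast with a static key concrete, here is an added example (not from the original post or from Teleport) that reads the identity and validity window from an OpenSSH Ed25519 user certificate and checks them against a lifetime policy. The function names, the sample certificate fields and the 8-hour maximum are assumptions for illustration, and the code does not verify the CA signature, which is sshd's job.

```python
import struct

def read_string(buf, off):
    """Read one SSH wire 'string': uint32 length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def parse_ed25519_cert(blob):
    """Extract identity and validity fields from an ssh-ed25519-cert-v01 blob."""
    ktype, off = read_string(blob, 0)
    if ktype != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("not an Ed25519 certificate (a plain key carries no expiry)")
    _nonce, off = read_string(blob, off)
    _pubkey, off = read_string(blob, off)
    serial, cert_type = struct.unpack_from(">QI", blob, off)  # type 1 = user cert
    off += 12
    key_id, off = read_string(blob, off)
    plist, off = read_string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(plist):  # principals are strings packed inside one string
        name, p = read_string(plist, p)
        principals.append(name.decode())
    return {"key_id": key_id.decode(), "principals": principals, "type": cert_type,
            "valid_after": valid_after, "valid_before": valid_before}

def check(cert, now, max_lifetime=8 * 3600):
    """Return policy problems found; an empty list means acceptable."""
    problems = []
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    if cert["valid_before"] - cert["valid_after"] > max_lifetime:
        problems.append("lifetime exceeds policy")
    return problems

def wire_string(b):
    return struct.pack(">I", len(b)) + b

def sample_cert(valid_after, valid_before):
    """Constructed sample: dummy nonce and key, fields up to the validity window only."""
    return (wire_string(b"ssh-ed25519-cert-v01@openssh.com")
            + wire_string(b"\x00" * 32) + wire_string(b"\x11" * 32)
            + struct.pack(">QI", 1, 1) + wire_string(b"alice@example.com")
            + wire_string(wire_string(b"alice"))
            + struct.pack(">QQ", valid_after, valid_before))
```

A certificate issued with no expiry (valid from 0 to 2^64-1) parses fine but fails the lifetime check, which is the case to alert on when auditing issued credentials.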
Teleport makes it easy to get all the advantages of identity-based, short-lived certificates for your entire infrastructure. In the process, your developers are more productive and you improve security. Want to learn more about how Teleport allows you to move away from passwords in your infrastructure? Talk to a solutions engineer today.
*** This is a Security Bloggers Network syndicated blog from The Teleport Blog authored by The Teleport Blog. Read the original post at: https://goteleport.com/blog/ssh-keys-are-passwords/