The number of SSH User Keys in enterprise environments can be staggering. At one global bank, an audit conducted by SSH Communications Security found over 1.5 million SSH User Keys, including over 150 thousand keys that not only granted root access privileges but also had no identified ownership. This is analogous to finding 150 thousand username-and-password accounts granting the highest level of privileged access, without knowing the identity of the individuals associated with those accounts.
This white paper takes a closer look at how the use of Secure Shell in cardholder data environments (CDE) relates to the specific intent, guidance and requirements of PCI DSS Version 3. The paper gives detailed guidance on what Qualified Security Assessors and Internal Security Assessors should look for when conducting PCI DSS audits.