TL;DR: According to Pomerium, the security issue is not just access control but whether privileged session evidence can still be trusted after it leaves the session boundary. Its tamper-evident SSH session recording model treats recordings as immutable, independently verifiable evidence, with audit trails and digest checks that can detect modification during upload or storage.
At a glance
What this is: A design analysis of tamper-evident SSH session recording; its key finding is that recording integrity must be protected as part of the zero-trust boundary.
Why it matters: IAM, PAM, and NHI programmes increasingly rely on recordings as evidence, and if that evidence can be altered, audits, investigations, and access governance all lose credibility.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Pomerium's analysis of tamper-evident SSH session recording
Context
Tamper evidence is what turns a session recording from a convenience feature into evidence that can survive audit, dispute, and incident response. In SSH environments, the question is not only who got access, but whether the record of what happened can still be trusted after storage, retrieval, or replay.
Pomerium’s analysis frames SSH session recording as a zero-trust problem because the recording pipeline, storage layer, and replay path all sit inside the trust boundary. For identity teams, that puts session evidence, privileged access governance, and storage custody into the same control conversation.
The practical issue is familiar across human PAM, NHI operations, and autonomous access workflows: if the artefact can be changed without detection, the control has not truly enforced accountability.
Key questions
Q: How should security teams protect SSH session recordings from tampering?
A: Security teams should protect SSH recordings with cryptographic integrity checks, immutable storage controls, and audit correlation. The key is to verify that the recorded artefact matches what the session produced and to prove every replay or download came through the authorised custody path. Without that, a recording may exist but still fail as evidence.
Q: Why do tamper-evident recordings matter for PAM and compliance?
A: Tamper-evident recordings matter because privileged access evidence is only useful if it can survive dispute, audit, and incident review. If the recording can be modified or replaced, the organisation can no longer rely on it to prove what an administrator did or did not do. Evidence integrity becomes part of accountability.
Q: What breaks when recording integrity depends only on storage permissions?
A: When recording integrity depends only on storage permissions, an administrator or attacker with enough custody can alter the evidence without immediate detection. That breaks the trust model because the organisation may still believe the recording is authentic. A secure design needs independent verification, not just restricted access to the bucket.
Q: Who should own session recording authenticity in an identity programme?
A: Session recording authenticity should be owned jointly by PAM, IAM, and audit stakeholders, with clear accountability for integrity checks, replay access, and retention policy. The owner is not the storage platform. The control lives in the evidence pipeline and the governance process around it.
Technical breakdown
Why SSH recordings need independent integrity proofs
A session recording is only useful if it can be shown to match the original session output. Pomerium describes a model where the SSH reverse proxy generates a digest during capture and later verifies it against the stored object after upload. That comparison makes integrity a property of the artefact itself, not of the storage system alone. In practical terms, the recording becomes self-checking evidence: if the bytes change, the digest fails and the file is rejected. That is a stronger model than assuming bucket permissions or operator trust are enough.
Practical implication: treat recorded sessions as evidence objects that require cryptographic verification, not just access restrictions.
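The capture-then-verify flow described above, as an added Go example that is not Pomerium's own code: the digest is computed while the session streams through the proxy, and the object read back from storage is rejected unless size and digest match. The `Manifest` type and the function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Manifest is a hypothetical record the proxy writes at capture time; its
// digest is the reference the stored object is later checked against.
type Manifest struct {
	SessionID string
	Digest    string // hex SHA-256 of the recording bytes as captured
	Size      int64
}

// captureSession hashes the recording as it streams through the proxy, so the
// digest describes the bytes the session produced, not what storage returns later.
func captureSession(sessionID string, stream io.Reader) ([]byte, Manifest, error) {
	h := sha256.New()
	var obj bytes.Buffer // stands in for the object that will be uploaded
	n, err := io.Copy(io.MultiWriter(&obj, h), stream)
	if err != nil {
		return nil, Manifest{}, err
	}
	return obj.Bytes(), Manifest{SessionID: sessionID, Digest: hex.EncodeToString(h.Sum(nil)), Size: n}, nil
}

// verifyStored recomputes the digest over the object read back from storage and
// rejects it unless size and digest both match the capture-time manifest.
func verifyStored(m Manifest, stored []byte) error {
	if int64(len(stored)) != m.Size {
		return fmt.Errorf("session %s: stored size %d, manifest says %d", m.SessionID, len(stored), m.Size)
	}
	if sum := sha256.Sum256(stored); hex.EncodeToString(sum[:]) != m.Digest {
		return fmt.Errorf("session %s: digest mismatch, recording rejected", m.SessionID)
	}
	return nil
}

func main() {
	// Constructed sample: one line of terminal output standing in for a session.
	obj, m, _ := captureSession("sess-0001", bytes.NewReader([]byte("$ sudo systemctl restart sshd\n")))
	fmt.Println("intact object accepted:", verifyStored(m, obj) == nil)
	tampered := append([]byte(nil), obj...)
	tampered[7] = 'x' // a single-byte edit made after upload
	fmt.Println("tampered object rejected:", verifyStored(m, tampered) != nil)
}
```

The manifest itself must be kept outside the storage the digest protects, otherwise an actor who can rewrite the object can rewrite the reference as well.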
Immutability, storage custody, and tamper detection
Immutable storage is only part of the answer. The article distinguishes between Pomerium’s handling of recordings and the customer-controlled blob store that ultimately stores them. Versioning, object locking, legal holds, and retention policies help prevent changes, but they do not by themselves prove that an object was never altered before or during upload. The important design point is that the system assumes storage may be administratively accessible, so trust must be layered above the storage provider. That makes tampering detectable even when the underlying platform is not fully trusted.
Practical implication: pair storage controls with application-level integrity checks so evidence remains trustworthy even in customer-managed infrastructure.
Audit trails for privileged session evidence
Pomerium’s audit model adds unique access identifiers and identity hashes to storage operations, then correlates those markers with cloud audit logs. This creates a second line of evidence showing whether a recording was accessed through the authorised path. If the storage layer shows access without those markers, the access happened outside Pomerium’s custody. For compliance teams, that is the difference between assuming replay events are legitimate and being able to prove it. The mechanism also narrows the evidentiary gap between the proxy, the storage system, and the audit record.
Practical implication: require correlated access telemetry for every replay, download, and metadata lookup tied to privileged sessions.
NHI Mgmt Group analysis
Tamper-evident session evidence is now part of privileged access governance. SSH recording has historically been treated as a monitoring feature, but this design shows it must be governed as evidence with its own integrity boundary. Once recordings are used in audits or investigations, the question becomes whether the evidence can be trusted independently of the infrastructure that stores it. That makes session evidence a PAM and lifecycle control issue, not just a logging issue. The implication is that identity programmes need to treat evidence integrity as a first-class governance requirement.
Zero trust for access is incomplete if the recording path is trusted by default. The article’s key insight is that the recording pipeline, storage layer, and replay path can all be modified by an actor with enough privilege unless integrity is explicitly enforced. That creates a governance gap where privileged access can still erase accountability after the fact. In identity terms, the control plane has protected entry, but not the evidentiary record of the session. The implication is that zero trust must extend beyond session approval into record authenticity.
Identity accountability now depends on tamper evidence across human and machine-administered access. Whether the operator is a human admin, a service account, or an automated workflow, the governance problem is the same: can the session record prove who accessed what, when, and through which custody chain? That is a cross-actor identity question that PAM, NHI governance, and audit teams all share. The implication is that organisations should align recording integrity with the same accountability model they use for privileged access.
Storage administration is no longer outside the trust boundary for identity evidence. The article makes clear that customer-controlled storage can be operationally convenient while still being adversarial from an evidence perspective. That assumption collapse matters because many programmes still separate access governance from evidence governance. A tamper-evident model removes that separation by making storage modifications visible, attributable, and provable. The implication is that evidence custody must be designed as part of the identity architecture, not as an afterthought.
Recording authenticity is the named control gap this design addresses. Pomerium’s model is built around the idea that a recording must be complete, immutable, and independently verifiable if it is to support compliance or incident response. That is a specific control gap, not a generic monitoring enhancement. In framework terms, it aligns with zero trust principles and privileged access governance, where proof of integrity matters as much as proof of access. The implication is that evidence authenticity should be reviewed alongside access policy, not separately from it.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- As a forward-looking lens, the Standards section of the Ultimate Guide to NHIs is useful for mapping tamper-evident evidence controls to identity governance and zero-trust expectations.
What this signals
Tamper evidence is becoming a baseline requirement for privileged access evidence. As more organisations use session recordings for audit and forensics, the programme question shifts from whether recordings exist to whether they can withstand challenge. That is why evidence authenticity should be governed with the same rigor as access entitlements and privilege review.
Identity teams should expect evidence custody to merge with storage governance. When the storage layer is customer-controlled, custody becomes a governance issue even if the access workflow is technically sound. The practical signal is that audit trails, replay logs, and retention policy now need to line up as a single control story, not separate operational artefacts.
Zero trust for privileged access now implies zero trust for the artefacts it produces. The NHI Mgmt Group position is that evidence integrity belongs in the identity architecture, especially where machine accounts or delegated workflows can access the same storage paths as human administrators. That shift will matter most in organisations trying to prove accountability after an incident.
For practitioners
- Define session recordings as evidence objects: Classify SSH recordings as governed evidence with explicit integrity and retention requirements, not as routine log files. Assign ownership for evidence authenticity, replay access, and chain-of-custody review across PAM and audit teams.
- Add digest verification to the recording pipeline: Require the recording system to generate and verify digests between capture and storage so any change during upload or persistence is rejected before the file is accepted as evidence.
- Correlate replay activity with immutable identity markers: Ensure every download, replay, and metadata lookup is tied to a unique access identifier and an identity hash that can be checked against storage audit logs.
- Test for storage access outside the authorised path: Regularly compare cloud provider audit logs with the recording system's own logs to spot accesses missing the expected markers, then treat those events as custody exceptions.
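The audit correlation described in the technical breakdown and the custody-exception test in the last step above, as one added Go example that is not Pomerium's own code: storage reads are matched against the proxy's own access log by object, access identifier and identity hash, and anything unmatched is reported. The log structures, the marker key names and the sample entries are constructed for this example.

```go
package main

import "fmt"

// ProxyAccess is one entry in the recording system's own access log: an
// authorised replay, download or metadata lookup of a stored recording.
type ProxyAccess struct {
	AccessID     string // unique per access, stamped onto the storage request
	IdentityHash string // pseudonymous hash of the requesting identity
	Object       string
}

// StorageEvent is a simplified cloud audit-log entry for a read of an object.
// Marker key names ("access-id", "identity-hash") are assumptions here.
type StorageEvent struct {
	Object, Principal string
	Markers           map[string]string
}

// findCustodyExceptions returns storage reads that did not come through the
// authorised path: markers missing, or a marker pair the proxy never issued
// for that object. These are the events to treat as custody exceptions.
func findCustodyExceptions(proxy []ProxyAccess, storage []StorageEvent) []StorageEvent {
	authorised := make(map[string]bool, len(proxy))
	for _, p := range proxy {
		authorised[p.Object+"|"+p.AccessID+"|"+p.IdentityHash] = true
	}
	var exceptions []StorageEvent
	for _, ev := range storage {
		// A nil Markers map yields "" lookups, so missing markers fail the match.
		if !authorised[ev.Object+"|"+ev.Markers["access-id"]+"|"+ev.Markers["identity-hash"]] {
			exceptions = append(exceptions, ev)
		}
	}
	return exceptions
}

func main() {
	// Constructed sample logs: one replay brokered by the proxy, one direct bucket read.
	// "h-alice" stands in for the identity hash the proxy would compute.
	proxy := []ProxyAccess{{"acc-7f3a", "h-alice", "sessions/sess-0001.cast"}}
	storage := []StorageEvent{
		{"sessions/sess-0001.cast", "pomerium-svc", map[string]string{"access-id": "acc-7f3a", "identity-hash": "h-alice"}},
		{"sessions/sess-0001.cast", "storage-admin", nil},
	}
	for _, ev := range findCustodyExceptions(proxy, storage) {
		fmt.Printf("custody exception: %s read %s outside the authorised path\n", ev.Principal, ev.Object)
	}
}
```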
Key takeaways
- Tamper-evident SSH recordings turn session logs into evidence that can support audits and incident investigations.
- The core control problem is not access to storage alone, but whether the recording can be modified without detection.
- Practitioners should pair immutable storage, digest verification, and correlated audit trails to preserve trust in privileged session evidence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Session recording integrity depends on secure custody and change detection for privileged identity evidence. |
| NIST CSF 2.0 | PR.AC-4 | Correlated access logging supports least-privilege access control and accountability for privileged records. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust requires continuous verification of both access and the integrity of the accessed object. |
Treat SSH recordings as governed NHI evidence and verify integrity before accepting any stored session artefact.
Key terms
- Tamper-evident recording: A tamper-evident recording is a session artefact designed to reveal any alteration after capture. In identity governance, that means the recording can be trusted as evidence only if integrity checks, immutability controls, and audit trails can prove it has not been changed.
- Chain of custody: Chain of custody is the documented path an evidence object follows from creation to storage, access, and review. For SSH recordings, it shows who handled the file, through which system, and under what authority, so the organisation can prove the evidence was not substituted or accessed outside the approved path.
- Immutable storage: Immutable storage is storage configured so objects cannot be changed in place after they are written. In practice, it reduces the chance of silent modification, but it does not replace application-level integrity checks, which are still needed to prove the object was authentic at the point of capture.
- Privileged session evidence: Privileged session evidence is the record of what a high-risk user or account did during an administrative session. It matters because PAM programmes, audits, and incident responders often rely on it to reconstruct actions, assign accountability, and challenge claims after the fact.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Pomerium: How We Designed a Tamper-Evident SSH Recording System for Zero-Trust Infrastructure. Read the original.
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org