
Multi-site auditability gaps: are your logs enough for compliance?


(@teleport)
Reputable Member
Joined: 1 year ago
Posts: 87
Topic starter  

TL;DR: Multi-site infrastructure often cannot prove who accessed what, when, and what they did because shared accounts, static SSH keys, fragmented logs, and standing privileges leave auditors with incomplete evidence, according to Teleport. The governance problem is structural: compliance at scale depends on identity-linked, time-bound access and unified audit trails, not more logging.

NHIMG editorial — based on content published by Teleport: Multi-Site Data Center Audit and Compliance Best Practices

By the numbers:

Questions worth separating out

Q: How should security teams handle auditability in multi-site data center environments?

A: They should standardize access on identity-bound, short-lived credentials and require every privileged session to produce a traceable request, approval, and expiry record.

Q: What is the difference between session logging and audit-ready evidence?

A: Session logging records that a connection happened, while audit-ready evidence can show which identity acted, what commands or system calls occurred, and when access expired.

Q: Should organisations keep standing admin access in production?

A: No, because standing admin access creates permanent exceptions that are hard to justify, review, and revoke.

Practitioner guidance

  • Replace shared administrative credentials: Eliminate shared SSH keys, shared service accounts, and static admin passwords in favour of identity-bound access that can be traced back to one person or workload.
  • Adopt short-lived certificates for privileged access: Issue access at session time from a central identity provider and let it expire automatically when the task ends.
  • Capture kernel-level activity for sensitive sessions: Use syscall-level session recording for administrative workflows where terminal text alone cannot prove what happened.

Teams should expect auditors to ask for identity-bound proof, not log volume.

👉 Read Teleport's blog on multi-site data center audit and compliance best practices →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Static credential sprawl is now an audit-risk multiplier, not just an operational nuisance. Multi-site environments accumulate exceptions across SSH, RDP, Kubernetes, BMC, and vendor access paths until no single control can explain the whole picture. That creates a governance failure because auditors need a continuous identity story, not a pile of disconnected logs. The practitioner conclusion is simple: if access cannot be attributed and expired cleanly, it is not auditable.

A few things that frame the scale:

  • Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems; organisations failing to scope AI access properly are 4.5x more likely to experience a security incident, according to the 2026 Infrastructure Identity Survey.
  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.

A question worth separating out:

Q: Why do shared credentials create compliance risk for NHI and IAM teams?

A: Shared credentials destroy identity attribution, which means the environment can no longer prove which person or system performed a given action. That weakens access review, offboarding, and incident response at the same time. For NHI and IAM teams, the risk is not only compromise but also the inability to produce defensible evidence.

👉 Read our full editorial: Multi-site data center auditability still breaks on static credentials



   
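Editorial worked example (added here; not Teleport's code and not posted by either participant above) of the check the first post's "audit-ready evidence" answer and the reply's attribution point both describe: a small Python script reads a constructed stream of privileged-session events and flags every session that cannot be tied to one identity, has no approval or expiry record, or ran a command after its credential expired. The event shape, field names, hostnames, request IDs and all sample lines are assumptions constructed for this illustration, not a real product's log format.

```python
"""Audit-readiness check over a constructed stream of privileged-session events.

Added illustrative example, not Teleport's code and not from either post above.
Event shape, field names, hosts and request IDs are assumptions made for this demo.
"""
import json
from datetime import datetime, timezone

# Constructed sample events (NDJSON). A bare sshd-style line such as
# "Accepted publickey for root from 10.0.0.5" would only prove a connection
# happened; these records carry the identity, approval and expiry an auditor
# needs. Sessions s1..s4 each exhibit one situation discussed in the thread.
SAMPLE_EVENTS = """\
{"type":"session.start","sid":"s1","user":"alice@example.com","login":"root","host":"db-01.site-a","approval":"REQ-1042","expires":"2026-03-01T09:30:00Z"}
{"type":"session.exec","sid":"s1","time":"2026-03-01T09:05:10Z","cmd":"systemctl restart postgresql"}
{"type":"session.exec","sid":"s1","time":"2026-03-01T09:41:00Z","cmd":"cat /etc/shadow"}
{"type":"session.start","sid":"s2","user":"","login":"admin","host":"bmc-07.site-b","approval":"","expires":""}
{"type":"session.exec","sid":"s2","time":"2026-03-01T10:02:00Z","cmd":"ipmitool user list"}
{"type":"session.exec","sid":"s3","time":"2026-03-01T11:00:00Z","cmd":"kubectl get secrets -A"}
{"type":"session.start","sid":"s4","user":"bob@example.com","login":"deploy","host":"k8s-api.site-c","approval":"REQ-1050","expires":"2026-03-01T12:15:00Z"}
{"type":"session.exec","sid":"s4","time":"2026-03-01T12:03:00Z","cmd":"kubectl rollout restart deploy/api"}
"""


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp ending in 'Z'; empty string -> None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(ndjson):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def audit_sessions(events):
    """Map each session id to a list of audit findings (empty list == audit-ready).

    Checks, in order: identity binding, approval record, expiry, and for every
    command whether it ran inside the window the credential was valid for.
    """
    starts = {}
    findings = {}
    for ev in events:
        if ev["type"] != "session.start":
            continue
        sid = ev["sid"]
        starts[sid] = ev
        issues = findings.setdefault(sid, [])
        if not ev.get("user"):
            # Shared login with no human or workload identity behind it.
            issues.append(f"unattributed: login '{ev['login']}' on {ev['host']} not bound to an identity")
        if not ev.get("approval"):
            issues.append("no approval record")
        if not ev.get("expires"):
            issues.append("standing access: no expiry")
    for ev in events:
        if ev["type"] != "session.exec":
            continue
        sid = ev["sid"]
        start = starts.get(sid)
        if start is None:
            # A command with no session record is a log fragment, not evidence.
            findings.setdefault(sid, []).append(f"orphan command with no session record: {ev['cmd']!r}")
            continue
        expires = parse_ts(start.get("expires"))
        if expires is not None and parse_ts(ev["time"]) > expires:
            # The log records an expiry; enforcement evidently did not honour it.
            findings[sid].append(f"command after expiry {start['expires']}: {ev['cmd']!r}")
    return findings


def ready_sessions(findings):
    """Session ids an auditor could accept as fully attributable and time-bound."""
    return sorted(sid for sid, issues in findings.items() if not issues)


if __name__ == "__main__":
    report = audit_sessions(load_events(SAMPLE_EVENTS))
    for sid in sorted(report):
        status = "audit-ready" if not report[sid] else "NOT audit-ready"
        print(f"{sid}: {status}")
        for issue in report[sid]:
            print(f"  - {issue}")
```

Run as-is and only s4 passes: s1 has an identity and an approval but executed a command after its credential's stated expiry, s2 is a shared BMC login with no identity, approval or expiry, and s3 is a command with no session record at all. The point of the script is the second failure mode in s1: a log that merely records an expiry timestamp is not the same as access that actually ended, so an audit-readiness check has to compare every action against the validity window rather than trust that the field exists.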