TL;DR: According to Pomerium, the security issue is not just access control but whether privileged session evidence can still be trusted once it leaves the session boundary. Its tamper-evident SSH session recording model treats recordings as immutable, independently verifiable evidence, with audit trails and digest checks that can detect modification during upload or storage.
NHIMG editorial — based on content published by Pomerium: How We Designed a Tamper-Evident SSH Recording System for Zero-Trust Infrastructure
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams protect SSH session recordings from tampering?
A: Security teams should protect SSH recordings with cryptographic integrity checks, immutable storage controls, and audit correlation.
Q: Why do tamper-evident recordings matter for PAM and compliance?
A: Tamper-evident recordings matter because privileged access evidence is only useful if it can survive dispute, audit, and incident review.
Q: What breaks when recording integrity depends only on storage permissions?
A: When recording integrity depends only on storage permissions, an administrator or attacker with enough custody can alter the evidence without immediate detection.
Practitioner guidance
- Define session recordings as evidence objects: Classify SSH recordings as governed evidence with explicit integrity and retention requirements, not as routine log files.
- Add digest verification to the recording pipeline: Require the recording system to generate and verify digests between capture and storage so any change during upload or persistence is rejected before the file is accepted as evidence.
- Correlate replay activity with immutable identity markers: Ensure every download, replay, and metadata lookup is tied to a unique access identifier and an identity hash that can be checked against storage audit logs.
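The two technical controls in the guidance above, a digest gate between capture and storage and a replay path whose access identifiers can be reconciled against the storage audit log, are easier to reason about in code. The following is an added illustration written for this editorial; it is not Pomerium's code, and the session bytes, the identity-hash key, the audit-log shape and the helper names (capture, accept_upload, record_replay, unexplained_storage_access) are all constructed for the example.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass

# Constructed sample input: a short captured SSH session (hypothetical content).
SESSION_BYTES = b"$ whoami\nalice\n$ sudo systemctl restart nginx\n"
# Constructed key for the identity hash; a real deployment would hold this in a KMS/HSM.
IDENTITY_KEY = b"example-identity-hash-key-not-for-production"


def digest(data: bytes) -> str:
    """SHA-256 hex digest used as the recording's integrity value."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Recording:
    session_id: str
    capture_digest: str   # digest computed at capture time, before upload


def capture(session_id: str, payload: bytes) -> Recording:
    """Capture step: bind the digest to the session before the bytes leave the recorder."""
    return Recording(session_id, digest(payload))


def accept_upload(rec: Recording, received: bytes) -> bool:
    """Storage acceptance gate: recompute the digest over what actually arrived and
    compare in constant time. A mismatch means the bytes changed in transit or on
    write, so the object is rejected rather than stored as evidence."""
    return hmac.compare_digest(digest(received), rec.capture_digest)


def identity_hash(principal: str, key: bytes = IDENTITY_KEY) -> str:
    """Keyed hash of the requesting principal: stable enough to correlate across
    logs, but not reversible from the audit trail alone."""
    return hmac.new(key, principal.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class ReplayEvent:
    access_id: str      # unique per download, replay or metadata lookup
    session_id: str
    identity_hash: str
    action: str


def record_replay(session_id: str, principal: str, action: str,
                  storage_audit_log: list) -> ReplayEvent:
    """Replay path: mint a unique access id, bind it to an identity hash, and pass
    the same id to the storage layer so its own audit entry carries it."""
    access_id = str(uuid.uuid4())
    event = ReplayEvent(access_id, session_id, identity_hash(principal), action)
    storage_audit_log.append({"access_id": access_id, "object": session_id, "op": action})
    return event


def unexplained_storage_access(events: list, storage_audit_log: list) -> list:
    """Correlation check: every storage read of a recording should map back to a
    replay event carrying an identity hash. Entries that do not are reads that
    bypassed the evidence pipeline and need investigation."""
    known = {e.access_id for e in events}
    return [entry for entry in storage_audit_log if entry.get("access_id") not in known]


def demo() -> dict:
    rec = capture("sess-0001", SESSION_BYTES)
    # Simulate one clean upload and one where the payload changed in transit.
    clean_ok = accept_upload(rec, SESSION_BYTES)
    tampered = SESSION_BYTES.replace(b"alice", b"bob  ")
    tampered_ok = accept_upload(rec, tampered)

    storage_log: list = []
    events = [record_replay("sess-0001", "auditor@example.test", "replay", storage_log)]
    # Constructed: a read that hit the bucket directly, with no access id from the replay path.
    storage_log.append({"access_id": None, "object": "sess-0001", "op": "GET"})
    return {
        "clean_accepted": clean_ok,
        "tampered_accepted": tampered_ok,
        "unexplained": len(unexplained_storage_access(events, storage_log)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that storage permissions never enter the integrity decision: accept_upload only trusts the digest bound at capture, and the correlation step flags any storage read that the replay path did not mint an identifier for, which is exactly the custody-without-detection gap the Q&A above describes.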
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- Implementation specifics for digest generation and verification across the SSH recording pipeline.
- How Pomerium maps access identifiers and identity hashes into cloud audit logs for replay and download events.
- The storage assumptions behind immutability, versioning, legal holds, and retention policies.
- The architecture of the replay path and how storage custody is separated from recording authenticity.
👉 Read Pomerium's analysis of tamper-evident SSH session recording →
SSH session recording and zero trust: what IAM teams need to know
Explore further
Tamper-evident session evidence is now part of privileged access governance. SSH recording has historically been treated as a monitoring feature, but this design shows it must be governed as evidence with its own integrity boundary. Once recordings are used in audits or investigations, the question becomes whether the evidence can be trusted independently of the infrastructure that stores it. That makes session evidence a PAM and lifecycle control issue, not just a logging issue. The implication is that identity programmes need to treat evidence integrity as a first-class governance requirement.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own session recording authenticity in an identity programme?
A: Session recording authenticity should be owned jointly by PAM, IAM, and audit stakeholders, with clear accountability for integrity checks, replay access, and retention policy. The owner is not the storage platform. The control lives in the evidence pipeline and the governance process around it.
👉 Read our full editorial: Tamper-evident SSH session recording extends zero trust evidence