What is Secret Management?
We live in an age where corporate data breaches occur with worrying frequency resulting in costly damage control and a loss of trust from clients.
What is a “Secret” in the technology world?
Simply put, a secret is a digital authentication credential.
Non-human privileged credentials are often called “secrets” and refer to a private piece of information that acts as a key to unlock protected resources or sensitive information in tools, applications, containers, DevOps and cloud-native environments.
The most well-known example of a secret is a “password”.
What is Secrets Management?
Secrets management allows organisations to consistently enforce security policies for non-human identities. Secrets management provides assurance that resources across tool stacks, platforms and cloud environments can only be accessed by authenticated and authorised entities.
Secret Management refers to tools or methods that are used to manage authentication credentials (or secrets). These may include passwords, access keys, API keys, and tokens that can be used in applications, services, privileged accounts or other sensitive areas of the IT ecosystem.
To ensure proper protection of their critical data, organisations pay attention to the processes they use for managing identities, privileges, and secrets. Collectively referred to as secrets management, these processes provide organisations with capabilities for managing passwords, encryption keys, API keys, and other types of secrets in a centralised and secure way.
Advantages
- By this approach, service accounts — generic administrative accounts which may be assumed by one or more users — can access these secrets, but no one else
Disadvantages
- Not compliant with regulatory requirements which specify FIPS-certified hardware
Why is Secret Management important?
Secrets management enables you to securely store, transmit, and audit secrets. It removes, or at least minimises, the involvement of humans in the management of secrets to reduce potential points of failure.
Passwords and access keys are some of the most used tools to authenticate users or automated applications onto the network or give access to specific services, systems, or information that might be otherwise classified. Since these secrets need to be transferred securely, secret management would need to account for and mitigate the risk portrayed on the secrets while in transit as well as on rest.
Some of the secrets include:
- Passwords
- API keys or other application keys/credentials
- SSH keys
- Database and other system passwords
- Certificates for secure communication (TLS/SSL and more).
- Private encryption keys such as PGP
- RSA and other one-time password devices
Challenges in Secret Management
As I.T. infrastructure grows and develops, it increases the complexity and the diversity of the secrets involved that needs to be properly protected. Those secrets should be securely stored, transmitted and audited securely.
Some of the common risk and considerations are:
- Incomplete visibility and awareness:
All privileged accounts, applications, tools, containers, or microservices deployed across the environment, and the associated passwords, keys, and other secrets. SSH keys alone may number in the millions at some organisations, which should provide an inkling of a scale of the secrets management challenge. This becomes a particular shortcoming of decentralised approaches where admins, developers, and other team members all manage their secrets separately, if they are managed at all. Without oversight that stretches across all IT layers, there are sure to be security gaps, as well as auditing challenges. - Hardcoded/embedded credentials
Privileged passwords and other secrets are needed to facilitate authentication for app-to-app (A2A) and application-to-database (A2D) communications and access. Often, applications and IoT devices are shipped and deployed with hardcoded, default credentials, which are easy to crack by hackers using scanning tools and applying simple guessing or dictionary-style attacks. DevOps tools frequently have secrets hardcoded in scripts or files, which jeopardises security for the entire automation process. - Privileged credentials and the cloud
Cloud and virtualization administrator consoles (as with AWS, Office 365, etc.) provide broad superuser privileges that enable users to rapidly spin up and spin down virtual machines and applications at massive scale. Each of these VM instances comes with its own set of privileges and secrets that need to be managed - DevOps tools
While secrets need to be managed across the entire IT ecosystem, DevOps environments are where the challenges of managing secrets seem to be particularly amplified at the moment. DevOps teams typically leverage dozens of orchestration, configuration management, and other tools and technologies (Chef, Puppet, Ansible, Salt, Docker containers, etc.) relying on automation and other scripts that require secrets to work. Again, these secrets should all be managed according to best security practices, including credential rotation, time/activity-limited access, auditing, and more. - Third-party vendor accounts/remote access solutions
How do you ensure that the authorisation provided via remote access or to a third-party is appropriately used? How do you ensure that the third-party organisation is adequately managing secrets? - Manual secrets management processes
Leaving password security in the hands of humans is a recipe for mismanagement. Poor secrets hygiene, such as lack of password rotation, default passwords, embedded secrets, password sharing, and using easy-to-remember passwords, mean secrets are not likely to remain secret, opening up the opportunity for breaches. Generally, more manual secrets management processes equate to a higher likelihood of security gaps and malpractices.
The modern I.T. landscape is filled with secrets: certificates, cryptocurrency wallets, SQL connection strings, storage account keys, passwords, and encryption keys. Getting a handle on secrets management can be a major challenge.
Can Your Secrets Management System Keep a Secret?
