The quick guide to secrets management in the enterprise
The enterprise IT scene today is characterized by continuous digital transformation and data generation of epic proportions. With remote and mobile work being the new norm in a post-pandemic world, mobility and agility have become essential drivers of business continuity in the enterprise.
In an effort to automate and integrate every possible business function, centralize and speed up the flow of data and information, improve productivity and provide a better customer experience, organizations are building agile DevOps environments with complex hybrid multi-cloud operational models.
However, with great mobility and timely data comes great responsibility. Enterprises face increasing challenges in keeping data, services, and Personally Identifiable Information (PII) secure. Despite the advances in technology, we continue to see record-breaking numbers of data breaches year after year.
How do enterprises evolve their data storage, management, and protection methods to make sure employees have a straightforward way to access digital resources while reinforcing the security of the whole IT infrastructure?
The answer lies in effective secrets management.
What is secrets management and why is it needed?
Secrets management is the set of tools and best practices used to securely store, access and centrally manage digital authentication credentials (or “secrets”) through their entire life cycle. Secrets are data items used in authentication and authorization; they include passwords, public and private encryption keys, SSH keys, API keys, tokens, and certificates. Both machines and humans use secrets to authenticate and communicate.
But why do you need secrets management in the first place?
“With the universal shift to hybrid multi-cloud infrastructure and reliance on app containerization, the need for both machines and people to continuously access systems and data has grown substantially. For example, more and more applications must continuously access different data sources, cloud services, and servers, often with different kinds of credentials needed for each resource. This has created an exponential need for secrets throughout the DevOps process,” explains Oded Hareven, CEO and co-founder of Akeyless, a SaaS-based secrets management tool.
What makes it tricky is that developers frequently embed secrets in application or microservice code, scripts, automation tools, and code repositories, all residing across different infrastructures. Worse, this code sits at different development stages, with a real risk of being mismanaged and left unprotected. The result is an overall lack of control over, and integration of, secrets, leading to what is referred to in security circles as “secret sprawl.”
The trouble doesn’t end there. Cloud platforms that perform continuous integration/continuous delivery (CI/CD) must, by their nature, manage and grant access to other machines and software. To do so, they need to store secrets and signing keys (used to seal code and software updates), and these are frequently kept in non-secure locations such as a developer’s laptop or a build server.
Secret sprawl not only makes credentials difficult to track and manage, but also leaves them vulnerable to theft. In fact, stolen credentials account for nearly half of all data breaches, according to a report from Verizon.
Many recent hacks, including software supply chain hacks, take advantage of secrets that have been placed in code, which in turn is stored in easily accessed repositories such as GitHub. In fact, GitHub recently detected over 700,000 potential credential leaks across thousands of private repositories, ripe for the taking.
The examples just keep coming. A recently exposed software supply chain attack hijacked popular PHP and Python libraries to steal AWS keys. In another instance, a commonly used service that helps open source developers write and test software was found to be leaking thousands of authentication tokens and other secrets, allowing hackers to access developers’ private accounts on Docker, GitHub, AWS, and other code repositories.
But aren’t there a zillion methods already available to protect passwords, keys, and other credentials, you ask?
There are. And that’s part of the problem.
Challenges in secrets management
There is considerable inefficiency and duplication in today’s security solutions when it comes to managing secrets. Some of these challenges are:
Secret sprawl:
The world is moving from on-prem to the cloud – and so are secrets. The big 3 cloud service providers (and others) all offer their own secrets management solutions, which most companies accept by default, simply for want of a better solution – what could be safer than the provider’s own platform?
But with a hybrid multicloud architecture taking center stage (it’s the only IT operational model that’s growing in adoption), most DevOps teams find themselves dealing with multiple environments chock-full of microservices and containers for different workloads. These in turn have thousands of machine-to-machine components that communicate with each other, leading to a mind-boggling number of keys, tokens and other secrets in circulation.
The explosion and decentralization of secrets is a huge operational burden on admins and DevOps practitioners. The myriad cloud and virtualization solutions available today let users create and destroy VMs and apps on a massive scale. Needless to say, each of these VM instances comes with its own set of secrets that needs managing. Further, SSH keys alone can number in the millions in enterprise organizations. Beyond that, Ansible jobs, Kubernetes containers, and daily batch routines all tend to have passwords that need rotation.
All these systems are unable to access security resources that are external to their environment. There is no unified control plane that can help you manage multiple secret repositories stored across different platforms.
Insufficient visibility:
Static secrets localized to different environments (such as cloud, on-prem, edge or hybrid) are managed by different individuals, teams and administrators, creating “secret islands.” This inevitably leads to auditing challenges and security gaps.
Complexity of vault solutions:
Due to the large number of incumbent and legacy tools and platforms (both DevOps and non-DevOps) and the huge number of extensions for each of them, on-prem vault solutions don’t work well in many cases. Plus, it’s difficult to configure vaults according to the underlying compute, storage and networking infrastructure in a hybrid environment. The need for frequent updates only increases the complexity of on-prem vaults.
Cloud-based vaults are no better. A huge red flag is that these offerings are proprietary to the provider and only support workloads that run within their own environment and ecosystem, so again they’re not a good fit for hybrid cloud architectures. Even when every provider you use is a major one, relying on each provider’s own vault in a multicloud environment only leads to vault sprawl. Another concern is that your master keys are shared with your cloud provider. This means a rogue admin, hacker or government agency could access them and you’d be helpless.
The perfect secrets management solution…
might not exist. But that doesn’t mean you can’t create foolproof Identity and Access Management (IAM) policies that keep your enterprise safe from every known type of threat.
IAM is the new perimeter – it is fundamental to a modern security strategy. Validating the identity (authentication) of human and machine users and justifying their need to access the resource (authorization) is becoming more complex every day with the rise in automation and the number of dynamic workloads that fluctuate with demand.
Further, the nature of authentication is constantly changing. Application and database modules are no longer confined to a large block of code as they used to be. Rather, they are a complex and dynamic integration of microservices and subcomponents, each of which has its own authentication process.
Here’s what enterprises that operate in a multicloud environment or have a hybrid mix of on-prem, private and public cloud systems in place should look for in a secrets management platform or solution:
Works in hybrid, multicloud and multi-locale setups: This is perhaps the single most essential factor for enterprises. Wherever possible, choose a platform that integrates seamlessly with cross-platform, cross-environment workflows using cloud-native technology. Your secrets management solution should support IAM-enabled machine-to-machine and human-to-machine authentication and verification for different types of secrets such as SSH certificates, API keys, X.509 certificates, encryption keys, and so on to enforce continuous security compliance.
Works with different authentication protocols, languages and devices: It’s important that your secrets management tool support human, hardware and software authentication through third-party identity providers, across all major interfaces: a command line, a GUI, a REST API and SDKs for the major languages. Needless to say, it should facilitate dynamic secrets and integrate with common cloud-based platforms such as Docker, Kubernetes, Terraform, Ansible and Jenkins for undisrupted DevOps operations.
Then there is the question of scaling. If you want to grow at “cloud scale” and expand your geographical or technology infrastructure, you need to be able to scale your secrets management capabilities to support all existing as well as upcoming tools and plugins.
Can be managed via a unified SaaS platform: Security teams today need centralized visibility and control of authentication for all users, applications and devices across all environments used by the organization. “An intuitive SaaS-based secrets management tool with real-time visibility into every instance of secret use, audit logging and robust analytics is the need of the hour according to every security head I’ve talked to,” says Hareven.
Solves the secret zero problem and enforces the zero trust model: Password management is a common function these days. An individual might have a spreadsheet or doc in which they store all passwords for the various applications or control panels they use. However, to open this spreadsheet, they’d probably need another password. And they’d also need user credentials to log in to the OS and access the spreadsheet. Multiply this scenario by the endless types of secrets you have today, and you get the “secret zero” problem.
Your secrets management solution should provide you with a set of initial credentials and an ephemeral token or key for continuous authentication into the parent machine, so that the “secret zero” is never compromised.
This falls within the premise of the zero trust architecture (ZTA), which follows the principle of least privilege (PoLP), under which users and applications are granted “just-in-time” and granular access to a specific number of resources for a specific period of time – only after “justifying” their request to the administrator. These privileges are dynamically granted and automatically expire after the pre-set timeframe.
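The two ideas above, a single protected “secret zero” and just-in-time access that expires on its own, are easier to see in working code than in prose. The following is an added example, not the article’s code and not Akeyless’s or any other vendor’s product: a toy broker that holds the only durable secret (its signing key) and hands workloads short-lived tokens bound to one scope. The signing key, scope names, TTL, claim names and the injectable clock are all assumptions made for the example.

```python
"""Added example (not the article's code and not any vendor's product): a toy
broker that hands workloads short-lived, scoped tokens instead of a long-lived
credential. Only the broker holds a durable secret, its signing key; that is
the one "secret zero" that must be protected out of band.

The signing key, scope names, TTL and clock below are all assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenBroker:
    """Issues HMAC-signed tokens bound to a subject, a scope and an expiry."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300, clock=time.time):
        self._key = signing_key          # the broker's only durable secret
        self._ttl = ttl_seconds          # how long an issued token stays valid
        self._clock = clock              # injectable so tests can move time
        self._revoked = set()            # token ids revoked before expiry

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject: str, scope: str) -> str:
        """Mint a token for `subject` limited to `scope` for `ttl_seconds`."""
        claims = {
            "sub": subject,
            "scope": scope,
            "jti": secrets.token_hex(8),               # unique id, for revocation
            "exp": int(self._clock()) + self._ttl,     # hard expiry, never optional
        }
        payload = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        return payload + "." + self._sign(payload)

    def verify(self, token: str, required_scope: str) -> dict:
        """Return the claims if the token is genuine, unexpired, unrevoked and
        carries exactly the required scope; raise PermissionError otherwise."""
        if "." not in token:
            raise PermissionError("malformed token")
        payload, sig = token.split(".", 1)
        # Constant-time comparison: a forged signature must not leak timing.
        if not hmac.compare_digest(sig, self._sign(payload)):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["exp"] <= int(self._clock()):
            raise PermissionError("token expired")
        if claims["jti"] in self._revoked:
            raise PermissionError("token revoked")
        if claims["scope"] != required_scope:
            raise PermissionError("scope mismatch")
        return claims

    def revoke(self, token: str) -> None:
        """Invalidate a token early, e.g. when the job that held it finishes."""
        payload = token.split(".", 1)[0]
        self._revoked.add(json.loads(base64.urlsafe_b64decode(payload))["jti"])

    def check(self, token: str, required_scope: str) -> str:
        """Convenience wrapper: 'ok' or the reason the token was rejected."""
        try:
            self.verify(token, required_scope)
            return "ok"
        except PermissionError as exc:
            return str(exc)


if __name__ == "__main__":
    broker = TokenBroker(signing_key=b"constructed-signing-key", ttl_seconds=300)
    tok = broker.issue("build-job-42", "db:read")
    print(broker.check(tok, "db:read"))     # ok
    print(broker.check(tok, "db:write"))    # scope mismatch
    broker.revoke(tok)
    print(broker.check(tok, "db:read"))     # token revoked
```

The point of the design is what a workload does not hold: it never sees the signing key, a token it leaks is useless after `ttl_seconds` or after the broker revokes it, and a token minted for `db:read` cannot be presented for `db:write`. Bootstrapping the workload’s first request to the broker (its own identity) is exactly the secret zero problem the article describes, and is what platform-native identity such as cloud instance metadata or Kubernetes service account tokens is meant to solve.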
Keep your secrets
The ideal secrets management platform empowers DevOps, cloud migration and digital transformation in the enterprise by enabling different teams to access the resources they need and manage their secrets autonomously. With a solution delivered “as a service” from the cloud, you can reduce maintenance overheads, improve availability and scale your operations to meet your organizational growth targets.