Non-human identities and privileged credentials called secrets are protected through practices, tools, and processes known as secrets management. These secrets include sensitive information in the digital environment across IT networks. They need to be secured and only accessed by trusted entities. Storing, transmitting, and auditing secrets can be complicated, as the digital environment is complex and constantly changing. Comprehensive, holistic, broad, and automated solutions usually offer the most secure environment and best practices for secrets management.
Secrets management defined
A secret in the tech world refers to digital authentication tools and can include the following:
- API keys as well as other application keys and credentials
- Auto-generated or user passwords
- System-to-system passwords, including databases
- SSH keys
- Private encryption keys
- Private certificates for secure communication, transmitting, and receiving data, such as TLS and SSL
- RSA and additional one-time password devices
- Privileged account credentials
Secrets management refers to the protection of these secrets, allowing only authorized and authenticated entities access to them. Secrets management involves policies, processes, and tools in a digital environment. It can include the following:
- Authentication of access requests using non-human credentials
- Automated management of secrets
- Consistent access policies
- Enforcement of the principle of least privilege (giving lowest level of access possible)
- Rotating credentials and secrets often
- Using role-based access control (RBAC) (allowing access based on role in the organization)
- Maintaining comprehensive audits and tracking all access
- Removing secrets from unprotected areas, including within code and configuration files
Secrets management can help to reduce human error, and keep applications and pipelines secure.
Challenges of secret management
Application secrets and digital authorization credentials are part of a complex IT infrastructure that needs to be carefully managed. These are some of the challenges regarding secrets management:
- The scope of secrets is large and often without complete oversight. Secrets are often held within certain parts of the team or organization, for example, and they are not visible across the entire infrastructure. This can leave security gaps and challenges with auditing.
- Credentials are often hardcoded and easy to crack. Applications and lOT devices regularly come with default credentials. DevOps tools often have secrets already hardcoded in files or scripts. This can create security risks for the automation of secrets management.
- Complex infrastructures often encompass multiple cloud services, all with their own secrets that need to be managed.
- DevOps environments rely on numerous scripts and automation processes that require secrets to run properly. These secrets need to be managed using good security practices.
- Integration can be tricky with large infrastructures and environments. Tools used to manage secrets need to orchestrate well with other tools in the security stack and with all parts of the DevOps stack.
- Remote access and authorized third-party access need to be used appropriately, and secrets need to be managed for these users as well.
Best practices for managing secrets
Some of the issues with managing software secrets are the secrets themselves. Secrets need to be strong, so they should be long, complex, and changed regularly. There is the human element with creating and storing secrets, as humans are often the cause of leaked secrets. Automating secrets management can take the human error factor out of the equation. Passwords should be rotated regularly. Automation can help achieve this and reduce the risk for leaks.
Best practices for secret management include the following:
- Identify and keep track of all passwords with a centralized management system.
- Eliminate all hardcoded, embedded, and default secrets.
- Enforce security best practices, including one-time passwords for sensitive systems, password rotation, separation of privilege, and principle of least privilege (PoLP).
- Extend secret management to partners and vendors, ensuring third parties are also conforming to best practices.
- Use privileged session monitoring to log, monitor, and audit activity.
- Analyze secrets continuously to work to detect threats and anomalies.
- Build security into the DevOps lifestyle and ensure code does not contain embedded passwords.
Secret management should be automated, integrated, holistic, and comprehensive to encompass your entire IT infrastructure all the way down to third parties.
Solutions for secrets management
Secrets should not be stored where they can be easily hacked or accessed by unauthorized users. This means keeping them out of the source code and application systems. There are several types of secret management tools on the market today that serve to store and maintain secrets. Many of them provide a method or external place to store and manage sensitive information. A good secret management solution will manage application passwords, and also eliminate hard coded ones, manage secrets for scripts, and work across the entire IT infrastructure, not just have limited capacity or use. This form of holistic secrets management is broader and more comprehensive, making it more effective, secure, and efficient. All of the big cloud service providers have a secrets manager, but if you are using multiple cloud services, an external secrets manager tool can help to keep things simple. Using a secret management service can also help to keep things secure, integrated, and automated. Secret management tools, practices, and processes can be combined. Multiple tools can be used together to make things even more secure.
Use cases for secrets management
Any environment with digital authentication credentials can benefit from secret management. Managing secrets properly can protect you from cyber attacks and bad actors who are seeking to gain access to privileged and sensitive information. Four of the most common use cases for secrets management are as follows:
- Secret management for containers: Containers are often used by engineering and DevOps teams to enhance productivity and improve portability. They require secrets to access sensitive information but are only used short term, which can make them harder to track and keep secure. Secrets management processes can authenticate container requests, and help to secure and control access to critical information.
- Secret management for CI/CD pipelines: CI/CD pipeline tools are made for speed and efficiency, and are not without security challenges. These are automated configuration management tools that require secrets to access protected resources, including HTTPs services, databases, and SSH servers. They often have secrets hardcoded insecurely. With secrets management, these default secrets can be removed and secured.
- Secrets management to secure COTS and internally developed applications: Third-party solutions and tools, IT management tools, and internally developed scripts and applications require privileged access and often come with hardcoded credentials. Secrets management solutions can remove these hardcoded credentials and create more secure secrets that can then be effectively stored, managed, and rotated securely.
- Secrets management for auto-scale and elastic environments: Auto-scaling capabilities are offered by cloud providers, which can improve efficiency but also create challenges with managing security. Secrets management practices can offer more security and automation in real-time while taking out the need for a human operator to have to manually apply policies to each host.
Secrets management should enforce best security practices. It should be only as complex as necessary, so the system is still manageable. Secret management programs, policies, and tools are designed to take some of the human error out and improve security while maintaining usability.
Securing Pipelines Through Secrets Management. (June 2021). The Newstack.
Secret Management Design Decisions: Theory Plus an Example. (March 2018). Sander Knape.
Secret Management Architectures: Finding the Balance Between Security and Complexity. (June 2017). Slalom.