One of the greatest security challenges for IT organizations is the storage and access of secrets, including passwords, certificates and API keys. These secrets guard enterprise applications, systems and data.
In IT, machines increasingly depend on secrets to integrate diverse systems or support interoperability between applications. This trend has led to "secrets sprawl," where businesses store secrets in varied locations, such as plain text files, configuration management systems and databases, and access them inconsistently. This makes it difficult for IT teams to track and manage secrets -- which, over time, can pose serious security threats.
A new group of tools, such as HashiCorp Vault, GitHub Actions and AWS Secrets Manager, centralize and organize secrets to bolster an organization's security posture.
The goal of secrets management
If admins don't know the exact location of secrets, or how they are protected, it's difficult to rely on monitoring and logging to identify potential threats.
In light of these challenges, organizations are reexamining how they organize, use and protect secrets. Secrets management tools store and control access to a range of secrets, including passwords, certificates, tokens and encryption keys; this enables IT teams to centrally control secrets through business policies. Admins can deploy secrets repositories locally as a service to support data center and public cloud infrastructure.
There are several common uses for secrets management tools. At their simplest, these tools store business secrets in a designated location to prevent secrets sprawl and provide centralized control. They can also store employee or user credentials for applications and services, and log secrets use -- which makes it possible for admins to review or audit access to specific secrets.
Secrets repositories increasingly support the use of dynamic or temporary secrets -- an API key for scripts, for example, that is created for the duration of a script and then is removed or revoked. This minimizes the risk of theft, as the secret is generated on the fly and eliminated after use.
Secrets repositories also support encryption. For example, HashiCorp Vault includes encryption capabilities that enable applications to encrypt data located on disk. This native encryption often simplifies data security, as it supports a common platform for encryption across the organization.
Secrets management best practices -- beyond the tool
While secrets repositories facilitate stronger and more consistent security practices, those results are not automatic. Secrets management tools will not help, for example, if developers or administrators continue to use scripts or source code with plain text credentials. Successful adoption of these tools demands commitment, as well as changes to practices and workflows across the organization. To start, implement these secrets management best practices.
Embrace the change. One of the biggest challenges of a secrets repository is to actually enforce its use. Once the repository is available, admins must secure secrets through the platform to control and track secrets access. The organization must make a concerted effort to understand and undo any existing secrets sprawl. This demands extensive human intervention and can disrupt long-standing processes and workflows among administrators, developers and others.
Build on integrations. Once secrets are in a repository, applications and services must use them, which requires integration with other tools and platforms -- some of which might run in public clouds. A secrets repository might integrate with a local identity service, such as Active Directory; a cloud service on AWS, Azure or Google Cloud Platform; or a container orchestration platform like Kubernetes. For example, a secrets repository might provide secrets to application pods running on Kubernetes. Developers can use integration to reduce the number of application changes or updates needed for effective secrets repository use.
Use dynamic secrets. Even when policies are in place to require periodic changes, a typical secret -- such as a password -- is still static and can be compromised with enough time and effort. Enhance security with dynamic secrets, which, as mentioned above, exchange unique secrets with every request.
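The lifecycle described above (a credential minted for one script run, usable only while its lease is live, and revoked as soon as the run ends) as an added illustration, not code from the original article or from any secrets management product. `Lease`, `DynamicSecretBroker` and `run_with_dynamic_secret` are assumed names for a toy in-memory broker; the TTL clock is passed in so the expiry behaviour can be exercised deterministically.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Lease:
    """A credential bound to a lease: valid until its TTL elapses or it is revoked."""
    lease_id: str
    credential: str
    issued_at: float
    ttl: float
    revoked: bool = False

    def is_valid(self, now: float) -> bool:
        return not self.revoked and now < self.issued_at + self.ttl

class DynamicSecretBroker:
    """Toy stand-in for a repository's dynamic-secrets engine: a fresh
    credential per request, tracked by lease (hypothetical, in-memory)."""
    def __init__(self) -> None:
        self._leases: dict = {}

    def issue(self, role: str, ttl: float, now: Optional[float] = None) -> Lease:
        now = time.time() if now is None else now
        lease = Lease(f"{role}/{secrets.token_hex(8)}", secrets.token_urlsafe(24), now, ttl)
        self._leases[lease.lease_id] = lease
        return lease

    def lookup(self, lease_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the credential only while its lease is live; None otherwise."""
        now = time.time() if now is None else now
        lease = self._leases.get(lease_id)
        return lease.credential if lease and lease.is_valid(now) else None

    def revoke(self, lease_id: str) -> bool:
        lease = self._leases.get(lease_id)
        if lease is None or lease.revoked:
            return False
        lease.revoked = True
        return True

def run_with_dynamic_secret(broker: DynamicSecretBroker, role: str, ttl: float,
                            work: Callable[[str], object], now: Optional[float] = None):
    """Issue a credential for one script run and revoke it when done, even on failure."""
    lease = broker.issue(role, ttl, now)
    try:
        return work(lease.credential)
    finally:
        broker.revoke(lease.lease_id)
```

A leaked lease ID or credential is useless once the TTL has passed or the script's revoke has run, which is the risk reduction the article attributes to dynamic secrets.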
Involve encryption. Encryption is an essential service to protect application data both at rest and in flight. But enterprises frequently omit encryption because of the challenges involved in managing encryption certificates and key rotation. A secrets repository serves as a centralized interface for key management, which can simplify and standardize encryption both locally and within the public cloud.
Consider auth methods. An auth method is a means to perform authentication and assign an identity. There are various auth methods available today, and a secrets repository can potentially support specific authentication for many major services, such as AliCloud, Okta, AWS, Azure, Cloud Foundry, Google Cloud, Kubernetes, GitHub, LDAP, RADIUS and TLS certificates. For example, developer-facing systems might use the GitHub auth method, while containerized workloads might use the Kubernetes auth method. Select the auth method -- or methods -- that are most appropriate or efficient for the repository use case, and disable additional, unused auth methods to minimize the possible attack surface.
Use plugins. Secrets management tools provide extensibility and future-proof the platform through support for plugins. For example, a plugin can enable new secrets engines -- to store, generate or encrypt secrets -- and authentication methods. To obtain plugins, check what the secrets repository vendor offers, or create them in-house to suit the specific needs of the business.
Use logs and audits. A secrets repository produces detailed logs of all requests and responses, including errors. Logs are indispensable tools for security audits, as they enable administrators to quickly locate unauthorized access attempts and support the organization's security posture for regulatory compliance. Logs might be composed of JSON objects for further parsing and analytics. Sensitive information, such as tokens and lease details, is typically hashed to protect against unauthorized log access. Enable logging features and direct their output to a secure storage location in the enterprise.
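As an added example (not from the original article or any vendor), the two points above in working form: a keyed hash that lets a token be searched for in a log without the log revealing it, and a parser over JSON-lines audit entries that surfaces identities accumulating "permission denied" responses. The log lines are constructed and only loosely modelled on a request/response audit format; `hash_token`, `parse_audit_log` and `denied_attempts` are assumed names.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample: JSON-lines audit entries loosely modelled on a
# secrets repository's request/response log (not real product output).
SAMPLE_LOG = """\
{"type":"response","time":"2024-05-01T10:00:01Z","auth":{"display_name":"ci-runner"},"request":{"path":"secret/data/ci/deploy","operation":"read","remote_address":"10.0.4.12"},"error":""}
{"type":"response","time":"2024-05-01T10:00:05Z","auth":{"display_name":"alice"},"request":{"path":"secret/data/prod/db","operation":"read","remote_address":"10.0.9.3"},"error":"permission denied"}
{"type":"response","time":"2024-05-01T10:00:06Z","auth":{"display_name":"alice"},"request":{"path":"secret/data/prod/api","operation":"read","remote_address":"10.0.9.3"},"error":"permission denied"}
{"type":"response","time":"2024-05-01T10:00:08Z","auth":{"display_name":"alice"},"request":{"path":"secret/data/prod/tls","operation":"read","remote_address":"10.0.9.3"},"error":"permission denied"}
{"type":"response","time":"2024-05-01T10:01:00Z","auth":{"display_name":"bob"},"request":{"path":"secret/data/dev/app","operation":"read","remote_address":"10.0.7.1"},"error":""}
"""

def hash_token(token: str, key: bytes) -> str:
    """Keyed hash applied before a token reaches the log: an auditor who
    knows a token can still find its entries, but the log never holds it."""
    return "hmac-sha256:" + hmac.new(key, token.encode(), hashlib.sha256).hexdigest()

def parse_audit_log(text: str) -> list:
    """Parse JSON lines into dicts, skipping blank and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupted line should not abort the audit
    return entries

def denied_attempts(entries: list, threshold: int = 3) -> list:
    """(identity, source address) pairs whose 'permission denied'
    responses reach the threshold, with their counts."""
    counts = Counter()
    for e in entries:
        if e.get("type") != "response" or "permission denied" not in e.get("error", ""):
            continue
        who = (e.get("auth", {}).get("display_name", "?"),
               e.get("request", {}).get("remote_address", "?"))
        counts[who] += 1
    return [(who, n) for who, n in counts.items() if n >= threshold]
```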