Secrets Management in Cloud
Cloud secrets management refers to cloud-based methods and tools that organizations use to secure and manage their digital credentials like authentication credentials (secrets), including passwords, keys, APIs, and tokens for use in applications, services, privileged accounts and other sensitive parts of the IT ecosystem.
While secrets management is applicable across an entire enterprise, the terms “secrets” and “secrets management” are referred to more commonly in IT with regard to DevOps environments, tools, and processes.
Why Secrets Management is Important
For DevOps and CI/CD tools, repositories, containers and applications to work together, they need to establish communication and access to each other. This communication and access are accomplished via secrets, such as application passwords, container credentials, SSH Keys, database username/passwords, TLS Certificates, LDAP passwords, as well as third-party vendor accounts, and more.
Secrets and keys are some of the most broadly used and important tools your organization has for authenticating applications and users and providing them with access to sensitive systems, services, and information. Because secrets have to be transmitted securely, secrets management must account for and mitigate the risks to these secrets, both in transit and at rest.
Types of secrets can include:
- User or auto-generated passwords
- API and other application keys/credentials (including within containers)
- SSH Keys
- Database and other system-to-system passwords.
- Private certificates for secure communication, transmitting and receiving of data (TLS, SSL etc.)
- Private encryption keys for systems like PGP
- RSA and other one-time password devices
- Container secrets
Secret Management Challenges
Here are some common risks and considerations relating to secret management.
1. Manual Sharing and Failure to Rotate Sensitive Data
Without secrets management, the only way to enable software systems to access each other is to manually share secrets within teams or embed them in code or configuration. This leads to the use of weak passwords, and reuse of passwords across systems.
2. Hardcoded Credentials
App-to-app and application-to-database access and communications require secrets such as privileged passwords to enable authentication.
3. Lack of Awareness and Visibility
There are often many privileged applications, accounts, tools, microservices, or containers deployed across an organization’s environment, along with their associated secrets, such as keys and passwords. Some organizations have millions of SSH keys, which is only part of the overall secret management burden.
4. Cloud Computing Privileges
Virtualization and cloud administrator consoles like Office 365 and AWS use superuser privileges allowing users to access a broad range of resources and spin up or wind down applications and VMs quickly.
5. DevOps Solutions
Secrets require management across an organization’s IT ecosystem, but DevOps environments tend to amplify the challenges of secret management. DevOps teams usually use many different configuration management and orchestration tools, employing automated technologies and platforms that rely on secrets to operate. It is important to apply the best practices to secure these secrets, such as rotating credentials, limiting access, auditing, etc.
6. Third-Party Accounts and Remote Access
Third-party vendors and external users often access sensitive resources with accounts connected via a remote access solution. Ensuring external users implement the right remote access practices and authorization is challenging. In these cases, the organization relies on a third party to manage secrets, relinquishing some control of the IT system’s security.
7. Manual Processes for Managing Secrets
Password and secret security should not be the sole responsibility of humans, who are prone to error and mismanagement. Human error and negligence can expose secrets and result in breaches.
8. Lack of Centralized Secrets Management
Another concern is the need for centralized secrets management. As the number, variety, and complexity of IT systems increases, it becomes increasingly difficult to enforce and manage consistent policies across systems, understand where secrets are and how they are used.
Best Practices for Secrets Management
- Discover/identify all types of credentials: Use automation to find secrets, keys, certificates, and passwords across your entire IT environment and bring them under centralized management, such as in a secrets vault. A secrets vault should be able to store a variety of credentials, such as passwords, API keys, tokens, XML files, JSON files, and more. Continuously discover and onboard new credentials in your vault as they are created.
2. Eliminate hardcoded/embedded secrets: In DevOps tool configurations, build scripts, code files, test builds, production builds, applications, and more. Bring hardcoded credentials under management, such as by using API calls, and enforce password security best practices. Eliminating hardcoded and default passwords effectively removes dangerous backdoors to your environment.
3. Enforce password security best practices: Including password length, complexity, uniqueness, expiration, rotation or dynamic secrets creation, and more across all types of credentials. Secrets, if possible, should never be shared. If a secret is shared, it should be immediately changed. Secrets to more sensitive tools and systems should have more rigorous security parameters, such as one-time passwords (OTPs), and rotation after each use.
4. Apply privileged session monitoring to log, audit, and monitor: All privileged sessions (for accounts, users, scripts, automation tools, etc.) to improve oversight and accountability. This can also entail capturing keystrokes and screens (allowing for live view and playback). Some enterprise privilege session management solutions also enable IT teams to pinpoint suspicious session activity in-progress, and pause, lock, or terminate the session until the activity can be adequately evaluated.
5. Extend secrets management to third-parties: Ensure partners and vendors conform to best practices in using and managing secrets.
6. Implement threat analytics: Continuously analyze secrets usage to detect anomalies and potential threats. The more integrated and centralized your secrets management, the better you will be able to report on accounts, keys applications, containers, and systems exposed to risk.
7. Embrace DevSecOps: With the speed and scale of DevOps, it’s crucial to build security into both the culture and the DevOps lifecycle (from inception, design, build, test, release, support, maintenance). Embracing a DevSecOps culture means that everyone shares responsibility for DevOps security, helping ensure accountability and alignment across teams. In practice, this should entail ensuring secrets management best practices are in place and that code does not contain embedded passwords in it.
References:
What is Secret Management | Tools & Best Practices | Imperva
What is Secrets Management? Definition & Best Practices | BeyondTrust
