Secrets and Credentials are much easier to Steal in the Cloud — What to do about it?

And why current detection solutions don’t work well

Teck Wu
Borneo
5 min read · Jan 24, 2022


Credentials and developer secrets are the keys that unlock doors in any organization. We use credentials to gain access to workstations, cloud accounts, protected documents, and many other things we want to keep away from prying eyes. Developer secrets (API keys, access tokens, connection strings, signing keys) are an essential part of a developer's toolstack: services use them to authenticate to each other and to retrieve data over a trusted channel. Without them, data between services cannot flow. Credentials and developer secrets are thus what lets an organization create business outcomes while gating access to proprietary and confidential data.

With many service companies now adopting a cloud-native approach, API usage has become an inevitable part of building a full-fledged solution for customers. According to Gartner, API-enabled services will contribute 65 percent of global infrastructure service providers' revenue by 2023, up from 15 percent in 2018. Each API integration needs at least one key or token, so the number of secrets in circulation grows with API adoption.

Tools and automation have also drastically changed the modern development environment: to iterate, test, and deploy fast, we rely on CI/CD so that the customer gets well-tested code as soon as it is hot from the oven. But humans make mistakes, and shipping this fast magnifies the chance of shipping developer keys by mistake as well, whether committed to a repository, baked into a container image, or printed in a build log.

Moreover, the explosion of collaboration tools and new channels of asynchronous communication, amplified by remote work, has significantly raised the risk of credentials and developer keys leaking: a key pasted into a chat message, a ticket, or a shared document is just as exposed as one committed to a repository. The many SaaS products an organization uses also give API keys and credentials more places to be exfiltrated from, and a sophisticated exfiltration might not be detected at all.

Problems with the current state of detection solutions

With so many holes for keys to slip through across the data lifecycle, not just on the developer's end, many solutions on the market are not cut out to solve the problem end-to-end. Several different solutions have to be employed to ensure that every data touch point is monitored in real time, which means hundreds of hours spent evaluating products, deploying them, and learning and teaching the different tools. It also means more time and staff to monitor each solution and to aggregate and triage their findings.

Image: one detection solution per data source. Too much to handle.

What is more worrying is that different solutions have different levels of detection accuracy. Many products are traditional regex-based scanners. Regexes work well for structured tokens that carry a fixed prefix or length, but passwords, passphrases and most generic API keys have no regular pattern of expression, so a regex either misses them (false negatives) or, when loosened to catch them, flags ordinary identifiers, hashes and random-looking strings as secrets (false positives).
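As an added illustration (not Borneo's code or the page's own), the following Python runs three toy scanners over a handful of constructed lines: a structured-format regex alone, an entropy threshold alone, and a combination of both with a keyword hint and a hex-digest filter. The AWS values are the placeholder credentials from AWS's own documentation, not live keys; the keyword list, the 3.5 bits/char entropy threshold and the 20-character minimum candidate length are assumptions chosen for this example.

```python
"""Added example, not Borneo's code: three toy secret scanners run over
constructed sample lines, showing where a regex-only scanner under-reports,
where an entropy-only scanner over-reports, and how combining a structured
regex, a keyword hint and an entropy check with a hex filter does better.
The keyword list, thresholds and sample lines are assumptions for the example."""
import math
import re
from typing import List, Tuple

# Constructed sample lines. The AWS values are the placeholder credentials
# from AWS's own documentation, not live keys.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "password = hunter2",
    "commit 9fceb02d0ae598e95dc970b74767f19372d61af8",
    "DB_PASSWORD=${DB_PASSWORD}",
]

# Structured token: AWS access key IDs have a documented, stable shape
# ("AKIA" plus 16 upper-case alphanumerics), so a regex is reliable here.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Keyword hint: an identifier containing a secret-ish word, assigned a value.
# The keyword list is an assumption for this example, not a full catalogue.
KEYWORD_ASSIGNMENT = re.compile(
    r"(?i)\b[a-z0-9_.-]*(?:password|passwd|passphrase|secret|api[_-]?key|token)"
    r"""[a-z0-9_.-]*\s*[:=]\s*["']?([^\s"']+)"""
)

# Long hex runs (commit hashes, digests) are high-entropy but not secrets.
HEX_LIKE = re.compile(r"^[0-9a-fA-F]{32,}$")

# Values like ${VAR} or "changeme" are placeholders, not leaked secrets.
PLACEHOLDER_VALUES = {"changeme", "null", "none", "todo", "xxx"}

ENTROPY_THRESHOLD = 3.5   # bits per character; an assumed tuning value
MIN_CANDIDATE_LEN = 20    # shorter tokens are too short to judge by entropy

Finding = Tuple[int, str, str]   # (line index, reason, matched value)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n)
                for c in (s.count(ch) for ch in set(s)))


def regex_only(lines: List[str]) -> List[Finding]:
    """Scanner 1: structured-format regexes only. Misses unstructured secrets."""
    return [(i, "aws_access_key_id", m.group(0))
            for i, line in enumerate(lines)
            for m in AWS_ACCESS_KEY_ID.finditer(line)]


def entropy_only(lines: List[str]) -> List[Finding]:
    """Scanner 2: flag any long, high-entropy token. Also hits hashes."""
    out: List[Finding] = []
    for i, line in enumerate(lines):
        for tok in re.split(r"[\s=:]+", line):
            if len(tok) >= MIN_CANDIDATE_LEN and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                out.append((i, "high_entropy", tok))
    return out


def combined(lines: List[str]) -> List[Finding]:
    """Scanner 3: structured regex, plus values assigned to secret-like
    identifiers, plus entropy candidates that are neither hex digests nor
    placeholders. Each (line, value) pair is reported once."""
    out = regex_only(lines)
    for i, line in enumerate(lines):
        for m in KEYWORD_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if value.startswith("${") or value.lower() in PLACEHOLDER_VALUES:
                continue  # template variable or dummy value, not a leak
            out.append((i, "keyword_assignment", value))
        for tok in re.split(r"[\s=:]+", line):
            if (len(tok) >= MIN_CANDIDATE_LEN
                    and shannon_entropy(tok) >= ENTROPY_THRESHOLD
                    and not HEX_LIKE.match(tok)
                    and not any(f[0] == i and f[2] == tok for f in out)):
                out.append((i, "high_entropy", tok))
    return out


if __name__ == "__main__":
    for name, scanner in (("regex-only", regex_only),
                          ("entropy-only", entropy_only),
                          ("combined", combined)):
        print(f"--- {name}")
        for i, reason, value in scanner(SAMPLE_LINES):
            print(f"  line {i}: {reason:20s} {value}")
```

Running it shows the two failure modes side by side: the regex-only scanner reports only the AKIA key and misses both the secret access key and `password = hunter2`; the entropy-only scanner catches the two AWS values but also flags the commit hash while still missing the short password. The combined scanner reports the three real secrets, skips the hash because it is pure hex, and skips `${DB_PASSWORD}` because it is a template placeholder. The entropy threshold is a knob, not a solution: lower it and more hashes and identifiers become false positives, raise it and more real keys slip through.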

The most important consideration for many large organizations is whether the solution can scale. Most cannot scale beyond a small set of data sources, and even those that do might fail at high data volumes or velocities. It then becomes the practitioner's task to tinker with configurations so that the important data sources get scanned first, and that is another laborious effort.

How Borneo solves these technology issues

Borneo's Credentials and Secrets Scanning solution is built on top of its inspection engine, which was architected with scale in mind. The platform is also built to scan and monitor the many touch points of the data lifecycle within your company in real time, from creation, to usage, to storage, to destruction. We support many different applications and can easily add new ones on request.

Image: the SaaS connectors Borneo supports.

Our Credentials and Secrets Scanning is also powered by machine learning. Most keys can and will be found in conversations and code files, so our models are trained on many such datasets, both organically found and synthetically generated, across many variations, to cover even the most esoteric cases.

The most important things Borneo solves are scale and speed. We are able to scan entire Jira and Slack histories in a matter of weeks at companies with more than 10,000 employees. Privacy @ Scale is our mantra; without scale, such solutions are just tickboxes on a checklist.

With Borneo, upon detecting a secret or credential, an alert can be sent anywhere, such as Jira, Slack or Splunk, and you can then act on the alert based on business and compliance needs.

Image: an alert to Slack upon finding a "password"
Image: an alert to Slack upon finding a "passphrase"

The ultimate benefit is therefore the ability to quickly remediate any occurrence of credentials and secrets and, both implicitly and explicitly, to educate employees to share credentials and secrets through a more secure platform and to be careful of any form of accidental programmatic leakage.

"Borneo acts like an X-ray machine, helping security and data analysts alike preemptively hunt for sensitive data breaches within the company infrastructure. It doesn't stop there: it also goes on to remediate the privacy gaps while meeting the most demanding regulatory compliance requirements, and keeps the security posture intact." — Suchit, CISO, Hear.com

Borneo strives to help you ensure that the keys to your data and information doors are shared properly within your company's data systems, so that your business can operate smoothly and grow steadily without worrying about the legal and other consequences of a data leak.

To learn more about how we can help you detect sensitive secrets and credentials, request a quick demo with us and get started for free.


Founding Engineer, Data Scientist, Marketing Lead @ Borneo | Occasionally writes stories and poetry at ongteckwu.substack.com.