Are you managing your secrets well, or have you already been breached? Industry reports have shown that stolen credentials cause almost half of all data breaches. A Cloud Top Threat report by the Cloud Security Alliance likewise ranks insufficient identity, credentials, access, and key management as the number one threat to cloud environments. Operating your business-critical systems without a properly implemented secrets management strategy can be disastrous. It can lead to credential and personal data leaks, prolonged outages, and reputational damage.
Implementing a secrets management strategy that follows best practices reduces the risk and impact of data breaches on your business. We'll first explore what a secret really is and how to manage secrets. We'll cover example vendors, along with the best practices, benefits and risks. Finally, we'll introduce some guidelines and tools you can use to learn and upskill on how to secure one of your most important assets.
What is a Secret?
Before we can understand the criticality of secrets management, we must first define what a secret is and why it is essential. A secret encompasses any digital asset used for authorisation or authentication to one or more systems. A secret can be access credentials, an application environment configuration file, an API key, or anything else that you do not want unauthorised users to access. In a poorly managed environment there is no visibility of who has a copy of the secrets, where they are being stored, or how they are used. Addressing this requires a secrets management system to properly manage the storage, protection, and access to these secrets.
What is a Secrets Management System?
A secrets management system secures, stores and controls access to tokens, passwords, certificates and encryption keys, protecting secrets and other confidential data. You can choose a cloud service provider's own secrets management system, or third-party and open source alternatives. There are also stand-alone solutions for multi-cloud purposes that can be Platform as a Service (PaaS) or Software as a Service (SaaS). The following are a sample of the available solutions:
- Google Cloud (GCP) Secret Manager – Manage secrets for API keys, passwords, certificates and other sensitive data.
- Amazon Web Services (AWS) Secrets Manager – Encrypts the protected text of a secret using the AWS Key Management service for key storage and encryption.
- Azure Key Vault – Microsoft provided service for managing and rotating secrets in Azure.
- HashiCorp Vault – A popular SaaS secrets management system for managing secrets across multiple cloud providers and on-premise infrastructure.
- A keyless Vault Platform – Protect and automate access to secrets like credentials, keys, tokens, and API-Keys across your DevOps tools and Cloud platforms using a secured vault.
- Confidant – Confidant is an open source secret management service that provides user-friendly storage and access to secrets in a secure way.
The following are just some of the benefits of incorporating a secrets management system in your secrets management strategy:
- Centralised management and access – granular role-based access control and secret access policies to trusted identities only.
- Short-lived secrets – define expiration dates, and have secrets rotated automatically and revoked if they have been compromised.
- Auditing – all actions against a secret and the secrets management system are audited, and alerting and monitoring can be set up.
- API based access – enable integration with other third-party applications both across clouds and on-premise systems.
However, when best practices are not followed, the following risks and challenges present themselves:
- Compromised secrets – unauthorised access to secrets can lead to financial and reputational damage.
- Breaches of sensitive data and applications – secrets can be the only thing standing in between threat actors and access to highly sensitive systems and devices.
- Decreased productivity of DevOps teams – managing secrets in a CI/CD environment can be time-consuming, and the secrets may be stored insecurely.
- Secrets sprawl – without a strategy, secrets can be generated, stored and shared with no visibility or management.
- No secrets management policy – Who is responsible for managing secrets? Individual departments and teams are left on their own, all independently managing the secrets under their control.
In order to maintain your secrets management strategy there are some best practices and guidelines that must be followed.
Best Practices and Guidelines
Ultimately, secrets are there to be used. By following these best practices you can ensure that users and applications can safely retrieve them.
The HashiCorp PDF "Unlocking the Cloud Operating Model: Security" describes a three-stage rollout pattern of Adoption, Operationalising, and Scaling:
- Adoption: Centrally Managing Secrets – Eliminates secret sprawl and strengthens security posture.
- Operationalising: Application Onboarding & Legacy Tokens – Streamlines the lifecycle of secrets and makes them easier to consume.
- Scaling: Dynamic Secrets & Encryption as a Service – Uses a time-to-live expiry on a secret so that it becomes invalid, and protects application data at rest and in transit using encryption (especially in a cloud environment).
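The time-to-live idea in the Scaling stage, sketched as an added example (not HashiCorp's or any vendor's code): a toy in-memory store whose class, method, identity and path names are all hypothetical. It issues a per-identity credential with a TTL, refuses it after expiry or revocation, and audits every action.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class Lease:
    identity: str
    path: str
    expires_at: float
    revoked: bool = False

@dataclass
class DynamicSecretStore:
    """Toy in-memory model of TTL-bound dynamic secrets (hypothetical API)."""
    policies: dict                      # identity -> set of secret paths it may read
    clock: callable = time.monotonic    # injectable so expiry can be exercised
    leases: dict = field(default_factory=dict)   # sha256(token) -> Lease
    audit: list = field(default_factory=list)    # (time, identity, action, path)

    def _log(self, identity, action, path):
        self.audit.append((self.clock(), identity, action, path))

    def issue(self, identity, path, ttl_seconds):
        """Mint a fresh credential for one identity, valid for ttl_seconds."""
        if path not in self.policies.get(identity, set()):
            self._log(identity, "deny", path)
            raise PermissionError(f"{identity} may not read {path}")
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # keep only the digest
        self.leases[key] = Lease(identity, path, self.clock() + ttl_seconds)
        self._log(identity, "issue", path)
        return token

    def validate(self, token):
        """True only while the lease is unexpired and not revoked."""
        lease = self.leases.get(hashlib.sha256(token.encode()).hexdigest())
        if lease is None:
            return False
        ok = not lease.revoked and self.clock() < lease.expires_at
        self._log(lease.identity, "validate-ok" if ok else "validate-fail", lease.path)
        return ok

    def revoke_identity(self, identity):
        """Incident response: mark every not-yet-revoked lease of one identity revoked."""
        hit = [le for le in self.leases.values() if le.identity == identity and not le.revoked]
        for lease in hit:
            lease.revoked = True
            self._log(identity, "revoke", lease.path)
        return len(hit)
```

Because the store keeps only a digest of each token, a dump of its lease table does not yield usable credentials, and the audit list records denials as well as successful reads.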
The National Cyber Security Centre (NCSC) also reinforces the importance of protecting data, including secrets, at rest and in transit. In particular this guideline:
- Guideline 3.5: Long-term cryptographic secret keys used for protecting data at rest or in transit shall be securely generated and stored. This protects cryptographic secret keys from an attacker by ensuring they remain encrypted until required by an authorised entity with the proper authentication.
The NCSC also provides guidelines for choosing and configuring a key management system (KMS) for the storage of cryptographic secret keys. The NCSC advises that you should make full use of a cloud provider's KMS if it meets your needs and meets the requirements for a secure KMS. The PaaS secret management systems provided by Amazon, Google or Microsoft can therefore be used. When choosing a KMS, the NCSC advises the following:
- Encryption of data in transit – It should only be possible to connect to the KMS using an approved protocol with secure settings, such as well-configured TLS.
- Backup of encryption keys – If a key is lost, then all data encrypted under that key (whether it is user data, or another key) is unrecoverable. The cloud provider should therefore automatically facilitate backup of keys to ensure availability of user data.
- Rotation of encryption keys – Key rotation involves periodically retiring a previously used key and creating a new one to be used in its place.
- Deletion or revocation of encryption keys – When the data protected by a key is no longer required, it should be possible to delete the key so that the data can no longer be accessed.
- Monitor access to encryption keys – KMS activities should be logged, ideally using a logging system provided by the cloud provider which integrates with the KMS.
- Adhere to modern cryptographic standards – You should be confident that your cloud provider has a strong track record of evolving their approach to cryptography over time, upgrading both hardware and software functionality as required.
The NIST 800-63B publication is also available to further strengthen the adoption and operation of a secrets management strategy.
Finally, it is important to note that best practices should also include tools for training and upskilling leadership and engineers alike. OWASP WrongSecrets can be used to provide security training and awareness demos, and as a test environment for secret detection tools and bad practice detection tooling.
Secrets management done right will provide you with a secure method for users and applications alike to retrieve secrets; otherwise you are putting your business-critical data and applications at risk. Without a secrets management strategy you risk poor visibility and management of your secrets, leading to secrets sprawl and decreased productivity, and in a worst case scenario to compromised secrets that cause data breaches as well as financial and reputational loss. However, with secrets management done right you can leverage the benefits and values of a secrets management system. These include centralised management and access in a cloud environment, a choice of PaaS and SaaS as well as open source solutions to meet your requirements, auditing capabilities, third-party integration, encryption of secrets at rest and in transit, automatic rotation and revocation of secrets, and more. By following best practices and guidelines set out by institutes such as the NCSC and NIST you can ensure your security posture is strengthened.