As more and more company data gets migrated to the cloud, organizations need to ensure only authenticated and authorized users and machines are accessing their data. Authentication is the process used to verify user and machine identities.
Users enter passwords, access keys, and use multi-factor authentication (MFA) tokens to authenticate their identity. Properly authenticated users provide organizations with confidence that the user accessing their corporate access is a trusted one. Machines, however, use digital certificates to authenticate their identity and prove that they can be trusted. These secrets (e.g., keys and certificates) must be securely managed; otherwise, if exposed, the organization will be vulnerable to unauthorized access to sensitive data. And this can result in reputational harm and financial consequences—to the tune of millions of dollars.
Five common types of secrets
Secrets are sensitive information used to authenticate user and machine identities. For example, secrets allow a database administrator to access an organization’s database or an application to access another application (app-to-app or A2A). The proliferation of applications and machine-to-machine authentication and authorization has highlighted the need to understand the most commonly used secrets.
The most common types of secrets include:
- Application Program Interface (API) keys
- Encryption keys
- Secure Shell or Secure Socket Shell (SSH) keys
As securing access to corporate assets becomes more complex, organizations will want to follow best practices in securely storing and transmitting secrets leveraging encryption.
Secrets management is a security measure that mitigates risks associated with maintaining secrets.
Although most enterprises understand the use and importance of secrets, many organizations are unaware of how to securely manage these secrets. According to a recent report from 1Password, Hidden in Plain Sight, out of the 500 IT/DevOps businesses that were surveyed, 52% say that the explosion of cloud applications has made managing secrets more difficult, and 60% have experienced secrets leakage. The report highlights the following challenges experienced by IT and DevOps survey responders:
- Secrets leakage
- Loss of productivity due to manual secrets management
- Insecure sharing of secrets
- Reuse of secrets
- Secrets sprawl
In addition, there is a financial cost associated with these challenges. The average cost of a secrets leak is $1.2 million. Poor secrets management can result in organizations losing $8.5 billion annually. To address these challenges, organizations must determine the best approach to identifying the secrets they use, how the secrets are stored and transmitted, and what tool to use to automate secrets management.
Secrets management: DevOps, IT teams
DevOps is a set of practices that works to automate and integrate the processes between software development and IT teams, so they can build, test, and release software faster and more reliably. As the demand for software delivery increases, developers feel the pressure to meet demand, and in their haste, they may end up compromising enterprise security. Developers have been known to include company passwords or secrets in their code for convenience. However, storing passwords in plaintext has resulted in data breaches.
Hardcoded secrets, which are credentials that provide A2A access, are often left in the developer’s code. Leaving the code exposed creates a vulnerability that may be exploited by a cybercriminal. Furthermore, DevOps teams and IT teams are often decentralized and do not necessarily work together. This results in a siloed, decentralized environment, which is not conducive for strong secrets management. Effective secrets management across the continuous integration/continuous delivery (CI/CD) pipelines and DevOps processes is a great step towards integrating security in all development processes, commonly referred to as DevSecOps.
Secrets power an organization’s digital infrastructure. Just one exposed password or machine identity can lead to a far-reaching, costly data breach. Companies that are poorly managing their secrets, for example, by implementing manual procedures, invite risks that could be mitigated with strong secrets management.
As with any security measure, people are as important as the technology and processes that support implementation of the security measure. Creating a culture that has the appropriate awareness and training regarding secure secret storage and transmission will be key to the successful implementation of a secrets management tool.
The mark of strong secrets management is the use of a single automated source for securely storing and transmitting secrets. But it’s also critical that secrets management does not stand in the way of the developer and allows them to work within their preferred toolsets. Along those lines, Venafi integrates with HashiCorp Vault to allow DevOps to effectively manage their secrets.