DIY Secrets Management is Letting Everyone Down
February 5, 2015 | DevOps |
One of the first things I do every morning is read the NYTimes and the WSJ. I can’t help but notice that Cybersecurity and Cybercrime have become very common themes. However, despite all the front page news, there doesn’t seem to be much information that is actually newsworthy on the cybersecurity front. Today’s top story was the Anthem Healthcare breach.
Kudos to Anthem for getting out in front of this story by making an announcement. The details are still unfolding but clearly data was stolen from the systems, and assuming the data was encrypted according to HIPAA requirements, database encryption keys must have been stolen too if the data were to be useful to the thieves.
If we want to stop this from happening, IT organizations need to code their way out of the problem. Automation and security policies as code is the way forward so that the standardization and reproducibility of secrets management permeates the organization consistently. Why is code the answer? It can be 1) inspected, 2) tracked, and 3) verified. Everything else is duct tape and bailing wire.
But this is like any burndown or behavioral change — elimination of security debt around secrets management must begin with a step in the right direction. Are you using a privileged password right now?
Make it a game to start getting IT creds off disk, out of backups, and out of source control and config files. Set up a bounty for your system admins to get these creds out of sight, anywhere and everywhere – it will cost less in time, money, and lost consumer faith in the end compared to credit card monitoring for thousands or millions of people!
Step 1: Get passwords off of wikis and out of shared repositories like source control
Step 2: Identify the high value master keys. Control them and rotate them as frequently as you can- that means, don’t hardcode them into anywhere.
This is a solved problem, don’t let it sit on the IT to-do list for another year. There are better practices and good tools that can be adopted that won’t hinder what you want your organization to be able to do from a functional perspective. These functional practices still get these credentials out of the hands of those who shouldn’t have them. You don’t need to build something, you just need to deploy one of the many products that provide controlled access to secrets and system credentials and stop inventing your own.
Even if you don’t use Conjur to fix this problem, please fix it. Take control of this issue before your company is the next lead article in The New York Times and The Wall Street Journal.