Governments and intelligence agencies continue to emphasize technology providers’ critical role in strengthening cybersecurity and supply chain resilience for the long run. In fact, the Biden Administration’s recent call to “bake security in, don’t bolt in on” could serve as the DevSecOps mission statement.
Managing the secrets used by applications, scripts and other non-human identities across DevOps environments and CI/CD pipelines is widely considered fundamental to “shifting security left” — especially as non-human identities outnumber human ones by a factor of 45 in the average enterprise.
So how are organizations tackling secrets management as they move toward DevSecOps maturity? What do they see as major benefits, challenges and priorities? To take a pulse, IDC recently conducted a global survey of more than 400 cybersecurity, DevOps and IT practitioners at organizations with at least 1,000 employees. To explore the results of the research summarized in the IDC InfoBrief, “Managing Application Secrets Across the Enterprise,” we spoke with author and IDC Research Director for DevOps and DevSecOps Jim Mercer. The following are his perspectives on key findings.
Let’s start with a definition: what exactly is “secrets management” in your view?
IDC defines secrets management as the processes used to manage digital authentication and identification (i.e., secrets) within applications, including passwords, encryption keys, application programming interfaces (APIs), certificates and tokens.
Secrets are essentially “digital keys” that unlock doors to valuable corporate data, so protecting them within applications, on developer workstations, on admin consoles and everywhere else across the development environment is key.
It was encouraging to see secrets management ranked as the No. 1 priority for organizations over the next year to improve the security of application development environments. But the fact that 71% said their current approach for securing the software supply chain leaves them susceptible to cyber attacks suggests there is still work to be done.
The White House recently urged technology organizations to only develop applications on systems that are “highly secure and accessible only to those actually working on a particular project,” noting that “this will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.” How can secrets management help with this?
In the context of application development, secrets management provides assurance that resources across stacks, platforms and the cloud can only be accessed by authenticated and authorized identities.
By removing secrets from code and other unprotected areas, secrets management solutions can help protect secrets and other credentials from being stolen or compromised. And by enforcing the principle of least privilege and rotating and monitoring credentials, secrets management makes it harder for threat actors to move through an environment and gain the privileged access needed to progress their attacks.
It should be obvious to say that “all secrets must be protected,” but why does this still prove to be a challenge for many organizations?
Because secrets are everywhere. And as an organization’s applications and infrastructure continue to constantly evolve, new secrets are created and are stored in various places — often with little tracking and varying levels of security. This “secrets sprawl” only gets worse over time, especially as cloud-native app development increases. Managing secrets with disparate tools creates even greater complexity from both a security and compliance standpoint, as secrets get stored in duplicate locations or are missed altogether.
Our survey found a direct correlation between organizations’ DevSecOps maturity level and their secrets management approach: 91% of DevSecOps early adopters use secrets managed by individual teams, which tends to create more sprawl and makes it difficult to establish and share security best practices. Meanwhile, 94% of DevSecOps leaders embrace a centralized approach to secrets management.
What is the biggest hurdle organizations face in integrating security, including secrets management, into application development?
Our survey revealed a continued lack of collaboration between DevOps and security teams, and 66% of organizations admitted to experiencing avoidable mistakes as a result.
To bridge this gap, effort is needed on both sides. DevOps teams need to proactively include security teams, rather than waiting to get them involved just before code goes live. Forty-two percent admitted security stakeholders are rarely included in planning discussions about secrets management. Likewise, security teams need to contribute by getting up to speed on secrets management — a subject 50% of cloud infrastructure VPs said is not well understood by security.
Small steps can lead to big changes over time. Consider creating agile “birds of a feather” and “coffee chat” groups focused on application security and secrets management to bring teams together.
How can security teams make it easy for developers to “do the right thing” when it comes to secrets management?
When developers are empowered with the right security tools, they will take ownership of security. Based on our survey findings, developers want secrets management tools that are easy to use, can integrate seamlessly into the DevOps pipeline and offer self-service capabilities.
What key areas of secrets management do organizations want to improve?
Respondents ranked support for modern hybrid and multi-cloud environments and integration with Identity and Access Management (IAM) and Privileged Access Management (PAM) solutions as their top two areas of improvement over the next two years.
They’re also looking to up-level their existing secrets management approaches with enterprise-class capabilities, with particular emphasis on support for hybrid and multi-cloud environments.
Get more secrets management insights to protect the software supply chain
Software supply chain attacks can be multi-layered — involving several interim steps or vectors. But the ultimate goal is the almost always the same: compromise identities by stealing secrets and credentials and escalating privileges to reach valuable corporate assets.
A fundamental component of a defense-in-depth approach is securing identities throughout the application development environment — including cloud-native applications — with secrets management. When approached holistically and collaboratively, secrets management can help improve operational efficiency (38%), reduce the risk of secrets leaks (41%) and accelerate the adoption of DevSecOps (39%), said survey respondents.
Get more secrets management insights from enterprise teams by reading the IDC InfoBrief, sponsored by CyberArk, “Managing Application Secrets Across the Enterprise,” IDC Doc. #US48924522, March 2022.