Today’s digital enterprises rely on commercial, internally developed and open source applications to run their businesses and increasingly leverage automated IT infrastructure and DevOps methodologies to speed development and innovation. While application and IT environments vary significantly from organization to organization, one thing remains constant: every application, script, automation tool and other non-human identity relies on some form of privileged credential to access other tools, applications and data.
What is a Secret?
These non-human privileged credentials are often called “secrets” and refer to a private piece of information that acts as a key to unlock protected resources or sensitive information in tools, applications, containers, DevOps and cloud-native environments.
Some of the most common types of secrets include:
- Privileged account credentials
- Passwords
- Certificates
- SSH keys
- API keys
- Encryption keys
Key Challenges in Managing Secrets
A non-human user with access to a secret automatically gains real-time access and permissions to any resources belonging to the owner of the secret. Cyber attackers understand this and target secrets to gain unauthorized access to additional secrets and hosts to complete their mission. A cyber attack targeting secrets can often spread far beyond the scope of the initial breach.
Secrets are widespread. They include embedded hard-coded credentials in containerized applications (e.g., Red Hat OpenShift, Kubernetes or Pivotal); automation processes (e.g., Ansible Playbooks, Puppet or Chef); business-critical applications, including both internally developed and commercial off-the-shelf solutions (COTS); security software, such as vulnerability scanners; application servers and IT management software, Robotic Process Automation (RPA) platforms and the Continuous Integration/Continuous Deployment (CI/CD) tool chain.
Automated processes are incredibly powerful. They can access protected data, scale at unparalleled rates, leverage cloud resources and execute business processes instantaneously. But, as well-publicized cybersecurity breaches demonstrate, automated processes are susceptible to sophisticated cyber attacks, which can occur suddenly and spread rapidly. Organizations must protect secrets assigned to non-human identities to defend against attacks and mitigate risks.
What is Secrets Management?
A cybersecurity best practice for digital businesses, secrets management allows organizations to consistently enforce security policies for non-human identities. Secrets management provides assurance that resources across tool stacks, platforms and cloud environments can only be accessed by authenticated and authorized entities.
The following steps are typically included in a secrets management initiative. Many of these approaches and techniques are also used to protect privileged access by human users.
- Authenticate all access requests that use non-human credentials.
- Enforce the principle of least privilege.
- Enforce role-based access control (RBAC) and regularly rotate secrets and credentials.
- Automate management of secrets and apply consistent access policies.
- Track all access and maintain a comprehensive audit.
- Remove secrets from code, configuration files and other unprotected areas.
What are Common Secrets Management Use Cases?
Secrets management to secure CI/CD pipelines. Popular CI/CD pipeline tools such as Jenkins, Ansible, Puppet and Chef are designed for efficiency and speed, but can present new security challenges. These automated configuration management tools require secrets to access protected resources like databases, SSH servers and HTTPs services. These secrets are often insecurely hard-coded or stored in configuration files or code for these tools (e.g., JenkinsFiles, playbooks, scripts, or source code). Effective secrets management allows organizations to remove these hard-coded secrets from DevOps tools within the CI/CD pipeline while providing full audit trails, policy-based RBAC and secrets rotation.
Secrets management to secure containers. DevOps and engineering teams increasingly rely on containers to accelerate development and improve portability and productivity. Containers require secrets to access critical and sensitive information. But, since containers are ephemeral (or short-lived), they can be difficult to track and access to specific resources can be hard to manage and secure. Secrets management security measures enable teams to authenticate container requests for secrets with native container platform attributes and manage secrets with RBAC policy for granular control.
Secrets management to manage elastic and auto-scale environments.
Cloud providers offer auto-scaling capabilities to support elasticity (ephemeral) and pay-as-you-grow economics. While this improves efficiency, it also creates new security management challenges—particularly around scalability. By implementing secrets management best practices, organizations can eliminate the need to have human operators manually apply policies to each new host by assigning an identity to the host in real time and securely authenticating the calling application based on the predefined security policy.
Secrets management to secure internally developed applications and COTS applications.
Internally developed applications and scripts, along with third-party tools and solutions such as security tools, RPA, automation tools and IT management tools often require high levels of privileged access across the enterprise’s infrastructure to complete their defined tasks. Effective secrets management practices require the removal of hardcoded credentials from internally developed applications and scripts and that all secrets be centrally stored, managed and rotated to minimize risk.
