What is Secret Management?
Why it is Important?
Challenges of Secret Management?
Best Practices
What is Secret Management?
- As we all know today world, rely more on commercially developed and open source application to run any business and leverage the automations in IT Infrastructure services and Devops methodologies to speed the development and innovation of the Organization/Business.
- While the types of applications and usages differs/vary, the things that remains constant is application, script, automation tool etc relying on privilege credentials to access these resources.
- The constant thing here is called “Secrets” which is a non-human privilege credentials or piece of private information that act as key to access the confidential information/tools/data stored in tools/server/application/clouds.
- Managing the secrets through a tools/technology is Secret management. Basically, it refers to the tools and methods for managing the credentials, APIs, keys used in applications and other sensitive resources in the organization.
Some of the common Secrets we see in our environment includes
- Privilege account credentials
- Passwords
- Certificates
- SSH Keys
- API Keys
- Encryption keys
Key Aspects of Secret Management
- Password and keys are some of the most broadly and important tools use by any organization for authentication to the critical systems/data/information.
- The secrets (password/credentials) need to be securely transmitted hence secret management need to mitigate the risks during rest and in transit of the secrets.
Challenges in Managing Secret Management
- Managing the secrets in this Cyberattack(s) era is a big challenge
Since this is a non-human accessing secret gains access to real time data/systems & permission to perform any activities.
Understanding the concept of secret management, hackers explore the way to gain these secrets to access targeted hosts/environments and perform their malicious activities
Organization should be very keen in improvising the Security architecture of the company and its resources. Before that it has to ask few questions themselves to find the way to improve security
Can my cloud platforms and applications can access the secrets easily?
If an employee leaves, can we rotate the secrets easily?
How long does it take to resolve or respond to a Security breach and limit its exposure?
Does third party or external party access the secret if yes how long it is a threat?
Can we access audit logs/audit the secrets to check who accessed it for specific period/month?
Can we create/implement different access level groups for managing the secrets?
The answers to these questions may vary based on type of industry the company manages however this will help to focus on a specific area for starting the security architecture.
The more robust and security you build a solution, The more complex it becomes to develop.
Best Practices
How to create a Robust Security Environment?
The below points help to build you a robust security and to visualize the Secret management architecture
Stage 1/Level 1 - Is to Limit the access of secrets to public/external parties and this is strong and robust controls in implementing Secret management.
Stage 2/Level 2 - encryption of the stored secrets, Apply industry-standard encryption at rest and in transit, which ensures keys and certificates are stored securely and managed properly.
Stage 3/Level 3 - Application that Manages the secret and control access to audit logs. To ensure who/what/when accessed the secrets will help to analyze security incidents.
These levels are the entry point in building the architecture of secret management from simple to complex based on the requirements/complexity of the business.
Main goal of secret management is to achieve acceptable level of security of the project/organization.
Manual process of managing secret management is possible however there is a high risk of human error and can be inefficient.
First step is to implement a password management tool in the system, follow a holistic approach for large organization.
There are multiple tools available to manage the Secrets and you can best choose the tools to manage the secrets based on the size of the organization and type of secrets you manage
Secret management To be Continued in Part 2
Thank you!!!