By Scott McDonald
Too often, managing the integrity of secrets and credentials—passwords, API keys, tokens, and so on—is an overlooked security factor in organizations. The trouble is, since every automation tool, script, and application we use contains sensitive data, no one can afford to ignore secrets management.
Many companies lack the proper security measures to protect their secrets and risk exposing their sensitive data to bad actors. A secret manager can help you secure, store, manage, and audit your secrets and reduce common security risks.
Challenges in Storing and Managing Secrets
First, what is a secret?
Every organization has secrets. A secret can be anything that acts as a key to protect the data or resources kept inside tools, systems, applications, and containers. There are many different types of secrets, but the most common ones are:
- User or auto-generated passwords
- API and other application keys/credentials
- SSH Keys
- Database and other system-to-system passwords
- Private encryption keys for systems
- And one-time password devices
One of the challenges is that secrets are widespread across an ever-growing ecosystem of people, systems, and tools. Many secrets are also hard-coded into applications, and non-human users with access to a secret — including any data, resources, and information therein — can be prone to advanced cyberattacks if left unprotected.
Why Secret Management Matters
Secrets provide access to sensitive data and information — that’s why it’s important to keep secrets secure both in transit and at rest.
Secret management refers to the tools and methods for managing digital authentication credentials, including passwords, keys, API keys, certificates, and tokens, to protect sensitive data. Having a secret management strategy simplifies upkeep and maintenance for secrets. It helps you spot and reduce potential failures and avoid data breaches and identity theft or manipulation. The main benefits of secret management include:
- Mitigates secret sprawl
- Improves security for secrets storage
- And prevents unauthorized users and applications from sharing secrets with others
What Is a Secret Manager?
One of the most powerful secret management tools at your disposal are secret managers. A secret manager provides a central place and single source of truth to manage, access, transmit, and audit secrets. They can protect every layer of a company’s infrastructure, including code, data, devices, and cloud environments.
A secret manager can store any type of sensitive data for your application. It lets you control access based on role, machine identity, environment, and other factors to apply the principle of least privilege.
Best Practices
Implementing a secret management strategy is only half the battle. Once you set up a secret manager and enforce a solid set of security policies across your organization, there are a few best practices to follow for keeping your secrets safe.
Don’t Leave Passwords in Your Code
Sometimes secrets get embedded in applications or source code because it saves developers time, but it’s a mistake that could end up costing you. Hackers can break into systems after discovering those embedded credentials and leak sensitive information in what’s called “data exfiltration” attacks.
You can eliminate hard-coded and embedded secrets altogether and rely on secret managers to maintain and distribute credentials.
Rotate Secrets Regularly
Rotating keys regularly minimizes their exposure to attackers. Secret management tools automate this process, with you deciding how often they’re rotated. The CIS Benchmarks for Google Cloud recommends rotating keys every 90 days, but many companies do so more frequently.
Revoke Secrets Access to Users and Applications That Don’t Need It
When getting started with a secret manager, you’ll need to uncover all the secrets used throughout your organization. Once complete, it’s crucial to remove access from applications and users who don’t need it.
Our Pick: Google Cloud’s Secret Manager
While most major cloud providers offer secret managers plus built-in integrations to support third-party tools, we recommend using Google Cloud’s Secret Manager (which can now rotate secrets, by the way). Top features of Google Cloud’s Secret Manager include:
- Least privilege made easy: The Secret Manager’s Cloud IAM roles make it easy to follow the principle of least privilege. You can grant individual permissions to secrets and separate the ability to manage secrets from the ability to access their data.
- Simplified life cycle management: It enables simple life cycle management with first-class versioning and the ability to pin requests to the latest version of a secret. Cloud Functions can automate rotation.
- Built-in auditing: With Cloud Audit Logs integration, every interaction with Secret Manager generates an audit log. This integration makes meeting audit and compliance requirements easy.
If your cloud environment is set up in Google Cloud, Cloudbakers | Qwinix offers a simple Google Cloud-based tool that can be used to inventory your entire organization’s Service Account keys in Google Cloud. Talk to us today about getting started and improving security to protect your company’s data.