With the dawn of cloud services, businesses faced new cybersecurity challenges. Moving from on-premises networks to decentralized cloud environments meant security teams had to invent new models for protecting everything they put into the cloud as well as how authorized users accessed cloud environments. Try as they might, teams weren’t hugely successful in porting on-prem processes and controls to distributed services. Old methods wouldn’t cut it in the cloud; the environments were too dynamic for on-prem approaches.
Enter microservices just a little while later, followed closely by the rapid ascent of DevOps and CI/CD pipelines and the explosion of API-based tools integration. Now security teams were truly pressed for how to manage data protection, access controls, and authentication across these new, highly complex, and interdependent environments.
Securely managing passwords, API keys, encryption keys, certificates, and other credentials had to be handled differently for cloud- and microservices-based systems and applications. Poor secrets management practices would have significantly increased the risk of exposure, so businesses looked for new processes and tools to help security, cloud, IT, and development teams protect, manage, and automate secrets handling.
Secrets management frustrations
Today, secrets management is a top priority for cybersecurity organizations, especially for cloud- and development-heavy businesses that need to balance security with efficiency. Yet, secrets management remains hard for many companies for a variety of reasons. To start, the complexity and sprawl of most companies’ infrastructures creates a diverse ecosystem in which it’s hard for security teams to keep track of secrets that might be scattered and/or reused across cloud, multi-cloud, on-prem, and hybrid environments. Furthermore, the dynamic nature of these environments — and the applications and data contained within them — means that security programs and processes must adapt to this dynamism without disrupting normal operations or downgrading security efforts.
Adding to the pressure, organizations must continuously evaluate access controls (preferably using the principle of least privilege) to make sure that only authorized users and services have access to the secrets required to perform their jobs. Plus, teams must ensure that the secrets, themselves, are properly protected with encryption, both at rest and in transit, to safeguard against secrets compromise and leakage.
Other challenges with secrets management include secure storage, rotation, distribution, and expiration. All of these issues, should they pile up, create the perfect storm of opportunity for attackers, or even just simple accidents that can lead to a full-on breach.
Solving the secrets management problem
In the early 2010s, the seriousness of secrets management hit its stride when sensitive information including API keys and credentials were accidentally committed to public GitHub repositories. Since then, we’ve seen numerous incidents involving secrets exposure from well-known companies:
- Uber: In 2016, threat actors discovered hardcoded AWS credentials in a GitHub repository used by Uber software developers. As a result, the attackers gained unauthorized access and stole the personal data of 57 million Uber users and drivers.
- Slack: In 2019, Slack disclosed that improperly stored secrets had led to a 2015 breach of the company’s GitHub repositories. OAuth tokens and API keys were stolen, and the attackers used them to scrape user data. The extent of the damage was not disclosed.
- Capital One: Also in 2019, a former company employee exploited a vulnerable AWS S3 bucket and then took advantage of exposed credentials, impacting more than 100 million customer records.
From this small dataset, alone, it should be clear that businesses need better solutions to secrets management. Of course there are plentiful tools companies can use, but one of the most important aspects of managing secrets is automation.
The role of automation in secrets management
Automating is the key (pun intended) to effective and efficient secrets management. Some challenges are listed above, and you can be certain that all of these challenges are amplified if security teams attempt to manually secure secrets or use subpar tools for the job. As cloud and software development environments become more complex and interconnected, the risk of exposed secrets grows proportionally.
Automation significantly benefits secrets security through greater time savings, improved accuracy, and reduced operational overhead. Some of the top ways automation can be used include:
- Dynamic secrets generation: Automated tools can generate secrets (like API tokens or database credentials) on the fly. These dynamic secrets often have short lifespans and automatically expire after use, which helps minimize the risk of compromised credentials.
- Secrets rotation: Regularly rotating secrets such as API keys, passwords, and certificates helps reduce the risk of exposure. Automated tools can schedule the rotation process, ensuring that secrets are rotated at regular intervals or triggered by specific events like access expiration.
- Access control and monitoring: Automated systems can enforce fine-grained access control to ensure that only authorized users or services can access secrets. Tools can monitor for unauthorized access attempts in real-time and trigger alerts or remediation actions automatically.
- Automatic secrets injection: Automated secrets management can help inject secrets directly into applications at runtime, removing the possibility that they will be stored in plaintext in configuration files or version control systems, or hardcoded into applications.
- Integration with CI/CD pipelines: Automated tools can integrate with CI/CD pipelines to securely manage and rotate secrets without disrupting software delivery processes. This allows secrets to be updated automatically as part of the deployment process.
- Audit logging and compliance: Automation can ensure that all actions related to secrets (creation, access, modification, deletion) are logged and auditable, helping businesses maintain compliance with security compliance standards like PCI DSS, SOC 2, or GDPR.
- Secrets expiration and policy enforcement: Automated policies help enforce expiration dates for secrets and other security policies. This mitigates the probability of expired or insecure secrets lingering in systems and automatically enforces proper security policies.
Conclusion
Perhaps the best arguments for automated secrets management are reducing the drain on staffers and minimizing the likelihood of human error. Performing rote tasks like generating, rotating, and configuring access controls for secrets is an easily automated process that — quite frankly — doesn’t need to consume person hours. When humans are forced to attend to these types of tasks, the margin for error is high. Risks like hardcoding secrets into source code or forgetting to rotate passwords can be diminished by introducing greater automation into the secrets management process. Not only does this improve the security posture of the entire organization, but it also makes for happier, more focused employees who can turn their attention to greater innovation and efficacy.
