Frequent readers of this blog know secrets refer to authentication credentials like passwords, API keys, SSH keys, certificates, tokens, and so on. Secrets management is then of course critical across the entire IT ecosystem and an essential part of the DevOps toolchain. However, lack of visibility into current and changing secrets or manual arduous secrets management can slow down the entire DevSecOps process.
According to the 2021 Forrester DevOps Security Survey Report, both IAM leaders and developers want to simplify access management and are challenged by inefficient access control solutions that are often too manual and full of friction. Leaders expect a purpose-built PAM for DevOps solution to help development and security teams work better together by removing the complexity and friction in the development process that arises when homegrown tools or traditional PAM vaults are retrofitted for DevOps use cases.
Key findings from the report include:
• 57% experienced a security incident related to exposed secrets from insecure DevOps processes in the past two years, and 62% expect these incidents to become more prevalent in the next two years.
• 71% of respondents want to centralize, and 76% embed automated secrets management solutions into tools developers already use.
Usability and security go together to increase adoption and decrease mistakes. Usable security that’s easy to implement and scale makes integrating security into the DevOps process easier. DevOps Secrets Vault is a cloud-based vault that balances the security and velocity that DevOps teams require for this growing part of the enterprise attack surface. With an aim to modernize and simplify the product experience, the user experience is enhanced in the new release of DevOps Secrets Vault. Several user interface improvements, such as better help, more comprehensive search, and the ability to create and update secrets with our wizard’s tool supports the speed and agility of the DevOps process.
Having a centralized, automated solution supports the agility of the development process. A single centralized vault provides efficiency and security for secrets management. In today’s container-driven environment, Kubernetes provides a mechanism for the applications in pods to access secrets.
The Kubernetes plugin for DevOps Secrets Vault provides a single, secure vault for all Kubernetes pods to access secrets. In the latest release, our Kubernetes sidecar extension now supports the use of custom namespaces. Pods can now be restricted to only access secrets located in that namespace, thereby preventing pods from accessing secrets they do not truly need to access. Support for authentication by certificate has been added to our Kubernetes Sidecar integration, eliminating the need for client credentials and addressing the issue of "secret zero.”
What’s the “secret zero” problem? Secret zero is the master secret key you need to unlock the keys of the kingdom – the last secret to access the vault. This single lucrative attack vector of secret zero exists on-premise or in private cloud environments. Using a client certificate to authorize users into the Kubernetes cluster can help make the entire environment more secure.
As DevOps scales, consolidation of access management solutions and ease of management become essential for seamless security. Innovations and updates to the Delinea DevOps Secrets Vault continue to aid DevSecOps to improve processes, minimize privilege access sprawl and lower the risk of attacks. With Delinea DevOps Secrets Vault, dynamic secrets are automatically generated at the time of the request. They can be used when a user or resource, like a configuration tool, needs a credential, but that access needs to expire after a set time. Dynamic secrets also enable fine-grained authorization through cloud policies. Limiting the scope of what the secrets can do and the timeframe that the credential is valid significantly reduces any value of the secrets to an attacker.
Try the free version of DevOps Secrets Vault to try the capabilities to automatically create, archive, and retrieve up to 250 passwords and other secrets.