Secrets management: what is it and why is it important?
There are many different types of secrets in a digital enterprise.
In this post, we discuss what secrets management is and take a look at a secret's lifecycle. But first, let's define exactly what a secret is, what they do, why they’re important, and how you can apply this knowledge to protect your organization.
What is a Secret?
A Secret is a digital authentication credential.
Secrets are individually named sets of sensitive information; they address a broad spectrum of secure data. There are many kinds of secrets, including user passwords, application and database passwords, auto-generated encryption keys, private encryption keys, API keys, application keys, SSH keys, authorization tokens, and private certificates (e.g. TLS, SSL). Each type of secret is well suited to a particular use, whether storing information at rest, or in transit, or granting access to sensitive, business-critical IT resources.
The most well-known example of a secret is a password, used to log in to an application, website, or endpoint. But these types of secrets aren’t the most common, nor are they the most difficult secrets to secure.
Secrets used by non-humans are ubiquitous yet invisible, essential to cybersecurity yet underappreciated.
Modern applications, whether hosted in the cloud or on-premise, have accelerated the need for all types of digital secrets. Application-to-application secrets are increasing exponentially. These are used to encrypt data when it’s transferred between applications—like sending information from a web page, making a secure request to an API, accessing a cloud database, or countless other cases that modern enterprises encounter as they pursue digital transformation and increase automation.
With so many types of secrets used in so many contexts, it’s easy to lose track of them or apply them consistently across the enterprise. That’s where Secret management comes in.
When we first launched our PAM product, Secret Server, well over a decade ago, Delinea chose the word “Secret” to apply to all types of digital credentials, not just passwords. “Secret” has since become a standard term, used by everyone in the PAM industry.
What is Secrets management?
Secrets management is a process for managing Secrets, such as IDs and passwords, API access keys, tokens, and sensitive information, such as application configuration data, in a secure and centralized repository with strict access controls. Secrets management embeds security controls within the highest-risks layers of a modern organization's infrastructure, including cloud, code, data, and devices.
Secrets management keeps all secrets safe, prevents secret sprawl, and ensures systems can connect instantly to accomplish automated tasks. Specifically, it enables you to control how secrets are stored and transmitted, when they’re used, how frequently they’re rotated, and how easily they’re revoked. With proper secrets management, you make it more difficult for the bad guys to use your secrets against you.
Managing secrets requires broader and deeper security controls than traditional enterprise password management. It requires a coordinated process for managing all types of secrets in a centralized way to ensure systems and data remain secure.
Cloud: In the past year, 77% of cloud breaches involved compromised credentials, as reported in the 2020 Verizon Data Breach Report. Secrets management addresses SaaS, LaaS, PaaS, private, and hybrid multi-cloud scenarios.
Code: Rapid development practices require rapid PAM practices. Secrets management provides dev teams on-demand access to applications and databases to administer changes without compromising security or production credentials. It eliminates the need to embed secrets in code or external repositories like Github.
Data: Secrets management protects access and usage of sensitive data, personal data, and intellectual property stored and shared within databases and applications.
Devices: 85% of cyber attacks enter through compromised endpoints, according to SANS. Secrets management protects secrets used to access devices such as user workstations, laptops, and servers.
Most people know what they need to do to stay physically and mentally fit, but sometimes they cut corners or skip steps entirely, and their long-term health suffers.
The same can be said of the secrets lifecycle.
Once a Secret is created, it’s not always managed properly. It may never be rotated and may be very difficult to revoke. Most secrets do not age well.
A healthy Secret should follow a lifecycle like this:
- Generation/creation: The Secret is created, either manually by a user or automatically as needed. Passwords will often, but not always, need to conform to a policy governing their make-up and use. (More on that below.) Automatically generating credentials removes one of the key weaknesses of Secret management: human-generated credentials tend to be easier to crack than computer-generated ones.
- Rotation: Once in use, a Secret should be changed on a regular schedule. This is often specified and required by different standards, such as PCI DSS which mandates a maximum 90-day rotation cycle. It can take the form of automatically regenerating a new Secret on a schedule, or of prompting for manual creation. If a Secret is stale or expired, access is denied until it is updated.
- Revocation: The ability to remove credentials from a user or application, thus denying access to a resource, is so important that it’s enshrined in many security policy standards, such as NIST 800-53. Secret revocation can be used when an employee leaves a company or anomalous behavior is detected. Pruning unneeded, expired, breached or weak secrets is an essential step in good Secret hygiene.
To manage secrets throughout their lifecycle, any PAM system you choose must be able to store and serve up secrets when needed, as well as provide you visibility and policy-based control from end to end.
Why is Secrets Management important?
Secrets management enables you to securely store, transmit, and audit secrets. It removes, or at least minimizes, the involvement of humans in the management of secrets to reduce potential points of failure. This systematic approach to preventing unauthorized access to sensitive data and systems helps you avoid data breaches, data, and identity theft or manipulation.
A strong secrets policy helps mitigate these common challenges:
- Sharing secrets with other users
- Reusing secrets, either out of expediency or because the passwords are hardcoded or embedded within applications and systems
- Weak Secret storage, such as storing secrets unencrypted or in plain text
- No Secret rotation, which could be a side effect of having hard-coded or embedded secrets
- No Secret revocation
Secrets management prevents secret sprawl
As the volume, diversity, and complexity of your IT systems increase, it’s harder to implement and manage a consistent policy across all of them, and know where secrets are and how they’re used. Secrets sprawl is the insidious condition in which an organization loses track of its credentials, succumbing to a patchwork of management systems, each with its own management policy. There are many ways to manage secrets, and when each application, cloud provider, or organization department has its own security model, the organization as a whole loses visibility.
Secrets policies need to be set and managed centrally to ensure they are applied consistently defining the rules for how secrets are handled at each stage of their lifecycle.
Secrets Management Best Practices
These are the key tenets of a well-run secrets management system:
- Discover secrets. Take the time to uncover all of the secrets used throughout your organization. Then, secure them.
- Create a single, comprehensive Secret management policy. The policy should set strict rules around the structure of secrets (minimum length, complexity, use of special characters, forbidden passwords, reuse, duration) while restricting the use of default or hard-coded secrets.
- Automate the Secret management process. Remove the human element from the mix. Eliminate hard-coded and embedded secrets. Rely on systems, not people, to create, manage, distribute, and maintain secrets.
- Enforce Secret policies. You’ve taken the time to create a policy, so enforce it. Require that applications and users comply with rules related to Secret strength, rotation, reuse, and revocation. Don’t trust. Always verify. Don’t set it and forget it. Set up session monitoring and regularly review audit logs.
- Separate data from the secrets. Use the distributed nature of today’s networks to your advantage. Rather than concentrating both Secret management and sensitive data in the same location, keep them apart.
How Delinea Secrets Management Can Help
Modern PAM needs to secure every secret and privileged object within the enterprise no matter where they reside—on-prem systems, multi-cloud layers, and devices—by embedding security controls within the highest-risk layers: Clouds, Code, Data, and Devices.
- Secret Server manages secrets throughout the end-to-end lifecycle, including creation, storage, rotation, revocation, and auditing.
- DevOps Secrets Vault is designed for high-velocity secrets management in DevOps, RPA, and other automation scenarios. DevOps teams stay productive by automating Secret creation and ensuring ongoing security.
What does cybersecurity like this cost? Not as much as you think