Putting personal or business secrets and credentials up in the cloud is something most users of web-enabled devices are already doing unwittingly. For example, many are using password managers and form apps or browser extensions to conveniently access login details across devices. It is not a good idea to do this without the right security measures, though.
Storing sensitive information in the cloud requires more than just standard security solutions. The handling of passwords, login details, API tokens, SSH keys, private encryption keys, private certificates, and system-to-system passwords can potentially create vulnerabilities frequently targeted by social engineering and advanced cybersecurity attacks. Organizations need to find a way to make the most of the cloud in storing secrets without compromising security.
The need to secure cloud secrets
A Ponemon Research survey reveals that 90 percent of organizations have been hacked at least once. More than half of those surveyed said that they had little confidence in addressing further attacks. Passwords or credentials are the most common target of hacking. As revealed by the 2019 Verizon Data Breach Investigations Report, around 8 out of 10 breaches exploit compromised credentials.
Why is it important to raise the need to secure cloud secrets? It is because many processes that involve passwords and other secrets are handled without many organizations taking security seriously. A 2019 study by North Carolina State University researchers, for example, exposes the vulnerabilities of GitHub repositories. The study found that over a hundred thousand repositories contain app secrets in source codes.
The study revealed that authentication secrets such as API and cryptographic keys appear to be unprotected in a wide variety of projects. This issue does not only affect open source projects. Even private source code repositories are also prone to unauthorized access to secrets.
The cloud is a highly convenient environment for storing various data. However, it is still relatively new for many organizations. As such, only a few thoroughly understand how it works let alone how to ensure security in it.
Interestingly, CompTIA found that an overwhelming majority of organizations that use cloud services trust the security afforded by their cloud providers. “Despite concerns, most cloud users report being confident or very confident (net 85 percent) in their cloud service provider’s security,” the study writes. However, the same organizations also said they are reluctant in storing certain types of data in the cloud.
“Even with high confidence in cloud security, many firms are still unwilling to store certain types of data there,” the CompTIA study notes. Firms of all sizes hesitate to put onto the cloud their confidential company financial data, credit card information, employee HR files, confidential IP and trade secrets, customer contacts, and data covered by regulations.”
The findings are understandably somewhat contradicting in light of the alarmingly high levels of cyber attacks businesses are exposed to. Organizations, however, can use secrets management procedures that come with the platforms or apps they are using. Also, they can turn to third-party secrets management tools like Akeyless to address the dilemma.
These tools provide a secrets management solution that ensures secrets are safe through distributed fragments cryptography and ephemeral secrets delivery.
How to secure cloud secrets
To secure company secrets on the cloud, it is necessary to limit visibility and prevent unauthorized access. This entails encryption without creating cumbersome procedures and tedious processes that may only end up creating vulnerabilities possibly because employees miss a step or are tempted to take shortcuts.
Different platforms and applications come with different methods of securing secrets. Kubernetes, for example, has a feature aptly named “Secrets,” which makes it possible to save and manage passwords and other sensitive information. The Kubernetes website provides comprehensive details on how to use this feature, which is good, but imagine having to learn how to manage secrets with different platforms and applications.
Employees may have issues with this idea when working with multiple platforms and apps. It is not only tiresome; it can also create vulnerabilities in a cybersecurity system.
This is where secrets management solutions come in handy. Akeyless, for example, provides a unified interface and set of methods to secure secrets regardless of the types of secrets and apps and platforms used. It’s basically vault-as-a-service, with plugin capability for popular cloud platforms, including Kubernetes, Terraform, Ansible, Docker, Jenkins, CircleCI, Puppet, Chef, Slack, and many others. This simplifies and enhances the security of secrets management with these platforms.
This results in a seamless way to handle secrets across systems and environments. In general, they are designed to automate the security procedures vital in protecting secrets. In cases when there is no encryption implemented, they enforce high-level encryption. They then automatically encrypt and decrypt data as needed by users.
Secrets management platforms are particularly useful to DevOps teams. Privileged access management (PAM) expert Tyler Reese of DevOps.com acknowledges the tendency of many teams to overlook essential security practices. “What’s more, in an environment that relies heavily on code, we’ve seen time and time again careless developers leaking confidential information through APIs or cryptographic keys on sites such as GitHub,” Reese says.
Secrets security is a must
This post may sound like a recommendation to use third-party secrets management tools, but it is not the main point. The goal here is to emphasize how important it is to secure organization secrets being stored in or transmitted to the cloud.
Generally, there is nothing wrong in learning and using the specific procedures in protecting secrets for particular platforms or applications. However, some simply do not have adequate security measures in place. The Kubernetes Secrets feature briefly discussed earlier, for instance, does not perform encryption. With it, secrets are stored in Etcd in base64, which only undertakes encoding, not encryption. As such, anyone who is designated as an admin for the Kubernetes cluster can read the secrets saved in the cluster—a potential security loophole.
So why do you need to secure your secrets on the cloud? It’s because cybersecurity attacks abound and they frequently target secrets stored in the cloud. Also, some cloud platforms and applications do not provide adequate protection for secrets. How do you protect secrets? By learning and using the specific secrets management processes associated with certain platforms or applications. If this is too cumbersome and inefficient, the logical option is to use a unified secrets management solution.
Oren Rofman, senior technology writer