We all know that password management is an issue for us as individuals. It’s why the most-used passwords found in data breaches are still "123456" and “password.” For an enterprise, amplify the complexity and seriousness of the problem by many orders of magnitude. Our credentials aren’t just passwords, they are PINs, certificates, encryption keys. They aren’t just in our browsers, they are in our infrastructure and our multi-cloud environments. They aren’t only used by us, they’re shared by developers working on transforming our business processes.
And while the consequences of having your passwords compromised in your personal life is bad enough, at an enterprise level, the penalties of non-compliance can be catastrophic. Applying consistent security policies is a challenge that is only getting harder for enterprises as IT environments evolve. This is where secret management comes in. Here we explain why you should evaluate your approach to secrets management, and explain how it should automate, manage and safeguard access to your most important data.
Cloud migration increases organizational secrets
Organizational secrets - digital authentication credentials – come in many forms. It is a growing list including access tokens, passwords, SQL connection strings, PINs, certificates, API, SSH keys and encryption keys. As organizations migrate to the cloud and, through DevOps, accelerate their developmental processes, they will only need to manage more and more secrets.
Organizations are increasingly embracing multi-cloud, multi-deployment environments. They are deploying applications because they offer the best technology, and because they’re secure – regardless of whether they’re on-premises or in the cloud. This migration creates an increase in volume and complexity of secrets, for example, machine-based identities which can run into the tens of thousands. It becomes incredibly hard even to store these IDs without any automation. So, to ensure smooth daily running of the business for all users, enterprises need a strategy to be able to manage and control access to the credentials that protect data across multi-clouds.
Organizational secrets are siloed without one standard policy
As more enterprise applications offer their own repositories to store secrets, siloes get created. Organizations are uncovering repositories holding different sensitive assets, with different lifecycle management and protection policies. This can be complicated by our individual behavior too – with passwords and private keys likely being shared outside of central repositories.
Organizational secrets are invisible
At best, siloed information is complicated to keep track of. At worst, it’s invisible. Without visibility, companies don’t know if their secrets are compromised and therefore if they’re compliant with regulations. Not knowing where these secrets are maintained, and applying independent and inconsistent management policies, creates security and compliance audit risks.
Organizational secrets are an important part of high assurance security
Established and evolving data security regulations – like GDPR and the new CCPA, which began enforcement this month –– are forcing organizations to proactively protect their data. In evolving IT environments, you need high assurance security. You need to be able to prove appropriate technical or organizational security measures are in place. Leaving password security to humans is not only inefficient, it is also risky.
DevOps poses a challenge for secret management
The DevOps environment poses a special challenge because secret management needs to be transparent to allow rapid application development. Developers need to share secrets for a myriad of services – how do they find them? How do they share them? They are operating quickly, so often looking for the easiest route. DevOps for cloud-native applications is even more complex – AWS has an estimated 100 services that need credentials. Again, managing these secrets is not a human-scale job. You need a good secret management solution for consistent workflows to connect and run in different infrastructures for any application, in a trusted manner.
As consumers, we can use passwords managers like LastPass and Dashlane to make our lives easier. What is available for the far more complex needs of an enterprise? How can enterprises manage their organizational secrets? Many enterprises have worked on their own secret management systems, but open source and commercial solutions are available to manage and store secrets. As enterprise IT has adopted a cloud-first strategy, or the as-a-service model, encryption and key management solutions have also migrated to this approach. This option offers businesses the alternative to lease encryption and key management services.
These solutions automate good security behaviors and practices from the basics of generating strong passwords, expiring them, and offering a secure way to share them. Ease of use is essential for users; no one is incentivized to find a longer or harder way to do something. Security ensures that the confidentiality and integrity of data in transit and at rest is maintained and reduces the risk of exposure by enforcing a centralized and consistent security policy.
Centralization enables uniform policy enforcement and facilitates auditing and regulatory compliance. It also stops ‘secrets sprawl,’ solving the visibility problem, but aggregates risks. If you are storing everything in one place, that place better be secure. Keeping all secrets in a vault means that that vault needs extra protection, with additional security for the master keys. Establishing a root of trust that protects the centralized secret management repository is critical to enable enterprise access to computing resources across a variety of on-premises and multi-cloud environments.
Choosing the right secret management approach – beyond knowing that the solution is highly available and resilient - is a matter of understanding your specific requirements, the cloud infrastructure you use, and the kind of features you want to have.
The pop group The Romantics’ 1983 hit “Talking in your Sleep” told the story of secrets revealed. Organizations don’t “talk in their sleep,” but hackers can “hear the secrets that they keep,” if the organizations don’t follow consistent security practices. Strong secret management isn’t just an opportunity to improve your defenses and reduce your security risks – big wins for any organization already – it’s also an opportunity to support business transformation as you make it easier for your infrastructure to evolve quickly and safely. That is the real secret to secret management.
Juan Asenjo, Director of Product, Solutions and Partner Marketing, nCipher Security