
How to Properly Manage Secrets in Development Projects

Mar 21, 2022 | BLOG

Secrets such as passwords and SSH keys are scattered throughout the software development process, and only a small number of people should be able to access them. Controlled access is still a major challenge for development teams, however, because this information is hard to keep track of and because teams adopt practices that are not recommended.

The practices that can compromise the security of a system include weak passwords, a topic already addressed here in senhasegura's blog.

In this article, we go into more detail on the management of secrets in development processes. To make it easier to follow, we divided the text into the following topics:

    1. What Are Secrets?
    2. Challenges to Manage Secrets in Development Projects
    3. Password Management: Non-Recommended Standards
    4. Five Key Practices for Secret Management
    5. Conclusion

Follow our text to the end!

  • What Are Secrets?

All authentication credentials used by applications and services in an IT environment are considered secrets. This includes passwords, SSH keys, API keys, OAuth tokens, and the configuration files that embed any of them.

Secrets management can be viewed as password management with a wider scope: it covers creating, rotating, revoking, and storing credentials of every kind, not just human passwords.

The purpose remains the same as for password management: to protect against unauthorized access to data and systems, data loss, and breaches.

Secrets management contributes to cybersecurity in three areas:

  • Infrastructure Security – It keeps users, devices, applications, and other network elements from being compromised through stolen or leaked credentials;
  • Cloud Service Security – It allows you to limit and manage access to cloud-based services;
  • Data Security – It makes it possible to protect critical systems, among other resources, against data loss and breaches.

Another advantage of secrets management is that it helps organizations meet the requirements of demanding security standards and regulations, such as FIPS, NIST guidance, and HIPAA.

  • Challenges to Manage Secrets in Development Projects

Secrets management involves some difficulties. The most common ones are the following:

 Lack of Visibility

With the migration of IT infrastructure to the cloud, the number of resources, systems, applications, and accounts changes frequently. As a consequence, the places where secrets are stored also change.

Therefore, for an organization to remain secure, it is essential to know clearly where this information is stored. A lack of visibility also makes these resources harder to manage and harder to account for during an audit.

 Lack of Management Policies 

To meet the criteria of security regulations and facilitate the control of the life cycle phases of a secret, companies must define rules in security policies, which does not always occur. 

 Manual Management

Most organizations do not yet use automated secrets management to handle their digital credentials. This slows the management process down and leaves stored secrets more exposed.

  • Password Management: Non-Recommended Standards

Many organizations still follow non-recommended practices in their password management routine. Here are a few:

 Weak Passwords

Because complex passwords are hard to memorize, many people choose simple, easy-to-remember ones. This is one of the main vulnerabilities in password management: a password that is easy to remember is usually just as easy to crack.

Likewise, passwords that are hard-coded into applications, or merely encoded (for example in Base64) rather than encrypted, can be recovered by attackers with scanning tools, by brute force, or simply by guessing.

 Password Sharing

Many companies use shared accounts and passwords to manage their systems, which makes it impossible, in the event of an incident, to identify who performed each action in the environment.

In addition, employees may share passwords with co-workers or outsiders, which makes things easier for attackers interested in sensitive organizational data.

 Storing Secrets in Plain Text

It is common for employees in a department to keep text files containing all the passwords needed in critical situations, or to forward messages to colleagues with the secrets needed to access a resource.

These practices put the organization at risk: an attacker only needs to obtain one file, message, or email to have everything required to break into a system.
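The scanning tools mentioned under Weak Passwords and the plain-text files described above are what a secrets scanner exists to catch. The following is an added example written for this article, not senhasegura's code or a tool the article names: it flags credential formats whose structure is public (AWS access key IDs, private-key headers, GitHub and Slack token prefixes) and, for anything else, reports opaque high-entropy values assigned to keys whose names suggest a secret, while skipping placeholders and environment-variable references. The configuration text it scans is constructed for the demonstration; the AWS values are the well-known example values from AWS documentation, not live keys.

```python
"""Detect hard-coded secrets in source or configuration text.

Added example (not senhasegura's code). Two detectors: known credential
formats by pattern, and high-entropy values assigned to secret-looking keys.
All input below is constructed for the demonstration.
"""
import math
import re
from collections import Counter

# Credential formats whose structure is public knowledge.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
}

# `key = value` / `key: value` where the key name contains a secret-like word.
ASSIGNMENT = re.compile(
    r"""(?i)([a-z0-9_.-]*(?:password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)"""
    r"""[a-z0-9_.-]*)\s*[:=]\s*['"]?([^'"\s,;]+)"""
)

# Values that are obviously not real secrets.
PLACEHOLDERS = {"changeme", "password", "xxx", "<redacted>", "none", "null", "example"}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys score about 4 or more; English words 2 to 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5, min_length: int = 16):
    """Return (line_number, finding_name) pairs for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in KNOWN_FORMATS.items():
            if pattern.search(line):
                findings.append((lineno, name))
        for match in ASSIGNMENT.finditer(line):
            key, value = match.group(1), match.group(2)
            if value.lower() in PLACEHOLDERS or value.startswith("$"):
                continue  # placeholder or ${ENV_VAR} reference: not a literal secret
            if len(value) >= min_length and shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, f"high_entropy_{key.lower()}"))
    return findings


# Constructed sample: a config file as it might be committed to a repository.
SAMPLE_CONFIG = """\
# constructed sample config, as it might be committed to a repository
db_host = db.internal.example
db_password = "changeme"
api_key = ${API_KEY}
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, finding in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

Run it against a checkout with `scan_text(open(path).read())` per file; the placeholder line and the `${API_KEY}` reference are deliberately left unflagged, while the AWS key ID, the high-entropy AWS secret key, and the private-key header are reported. Tune `entropy_threshold` and `min_length` to the false-positive rate you can tolerate, and treat anything the scanner finds in history as already leaked: remove it, then rotate it.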

 Reuse of Secrets 

It is also very common to reuse the same secret across different services, to make it easier to remember and to save time. However, if a malicious user discovers that one secret, every service that shares it is compromised as well.

 Unrevoked Secrets 

NIST guidance requires that user credentials be revoked whenever necessary, for example when an employee leaves the company or a contract with a third-party supplier ends. Not every organization follows this procedure.

 Secrets Without Rotation

Various security standards require that passwords be changed within a given time frame, and the same applies to application keys and other types of secrets. Once again, not every company follows this recommendation.


  • Five Key Practices for Secret Management

There are several ways to provide a secure method for protecting secrets. The following are five important steps to achieve this goal:

 Centralized Secrets Management

First, centralize your secrets in one place, for better security and easier management. A single store makes it much simpler to build governance, access control, and auditing on top of it, so that you know who accesses this information and when.

 ACLs (Access Control Lists)

Once your secrets are centralized, make sure that only the right people, machines, and applications can reach each of them. To do this, define ACLs for human, machine, and application identities that give you fine-grained control over that access.

 Temporary Credentials

The third practice works together with the fourth: use dynamic secrets. In practice, this means that individuals and entities are given temporary credentials to access the systems, issued on demand for a specific use and expiring after a short time, instead of long-lived static ones.

 Encryption

Data in transit and at rest must be encrypted, and the encryption keys themselves should be held in the centralized secrets management rather than stored alongside the data they protect.

 Audit

You might now be wondering how to audit your secrets management and know what was accessed by which user.

Each dynamic secret is tied to a single user, who is authenticated when retrieving it, and encryption as a service records who requested each encryption and decryption operation. Together, these records give you a complete picture of what happens in your IT infrastructure.
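Taken together, the five practices above, plus the revocation and rotation points from the previous section, describe a small secrets broker. The following is an added example, not senhasegura's product or code: one `Vault` class that centralizes secrets, enforces per-path ACLs, issues short-lived leases that expire, can be revoked and are invalidated by rotation, keeps only ciphertext at rest, and appends every decision to an audit trail. The principals, secret paths, master key and TTL values are invented for the demonstration, and the cipher (HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag) is a standard-library stand-in for an AEAD such as AES-GCM, chosen so the example runs without third-party packages.

```python
"""Minimal secrets broker showing the five practices working together.

Added example, not senhasegura's product code: a single store (centralization),
per-path ACLs, short-lived leases that expire, can be revoked and are dropped on
rotation (temporary/dynamic credentials), encryption at rest, and an append-only
audit trail. Principals, paths and the master key are invented for the demo.
The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a
stdlib-only stand-in for an AEAD such as AES-GCM; use a real AEAD in production.
"""
import hashlib
import hmac
import os
import secrets
import time


class Vault:
    def __init__(self, master_key: bytes, clock=time.time):
        # Derive separate keys for confidentiality and integrity from the master key.
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._store = {}     # path -> (nonce, ciphertext, tag); plaintext is never kept
        self._acl = {}       # path -> {principal: {capabilities}}
        self._leases = {}    # lease_id -> {"path", "principal", "expires"}
        self.audit = []      # append-only (who, action, path, outcome, timestamp)
        self._clock = clock  # injectable so expiry can be tested deterministically

    # ---- encryption at rest -------------------------------------------------
    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = bytearray(), 0
        while len(out) < length:  # PRF(nonce || counter) blocks, like a CTR mode
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def _seal(self, plaintext: bytes):
        nonce = os.urandom(16)  # fresh per write, so keystreams never repeat
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce, ct, tag

    def _unseal(self, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            raise ValueError("stored secret failed integrity check")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def _log(self, who: str, action: str, path: str, outcome: str) -> None:
        self.audit.append((who, action, path, outcome, self._clock()))

    # ---- centralized store with ACLs ----------------------------------------
    def put(self, admin: str, path: str, value: bytes, acl: dict) -> None:
        self._store[path] = self._seal(value)
        self._acl[path] = {principal: set(caps) for principal, caps in acl.items()}
        self._log(admin, "put", path, "ok")

    def rotate(self, admin: str, path: str, new_value: bytes) -> int:
        """Re-seal with a fresh value; leases issued against the old value die."""
        self._store[path] = self._seal(new_value)
        stale = [lid for lid, l in self._leases.items() if l["path"] == path]
        for lid in stale:
            del self._leases[lid]
        self._log(admin, "rotate", path, f"ok, {len(stale)} leases dropped")
        return len(stale)

    # ---- temporary credentials ---------------------------------------------
    def lease(self, principal: str, path: str, ttl_seconds: int) -> str:
        if "read" not in self._acl.get(path, {}).get(principal, set()):
            self._log(principal, "lease", path, "denied")
            raise PermissionError(f"{principal} is not allowed to read {path}")
        lease_id = secrets.token_urlsafe(16)
        self._leases[lease_id] = {"path": path, "principal": principal,
                                  "expires": self._clock() + ttl_seconds}
        self._log(principal, "lease", path, "ok")
        return lease_id

    def read(self, principal: str, lease_id: str) -> bytes:
        l = self._leases.get(lease_id)
        if l is None or l["principal"] != principal:
            self._log(principal, "read", "-", "denied")
            raise PermissionError("unknown lease, or lease belongs to another principal")
        if self._clock() > l["expires"]:
            del self._leases[lease_id]
            self._log(principal, "read", l["path"], "expired")
            raise PermissionError("lease expired")
        value = self._unseal(*self._store[l["path"]])
        self._log(principal, "read", l["path"], "ok")
        return value

    def revoke(self, admin: str, lease_id: str) -> bool:
        l = self._leases.pop(lease_id, None)
        self._log(admin, "revoke", l["path"] if l else "-", "ok" if l else "unknown")
        return l is not None
```

A typical exchange is `v = Vault(master_key)`, `v.put("admin", "db/prod/password", b"...", {"billing-svc": {"read"}})`, then `lid = v.lease("billing-svc", "db/prod/password", 60)` followed by `v.read("billing-svc", lid)`; a second principal presenting the same lease is refused, the lease stops working once the TTL passes or `revoke` is called, and `rotate` drops every lease on the path so a rotated value is never served through an old grant. Every one of those outcomes, including denials, lands in `audit`, which is what makes the "who accessed what, and when" question answerable.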

  • Conclusion

By reading this article you have learned what secrets are, how they should be managed, and what the biggest challenges in managing this information are. You were also able to understand which practices are not recommended in password management, such as:

  • Weak Passwords;
  • Password Sharing;
  • Storing Secrets in Plain Text;
  • Reuse of Secrets;
  • Unrevoked Secrets; and
  • Secrets Without Rotation.

In addition, we presented five fundamental practices for good secrets management. 

Did you like our text? Share it with someone interested in this information. 

