How to Properly Manage Secrets in Development Projects
Secrets like passwords and ssh keys are scattered throughout the software development process. However, few people can access this data. Controlled access is still a major challenge for development teams, due to difficulties in managing this information and adopting non-recommended standards.
The standards that can compromise the security of a system include weak passwords, a topic already addressed here in senhasegura‘s blog.
However, in this article, we will bring more details about the management of secrets in development processes. To facilitate your understanding, we divided our text into the following topics:
- What Are Secrets?
- Challenges to Manage Secrets in Development Projects
- Password Management: Non-Recommended Standards
- Five Key Practices for Secret Management
Follow our text to the end!
What Are Secrets?
All authentication credentials used in applications and services in an IT structure are considered secrets. This includes passwords, ssh keys, API keys, OAuth tokens, and configuration files.
Secrets management can be viewed as enhanced password management, which includes creating, rotating, revoking, and storing credentials.
After all, the scope in this case is broader, but the purpose remains to protect against unauthorized access to data and systems, data losses, and breaches.
Secrets management contributes to cybersecurity in three instances. They are as follows:
- Infrastructure Security – It prevents users, devices, applications, and other network elements from being invaded;
- Cloud Service Security – It allows you to limit and manage access to cloud-based services;
- Data Security – It makes it possible to protect critical systems, among other resources against data losses and breaches.
Another advantage of secrets management is to help bring organizations into compliance with the requirements of demanding cybersecurity standards, such as FIPS, NIST, and HIPAA.
Challenges to Manage Secrets in Development Projects
Secrets management involves some difficulties. Next, let’s point out the most common ones. Check it out:
Lack of Visibility
With the migration of IT infrastructure to the cloud, the number of resources, systems, applications, and accounts changes frequently. As a consequence, the places where secrets are stored also change.
Therefore, for an organization to remain secure, it is essential to know clearly where this information is stored. What’s more: A lack of visibility can also create obstacles to managing these resources, or when going through an audit.
Lack of Management Policies
To meet the criteria of security regulations and facilitate the control of the life cycle phases of a secret, companies must define rules in security policies, which does not always occur.
Most organizations do not use automated secret management capabilities to manage their digital credentials yet. In this way, they delay the management process and make the storage of secrets more vulnerable.
Password Management: Non-Recommended Standards
Many organizations still have non-recommended standards in their password management routine. Here are a few:
Due to the difficulty in memorizing complex passwords, many people adopt simple and easy-to-remember codes. However, this is one of the main vulnerabilities when it comes to password management. After all, easy-to-remember passwords are just as easy to crack.
Also, malicious agents can discover embedded and encoded passwords with the help of verification tools, by performing a brute force attack or simply guessing.
Many companies use shared accounts and passwords to manage their systems, making it impossible to identify who performed each action within an online environment in the event of an incident.
In addition, their employees can share passwords with co-workers or others, facilitating the action of attackers interested in sensitive organization data.
Storing Secrets in Plain Text
It is common for employees in a company’s department to use text files that contain all passwords for critical situations or forward messages to colleagues with the necessary secrets to access a resource.
Nevertheless, these practices pose risks to the cybersecurity of organizations: attackers only need to obtain a file, message, or email to have tools to hack a system.
Reuse of Secrets
It is also very common to reuse secrets for different services in order to facilitate their memorization and save time. However, if one malicious user discovers one code, the others will also be compromised.
NIST has as a criterion the revocation of user credentials when necessary. This should occur in the event an employee is fired or a contract with a third-party supplier is terminated, for example. However, this security procedure is not followed by all organizations.
Secrets Without Rotation
Various security standards dictate that passwords be changed within a given time frame, as do application keys and other types of secrets. Once again, it is not all companies that follow this recommendation.
Are you enjoying this post? Join our Newsletter!
Newsletter Blog EN
Five Key Practices for Secret Management
There are several ways to provide a secure method for protecting secrets. The following are five important steps to achieve this goal:
Centralized Secrets Management
First, you should centralize your secrets in one place to ensure more security and facilitate their management. This makes it easier to build governance, security, and auditing to know who accesses this information and when it is accessed.
ACLs (Access Control Lists)
Once you have your secrets centralized in one place, make sure the right people have access to them. To do this, you can create human, machine, and application ACLs that give you control of that access.
The third and fourth actions must occur simultaneously: they consist of having dynamic secrets. In practice, to ensure dynamic secrets, individuals and entities must be given temporary credentials to access the systems.
As mentioned, it is important that data in transit or at rest can be encrypted, with encryption keys centralized in secrets management.
Now, you might be wondering how to audit your secrets management and know what was accessed by which user.
Each dynamic secret can be used by a single user, who is properly authenticated when retrieving this information, and encryption as a service allows you to know who accessed an encryption and decryption operation. All of this can give you a complete picture of everything that happens in your IT infrastructure.
By reading this article you have learned what secrets are, how they should be managed, and what are the biggest challenges in managing this information. You were also able to understand which standards are not recommended in password management, such as:
- Weak Passwords;
- Password Sharing;
- Storing Secrets in Plain Text;
- Reuse of Secrets;
- Unrevoked Secrets; and
- Secrets Without Rotation.
In addition, we presented five fundamental practices for good secrets management.
Did you like our text? Share it with someone interested in this information.
ALSO READ IN SENHASEGURA’S BLOG