Speaking at BSides San Francisco on April 16 2018, Evan Johnson, security engineer at Segment, and Maya Kaczorowski, product manager, Security & Privacy at Google, explored the topic of cloud ‘secrets’, highlighting common mistakes in secret management and solutions to the problem.
A cloud secret is “anything an application needs at build or run time,” said Kaczorowski, citing examples such as credentials, API keys, usernames and passwords.
Johnson added that “secret management was a very big thing that blasted onto the scene in 2015/16 – but people are still coming up to me saying ‘we’re still working on that and need a solution for it’.”
Kaczorowski said that secrets are typically either managed in a decentralized manner adjacent to code (which is undesirable) or with a centralized, purpose-built solution, with more and more people opting for the latter. “There’s really no point at this time in keeping things decentralized,” she claimed.
In terms of common mistakes made in secret management, Kaczorowski highlighted the following:
- Putting secrets in code
- Not rotating secrets
- Not backing up secrets
- Not having a concept of identity
- Protecting secrets the same way you protect everything else
Conversely, Johnson and Kaczorowski then pointed out the properties of good secret management:
- Identity: requires strong identities and least privilege
- Auditing: verify the use of individual secrets
- Encryption: always encrypt before writing to disk
- Rotation: change a secret regularly in case of compromise
- Isolation: keep where secrets are used separate from where they are managed
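To make the two lists above concrete, here is a small in-memory secret store, written for this article and not code shown in the talk, that avoids the listed mistakes and exhibits the listed properties: reads are gated on a caller identity with a per-secret allow list, every access (granted or denied) is written to an audit trail, values are sealed under a root key before they are written to disk, and rotation appends a new version while older versions stay readable during a rollout. The root key, file path, secret names and identities are all constructed for the example, and the HMAC-based sealing stands in for a vetted AEAD.

```python
import hashlib, hmac, json, os, time

class SecretStore:
    # Constructed illustration: identity + least privilege, audit trail, encryption
    # before disk, versioned rotation, isolation (callers never see the root key).
    def __init__(self, root_key: bytes, path: str):
        self._root_key = root_key      # the "root secret"; never leaves this object
        self._path = path
        self._acl = {}                 # secret name -> identities allowed to read it
        self._versions = {}            # secret name -> list of sealed versions
        self.audit = []                # (timestamp, identity, action, name, outcome)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 as a PRF in counter mode (illustration only; use AES-GCM in production)
        out, ctr = b"", 0
        while len(out) < length:
            out += hmac.new(self._root_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:length]

    def _seal(self, plaintext: bytes) -> dict:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._root_key, nonce + ct, hashlib.sha256).hexdigest()
        return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

    def _open(self, blob: dict) -> bytes:
        nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
        tag = hmac.new(self._root_key, nonce + ct, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise ValueError("sealed secret was tampered with or root key is wrong")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def put(self, identity: str, name: str, value: bytes, readers: set) -> int:
        # Rotation is a put of a new version; older versions stay readable until
        # every consumer has switched over, so a rollout cannot break them mid-way.
        self._acl[name] = set(readers)
        self._versions.setdefault(name, []).append(self._seal(value))
        with open(self._path, "w") as f:   # only sealed blobs ever reach disk
            json.dump({"acl": {k: list(v) for k, v in self._acl.items()}, "versions": self._versions}, f)
        self.audit.append((time.time(), identity, "put", name, "ok"))
        return len(self._versions[name])

    def get(self, identity: str, name: str, version: int = 0) -> bytes:
        # version 0 (default) returns the newest; 1, 2, ... pick an explicit one
        if identity not in self._acl.get(name, set()):
            self.audit.append((time.time(), identity, "get", name, "denied"))
            raise PermissionError(f"{identity} may not read {name}")
        self.audit.append((time.time(), identity, "get", name, "ok"))
        return self._open(self._versions[name][version - 1])
```

What the store does not solve is the talk's closing point: the root key passed to the constructor is the "secret to all secrets", and protecting it is left to the caller.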
Johnson and Kaczorowski added that, when selecting the secret management option that fits them best, organizations need to consider whether they run mostly in containers or mostly in the cloud.
To conclude, Johnson and Kaczorowski highlighted the issues that make, and will continue to make, secret management difficult:
- Usability: it’s great to have these tools, but now figure them out without messing up
- Root secret: how do you protect the secret to all secrets?
- Secret rotation: some tools do it, some don’t; but it’s still highly manual in most cases