Secrets Management: the Must-Dos

Written by

The modern IT landscape is filled full of secrets: There are certificates, SQL connection strings, storage account keys, passwords, SSH keys, encryption keys and more. And no matter what role one plays in the group—developer, admin, PKI manager—managing these secrets can become a high-stakes management headache.

Speaking at the DigiCert Security Summit 2017, Rashmi Jha, Microsoft program manager, said that getting a handle on secrets management is one of the No. 1 challenges in modern IT security. Too often, enterprises don’t even know when secrets are compromised, or even how they will be used—and it’s a self-inflicted issue.

 “A full 80% of data breaches are caused by silly mistakes by those responsible for managing secrets,” she said. “It’s not that the adversaries are so sophisticated.”

The issues stemming from poor secrets management are myriad, and extend beyond the obvious issue of information leaks and account compromise.

“You have to consider outages and expired certificates too, which can cause loss of reputation,” she said. “If a Microsoft service goes down for even 15 minutes on just one endpoint—you can guarantee it will be written up on Reddit.”

Also, for some businesses, if secrets aren’t maintained the right way, it can cause compliance issues.

“For certain verticals that means shutting down your business,” Jha said.

She went on to lay out a few secret management must-dos, starting with knowing where secrets are in the company.

She explained the fragmentation issue: “Do you have employees with private keys and connection managers? Are secrets being passed through emails or dumped on a server or on Dropbox? Maybe you’ve encrypted it all, but it’s scattered and you don’t even know where to go to find those secrets. It’s crucial that you put all the secrets in a central place so you have that collective place to go for information somewhere in your company data tree.”

With a centralized approach to secrets management, it of course becomes imperative to control access to these literal keys to the kingdom.

“Many people just don’t need access to certain resources, but they seem to have it anyway—this is easy-to-fix negligence,” Jha said. “Check the permissions on your secrets. And not just for human users—think about applications too. Not every app needs access to the same secrets. Think through everything about permissions and broaden your scope from users to also machines and applications.”

Logging use is another best practice. By collecting data automatically and daily, it becomes possible to look at the patterns for how secrets have been used—and that’s intelligence with which companies can create permissions policies.

Organizations should also keep in mind that secrets have a lifespan. “If the secret is shared or has been seen, its susceptibility increases a lot,” Jha said. “You have to rotate those secrets and change them on a regular basis.”

If all of that sounds daunting, automation can be an important aspect of secret management. Automated management helps companies react to industry problems and keep on top of issues like the Heartbleed vulnerability.

“Companies might not have even know that they were compromised,” Jha said. “If you have to react to something in the industry like this, removing the human out of this whole secrets thing can be really helpful.”

And last but not least, Jha emphasized that it’s critical to assume that there will be a data breach, and to plan ahead of time for how to reduce the impact on one’s organization.

“You should know the incident response process for your company beforehand,” she recommended. “First, create an inventory of every impacted credential (a recursive process); and make sure you’re already rotating credentials from the top down. When something happens, first validate that all leaked credentials no longer work, ideally in an automated way—and then make sure to examine team practices to prevent a recurrence.”

She added, “This might take one week, or it might take two weeks, but at least you have a plan and are working on it instead of it being a chaotic free-for-all. You demonstrate that you’re in charge and you become the hero.”

What’s hot on Infosecurity Magazine?