Secrets Management: Importance, Challenges, Best Practices

Category: 

To ensure proper protection of their critical data, organizations pay attention to the processes they use for managing identities, privileges, and secrets. Collectively referred to as secrets management, these processes provide organizations with capabilities for managing passwords, encryption keys, API keys, and other types of secrets in a centralized and secure way.

 

In this article, we tell you about common types of secrets and the role of secrets management in an organization’s cybersecurity. We also cover common challenges of secrets management and provide helpful recommendations for improving your secrets and password management routines.

 

Secrets management is vital for data security

 

Poor secrets management leads to cybersecurity incidents.

 

According to Gartner, by 2021, more than half of organizations using DevOps will be using PAM-based secrets management services and solutions. That’s a promising prediction, considering that today only about 10% of organizations use secrets management solutions. At the same time, secrets management is crucial for all organizations, whether they use DevOps or not, because all organizations use digital secrets to some extent.

 

Let’s start by clarifying what a secret is from the cybersecurity perspective. Secrets are digital credentials: passwords, APIs, encryption keys, SSH keys, tokens, and so on. They’re used for managing access permissions at both human-to-application and application-to-application levels of interaction.

 

Types of secrets

 

Secrets provide users and applications with access to sensitive data, systems, and services. This is why it’s so important to keep secrets secure both in transit and at rest — and, therefore, to manage them properly.

 

So what is secrets management?

 

Secrets management is the process of securely and efficiently managing the creation, rotation, revocation, and storage of digital authorization credentials. In a way, secrets management can be seen as an enhanced version of password management. While the scope of managed credentials is larger, the goal is the same — to protect critical assets from unauthorized access.

 

With a well-thought-through secrets management policy, organizations can prevent various cybersecurity issues, including unauthorized access to critical data and systems, data losses, and data breaches.

 

In general, secrets management helps to ensure security at three levels:

 

  • Infrastructure security – Protect user and application accounts, devices, and other network elements from intrusions.
  • Cloud service security – Limit and manage access to cloud accounts and important cloud-based services.
  • Data security – Protect critical systems, storages, databases, and other resources from data compromise.

 

Plus, managing and auditing secrets — particularly passwords, as one of the most common types of secrets — is among the key requirements of cybersecurity standards and acts such as NIST, FIPS, and HIPAA.

 

Read also: Top 5 Poor Privileged Account Management Practices

 

Secrets management challenges and anti-patterns

 

Sometimes it’s hard to keep a secret.

 

Let’s take a look at the key challenges of secrets management. The biggest difficulty of managing digital credentials is the need to ensure full protection at every phase of a secret’s lifecycle, from creation to deletion.

 

Secrets lifecycle

 

There are four main phases a password or other secret can go through:

 

  • Creation – Secrets can either be created manually by a user (a password to a personal account) or generated automatically (an encryption key for deciphering a protected database).

  • Storage – Secrets can be stored centrally or separately, using designated solutions (a PAM-based secrets management tool or password manager) or common approaches (in a text file, on a shared disk, etc.).
     
  • Rotation – Secrets can be changed or reset on a schedule, thus improving the overall protection of an organization’s infrastructure. Secrets rotation is one of the key requirements of many regulations and standards, including NIST and PCI DSS.

  • Revocation – Secrets can be revoked in the case of a cybersecurity incident. Thanks to this measure, organizations can prevent or limit the negative consequences of an incident and make sure that attackers can’t use compromised credentials for accessing your organization’s critical resources, systems, endpoints, or applications.

 

At each of these phases, secrets should be protected from unauthorized access, intervention, and manipulation. However, many organizations struggle to build an efficient password management system.

 

Here are some of the most common secrets management problems:

 

Lack of visibility. With a constantly changing number of systems, resources, accounts, and applications, the number and locations of secrets change as well. Without clear visibility, an organization won’t be able to manage secrets effectively and securely. Plus, visibility gaps can create additional challenges for audits.

 

No secrets management policy. Setting clear rules in security policies makes it easier to control different stages of a secret’s lifecycle and helps organizations meet the requirements of security regulations. However, many organizations don’t have such a policy or don’t follow it properly.

 

Manual management. According to a survey conducted by Centrify, 52% of organizations don’t use password vaults or any other dedicated secrets management tools or systems to manage their digital credentials. This slows down the management process and can make both storage and transmission of keys less secure.

 

In addition, many organizations still have one or more anti-patterns in their password management routine. Here are the six most common:

 

Secrets management anti-patterns

 

Let’s look closer at each of these anti-patterns.

 

1. Weak passwords. To make things easier for themselves, people tend to use default account passwords, embedded and hard-coded application secrets, and weak, easy-to-remember passwords. These three bad practices constitute one of the biggest password management sins. 

 

Usually, the easier it is to remember a password, the easier it is to crack it. Nevertheless, people still use passwords like “password,” “admin,” and “123123.”

 

As for embedded and hard-coded passwords, hackers can easily get them with the help of scanning tools, guessing, or performing a brute-force attack.

 

2. Storing secrets in plain text. Have you ever seen a team or a department using a shared text file containing all the passwords to critical resources? Or sending each other emails and messages with the secrets needed for accessing specific applications, resources, or services? While it’s a pretty common practice, storing and transmitting secrets in plain text creates multiple security risks. 

 

Storing secrets in plain text makes it so much easier for an attacker to get into the target system. The only thing they need to do is obtain a file, email, or text message.

 

3. Sharing passwords. There are two sides to the problem of sharing passwords. On the one side, many organizations use shared accounts for managing their systems or working with cloud services and web applications. The key weak point here is that to access a specific resource or application, several people use the same credentials. So in the case of a security incident, you never know who did what under such an account.

 

On the other side, some employees may share credentials to their personal accounts with colleagues or even outsiders without giving it a second thought. These credentials can be used by malicious insiders and intruders to surreptitiously get hold of an organization’s sensitive data.

 

4. No secrets revocation. Being able to revoke user credentials is one of the key NIST requirements. Revoking secrets should be a standard response to an employee’s resignation, the expiration of an agreement with a third-party vendor, failed authorization attempts, etc. But unfortunately, not all organizations follow this procedure in their secrets management routines.

 

5. No secrets rotation. Many security standards require changing passwords on a schedule. PCI DSS, for example, requires changing user passwords at least once every 90 days. The same recommendation applies to application keys and other types of secrets.

 

However, not all organizations rotate secrets regularly, increasing the risk of their compromise.

 

6. Reusing secrets. Using the same secret for different accounts, services, or applications is a common bad practice. Employees often do it to save some time and avoid bothering with the need to remember multiple secrets. However, if a reused secret gets compromised, all the accounts and resources it was used for will be at risk.

 

As you can see, ensuring the security and effective management of secrets within an organization isn’t that easy. However, we have several recommendations that can help you tackle this task. In the next section, we discuss three best practices for secrets management.

 

Read also: Incident Response Planning Guideline for 2019

 

3 best practices for secrets management

 

Say no to threatening anti-patterns.

 

In order to minimize the risk that sensitive data will be compromised, organizations need to pay more attention to the way they manage secrets. Below, we list three recommendations that can help you build an efficient secrets management system within your organization.

 

Secrets management recommendations

 

1. Build a secrets management policy 

 

Using the list of bad practices from the previous section, determine your secrets management strategy and build a basic secrets management policy for your organization. Here are some basic elements to include in this policy:

 

  • Restrict the use of hard-coded secrets and default passwords
  • Set strict requirements for the format of passwords
  • Specify mandatory secrets revocation in certain cases
  • Set a fixed period for mandatory secrets rotation

 

You can expand this list based on the particularities of your organization. Look to the password management requirements of the regulations you must comply with for additional guidance.

 

2. Automate secrets management processes

 

When things aren’t automated, there’s always room for human errors. That’s why you need to deploy dedicated secrets management software for managing secrets in a secure and centralized manner.

 

Look for a tool that allows you to discover and account for all secrets in use. Pay special attention to options for key generation, rotation, revocation, storage, and transmission.

 

3. Manage privileges

 

Users and applications with elevated privileges have access to the most critical data, services, and resources. Not to mention that privileged accounts are one of the key targets for cybercriminals.

 

Ideally, no user or application should have more privileges than they need for accomplishing regular tasks. Any privilege elevation should be granted for a valid reason and be strictly limited in time. This is why such privileges also should be closely monitored and managed.

 

Some of today’s PAM solutions go far beyond managing privileges assigned to specific accounts or roles and provide full coverage of different types of secrets.

 

Manage secrets effectively with Ekran System

 

Ekran System is an insider protection platform that comes with a rich set of PAM and secrets management functionalities. With the help of this platform, you can effectively manage:

 

  • Local Windows admin passwords
  • Windows Active Directory (AD) secrets
  • SSH/Telnet keys (for UNIX environments)
  • And more

 

Ekran System’s PAM features cover all vital secrets management and privileged access management tasks, including:

 

  • Configuration, encryption, and management of privileged user credentials
  • Secure delivery of secrets
  • Delivery of temporary credentials to specified users or groups
  • Password rotation with manual or automatic generation of new secrets

 

With the help of these features, you can ensure secure and efficient management of the most important secrets used by your organization. And to secure your critical assets from insider threats, you can use Ekran System’s user activity monitoring and identity management capabilities.

 

Learn more about Ekran System’s Privileged Access Management solution

 

Conclusion

 

Secrets management is important for ensuring an organization’s cybersecurity. It covers all processes and tools related to the creation, storage, transmission, and management of digital credentials such as encryption keys, APIs, and passwords.

 

To manage secrets both securely and effectively, organizations should build a core secrets management policy that establishes standard rules and procedures for all phases of a secret’s lifecycle. To avoid human errors, it’s best to deploy a centralized secrets management solution.

 

PAM solutions enriched with secrets management capabilities allow organizations to tackle two main cybersecurity tasks:

 

  • Securely and effectively manage different types of secrets
  • Control, monitor, and audit privileged accounts

 

Ekran System is an all-in-one insider threat protection platform. It offers a large selection of tools and features for effectively managing and protecting privileged accounts and secrets. Start exploring the capabilities of Ekran with a 30-day trial.

Rating: 
Average: 4.2 (5 votes)