Best Practices & Solutions for Secrets Management
As noted above, manual secrets management suffers from many shortcomings. Siloes and manual processes are frequently in conflict with “good” security practices, so the more comprehensive and automated a solution the better.
While there are many tools that manage some secrets, most tools are designed specifically for one platform (i.e. Docker), or a small subset of platforms. Then, there are application password management tools that can broadly manage application passwords, eliminate hardcoded and default passwords, and manage secrets for scripts.
While application password management is an improvement over manual management processes and standalone tools with limited use cases, IT security will benefit from a more holistic approach to manage passwords, keys, and other secrets throughout the enterprise.
Some secrets management or enterprise privileged credential management/privileged password management solutions go beyond just managing privileged user accounts, to manage all kinds of secrets—applications, SSH keys, services scripts, etc. These solutions can reduce risks by identifying, securely storing, and centrally managing every credential that grants an elevated level of access to IT systems, scripts, files, code, applications, etc.
In some cases, these holistic secrets management solutions are also integrated within privileged access management (PAM) platforms, which can layer on privileged security controls. Leveraging a PAM platform, for instance, you could provide and manage unique authentication to all privileged users, applications, machines, scripts, and processes, across your entire environment.
While holistic and broad secrets management coverage is best, regardless of your solution(s) for managing secrets, here are 7 best practices you should focus on addressing:
Discover/identify all types of passwords: Keys and other secrets across your entire IT environment and bring them under centralized management. Continuously discover and onboard new secrets as they are created.
Eliminate hardcoded/embedded secrets: In DevOps tool configurations, build scripts, code files, test builds, production builds, applications, and more. Bring hardcoded credentials under management, such as by using API calls, and enforce password security best practices. Eliminating hardcoded and default passwords effectively removes dangerous backdoors to your environment.
Enforce password security best practices: Including password length, complexity, uniqueness expiration, rotation, and more across all types of passwords. Secrets, if possible, should never be shared. If a secret is shared, it should be immediately changed. Secrets to more sensitive tools and systems should have more rigorous security parameters, such as one-time passwords, and rotation after each use.
Apply privileged session monitoring to log, audit, and monitor: All privileged sessions (for accounts, users, scripts, automation tools, etc.) to improve oversight and accountability. This can also entail capturing keystrokes and screens (allowing for live view and playback). Some enterprise privilege session management solutions also enable IT teams to pinpoint suspicious session activity in-progress, and pause, lock, or terminate the session until the activity can be adequately evaluated.
Extend secrets management to third-parties: Ensure partners and vendors conform to best practices in using and managing secrets.
Threat analytics: Continuously analyze secrets usage to detect anomalies and potential threats. The more integrated and centralized your secrets management, the better you will be able to report on accounts, keys applications, containers, and systems exposed to risk.
DevSecOps: With the speed and scale of DevOps, it’s crucial to build security into both the culture and the DevOps lifecycle (from inception, design, build, test, release, support, maintenance). Embracing a DevSecOps culture means that everyone shares responsibility for DevOps security, helping ensure accountability and alignment across teams. In practice, this should entail ensuring secrets management best practices are in place and that code does not contain embedded passwords in it.
By layering on other security best practices, including the principle of least privilege (PoLP) and separation of privilege, you can help ensure that users and applications have access and privileges restricted precisely to what they need and is authorized. Restriction and separation of privileges help reduce privileged access sprawl and condense the attack surface, such as by limiting lateral movement in the event of a compromise.
The right secrets management policies, buttressed by effective processes and tools, can make it much easier to manage, transmit, and secure secrets and other privileged information. By applying the 7 best practices in secrets management, you can not only support DevOps security, but tighter security across the enterprise.