What is secrets management?
- IAM Glossary
- What is secrets management?
Secrets management is the process of organising, managing and securing IT infrastructure secrets. It allows organisations to securely store, transmit and audit secrets. Secrets management protects secrets from unauthorised access and ensures an organisation’s systems function properly. A secrets manager is a secure storage system and single source of truth for privileged credentials, API keys and other highly sensitive information used in IT infrastructures.
Keep reading to learn more about secrets management and what you can do to protect your company's data environment.
What is a secret?
In an IT data environment, secrets are non-human privileged credentials, most often used by systems and applications for authentication or as inputs to a cryptographic algorithm. Secrets allow applications and systems to transmit data and request services with each other. They unlock applications, services and IT resources containing highly sensitive information and privileged systems.
Common types of secrets include:
- Non-human login credentials
- Database connection strings
- Cryptographic keys
- Cloud service access credentials
- Application programming interface (API) keys
- Access tokens
- SSH (Secure Shell) keys
Why is secrets management important?
Secrets management is a cybersecurity best practice for consistently enforcing security policies for non-human authentication credentials—ensuring that only authenticated and authorised entities can access resources containing confidential data and highly sensitive apps and systems. With a secrets management tool, organisations have visibility into where secrets are, who can access them and how they are used.
As organisations grow, IT and DevOps teams encounter a problem called secrets sprawl. This occurs when an organisation has too many secrets to manage, and those secrets become scattered across the entire organisation, and stored in insecure locations with insecure methods. Without a centralised secrets management policy or tool, each team within an organisation will manage their secrets independently which can result in mismanaged secrets. Meanwhile, IT administrators lack centralised visibility, auditability and control over the storage and usage of these secrets.
Secrets management best practices
Because secrets are so numerous – SSH keys alone can number in the thousands for some organisations – using a secrets management solution like Keeper Secrets Manager® is a must. Using a secrets management tool will ensure secrets are stored in one encrypted location, allowing organisations to easily track, access, manage and audit their secrets.
However, a technical tool can only do so much! In addition to implementing a secrets manager, organisations should also follow secrets management best practices.
Manage privileges and authorised users
After centralising and securing your secrets with a secrets management solution, the next step is to ensure that only authorised people and systems can access them. This is accomplished through Role-Based Access Control (RBAC). RBAC defines roles and permissions based on a user’s job function within the organisation to restrict system access to authorised users. RBAC helps prevent unauthorised users from accessing secrets.
Organisations also need to manage the privileges to these secrets due to their access to highly sensitive data. If privileges are mismanaged, organisations are susceptible to privilege misuse in the form of insider threats and lateral movement by cybercriminals within their network. They should implement least-privilege access – a cybersecurity concept that grants users and systems just enough access to sensitive resources to do their jobs and no more. The best way to manage privileges and implement least privilege access is with a Privileged Access Management (PAM) tool.
Rotate secrets
Many organisations will use static secrets which allow too many users to access them over time. To prevent secrets from being compromised and misused, organisations should regularly rotate secrets on a predetermined schedule to limit their lifespan. Rotating secrets limits the amount of time a user has access to the secrets, giving them just enough access to do their job. It prevents secrets from accidentally leaking due to negligent or malicious users. Organisations should also protect secrets with strong and unique passwords and multi-factor authentication.
Differentiate between secrets and identifiers
Organisations need to gather every secret within their organisation to ensure they are secure from unauthorised access. However, organisations need to differentiate between secrets and identifiers when gathering secrets.
An identifier is how an Identity Access Management (IAM) system or other entity refers to a digital identity. Usernames and email addresses are common examples of identifiers. Identifiers are often shared freely within and even outside of an organisation. They are used to grant general access to the organisation’s resources and systems.
Secrets, conversely, are highly confidential. If a secret is compromised, threat actors can use it to access highly privileged systems, and the organisation could sustain major or even catastrophic damage. Secrets must be strictly monitored and controlled to prevent unauthorised access to sensitive data and systems.