What is secrets management?

Secrets management is the process of organizing, managing and securing IT infrastructure secrets. It allows organizations to securely store, transmit and audit secrets. Secrets management protects secrets from unauthorized access and ensures an organization’s systems function properly. A secrets manager is a secure storage system and single source of truth for privileged credentials, API keys and other highly sensitive information used in IT infrastructures.

Keep reading to learn more about secrets management and what you can do to protect your company's data environment.

What is a secret?

In an IT data environment, secrets are non-human privileged credentials, most often used by systems and applications for authentication or as inputs to a cryptographic algorithm. Secrets allow applications and systems to transmit data and request services with each other. They unlock applications, services and IT resources containing highly sensitive information and privileged systems.

Common types of secrets include:

Non-human login credentials
Database connection strings
Cryptographic keys
Cloud service access credentials
Application programming interface (API) keys
Access tokens
SSH (Secure Shell) keys

Why is secrets management important?

Secrets management is a cybersecurity best practice for consistently enforcing security policies for non-human authentication credentials—ensuring that only authenticated and authorized entities can access resources containing confidential data and highly sensitive apps and systems. With a secrets management tool, organizations have visibility into where secrets are, who can access them and how they are used.

As organizations grow, IT and DevOps teams encounter a problem called secrets sprawl. This occurs when an organization has too many secrets to manage, and those secrets become scattered across the entire organization, and stored in insecure locations with insecure methods. Without a centralized secrets management policy or tool, each team within an organization will manage their secrets independently which can result in mismanaged secrets. Meanwhile, IT administrators lack centralized visibility, auditability and control over the storage and usage of these secrets.

Secrets management best practices

Because secrets are so numerous – SSH keys alone can number in the thousands for some organizations – using a secrets management solution like Keeper Secrets Manager^® is a must. Using a secrets management tool will ensure secrets are stored in one encrypted location, allowing organizations to easily track, access, manage and audit their secrets.

However, a technical tool can only do so much! In addition to implementing a secrets manager, organizations should also follow secrets management best practices.

Manage privileges and authorized users

After centralizing and securing your secrets with a secrets management solution, the next step is to ensure that only authorized people and systems can access them. This is accomplished through Role-Based Access Control (RBAC). RBAC defines roles and permissions based on a user’s job function within the organization to restrict system access to authorized users. RBAC helps prevent unauthorized users from accessing secrets.

Organizations also need to manage the privileges to these secrets due to their access to highly sensitive data. If privileges are mismanaged, organizations are susceptible to privilege misuse in the form of insider threats and lateral movement by cybercriminals within their network. They should implement least-privilege access – a cybersecurity concept that grants users and systems just enough access to sensitive resources to do their jobs and no more. The best way to manage privileges and implement least privilege access is with a Privileged Access Management (PAM) tool.

Rotate secrets

Many organizations will use static secrets which allow too many users to access them over time. To prevent secrets from being compromised and misused, organizations should regularly rotate secrets on a predetermined schedule to limit their lifespan. Rotating secrets limits the amount of time a user has access to the secrets, giving them just enough access to do their job. It prevents secrets from accidentally leaking due to negligent or malicious users. Organizations should also protect secrets with strong and unique passwords and multi-factor authentication.

Differentiate between secrets and identifiers

Organizations need to gather every secret within their organization to ensure they are secure from unauthorized access. However, organizations need to differentiate between secrets and identifiers when gathering secrets.

An identifier is how an Identity Access Management (IAM) system or other entity refers to a digital identity. Usernames and email addresses are common examples of identifiers. Identifiers are often shared freely within and even outside of an organization. They are used to grant general access to the organization’s resources and systems.

Secrets, conversely, are highly confidential. If a secret is compromised, threat actors can use it to access highly privileged systems, and the organization could sustain major or even catastrophic damage. Secrets must be strictly monitored and controlled to prevent unauthorized access to sensitive data and systems.