Big problems tend to start off small. As your IT infrastructure expands, so does the number of secrets - passwords, encryption keys, certificates, and other credentials - required by both users and applications (machines) to access sensitive data and business critical systems. The problems start when management of these important secrets gets out of control to the point where an organization loses the ability to effectively prove mandatory compliance controls related to segregation of duties and enforce organizational security policies. This is what is known as secrets sprawl, and it can quickly take on a life of its own and increase the risk of account compromise if the root cause is not dealt with immediately.
But tackling this issue and creating an effective secrets management strategy requires more than just early planning.
Here are four ways that organizations can take a holistic approach to reducing secrets sprawl:
1. Simplify security – Developers, like end users, will opt to take the most efficient route to finish their task. It’s incumbent upon security to make the easiest path the most secure and take the secrets management responsibility off the developer. Making security too cumbersome will drive developers to make localized development choices rather than aligning with a shared security goal.
Offering secrets management as a self-service with a simple workflow is a great way to do this – the secret is delivered while maintaining centralized controls and audit. Security teams also need to ensure that they don’t implement a workflow too late in the development process, which can delay a project.
2. Prioritize risk correctly – Enterprises may feel overwhelmed because they believe they need to begin securing all their applications at the same time. Rather, organizations should prioritize the applications that are most critical to their business and most at risk. To do this, security teams must have visibility into the most vulnerable applications, for instance, those that could have exposed secrets embedded in their source code.
3. Secure both non-human and human identities – Most organizations know the importance of securing IT administrator credentials. What may be less obvious, but just as important, is securing the hundreds or even thousands of secrets utilized for containers and apps doing the work in the background. To have a comprehensive Identity Security program, both human and machine identities should be managed, monitored and controlled.
4. Automate security - The same automation inherent in DevOps tools should be applied to the management of their secrets. This minimizes human interaction and manual intervention, in turn reducing administration overhead and errors. In addition, credentials should be automatically rotated the moment a security breach is identified, reducing the impact of a stolen secret and preventing attackers from gaining access to DevOps tools and access keys.
To learn how secrets management can reduce IT risk, download a complimentary copy of the 2021 Gartner Critical Capabilities for Privileged Access Management report.1
By Kurt Sand, General Manager, DevOps Security at CyberArk
1- Gartner, 2021 Critical Capabilities for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, Swati Rakheja, 19 July 2021
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.