Posted by Joyce Ling
June 20, 2023
In the digital realm, secrets management best practices help you navigate the task of safeguarding sensitive data like passwords, tokens, and API keys. To help make this easier, we’ve compiled a comprehensive guide.
Strengthen Security with Encryption
The first cornerstone of secrets management best practices is effective encryption. In 2021, nearly two-thirds of companies have 1,000 sensitive files and folders unencrypted and open to all their employees (2021 Data Risk Report, Varonis).
What is Encryption?
Encryption is the process of converting plaintext data into an unreadable format (known as ciphertext) to prevent unauthorized access. This process uses an algorithm and a secret key, and the ciphertext can be converted back into its original plaintext form—a process known as decryption—only by those who have the key.
Encryption can act as a shield against unauthorized access. To ensure the highest level of security, it’s advisable to use recognized industry standards such as AES-256 or RSA-2048 encryption. These standards have been meticulously developed to protect the integrity of your data.
Encryption Best Practices
Yet, encryption goes beyond transforming data; it also involves the careful management of encryption keys. It’s crucial to be mindful of which platforms have access to these keys. For instance, if you’re storing keys in cloud providers like Azure Key Vault or AWS KMS, be aware that you are sharing key ownership with these providers.
Moreover, when considering encryption solutions, it’s important to look for those validated by reputable standards like NIST FIPS 140-2. This standard is employed by the U.S. and Canadian governments to assess the effectiveness of cryptographic hardware.
Finally, to maintain robust security, it’s vital to ensure your data is encrypted both at rest and in transit. This ensures that your secrets are protected regardless of their state or location.
Control Access for Enhanced Security
An integral part of secrets management best practices involves controlling who can access what secrets. According to the 2022 Verizon Data Breach Investigations Report, the vast majority of incidents involving Web applications are using stolen credentials.
Because credentials play such a large role in security incidents and breaches, it’s important to limit access to processes and secrets to those who need them, especially when it comes to sensitive resources. This is where the principle of least privilege comes into play. By granting individuals only the minimum levels of access necessary for their job, you can mitigate the risk of unauthorized access or misuse of sensitive data.
Access control can be further strengthened through role-based access control (RBAC). This approach assigns access rights based on roles within the organization, making it easier to manage and monitor access to sensitive information.
Moreover, maintaining zero standing privileges, meaning no employee has access to a resource or secret all the time, can enhance your security posture.
In general, using a centralized platform for access control can be beneficial in reducing security risks around access. Centralized platforms not only help you implement RBAC and least privilege principles, they also help you track and revoke access privileges in the case of incidents.
Secure Storage: Safeguard Your Secrets
The way you store your secrets is as critical as how you control access to them. There are often three main choices when it comes to storing your secrets:
- Hardware Security Modules (HSMs)
- On-premise Secrets Management
- SaaS Secrets Management
While HSMs are considered the gold standard of protection, they can be quite complex to maintain and configure. When handling complex hardware like Hardware Security Modules (HSMs), it’s crucial to maintain consistent configuration standards. This can help prevent vulnerabilities due to misconfiguration.
Another popular choice for storing secrets is on-premise secrets management. With on-premise solutions, be mindful of the complexity of deployment. On-premises solutions can require multiple deployments for different regions and business units, as well as in-house support. On-premise deployment can lead to increased investment, cost, and vendor lock-in.
Lastly, there are SaaS secrets management platforms. Often, these platforms are very easy to deploy and scale. However, it’s important to work with a SaaS platform with robust security measures. Because of the less secure nature of SaaS, it’s important to work with platforms that ensure Zero Knowledge, assuring that only you have ownership and access to your own secrets and that the SaaS vendor cannot decrypt them.
Ensure High Availability and Disaster Recovery
A critical aspect of secrets management best practices is ensuring that your secrets are always accessible and protected, even in the face of unexpected events. One way to do this is by caching your secrets to maintain access during connectivity issues with your secrets provider. In addition, periodically backing up secrets locally can help recover data lost during disasters.
Finally, your secrets should be available at all times. For SaaS platforms, ensure that 24/7 support is available, and the Service Level Agreement (SLA) guarantees a quick recovery time from operational failure or system compromise. For on-premise systems, make sure staff is always available to respond to system failures.
Go Beyond Static Secrets
In addition to these practices, it is advisable to safeguard your secrets from hacks by using rotated and dynamic secrets. Unlike static secrets that stay the same for a long time, these change regularly, making it harder for unauthorized people to gain access.
Rotated secrets are replaced or ‘rotated’ every set period of time. Just like how you might change the locks at your home regularly for safety, rotating secrets keeps digital ‘locks’ fresh and harder to crack. They are especially useful for compliance needs and for long-standing accounts where static secrets could become vulnerable over time.
On the other hand, dynamic secrets are like temporary passwords that expire after a set period of time. Think of them as hotel guest keys that stop working after the guest has left. These are best for temporary accounts and for granting highly sensitive access. Because they expire quickly, even if someone unauthorized gets a hold of them, they won’t be able to use them for long.
By using rotated and dynamic secrets, you can add an extra layer of much-needed protection to your sensitive information, making it even more difficult for unauthorized access.
Secrets Management in Hybrid Environments
Securing and rotating both cloud and on-premise secrets is critical for your security. Operating in both these environments has become a common practice in modern businesses, and it’s important to have visibility and control of secrets across your entire organization. Ensure that your secrets management initiative includes all secrets in your organization, across environments.
It’s also important to implement best practices consistently across hybrid environments—for example, by ensuring you can create and maintain both dynamic and rotated secrets no matter where they exist.
Mastering Secrets Management Best Practices
Mastering secrets management best practices involves a multi-faceted approach, encompassing robust encryption, stringent access control, secure storage, and measures for high availability and disaster recovery. With these best practices and the right secrets management system, you and your team can rise to the challenge.
Save these best practices for later 👇 (Right click, “Save Image As…”)
Let Akeyless do the heavy lifting—learn more about how to make secrets management best practices easier today.
DevOps InfoSecLearn why secret rotation is crucial, the challenges faced, and best practices for both manual and automated rotations.
What is Just In Time (JIT) Access Management?Explore the transformative power of Just in Time (JIT) Access Management in enhancing cybersecurity and streamlining operations. Learn its types, benefits, and best practices.
Why Open Source Based Vaults Will Be Left BehindThe origins of Vaultless™ Secrets Management and why Vaults based on legacy open-source code are being left behind.