DevOps | Posted by Jeremy Hess | March 8, 2021

8 Best Practices for Secrets Management in DevOps

The Current State of Secrets Sprawl Leads to Inefficiency

The combination of proliferation and decentralization of secrets, familiar to any DevOps team, creates an operational burden, if not a nightmare. When the same password is embedded in multiple Ansible jobs, in your Kubernetes containers, and in the daily batch routine you’re coding, rotating that password requires considerable effort, because every copy has to be found and updated.

Static secrets are scattered across environments (cloud, on-prem, hybrid) and managed by different administrators with different tools, such as Ansible Secrets, Docker Secrets and Kubernetes Secrets, to name a few. The result is islands of secrets, with no unified platform available for managing these multiple secrets repositories.

For organizations that operate in both a cloud-native environment and classic IT infrastructure, secrets end up duplicated, because each side manages its own copies with its own tools and cloud-native solutions. Last but definitely not least, there is a security concern: how can cloud-native systems securely access resources that are external to their environment?

8 Best Practices to Look for in a Secrets Management Solution

  1. A single, unified SaaS platform for various use cases
    A best-in-class secrets management solution will support both static and dynamic secrets that can be used for machine-to-machine and human-to-machine access. These different types of secrets include encryption keys, API keys, tokens, passwords, SSH certificates, X.509 certificates, signing keys, and more.

  2. Works in hybrid, multi-cloud, multi-region environments
    The right platform should allow seamless cross-platform, cross-environment workflows to solve the ‘walled garden’ issue that can be problematic for enterprises using only a native cloud platform tool. Top solutions should be completely agnostic and work in both cloud and legacy IT environments.

  3. Plugins for every DevOps tool
    This almost goes without saying, but I will say it anyway: at a minimum, you need integrations with the most common DevOps platforms and tools, such as Kubernetes, Docker, Jenkins, Terraform, Ansible, and others. If not, DevOps teams will not even consider your product.

  4. Works via CLI, UI, REST API, SDK
    The secrets manager in question must allow authentication via third-party Identity Providers, both for human users and machines. There should also be options to use the tool via command line, a decent UI, REST API, and have SDKs for the major languages.

  5. Solves the Secret-Zero problem
    To use the platform securely, the initial credential a workload needs, the "secret zero", should be provided as an ephemeral token tied to continuous authentication with the parent machine, so that a long-lived initial secret cannot be compromised.

  6. Visibility into who accesses what secret, when and where
    An enterprise-grade secrets management platform must provide robust analytics dashboards and have the ability to create real-time audit logs of every action for individual accountability.

  7. Enforced least privileges for both machines and humans
    Both users and applications are granted access on a need-to-know, just-in-time basis: access to a specific application, for a specified duration.

  8. A solution that supports your future scale
    As your operation expands to more environments and regions, scalable integration capabilities, with support for a wide variety of plugins, are essential. You need to be able to grow at cloud scale.

Existing Secret Management Solutions

Let's discuss some of the secret managers and tools that have these capabilities, and what the pros and cons are of each.

On-prem: Thycotic Secret Server, Hashicorp Vault, CyberArk Conjur

With on-prem solutions, the burden of deployment and ongoing operations falls on the user, since some of these secrets management solutions are OSS tools that integrate with only a limited number of platforms and require a great deal of effort to support future scale. Additionally, on-prem solutions cover a small number of use cases. Lastly, there is no vendor support unless you opt for an expensive enterprise edition.

SaaS: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager

With CSP-based solutions there isn’t solid support for multi-cloud and hybrid environments, not to mention multi-region deployments, which require the ability for users to replicate objects, secrets, and keys. Additionally, there is a significant lack of support for integration with third-party platforms, such as identity providers and container platforms. Finally, there is no solution for identifying workloads beyond the specific environment of the cloud service provider.

Akeyless Vault - The Secrets Management Solution Tailored for DevOps

We are changing the secrets management game by offering unified management across hybrid and multi-cloud environments that supports workflows and future scale.

Want to learn more about our secrets management platform?
Schedule a demo of Akeyless today!
