DevOps | Posted by George Wainblat | May 4, 2020

Secrets Management for DevOps: Best Practices

The Current State of Secrets Sprawl Leads to Inefficiency

The combination of proliferation and decentralization of secrets, familiar to any DevOps team, creates an operational burden, not to say a nightmare. Having the same passwords embedded in multiple Ansible jobs, in Kubernetes containers, and in the daily batch routine you're coding means that rotating those passwords requires considerable effort, because every copy has to be found and updated.

Since secrets are spread across environments (cloud, on-prem, hybrid) and managed by different administrators in separate tools (islands of secrets) such as Ansible Vault, Docker Secrets and Kubernetes Secrets, to name a few, no unified control plane is available for managing the multiple secrets repositories.

Organizations that operate both a cloud-native environment and classic IT infrastructure end up with duplicated secrets, because each side manages its own copies with its own tools and cloud-native services. Last but definitely not least, there is a security concern: how can cloud-native systems securely access resources that are external to their environment?

8 Things to Look for When Choosing a Secrets Management Solution

  • A single, unified SaaS platform for various use cases
    Support for all types of secrets, machine and human, such as encryption keys, API keys, tokens, passwords, SSH keys, X.509 certificates and signing keys
  • Works in hybrid, multi-cloud, multi-region environments
    Allows seamless cross-platform, cross-environment workflows to remove the 'walled garden' operational block
  • Plugins for every DevOps tool
    Common platforms such as Kubernetes, Docker, Jenkins, Terraform, Ansible, and others
  • Works via CLI, UI, REST API and SDK
    Allows authentication via third-party Identity Providers, while cloud workload platforms provision secrets to workloads
  • Solves the Secret-Zero problem
    Provides an inherited identity derived from the parent system (the platform the workload runs on), together with an ephemeral token for continuous authentication, so no initial static credential has to be baked into the workload
  • Visibility into who accesses what secret, when and where
    A robust analytics dashboard producing real-time audit logs for individual accountability
  • Enforced least privilege for both machines and humans
    Both users and applications are granted access on a need-to-know, just-in-time basis: specified access for a specified duration
  • A solution that supports your future scale
    As your operation expands to more environments and regions, scalable integration capabilities with support for a wide variety of plugins
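The Secret-Zero and least-privilege items above describe one flow: a workload proves who it is with an identity its parent platform already gave it, exchanges that for a short-lived token, and can then read only the secrets its role is bound to, with every access audited. The following is an added illustration of that flow, not Akeyless code or any product's API; the platform signing key, the role table and the secret paths are constructed for the demo, and a symmetric HMAC stands in for whatever signature scheme a real orchestrator uses.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed: key shared by the orchestrator (issuer) and the vault (verifier).
PLATFORM_KEY = b"constructed-platform-signing-key"

def platform_issue_identity(workload: str, namespace: str) -> str:
    """Stand-in for the parent platform signing a workload's identity."""
    claims = json.dumps({"sub": workload, "ns": namespace}, sort_keys=True).encode()
    sig = hmac.new(PLATFORM_KEY, claims, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(claims).decode() + "." + sig

class Vault:
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock, so expiry is testable
        self.secrets = {"db/prod/password": "s3cr3t", "payments/api-key": "pk_live_x"}
        # Least privilege: each (namespace, workload) role lists the paths it may read.
        self.roles = {("ns-a", "billing-batch"): {"db/prod/password"}}
        self.tokens = {}                    # ephemeral token -> (role, expiry)
        self.audit = []                     # (role, path, allowed, timestamp)

    def auth(self, identity: str, ttl: int = 300) -> str:
        """Exchange a platform-issued identity for a short-lived vault token."""
        enc, sig = identity.rsplit(".", 1)
        claims = base64.urlsafe_b64decode(enc)
        expected = hmac.new(PLATFORM_KEY, claims, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("identity not issued by the platform")
        c = json.loads(claims)
        role = (c["ns"], c["sub"])
        if role not in self.roles:
            raise PermissionError("no role bound to this identity")
        tok = secrets.token_urlsafe(32)     # never stored in the workload's config
        self.tokens[tok] = (role, self.now() + ttl)
        return tok

    def get(self, tok: str, path: str) -> str:
        """Return a secret only for a live token whose role is bound to the path."""
        role, exp = self.tokens.get(tok, (None, 0))
        allowed = role is not None and self.now() < exp and path in self.roles[role]
        self.audit.append((role, path, allowed, self.now()))   # who, what, when
        if not allowed:
            raise PermissionError(f"denied: {path}")
        return self.secrets[path]
```

The workload never holds a long-lived credential: its only input is the identity the platform issued, and the token it receives expires on its own.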

Existing Secret Management Solutions

On-prem: Thycotic Secret Server, Hashicorp Vault, CyberArk Conjur

With on-prem solutions, the burden of deployment and ongoing operations falls on the user. Some of these secrets management solutions are OSS tools that integrate with only a limited number of platforms and require a great deal of effort to support future scale. Additionally, on-prem solutions cover a small number of use cases. Lastly, there is no support unless you opt for a pricey enterprise edition.

SaaS: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager

With CSP-based solutions there isn't solid support for multi-cloud and hybrid environments, not to mention multi-region, which requires the user to replicate objects, secrets and keys. Additionally, there is a significant lack of support for integration with third-party platforms, such as identity providers and container platforms. Last, there is no solution for the problem of workload identification beyond the specific environment of the CSP.

Akeyless Vault: The Secrets Management Solution Tailored for DevOps

We are changing the secrets management game by offering unified management across hybrid and multi-cloud environments that supports workflows and future scale.

To see Akeyless in action, Schedule a Demo!