
Secret Sprawl

DevSec professionals already know the importance of secrets: the credentials that let users, services, and machines authenticate to the systems and data their workflows depend on. Identity and Access Management is already a staple of modern cybersecurity, but what about the less-discussed problem of secret sprawl?

Secrets come in the form of usernames and passwords, API keys, SSH keys and certificates, the private keys behind SSL/TLS certificates, and many other forms. It is not surprising, then, that management fears secrets landing in the wrong hands. A malicious third party who steals a secret inherits whatever access its legitimate holder had, and can reach your business’s sensitive resources without ever breaking in.

What Is Secret Sprawl?

Secret sprawl occurs whenever an organization’s secrets become too heavily distributed throughout the company. Because software development and other business operations require that secrets be shared among multiple entities (such as between developers and applications), the result is many secrets being littered everywhere with little control of their whereabouts.

Secrets get pasted into Slack messages and emails, committed to source repositories, and left in configuration files scattered across many servers.

Why Is Sprawl an Issue?

Sprawling secrets enlarge the attack surface, the set of points where an unauthorized party could gain a foothold. Every hidden, undocumented secret is one that nobody rotates, monitors, or revokes, and an attacker who obtains a single credential can use it to harvest others (a database password in a config file, a cloud key in a build log) and move laterally without management ever knowing.

Even private internal systems are not a safe home for sensitive information when it sits in a plain-text file; nobody would accept that for credit card data. The same standard should hold for secrets, which need equally strong protection.

How Common Is Secret Sprawl?

Secrets management can be a tricky task. Secrets themselves must be kept secure, but they also must be distributed widely throughout the business to be used. Teams everywhere need them to access the resources and data they need to work.

The implication is that secret sprawl is often unavoidable and requires proper security practices to mitigate. Software development is a hotbed for sprawl due to short release cycles, constantly changing development teams, and collaboration among groups in different regions.

Further complicating the issue is the use of version control systems, which keep a history of every change to the code. A secret that was committed once remains in that history even after you remove it from the current source, and anyone who can clone the repository can recover it. Deleting the line is not remediation: the old value must be treated as exposed and rotated, and the history rewritten if the repository is to be safely shared.
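To make the point concrete, here is an added example (not code from the original article) that scans a `git log -p` dump for credentials and reports which ones were later deleted from the tree yet still sit in history. The history text is constructed, the commit hashes are fake, and the credential values are AWS’s published placeholder examples rather than live keys. The detection rules (an AWS access key ID prefix, a PEM private-key header, and a secret-looking assignment confirmed by Shannon entropy) are the kind of rules real scanners use, simplified for illustration.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample shaped like `git log -p --reverse`. The hashes are fake and the
# credential values are AWS's documented placeholders, not live keys. The second
# commit "removes" the keys from config.py, but the first commit still carries them.
SAMPLE_HISTORY = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>

    add deploy config

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+REGION = "us-east-1"

commit 2222222222222222222222222222222222222222
Author: dev <dev@example.com>

    remove hard-coded credentials

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+import os
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
 REGION = "us-east-1"
"""


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    rule: str
    value: str


# Ordered rules; the first one that fires on a line wins, so each line yields one finding.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    # A secret-looking variable name assigned a quoted literal; confirmed by entropy below.
    ("high-entropy-assignment", re.compile(
        r"(?i)(?:secret|token|passw(?:or)?d|api_?key|access_?key)\w*\s*[:=]\s*[\"']([^\"']{16,})[\"']")),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; tune against your own code base


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(line: str):
    """Return (rule, value) for the first rule the line triggers, or None."""
    for name, pattern in RULES:
        m = pattern.search(line)
        if not m:
            continue
        value = m.group(1)
        if name == "high-entropy-assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue  # low-entropy literal such as a placeholder or an enum name
        return name, value
    return None


def scan_history(log_text: str):
    """Walk a `git log -p` dump. Returns (findings, leaked): every secret ever added,
    and the subset later deleted from the tree yet still recoverable from history."""
    findings, removed = [], set()
    commit = path = None
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
        elif raw.startswith("+++ b/"):
            path = raw[len("+++ b/"):]
        elif raw.startswith("+++ ") or raw.startswith("--- "):
            continue  # other diff file headers
        elif raw.startswith("+"):
            hit = classify(raw[1:])
            if hit:
                findings.append(Finding(commit, path, *hit))
        elif raw.startswith("-"):
            hit = classify(raw[1:])
            if hit:
                removed.add(hit[1])
    leaked = [f for f in findings if f.value in removed]
    return findings, leaked


if __name__ == "__main__":
    found, leaked = scan_history(SAMPLE_HISTORY)
    for f in leaked:
        print(f"{f.rule}: {f.value[:8]}... introduced in {f.commit[:7]} ({f.path}); "
              "gone from HEAD but still in history: rotate it, then rewrite history")
```

Run against a real repository with `git log -p --reverse | python scan.py` after swapping the constructed sample for `sys.stdin.read()`. Anything the `leaked` list reports has already been exposed to everyone with clone access, which is why rotation comes before history rewriting.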

The Challenges of Secret Sprawl

In addition to raising the potential for data breaches, secret sprawl generates a variety of headaches for management and IT professionals.

  • It’s incredibly difficult to keep track of everything when secrets can hide in source code, in GitHub repos, or anywhere else. Not having visibility means not having control.
  • The third-party services and tools you use might not have secrets management built in either, so controlling secrets inside those applications is difficult as well. A general-purpose file-sharing service such as Dropbox, for instance, may not give you the audit trail that secrets require.
  • Sprawl makes it challenging to respond properly in the event of a cybersecurity incident. If a credential is stolen, how do you determine where it came from, who else has used it, and what needs to be rotated?
  • Scaling business operations in the long-term cannot be done easily without addressing secret sprawl. The issue will eventually become a significant obstacle that you cannot ignore when scaling up infrastructure.

Businesses must address secret sprawl before it gets out of hand. Let’s go into some best practices to eliminate secret sprawl.

What’s the Solution?

Secret sprawl results in a lack of visibility and control in an organization. DevOps teams will have little to work with in the event of a cybersecurity incident, so secrets management must address the issue beforehand.

The best weapon you can have against it is centralization. Keeping all your secrets in a single place lets you control, audit, and protect them consistently. With a root of trust, a single master key that protects the vault’s contents (ideally held in a hardware security module), the central authority encrypts everything and releases a secret only to an identity that has authenticated and is authorized to read it. The vault then becomes a high-value target in its own right, so it needs the strongest access controls, monitoring, and backups in the environment.

Having a DevOps secrets vault helps, but it’s also worth investing in access control tools. These grant access only when it is needed, for a limited time, and record every session they grant; short-lived credentials shrink the window in which a stolen secret is useful. In the event of a breach, the audit logs tell you who accessed which secret, when, and for how long, which is exactly the visibility that sprawl takes away.
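The following added example (not code from the original article or from any vendor’s product) models the mechanics described above as a toy broker: one authority holds the secrets, a least-privilege policy decides who may read which path, access is granted as a lease that expires, every decision is appended to an audit trail, and a compromised identity can have all of its leases revoked at once. The identities, paths, policy, and injectable clock are made up for the demonstration; a real vault would also encrypt the stored values under a master key.

```python
import itertools
from dataclasses import dataclass


class FakeClock:
    """Injectable clock so the example is deterministic; use time.time in practice."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass
class Lease:
    lease_id: int
    identity: str
    path: str
    expires_at: float
    revoked: bool = False


class SecretBroker:
    """One authority for all secrets: check policy, grant a time-boxed lease, log every decision."""

    def __init__(self, policies: dict, clock):
        self._secrets = {}         # path -> value; a real vault keeps these encrypted under a master key
        self._policies = policies  # identity -> set of paths it may read (least privilege)
        self._leases = {}          # lease_id -> Lease
        self._ids = itertools.count(1)
        self.clock = clock
        self.audit = []            # append-only record; what you consult after an incident

    def store(self, path: str, value: str) -> None:
        self._secrets[path] = value

    def _log(self, **event) -> None:
        event["time"] = self.clock()
        self.audit.append(event)

    def issue(self, identity: str, path: str, ttl: float) -> int:
        """Grant a lease if policy allows; denied requests are logged as well."""
        if path not in self._policies.get(identity, set()) or path not in self._secrets:
            self._log(action="issue", identity=identity, path=path, outcome="denied")
            raise PermissionError(f"{identity} may not read {path}")
        lease = Lease(next(self._ids), identity, path, self.clock() + ttl)
        self._leases[lease.lease_id] = lease
        self._log(action="issue", identity=identity, path=path, outcome="granted",
                  lease_id=lease.lease_id, expires_at=lease.expires_at)
        return lease.lease_id

    def _live(self, lease: Lease) -> bool:
        return not lease.revoked and self.clock() < lease.expires_at

    def read(self, lease_id: int) -> str:
        """Release the secret only while the lease is live."""
        lease = self._leases.get(lease_id)
        if lease is None or not self._live(lease):
            self._log(action="read", lease_id=lease_id, outcome="denied")
            raise PermissionError(f"lease {lease_id} is missing, expired, or revoked")
        self._log(action="read", identity=lease.identity, path=lease.path,
                  lease_id=lease_id, outcome="granted")
        return self._secrets[lease.path]

    def revoke_identity(self, identity: str) -> int:
        """Incident response: cut off every live lease held by a compromised identity."""
        count = 0
        for lease in self._leases.values():
            if lease.identity == identity and self._live(lease):
                lease.revoked = True
                count += 1
        self._log(action="revoke", identity=identity, outcome="granted", leases=count)
        return count

    def active_leases(self):
        """Who holds access right now, and for how many more seconds."""
        return [(l.identity, l.path, l.expires_at - self.clock())
                for l in self._leases.values() if self._live(l)]

    def accessors(self, path: str):
        """Every identity ever granted a lease on this path, reconstructed from the audit trail."""
        return sorted({e["identity"] for e in self.audit
                       if e["action"] == "issue" and e["outcome"] == "granted" and e["path"] == path})


if __name__ == "__main__":
    clock = FakeClock()
    broker = SecretBroker({"ci-runner": {"db/prod/password"}}, clock)
    broker.store("db/prod/password", "constructed-example-value")
    lease_id = broker.issue("ci-runner", "db/prod/password", ttl=300)
    print("read:", broker.read(lease_id))
    clock.t = 301
    print("live leases after expiry:", broker.active_leases())
    for event in broker.audit:
        print(event)
```

The point of the design is that the questions sprawl makes unanswerable (who holds this secret, since when, until when, and who else ever had it) each become a single query against state the broker owns, and revoking an identity is one call rather than a hunt across servers and repositories.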

Controlling secret sprawl in the cloud is easier now thanks to cloud-based enterprise key management systems. As long as you have visibility into every aspect of access control in your business, sprawling secrets will be a far smaller problem than they otherwise would be.