Secrets Management 101s

Introduction to Secrets Management

  • Secrets include API keys, database credentials, IAM permissions, SSH keys, and certificates: anything that grants access and would let an attacker impersonate a user or service if exposed.
  • Many organizations still have secrets hardcoded in plaintext in source code or configuration files, where they end up in version control history, build artifacts, and logs that far more people can read than intended.

General Secrets Management Strategies

  • High Availability: The secrets store becomes a dependency of every deployment and often of every service start, so choose robust technology that stays up and handles a large volume of requests.
  • Centralize and Standardize: Prefer a single secrets management solution. Where different teams genuinely need different solutions, standardize how applications request and consume secrets so that usability holds up and nobody works around the system.
  • Access Control: Apply the least privilege principle and configure granular access controls, scoping each identity to the specific secrets it needs rather than to the whole store.
  • Automate Secrets Management: Limit human interaction with secrets, since every manual copy, paste, or ticket is an opportunity for leakage and human error.
  • Handling Secrets in Memory: Keep secrets in memory only for as long as they are needed, avoid copying them into long-lived strings, log messages, or exception text, and limit which processes and users can read the memory space.
  • Auditing: Record who or what accessed which secret and when. Make sure audit records have correct timestamps, and monitor for clock skew and manual time adjustments, since these undermine the ability to reconstruct an incident.
  • Secret Lifecycle Management: Cover secure creation (generated by a CSPRNG, not typed by a person), regular rotation, secure revocation, and an expiration on every secret so that a forgotten one stops working on its own.
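The memory-handling and lifecycle points above can be made concrete in code. The following is an added example written for this page, not code from the original post or from any secrets management product: a small Secret holder that keeps the value in a mutable buffer, refuses to print it, expires it, and wipes it on rotation. The class name, its methods, and the injectable now clock are assumptions made for the illustration.

```python
import secrets
import time
from contextlib import contextmanager


class Secret:
    """In-memory holder for a secret value with an expiry and an explicit wipe.

    Hypothetical helper written for this page (not from any library). The value is
    kept in a bytearray so it can be overwritten in place, and the buffer is handed
    out only inside a short-lived `with` block.
    """

    def __init__(self, value: bytes, ttl_seconds: float, now=time.time):
        self._buf = bytearray(value)   # mutable, so it can be zeroed later
        self._now = now                # injectable clock (assumption, used for testing)
        self.created_at = now()
        self.expires_at = self.created_at + ttl_seconds
        self.wiped = False

    @classmethod
    def generate(cls, ttl_seconds: float, nbytes: int = 32, now=time.time):
        """Secure creation: a fresh random value from the OS CSPRNG, never typed by a person."""
        return cls(secrets.token_bytes(nbytes), ttl_seconds, now)

    def __repr__(self) -> str:
        # Keeps the value out of logs, tracebacks and f-strings that include the object.
        return "Secret(<redacted>)"

    __str__ = __repr__

    def is_expired(self) -> bool:
        return self._now() >= self.expires_at

    @contextmanager
    def expose(self):
        """Yield the raw buffer for the duration of a `with` block and nothing longer."""
        if self.wiped:
            raise RuntimeError("secret has been wiped")
        if self.is_expired():
            raise RuntimeError("secret expired; rotate before use")
        yield self._buf   # callers must not copy this into a str/bytes that outlives the block

    def wipe(self) -> None:
        """Client-side revocation: overwrite the buffer with zeros, then refuse further use."""
        self._buf[:] = bytes(len(self._buf))   # bytes(n) is n zero bytes
        self.wiped = True

    def rotate(self, new_value: bytes, ttl_seconds: float) -> "Secret":
        """Return a replacement holder and wipe this one so the old value does not linger."""
        replacement = Secret(new_value, ttl_seconds, self._now)
        self.wipe()
        return replacement
```

Python gives no guarantee that every copy of a value is erased (the interpreter may have copied it during a conversion, and the page can be swapped to disk), so treat the wipe as a best effort that shortens the exposure window rather than a hard boundary; stronger guarantees need a language with control over allocation or a platform facility such as mlock.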

Continuous Integration (CI) and Continuous Deployment (CD)

  • Hardening the CI/CD Pipeline: Store secrets securely rather than in pipeline definitions or repository variables, and give the CI/CD tooling its own designated service accounts with the minimum access each job needs.
  • Secret Storage and Access: Three models are common. The CI/CD system fetches secrets from the management system at run time; the CI/CD system never touches the secret at all and the deployed application fetches it itself; or a short-lived secret is created dynamically for the duration of the pipeline run and revoked afterwards.
  • Logging and Accounting: Log every action in the CI/CD tools, make sure secret values themselves are masked in job output, and define alerting rules that fire on unexpected secret usage, such as a job reading a secret it never needed before.
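Masking secret values in job output is the logging and accounting point in practice. The example below is added for this page and is not code from the original post or from any CI vendor: it builds a logging filter that redacts the raw value of each known secret, and its base64 form, from every record. The names build_redactor, SecretRedactingFilter, and capture_logs are assumptions made for the illustration, and the log messages are constructed.

```python
import base64
import io
import logging
import re

MASK = "***"


def base64_form(value):
    """The base64 spelling of a secret, a common way it leaks (`echo $TOKEN | base64`)."""
    return base64.b64encode(value.encode()).decode()


def build_redactor(values, min_len=4):
    """Return a function that replaces each secret (raw or base64) with MASK."""
    forms = set()
    for value in values:
        if not value or len(value) < min_len:
            continue   # masking one- or two-character values would shred ordinary text
        forms.add(value)
        forms.add(base64_form(value))
    if not forms:
        return lambda text: text
    # Longest alternatives first so a secret that is a prefix of another is not left half-masked.
    pattern = re.compile("|".join(re.escape(f) for f in sorted(forms, key=len, reverse=True)))
    return lambda text: pattern.sub(MASK, text)


class SecretRedactingFilter(logging.Filter):
    """Logging filter that scrubs secret values from the message and its string arguments."""

    def __init__(self, values):
        super().__init__()
        self._redact = build_redactor(values)

    def filter(self, record):
        record.msg = self._redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: self._redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(self._redact(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def capture_logs(secret_values, messages):
    """Run constructed (msg, args) pairs through a logger carrying the filter; return the lines."""
    buf = io.StringIO()
    logger = logging.getLogger("ci.redacted")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SecretRedactingFilter(secret_values))
    for msg, args in messages:
        logger.info(msg, *args)
    handler.flush()
    return buf.getvalue().splitlines()
```

This is a last line of defence, not a substitute for keeping secrets out of the build: a value that is URL-encoded, hex-encoded, split across lines, or shorter than min_len passes straight through, and hosted CI masking (for example the ::add-mask:: workflow command on GitHub Actions) has the same blind spots.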

Cloud Providers and Secrets Management

  • Services to Use: Prefer the cloud provider's own secret management service or an established third-party solution such as HashiCorp Vault over a home-grown store.
  • Encryption and IAM: Use client-side or server-side encryption, ideally envelope encryption with a key management service, and manage who may read or update each secret with IAM roles and policies rather than shared credentials.
  • API Limits: Be aware of the provider's API call limits. Fetching a secret on every request, or on every pod start during a large rollout, can exhaust the quota and cause a self-induced denial of service; cache secrets for a bounded time instead.
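A bounded cache in front of the provider's API addresses the API-limit point and keeps rotation working, because the cached value is refreshed once its TTL passes. The example below is added for this page and is not code from the original post or from any cloud SDK: the backend is a constructed stand-in that counts calls and can be told to throttle, and ThrottledError, CachedSecrets, and max_stale_seconds are names assumed for the illustration.

```python
import time
from dataclasses import dataclass


class ThrottledError(Exception):
    """Stands in for the SDK-specific exception a provider raises on rate limiting (assumption)."""


@dataclass
class _Entry:
    value: str
    fetched_at: float


class FakeSecretBackend:
    """Constructed stand-in for a cloud secrets API: counts calls and can be told to throttle."""

    def __init__(self):
        self.values = {}
        self.calls = 0
        self.throttled = False

    def fetch(self, name):
        self.calls += 1
        if self.throttled:
            raise ThrottledError(f"rate limit exceeded fetching {name}")
        return self.values[name]


class CachedSecrets:
    """Cache secrets for ttl_seconds so hot paths do not hit the provider on every call.

    On a throttled refresh, a value up to max_stale_seconds old is served instead of
    failing, which keeps the service up through a quota blip while still bounding how
    long a rotated secret can linger.
    """

    def __init__(self, fetch, ttl_seconds=300.0, max_stale_seconds=3600.0, now=time.time):
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._max_stale = max_stale_seconds
        self._now = now            # injectable clock so the behaviour can be tested
        self._cache = {}

    def get(self, name):
        now = self._now()
        entry = self._cache.get(name)
        if entry is not None and now - entry.fetched_at < self._ttl:
            return entry.value     # fresh: no API call
        try:
            value = self._fetch(name)
        except ThrottledError:
            if entry is not None and now - entry.fetched_at < self._max_stale:
                return entry.value # stale but inside the allowed window
            raise                  # too old to trust: surface the failure
        self._cache[name] = _Entry(value, now)
        return value

    def invalidate(self, name):
        """Drop a cached value, e.g. after an authentication failure that signals early rotation."""
        self._cache.pop(name, None)
```

Serving a stale value when the provider throttles keeps the service running, but keep max_stale_seconds short relative to the rotation period; otherwise a secret that was rotated because it leaked could stay in use long after it should have been gone.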

Containers, Orchestrators, and Implementation Guidance

  • Secrets Injection: Inject secrets as files or directly into memory, or use short-lived side-car containers that fetch them. Avoid environment variables where you can, since they are inherited by child processes and show up in container inspection output and crash dumps.
  • Implementation Guidance: Follow the official documentation for the chosen secrets management system, and make the supported path easy to use so that developers do not fall back on workarounds such as committing secrets.
  • Encryption: Use secure encryption types and be deliberate about where the encryption keys are stored; a secrets store whose key sits next to the data is only a layer of obfuscation.
  • Detection and Incident Response: Scan repositories and pipelines for secrets that have been committed, and have a clear incident response plan for secret exposure: revoke and rotate first, then work out how far the secret travelled.
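The detection point above, and the hardcoded-secret problem named in the introduction, can be approached with a scanner that looks for credential-shaped literals. The following is an added example written for this page, not code from the original post or from any scanning tool: exact patterns for well-known key formats plus an entropy check for generic assignments, run over constructed sample file contents (the AWS values are the placeholder keys from the AWS documentation, not live credentials). The pattern set, the entropy threshold, and the helper names are assumptions made for the illustration.

```python
import math
import re

# Constructed sample file contents for the scanner to run over. The AWS values are the
# well-known placeholder keys from the AWS documentation, not live credentials.
SAMPLE_SOURCE = """\
# config.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "changeme"
session_token = "aaaaaaaaaaaaaaaa"
api_key = os.environ["API_KEY"]
-----BEGIN RSA PRIVATE KEY-----
"""

PATTERNS = {
    # AWS access key IDs have a fixed prefix and length, so they can be matched exactly.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # A quoted literal of 8+ chars assigned to a name that looks like a credential.
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_?key)[a-z0-9_]*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that match the generic pattern but are clearly not real secrets (assumed list).
PLACEHOLDERS = {"changeme", "password", "replace_me", "your_secret_here", "xxxxxxxx"}


def shannon_entropy(text):
    """Bits per character; random-looking credentials score high, words and repeats score low."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value):
    return value.lower() in PLACEHOLDERS or len(set(value)) <= 2


def mask(value, keep=4):
    """Findings must not re-leak the secret: keep a short prefix for triage, star the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def scan(text, entropy_threshold=3.5):
    """Return one finding per credential-shaped literal, with the value masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if pattern.groups else match.group(0)
                if kind == "credential_assignment":
                    # Exact-format patterns are trusted; generic assignments get the filters.
                    if looks_like_placeholder(value) or shannon_entropy(value) < entropy_threshold:
                        continue
                findings.append({"line": lineno, "kind": kind, "preview": mask(value)})
    return findings
```

Production scanners carry hundreds of patterns; the shape is what matters: match known formats exactly, and for generic assignments use placeholder and entropy filters so the false-positive rate stays low enough that findings get acted on. Run it in a pre-commit hook and in the pipeline, and when it fires treat the secret as exposed and rotate it, because rewriting the commit does not remove it from clones, forks, or mirrors.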