Every one of us has our own system for keeping track of passwords and other sensitive credentials, whether it’s a dedicated app or a customized spreadsheet. Now imagine that instead of, let’s say, 40 passwords to keep track of and use constantly, you had hundreds or even thousands of them.
Imagine that every time you wanted to open the fridge you needed a password, the washing machine had to send a password for the dryer to start its cycle, or every time you turned on the air conditioner you had to authenticate that you are indeed the rightful owner and thus have the right to turn it on.
While all of the above sounds a bit much, this is the reality that the cloud-first agenda has brought upon organizations large and small all over the world. Not only do workers log in and out of the multiple web and SaaS applications they use for their everyday work, but numerous cloud servers, sandboxed development environments, services, containers, processes, scripts, tools and platforms also constantly communicate with each other.
This massive scale of human-to-machine and machine-to-machine interactions is creating a no less massive security headache for CISOs and security teams. And like all headaches, it needs to be managed, or else it can spin out of control. And who better to talk to about this than the CEO and co-founder of a secrets management company?
Oded Hareven of Akeyless helped me to get a better grasp of the problem and solution.
Before we dive into Akeyless, please explain, what exactly are “secrets” in this context? Where do engineers and DevOps teams usually keep their secrets?
Secrets are the credentials, certificates, and keys required for users and processes to gain authorized access to an organization’s applications, systems, and data.
There are human secrets, such as passwords and similar credentials, and machine secrets — the way that containers, services, microfunctions, and applications can access and authenticate to each other.
Secrets are frequently stored across an overwhelming number of code repositories, orchestration tools, and pipeline scripts, in various cloud environments and on-premises, which is a significant security risk.
What exactly is the issue you’ve recognized with cloud secrets that needs solving with better management?
The numerous locations where secrets are kept cause “secret sprawl.” Many security teams don’t even know how many secrets their organization has, or where they are being kept. According to a Ponemon Institute study, 74% of security practitioners don’t know how many keys and certificates they have. A study in 2019 showed that over 100,000 public GitHub repositories included exposed secrets.
Secret sprawl can jeopardize business and personal data, cause outages due to unmanaged expired secrets, and leave the organization open to a variety of attacks. Some prominent examples include the hacks at Nvidia, SolarWinds, Scotiabank, and the recent Uber hack.
In recent years, not a week passes without hearing about another attack through an exposed secret. Verizon’s 2022 Data Breach Investigations Report found that 61% of all breaches involve hacked credentials.
A solution to secret sprawl is using a centralized secrets management system that ensures all secrets are centrally secured, tracked, and managed. Centralized secrets orchestration not only keeps your secrets safe, but rotates secrets and generates just-in-time dynamic secrets so that even hacked secrets cannot be used to access sensitive information.
All secret usage is tracked, so the security team is no longer in the dark.
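The answer above describes three properties of a centralized broker: secrets are issued on demand with a short lifetime, they can be rotated or revoked, and every use is logged. The following toy broker is an added illustration written for this article (not Akeyless code, and not how any product implements it); the subject and scope strings are constructed sample values.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


def fingerprint(token: str) -> str:
    # The broker stores only a hash of each issued token, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Lease:
    subject: str        # the human or machine identity the secret was issued to
    scope: str          # the resource and permission the secret grants
    expires_at: float   # absolute time after which the secret is dead
    revoked: bool = False


class SecretsBroker:
    """Toy centralized broker: secrets are issued on demand, short-lived, and every use is logged."""

    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be exercised deterministically
        self.leases: dict[str, Lease] = {}
        self.audit: list[tuple[float, str, str, str]] = []   # (time, event, subject, scope)

    def issue(self, subject: str, scope: str) -> str:
        # Just-in-time dynamic secret: fresh random token, bound to one scope, with a TTL.
        token = secrets.token_urlsafe(32)
        self.leases[fingerprint(token)] = Lease(subject, scope, self.clock() + self.ttl)
        self.audit.append((self.clock(), "issue", subject, scope))
        return token

    def check(self, token: str, scope: str) -> bool:
        # A token captured by an attacker is useless once its TTL has passed or its
        # lease was revoked, and it never grants access outside the scope it was issued for.
        now = self.clock()
        lease = self.leases.get(fingerprint(token))
        allowed = (lease is not None and not lease.revoked
                   and lease.scope == scope and now < lease.expires_at)
        who = lease.subject if lease else "unknown"
        self.audit.append((now, "allow" if allowed else "deny", who, scope))
        return allowed

    def revoke(self, token: str) -> None:
        # Rotation is revoke-then-issue; denied attempts on the old token stay in the audit log.
        lease = self.leases.get(fingerprint(token))
        if lease:
            lease.revoked = True
            self.audit.append((self.clock(), "revoke", lease.subject, lease.scope))
```

Because every allow and deny lands in `audit`, a security team can answer the two questions the answer above raises: which secrets exist, and who used them.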
Can you explain in some further detail what machine secrets are all about, as opposed to human secrets?
Machines, which include applications, processes, servers and devices, have increased exponentially due to recent DevOps innovations. Containerization in application development has created numerous distinct machine components within a single application.
At the same time, the rise of automation in DevOps processes, including scripts, CI/CD automation tools, and orchestration platforms and systems such as Kubernetes, means that various microservices and tools need to continuously access each other as well as databases in a variety of locations, both on-prem and in the cloud.
These machines use many more secrets than you may think for mission-critical processes to run. Passwords, API keys, TLS certificates, and encryption keys, to name a few, are all constantly accessed in the background to make the wheels turn for your organization’s applications. The average DevOps pipeline uses multiple interconnected systems and shared secrets that may be accessed by every person who triggers a build.
In what ways has the move to the cloud caused secrets management to become a major issue for organizations?
As companies have moved their data to the cloud, it has become even more difficult to secure access.
Most companies keep some data and processes in on-premises systems while moving other data to various cloud providers. This means that processes must access data from numerous sources, and that this data is at least partially exposed.
The number of secrets used to access this data has grown, while it is increasingly clear that these secrets must be carefully safeguarded.
So, what exactly does Akeyless do to help companies take control over the issues you’ve just mentioned?
The Akeyless Secrets Orchestration Platform allows organizations to secure, manage and account for every type of secret for both human and machine access. By providing a single dashboard for managing all secrets, Akeyless stops secrets sprawl and gives control back to the security team.
The Akeyless platform is a SaaS solution, ensuring high availability and data recovery at an SLA of 99.99% globally, and supports hybrid and multicloud environments. Akeyless integrates easily with existing DevOps workflows, tools and automated processes, injecting secrets on demand.
The Akeyless SaaS platform is built on top of patented Distributed Fragments Cryptography (DFC) technology that enables a true Zero Knowledge solution, where even Akeyless can’t access the customers’ secrets and keys.
What types and sizes of companies do you work with? How does someone know if they need a secrets management solution?
Our customers come from a wide range of industries including retail, fintech, insurance, manufacturing, shipping, software, adtech, pharmaceutical, health care, and telecoms. They tend to be midsize, but also include Fortune 100 companies.
Secrets management is needed wherever access to applications, systems, and data must be managed, tracked, and secured. You particularly need a secrets management solution like Akeyless if you have data both in the cloud and in on-premises systems, or on more than a single cloud service provider.
What practical advice would you give companies on how to manage their secrets?
Managing your secrets can present an organizational challenge. To be effective, secrets management must be a cross-organizational effort to address the overlapping areas of responsibility between your security team, DevOps, cloud teams, identity and access management (IAM), and more.
All of these departments have overlapping areas of responsibility but tend to have a different approach to secrets and secret security, which all must be taken into account in the final project. Multidisciplinary technical skills are also required. For example, the cloud team will need to be included to ensure that secrets required by cloud services are adequately managed, while the DevOps team needs to make sure that secrets management can be integrated into the CI/CD pipeline while not causing friction in the development lifecycle.
The IAM team needs to be involved to ensure that machine and human secrets are not managed in completely separate silos.
The security team, of course, must spearhead this interdisciplinary effort, as they are responsible for ensuring security and compliance guidelines are instituted and followed across the organization. Likewise, they must understand the security requirements that must be met by the project as a whole and what resources are available to support it in order to keep company and customer data protected.