Every IT system runs on secrets. Applications can depend on thousands or even millions of API keys, database credentials, and encryption keys to operate smoothly.
Secrets must be hidden, but they also must be stored somewhere. In cloud architectures, secrets reside in public-facing storage, which poses a huge security challenge for companies.
This article will discuss how to secure secrets in the cloud. We’ll explain what a secret is, how they are commonly mishandled, and what it takes to formulate a secret management strategy. We will also present the different secret management solutions offered by the major cloud providers–AWS, GCP, and Microsoft Azure.
What Is a Secret?
Secrets are privileged credentials that provide digital authentication. Some common types of secrets are database passwords, privileged account credentials, SSH keys, encryption keys, API keys, and private certificates for secure communication and data transmission.
As the name suggests, a secret is a highly private piece of information that unlocks sensitive and protected resources. It is what grants access to your most sensitive systems, services, and data. Every application, automation tool, and script depends on such secrets to access other tools, applications, and data. This includes app-to-app, as well as application-to-database, authentication. Because of their importance, secrets must be protected at all costs, both in transit and at rest.
The Consequences of Mishandling Secrets
Although they should be handled with the utmost care, companies often make some grave mistakes when managing secrets. One prevalent mistake is to use hard-coded and default credentials for applications and IoT devices. This provides hackers with an attack route, making it easy to crack secrets simply through guesswork or dictionary-style attacks. Another common malpractice is managing passwords manually. This usually opens the door for security breaches with passwords that are easy-to-remember, shared among coworkers, or not changed often enough.
Secrets are often stored together with other information in application configuration files. Since these files are in plain text, anyone with read permissions can access secrets in a file, a problem that can get far worse if the file is stored in a public repository.
Secrets are also exposed anytime a configuration file is shared or used in source control. In addition, having different secrets spread out across configuration files makes it difficult to keep track of and secure them all.
Poor secret management can lead to detrimental consequences, leaving companies susceptible to security breaches of all kinds. To make matters worse, one secret can unlock resources that contain even more secrets. Thus, obtaining one secret can be enough to gain access and permissions to any resource that belongs to the secret owner. This means that one vulnerable secret can lead to a broad security breach.
The Challenge of Managing Secrets in Modern Architecture
As applications scale and become increasingly complex, secret management becomes far more challenging. This is especially true for modern decentralized architectures.
For example, some companies need to deal with millions of SSH keys, which can be extremely difficult to manage across all IT layers in a decentralized approach where each team manages its secrets separately. In the cloud, cloud providers can grant superuser privileges for quick spin-up and spin-down of applications and virtual machines, each with its own set of privileges that need to be managed.
In serverless applications, another approach that is growing in popularity, infrastructure components are provisioned and managed by your cloud provider. Since serverless applications can’t access a centralized configuration file, secrets are often stored in plain text as environment variables that are shared across multiple serverless functions. Unfortunately, secrets stored this way can leak and become exposed.
How to Use Secrets Securely in the Cloud
Securely using secrets in the cloud requires a centralized method that can reliably manage all types of secrets across all of your cloud and on-premises environments.
This type of solution is especially important for DevOps teams, as they typically rely on secrets for multiple purposes, such as orchestration and configuration management, as well as for different tools and technologies, such as Docker containers, Ansible, Puppet, and Chef.
Whether your architecture is centralized or decentralized, you should handle all secrets centrally using the best security practices.
Secret management can be broken down into a few general steps:
- Authenticate all access requests made with non-human credentials.
- Apply the principle of least privilege: ensure that each user is given the minimal access level and permissions to perform their job.
- Use role-based access control (RBAC) so that access is granted based on a person’s role in the organization.
- Enforce routine secret rotations. For example, you should change encryption keys frequently and re-encrypt the data accordingly.
- Formulate consistent access policies and enforce them with automated secret management tools.
- Keep a thorough audit trail to track all access requests.
- Remove secrets from unprotected locations, including code and configuration files.
This approach makes it possible to identify, manage, and securely store each credential centrally, significantly reducing security threats. Managing your secrets this way not only stores existing secrets securely but also enables continuous discovery of secrets as they are created and eliminates hard-coded, embedded, or default secrets. It also enforces best practices such as changing passwords frequently and keeping them complex or making sure that shared passwords are changed on the spot. In addition, centralized secret management allows for better threat analysis, reporting potential risks to the system.
Protecting Your Secrets in the Public Cloud
Besides having a general approach to secret management, each cloud provider has its own set of products, services, and key features to consider when securing secrets in the cloud. In this section, we present some of the tools available for AWS, Google Cloud Platform (GCP), and Microsoft Azure.
Secrets on AWS
AWS Secrets Manager helps users protect secrets in AWS. The service makes it easy to perform frequent secret rotation and enables quick retrieval of API keys, database passwords, and any other type of secret throughout its lifecycle with a call to Secrets Manager APIs. This architectural feature allows developers to avoid hard-coding sensitive information in plain text as well.
AWS Secrets Manager also features built-in integration with AWS’ major building blocks, such as Amazon DocumentDB, Amazon RDS, and Amazon Redshift, and gives users much more control over managing their secrets across their entire business. This is achieved through fine-grained permissions and policies, along with central auditing of secret rotation, and extends beyond AWS Cloud to on-premises operations and third-party services.
Secrets on GCP
GCP’s Secret Manager offers a centralized service and one single source of truth to access, manage, and audit different types of secrets and sensitive data across Google Cloud. This GCP security service comes with multiple features that take many best practices for secret management off your hands. These include automatic secret replication and storage, extensive audit logging equipped with anomaly detection to detect potential breaches, and default encryption; you also get Cloud IAM integration to grant individual permissions to project owners so they can easily uphold the least privilege principle.
In addition to Secret Manager, GCP offers Cloud HSM, a fully managed GCP cloud-hosted hardware security module (HSM) service to protect cryptographic keys, as well as Cloud KMS, which generates, uses, rotates, and destroys a wide array of cryptographic keys. One good practice is to leverage Cloud KMS’ integration with Cloud Audit Logs to closely manage and monitor permissions on individual keys and their usage. GCP further integrates with third-party tools such as Vault to tightly control access to secrets, and berglas, an open-source tool for storing and retrieving secrets on Google Cloud.
Secrets on Azure
Key Vault is a Microsoft Azure tool that encrypts keys and small secrets. It’s designed to securely store and access secrets in Azure, taking control of some of the heavy lifting in secret management, such as provisioning new vaults and keys, configuration, patching, and HSM maintenance. It also enables Azure users to manage secrets and policies centrally, granting permissions as needed.
Azure logging lets you uphold necessary management practices by monitoring and auditing secrets across your operations. Applying Azure HDInsight or your own SIEM solution to these logs further enables users to keep a close eye on secret rotation and perform effective threat detection.
Secrets hold the key to some of the most sensitive aspects of your business. As systems and architectures move to the cloud and become increasingly complex, secret management has never been more challenging nor more critical.
Besides avoiding the most common pitfalls, such as hard-coding and infrequent password rotation, the secrets across your entire business should be managed in a centralized, automated, and transparent way. The major cloud providers understand this and provide tools that, if leveraged properly, can help you enforce these best practices and ensure your secrets are safe and sound.
Of course, secret management is only one part of a robust cloud security strategy. Reblaze offers an all-in-one web security platform that includes a next-generation Web Application Firewall, DDoS protection, advanced bot management, API security, and more. For a demo, feel free to contact us.