Itzik Alvas is the CEO and co-founder of Entro Security.
Imagine a world in which the key to every door was left under the doormat. It is an open invitation to chaos, even if the finders-keepers of the cyber world would call what they do merely opportunistic.
Sadly, this isn't a whimsical fable but the everyday reality of nonhuman identities and their secrets: API keys, access tokens, service accounts, Kubernetes cluster credentials, certificates and their private keys, and the like, all of which unlock a business's most critical assets.
As developers push the envelope and build the next wave of cloud-native applications, the sprawl of these secrets and nonhuman identities grows unchecked, scattered across repositories, pipelines, clusters and chat tools. The paradox is striking: in our effort to strengthen cloud security, we have built a very complex system full of sensitive nonhuman identities and secrets. No team can keep track of them all from memory, which is why we need clear guidance and purpose-built tooling to keep them safe and organized. It is a tough situation, but it is also why we are looking for better ways to handle these secrets.
Conventional tools such as vaults and secret scanners promise a certain level of safety. Vaults provide secure storage for the secrets issued to nonhuman identities and gate access to them; secret scanners search codebases for exposed secrets that could compromise security.
Despite that promise, these tools often lack the context, visibility and finesse needed in a world where secrets not only open doors but can bring down walls. At this crossroads, what is needed is a more strategic approach to managing secrets and nonhuman identities.
Secrets And Their Expanding Maze
We're not dealing with a few misplaced programmatic access keys. We're facing a deluge of Kubernetes cluster credentials and access tokens scattered across clouds and accounts, and the decentralized nature of these secrets and nonhuman identities leads to a fragmented security strategy.
The crux of the issue lies not in the proliferation of secrets but in their mishandling: secrets and nonhuman identities stowed in a vault without a second thought, hard-coded in source, or pasted into a Slack channel in a fleeting moment of convenience. Each action, while seemingly benign, can turn out to be the straw that breaks the camel's back.
Over-provisioning access rights amplifies the risk, effectively leaving the door wide open to both internal and external threats. Manual management of these secrets and nonhuman identities, which often means copy-pasting credentials between environments, is fraught with danger: it introduces human error into a process that demands precision.
The Cracks In The Armor
When nonhuman identities are mishandled and privileges are over-provisioned, the creation of a secret is immediately followed by vulnerabilities. Files downloaded with secrets inside them (a kubeconfig or a cloud credentials file, for instance) can unravel an organization's security posture if uncovered. These secrets lurk in the shadows of cloud services, waiting for an unwitting actor to set them free.
This calls for a solution that sees beyond the mere storage and discovery of exposed secrets: one that understands the who, what, where and why of every nonhuman identity and secret, offering not just a map through the maze but a guide to every twist and turn.
The Beacon In The Storm
Our requirements go beyond the traditional arsenal of vaults and secret scanners. Vaults store secrets for nonhuman identities and gate access to them, but they have no view of a secret once it has been read out and copied elsewhere. Secret scanners, for their part, are limited by their scope, which is typically confined to code repositories.
We need to fill the gaps left by these conventional systems. That requires a nuanced approach that addresses the hidden dynamics of programmatic access and identity: a forward-thinking strategy that safeguards sensitive data and also understands and controls the entire life cycle of secrets and nonhuman identities across diverse environments.
Where conventional tools play catch-up, we need to cast a wide net that covers not just code repositories but also vaults, Jira tickets, wikis, Slack threads, logs and beyond.
Where vaults and secret scanners might spot an exposed secret and stop there, we must go further and establish the context behind that secret (a meta secret, if you will): which identity it belongs to, what it grants access to, where it is used and who owns it. Highlighting the leak isn't enough.
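To make the "wide net" concrete, here is an added example (my own code, not code from the original article or from Entro Security) of a scanner that runs over text from non-code sources such as a Slack message, a Jira ticket, a gateway log line, a wiki runbook and a Kubernetes manifest. It also illustrates the "Secrets Detection And Remediation" strategy in the next section. The signature patterns, the entropy thresholds and the sample inputs are all assumptions constructed for this example; the AWS values are the well-known documentation examples. Two practitioner details are built in: a generic "name = value" hit is only reported when the value has enough entropy, so placeholders are not flagged, and every finding is redacted before it leaves the scanner so the alert itself does not become another copy of the secret.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Signatures for well-known token formats (an illustrative subset, assumed).
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "something_secret = value" assignments; the value is entropy-checked
# so that placeholders such as changeme_placeholder are not reported.
GENERIC = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd)[a-z_]*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)
HEX = re.compile(r"[0-9a-fA-F]+")
# Bits per character (assumed cut-offs). Hex can never exceed 4.0 bits per
# character, so hex-looking values get a lower threshold of their own.
THRESHOLD_HEX, THRESHOLD_OTHER = 3.0, 4.0


@dataclass
class Finding:
    source: str
    line_no: int
    kind: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage; never copy the whole secret into the alert."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(source: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched: List[str] = []
        for kind, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                matched.append(m.group(0))
                findings.append(Finding(source, line_no, kind, redact(m.group(0))))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if any(value in s or s in value for s in matched):
                continue  # already reported under a specific signature
            threshold = THRESHOLD_HEX if HEX.fullmatch(value) else THRESHOLD_OTHER
            if shannon_entropy(value) >= threshold:
                findings.append(Finding(source, line_no, "high_entropy_assignment", redact(value)))
    return findings


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    return [f for name, text in sources.items() for f in scan_text(name, text)]


# Constructed sample inputs standing in for the non-code sources named above.
SAMPLE_SOURCES = {
    "slack:#deploys": (
        "can you use these for the staging deploy? "
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    ),
    "jira:OPS-1432": "Workaround until ops rotates it: password = changeme_placeholder",
    "log:api-gateway": (
        "2024-05-02T10:14:03Z INFO GET https://api.example.com/v1/users"
        "?token=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij 200"
    ),
    "wiki:jumphost-runbook": (
        "Copy this key to the jump host:\n"
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAA\n"
        "-----END OPENSSH PRIVATE KEY-----"
    ),
    "k8s:secret.yaml": "kind: Secret\ndata:\n  slack_token: xoxb-1234567890-abcdefghijklmnop",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line_no} {f.kind} {f.redacted}")
```

Run as-is it reports five findings (the AWS key ID and high-entropy secret key in Slack, the GitHub token in the log, the private key in the wiki, the Slack token in the manifest) and nothing for the Jira placeholder. The source and line number on each finding are the start of the context the paragraph above asks for; a real deployment would join them to an inventory of which identity owns the secret and what it grants.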
Theory Meets Practice
For organizations looking to stay ahead of the curve, here are four no-nonsense strategies to consider:
1. Automated Secrets Rotation: Implement a context-based secrets rotation system that updates secrets automatically, on a schedule and in response to specific triggers such as a detected exposure, to reduce the risk of long-term exposure. A scheduled rotation should keep the old value valid for a short overlap window so consumers can cut over without an outage; a rotation triggered by an exposure should revoke the old value immediately.
2. Secrets Detection And Remediation: Use tools that continuously scan your environments for exposed secrets and that tell you what to do about each finding (who owns the secret, what it grants, how to rotate it). The volume of data and the dynamic nature of the environments make continuous, effective scanning too complex to perform manually.
3. Zero-Trust Architecture: Adopt a zero-trust security model that verifies every request, regardless of where the user or workload sits or which device it comes from. The challenge is that it requires a fundamental overhaul of access management, which can be complex and resource intensive.
4. Misconfiguration Alerts: Deploy monitoring that detects and alerts on misconfigurations in your infrastructure, such as a secret stored in a publicly readable bucket or an over-privileged service account, that could expose secrets or create vulnerabilities.
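The first strategy has one design point that is easy to get wrong: a rotation that is merely due should not break the consumers still holding the old value, while a rotation triggered by an exposure must not leave the exposed value working for another minute. The following is an added example (my own code, not code from the original article or from Entro Security) of a rotation policy that encodes both rules. The `ManagedSecret` model, the trigger name `exposure_detected` and the timing values are assumptions made for the example; generating the new value with `secrets.token_urlsafe` stands in for whatever the target system (a database, a cloud provider, a vault) would actually do to issue a credential.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class Version:
    value: str
    created_at: datetime
    retire_at: Optional[datetime] = None  # None while this is the active version


@dataclass
class ManagedSecret:
    name: str
    max_age: timedelta      # scheduled rotation interval
    overlap: timedelta      # grace period in which old and new values both verify
    versions: List[Version] = field(default_factory=list)

    @property
    def current(self) -> Version:
        return self.versions[-1]

    def valid_values(self, now: datetime) -> Set[str]:
        """The values a verifier should accept at `now`."""
        return {v.value for v in self.versions if v.retire_at is None or now < v.retire_at}


def new_secret(name: str, created_at: datetime, max_age: timedelta, overlap: timedelta) -> ManagedSecret:
    s = ManagedSecret(name, max_age, overlap)
    s.versions.append(Version(secrets.token_urlsafe(32), created_at))
    return s


def rotation_reason(secret: ManagedSecret, now: datetime, events: Set[str]) -> Optional[str]:
    """Why the secret should rotate now, or None. `events` holds trigger names
    raised for this secret, e.g. by a scanner that found it in a Slack thread."""
    if "exposure_detected" in events:
        return "exposure_detected"
    if now - secret.current.created_at >= secret.max_age:
        return "max_age_exceeded"
    return None


def rotate(secret: ManagedSecret, now: datetime, reason: str) -> Version:
    """Issue a new version. After an exposure every older value is revoked at
    once; a scheduled rotation keeps the old value alive for `overlap` so
    consumers can cut over without an outage."""
    grace = timedelta(0) if reason == "exposure_detected" else secret.overlap
    for v in secret.versions:
        if v.retire_at is None or v.retire_at > now + grace:
            v.retire_at = now + grace
    new = Version(secrets.token_urlsafe(32), now)
    secret.versions.append(new)
    return new


def reconcile(secret: ManagedSecret, now: datetime, events: Set[str]) -> Optional[str]:
    """One pass of the rotation loop: rotate if due and report why."""
    reason = rotation_reason(secret, now, events)
    if reason is not None:
        rotate(secret, now, reason)
    return reason


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    db = new_secret("db_password", now - timedelta(days=40), timedelta(days=30), timedelta(hours=1))
    print(reconcile(db, now, set()), len(db.valid_values(now)), "values accepted during overlap")
    print(reconcile(db, now, {"exposure_detected"}), len(db.valid_values(now)), "value accepted after revoke")
```

The verifier side (the service that checks the presented credential) consults `valid_values` rather than a single "current" value, which is what makes the overlap window possible; the exposure path collapses that set to the new value alone.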
Parting Thoughts
Managing machine identities and secrets means walking a fine line between essential complexity and the necessity of security. Teams must navigate this terrain carefully, because a single oversight can result in a breach that makes the morning news.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.