Introduction
What is a secret? A secret is any piece of information that must be protected and hidden from humans and machines that are not authorised to see it: for example PII (Personally Identifiable Information), transaction data, passwords and keys. For the purpose of this article we focus only on secrets that grant access to other systems, such as passwords and API keys.
In a nutshell, a secrets manager should be able to store, retrieve and rotate secrets securely.
Secret Management Features:
- Storing Secrets
- Retrieving Secrets
- Rotation of Secrets
- Auditing Secrets
- Dynamic Secrets
- Centrally Managed vs Distributed
- Multi-cloud Secrets
Storing Secrets
A secrets manager should be able to encrypt secrets at rest under protected cryptographic key material. HashiCorp Vault, AWS Secrets Manager and Azure Key Vault are examples of products that can store secrets and encrypt them at rest.
Retrieving Secrets
A secrets manager should be able to retrieve secrets through an API or CLI. Most importantly, CI/CD servers should be able to retrieve secrets easily, to inject them at build time if required or at run time, without exposing the secrets to unauthorised entities.
Rotation of Secrets
A secrets manager should be able to rotate secrets based on defined conditions and policies. For example, AWS Secrets Manager uses AWS Lambda functions to rotate secrets by integrating directly with the target applications.
Auditing Secrets
Every call to a secret should be recorded in an audit log that is stored securely with integrity checks.
Dynamic Secrets
A secrets manager should be able to create short-lived secrets and hand them over to the application. This requires high-privilege access to create and destroy secrets on the target system.
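As an added illustration of the lease model described above (example code written for this article, not taken from any of the products named here), the broker below holds the privileged handle to a constructed FakeDatabase, mints a unique credential per request, and destroys it when the lease expires; the injectable clock is an assumption made so that expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

class FakeDatabase:  # constructed stand-in for the target system (e.g. a DB admin connection)
    def __init__(self):
        self.users = {}
    def create_user(self, name, password):
        self.users[name] = password
    def drop_user(self, name):
        self.users.pop(name, None)

@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    expires_at: float

class DynamicSecretBroker:
    """Mints one short-lived credential per request and destroys it on expiry."""
    def __init__(self, target, ttl_seconds=300, now=time.time):
        self.target = target   # privileged handle: may create/destroy accounts
        self.ttl = ttl_seconds
        self.now = now         # injectable clock (assumption) so expiry can be tested
        self.leases = {}

    def issue(self, requester):
        """Create a unique credential for this requester and start its lease."""
        lease = Lease(secrets.token_hex(8), f"v-{requester}-{secrets.token_hex(4)}",
                      secrets.token_urlsafe(24), self.now() + self.ttl)
        self.target.create_user(lease.username, lease.password)
        self.leases[lease.lease_id] = lease
        return lease

    def revoke(self, lease_id):
        """Destroy the credential on the target; safe to call twice."""
        lease = self.leases.pop(lease_id, None)
        if lease is not None:
            self.target.drop_user(lease.username)
        return lease is not None

    def sweep_expired(self):
        """Revoke every lease whose TTL has elapsed; returns how many were revoked."""
        expired = [i for i, ls in self.leases.items() if ls.expires_at <= self.now()]
        for lease_id in expired:
            self.revoke(lease_id)
        return len(expired)
```

The application only ever sees its own lease; the broker is the single place that holds the privileged account, which is why the section notes that this capability needs high-privilege access to the target.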
Centrally Managed Vs Distributed Secrets
It “depends”: there are pros and cons to both centrally managed and distributed secrets management solutions.
Centrally Managed Secrets
Pros:
- Easy to govern and maintain secrets
- Easy to apply organisation policies in one place
- Easy to audit activity
Cons:
- Hard to apply fine-grained authorisation rules (who can retrieve which secrets) when multiple teams or business units share the same secrets manager
- Hard to implement different policies for different teams when they have different requirements, e.g. the rotation policy for one team may vary with the sensitivity level of its secrets
- Blast radius is high if the secrets manager is compromised
Distributed Secrets Management
Pros:
- Easy to apply fine-grained authorisation rules
- Blast radius is limited to the team or business unit if its secrets management solution is compromised
- Flexibility to apply different policies, such as rotation or deletion policy, based on the requirements of the team
Cons:
- Hard to enforce centralised policies across individual secrets management solutions
- Hard to govern and maintain a similar security posture throughout the organisation
- Difficult to audit centrally, which requires retrieving the logs from each solution and storing them securely
Multi-cloud Secrets
There will be use cases for storing and retrieving secrets across different hosting providers, whether Azure, AWS, Google or on-premise servers. One option is to mix and match secrets manager solutions that can share secrets across multiple clouds. For example, AWS Secrets Manager works nicely for secrets within AWS, but may not be the right solution for storing on-premise secrets; in that case HashiCorp Vault may help to store and retrieve the on-premise secrets.
Can HashiCorp Vault be used as the central secrets management solution for all secrets, whether on-premise or cloud? The answer is “yes”, it is technically possible, but that brings back the earlier discussion of central vs distributed.
Conclusion
We discussed what to look for in a secrets management solution, and the centralised and distributed approaches to managing secrets. Some of the great tools on the market that provide these capabilities are:
- HashiCorp Vault
- AWS Secrets Manager
- Azure Key Vault
- Google Secret Manager
- CyberArk
Assess which product best fits your organisation based on your requirements.