Secret Management Primer: Challenges, Standards, and Best Practices

Secret management is the process of securely storing and managing sensitive information such as keys, passwords, and tokens. Secrets are used to provide privileged access and are usually stored in secure environments using secret management tools. Secrets are essential to establish the right access and connections on both the app and the infra side of things.

What are secret management tools?

Secret management tools are made for this specific task - to manage, organize, safely store and retrieve secret information. We cover some popular tools in this blog and suggest actionable steps for choosing the right tool to suit your requirements. These tools help address the challenges across SaaS, LaaS, PaaS, private, and hybrid multi-cloud scenarios.

Challenges of secret management

The challenges of managing secrets can occur in the various stages of the secret’s lifecycle, from generation and storing to distribution and revocation.

1. Secrets at rest can be vulnerable, especially if they are a part of the automated CI/CD pipelines and must be exposed to external tools or stored in the code repository or local device.
2. Secret distribution to authorized users has to be done securely. This may involve the use of secure communication channels, specific tools (Doppler, 1Password, not slack) or physical measures such as security tokens.
3. Static secrets that don’t change in value can cause serious security issues as they may easily be shared, and recovering or updating their value can be difficult especially if the same value is used in multiple places.
4. Compliance: It is important to ensure one’s secret management practices comply with the legal requirements and regulations defined either in data privacy laws or industry standards. We will talk about some industry standards in the best practices section below. Manually managing secrets makes it hard to comply with such standards.
5. Scalability: As the company scales, the issue of secret sprawl arises, which makes credentials difficult to track and manage, hence more vulnerable to hacking. According to a report from Verizon, stolen credentials account for nearly half of all data breaches.
6. Human factors: People are an important part of secret management, but they can also be a weak point. Ensuring that individuals handle secrets responsibly and follow established procedures is critical to the system’s security.

Benefits of Secret Management Tools

Secret management tools like Vault, AWS Secret Manager, Doppler, and many others discussed here can help organizations overcome the various challenges of secret management practice discussed above.

1. Storing secrets: All secret management tools act as a central store for your secrets; this includes passwords, SSL certificates, and API keys. This makes it easy to manage and protect secrets.
2. Access controls: These tools can enforce access control to ensure that only authorized users access specific secrets. Types of access controls can be based on identity, location, or roles. You can also easily set limits on the count of clients and revoke or update access to any user.
3. Automated distribution: Secret management tools can automate the process of distributing secrets to authorized users and revoking access when necessary. This can help reduce the risk of human error and improve the efficiency of secret management.
4. Compliance: Secret management tools make it easier for organizations to comply with regulatory and industry standards, such as data privacy laws and PCI DSS.
5. Integrations: Their ability to integrate with other systems and tools, such as configuration management tools and CI/CD pipelines, helps streamline the management of secrets in a cloud environment.
6. Scalability: These tools are built to enterprise standards and grow as your organization grows. Having a centralized store with good access control and compliance policies also reduces the risks of secret sprawl.

Secret Management Best Practices

Once you’ve chosen the right secret management tool and are ready to make the most of the benefits, it’s time to check off these best practices.

1. Consolidate your secrets and secure them: If you’re using any kind of developer tool or cloud service, you will already be using secrets. Some of them may lie as plain text on your config files or encrypted and pushed to your Git repo. You must first bring them to a secret management tool to secure them.
2. Rotation: Secrets can be reset or changed based automatically on a schedule. It is a good practice to rotate your secrets constantly. In fact, many compliance standards require that secrets are rotated regularly.
3. Automation: Secrets no longer need to be hard-coded or embedded. They can be injected directly into the pipeline in most cases and made available for the tools/users that need access to a particular resource.
4. Create and enforce policy: Cloud security policies are essential components that provide a formal guideline for how a company operates in the cloud. Creating and enforcing these policies help companies reduce the risk and also assures their customers that their data is protected. Here’s how to create a cloud security policy.
5. Least privilege access: Enforcing least privilege access for machines and humans means that access to the secret is given a need-to-know, just-in-time access to the specific secret for a specified duration.
6. Scalable solution: Picking a tool that scales as your needs and secrets rise and can work just as efficiently with your future systems and secrets. There is an extra price, but it is worth paying for securely managing secrets.

Some Industry standards for Secret management

There are several industry standards and best practices for cloud secret management:

1. ISO 27001: Is an international standard that outlines the best practices for information security management, including the secure handling of secrets.
2. NIST SP 800-53: The National Institute of Standards and Technology (NIST) publishes guidelines for securing federal information systems, including recommendations for secret management.
3. PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for organizations that handle credit card information. It includes guidelines for securing secrets and protecting against unauthorized access.
4. Center for Internet Security (CIS) Controls: The CIS Controls are a set of best cybersecurity practices organized into 20 control families. Secret management is addressed in several of the control families, including Access Control and Maintenance.
5. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM): The CSA CCM is a framework for evaluating the security of cloud computing environments. It is a set of requirements to certify that all companies that collect and transmit credit card information maintain a secure environment. It also includes secret management controls such as using strong passwords and implementing access controls.
6. Service Organization Control (SOC 2): This compliance is intended to provide assurance to customers that a service organization has implemented the necessary controls to protect sensitive data. It includes risk assesssments, disaster recovery procedures, confidentiality and integrity control for sensitive data.
7. Health Information Privacy Protection Act (HIPAA): Under HIPAA, covered entities, such as health care providers and insurance companies, are required to implement policies and procedures for safeguarding protected health information (PHI). This includes encryption, access, and audit controls to protect electronic protected health information (ePHI).

It is important for organizations to understand and comply with relevant industry standards and best practices when implementing cloud secret management. Based on your region of operation, there may be local laws such as CCPA or GDPR.

Check out the other blogs in the secret management series where we talk about top cloud secret management tools and also about kubernetes secret management approaches.

Argonaut has a native secret management solution for small teams. Argonaut integrations with third party secret providers is coming in Q1CY23.

With Argonaut’s modern deployment platform, you can get up and running on AWS or GCP in minutes, not weeks. Our intuitive UI and quick integrations with GitHub, GitLab, AWS, and GCP make managing your infra and applications easy - all in one place.