Page 18 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

            What’s Your Secret – Best Practices for Managing Digital Authentication Credentials

            By Morey Haber, CTO, BeyondTrust



            Secrets management refers to the tools and methods for managing digital authentication credentials
            (secrets), including passwords, keys, APIs, and tokens for use in applications, services, privileged
            accounts and other sensitive parts of the IT ecosystem. While secrets management is applicable across
            an entire enterprise, the terms “secrets” and “secrets management” are used more commonly in IT
            with regard to DevOps environments, tools, and processes.


            Challenges to Secrets Management

            Passwords and keys are some of the most broadly used and important tools your organization has for
            authenticating applications and users and providing them with access to sensitive systems, services, and
            information. Because secrets have to be transmitted securely, secrets management must account for
            and mitigate the risks to these secrets, both in transit and at rest. But as the IT ecosystem increases in
            complexity and the number and diversity of secrets explodes, it becomes increasingly difficult to securely
            store, transmit, and audit secrets. Common risks to secrets and some considerations include:


              • Incomplete visibility and awareness of all privileged accounts, applications, tools, containers, or
                microservices deployed across the environment, and the associated passwords, keys, and other
                secrets. SSH keys alone may number in the millions at some organizations, which should provide an
                inkling of the scale of the secrets management challenge. This becomes a particular shortcoming of
                decentralized approaches where admins, developers, and other team members all manage their
                secrets separately, if they’re managed at all. Without oversight that stretches across all IT layers,
                there are sure to be security gaps, as well as auditing challenges.






