Risks and Challenges of Mismanaged Secrets

Poor secrets management leads to data breaches that can result in compromised credentials, a damaged reputation and millions of dollars in mitigation costs, legal fees and lost revenue. 

Secrets are non-human privileged credentials that provide access to sensitive information, systems and services. Types of secrets include database passwords, SSH keys, API keys and encryption keys.

Let’s look at some of the risks and challenges associated with secrets management and what actions you can take to help better protect your company’s secrets. 

What Are the Risks of Mismanaged Secrets?

In the grand scheme of things, IT secrets are really just a type of password; both regular passwords and secrets enable users to access sensitive information and systems. The primary difference is that, in most cases, secrets are used by applications instead of people. For this reason, it can be said that all passwords are secrets, but not all secrets are actual “passwords.” API keys, for example, are secrets, but not “passwords” per se, while privileged access credentials are passwords – just passwords to very high-level systems and data.

As a result, a failure to protect secrets puts an organization at risk of the same types of problems as not protecting employee login credentials. However, because secrets unlock access to highly sensitive systems and data, the damage potential of a stolen secret can be even greater than that of a stolen employee password.

  1. Breaches of Highly Confidential Data

Mismanaged secrets put businesses at increased risk of cyberattacks, and these attacks can be quite serious. For example, in July 2022, customers of software firm Atlassian were warned to immediately patch a critical vulnerability that allowed remote threat actors to uncover hardcoded credentials, which they could then use to log into vulnerable Confluence Servers. Most companies use Confluence for internal project documentation and collaboration – in other words, highly confidential company data about ongoing projects and plans that, if compromised, could have catastrophic results for the company.

  2. Breaches of Highly Sensitive Apps and Systems

In addition to protecting access to highly sensitive data, secrets are also the only thing standing in between threat actors and access to highly sensitive systems and devices – like security cameras and other Internet of Things (IoT) devices, which are notorious for having hardcoded default passwords. Hardcoded default passwords can be found in routers and other networking equipment as well. Armed with a single default password to a piece of hardware, a threat actor can take over an entire security system – or a network.

  3. Decreased Productivity

Secrets management vexes DevOps environments, where common CI/CD pipeline tools such as Jenkins, Ansible, GitHub Actions, and Azure DevOps all use secrets to access databases, SSH servers, HTTPS services, and other sensitive systems. These secrets are either stored in a config file for the deployment system or in one of a dozen different storage vaults – all of which DevOps and IT teams have to somehow manage. This is an uphill battle that hampers productivity while preventing organizations from effectively securing secrets.

Top Challenges to Secrets Management

Organizations attempting to manage their secrets and sensitive information encounter these common challenges.

  1. Secrets Sprawl

By far, secrets sprawl is the biggest obstacle to effectively securing secrets. As organizations expand, so do their IT environments, and the secrets that their systems and apps depend on to function. Before anyone realizes it, the data environment contains an unfathomable number of secrets — SSH keys alone can easily number in the thousands — and they’re stored all over the network, in no particular order, and with no centralized solution to organize, manage or secure them.

  2. No Uniform Secrets Management Policy

Who is responsible for managing secrets? Absent a uniform organizational secrets management policy, individual departments, teams, and even team members are left on their own, all independently managing the secrets under their control. Consider a situation where a new microsite must access a database. The IT administrator already has a configuration file containing sensitive data, so they simply include the database access key in that same configuration file. This laissez-faire approach may seem reasonable and harmless at first – until there are literally thousands of those configuration files, no one is certain where they are or how many exist, and many of them were created by people who are no longer with the company!
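The scenario above, database keys accumulating in configuration files that nobody tracks, is one a defender can at least make visible. The following Go program is an added example, not code from this post or from Keeper: it scans the text of a configuration file for assignments that look like credentials, skips templated placeholders, and reports each hit with a redacted value. The patterns are heuristics, not an exhaustive detector, and the sample configuration (including its file name) is constructed for the illustration; the one access key ID in it is AWS's documented example value.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one suspected hardcoded credential.
type Finding struct {
	File  string
	Line  int    // 1-based line number in the file
	Kind  string // which heuristic fired
	Value string // redacted: first four characters kept, rest masked
}

// Heuristic patterns, checked in order; the first one that fires on a line wins.
// Illustrative only: real secret formats are far more varied than this.
var credentialPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	// AWS access key IDs have a fixed prefix and length.
	{"aws-access-key", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	// PEM header of a private key pasted into a config file.
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
	// A key-like name followed by an assignment to a value of at least 8
	// characters; group 2 captures the value.
	{"assignment", regexp.MustCompile(`(?i)(password|passwd|secret|api[_-]?key|access[_-]?key|token)[\w-]*\s*[:=]\s*["']?([^\s"'#]{8,})`)},
}

// Placeholders that a templating system fills in at deploy time are not leaks.
var placeholder = regexp.MustCompile(`(?i)^(\$\{[^}]*\}|<[^>]*>|changeme|x{3,}|\*{3,})$`)

// redact keeps the first four characters so a finding can be located without
// re-exposing the secret in tool output or tickets.
func redact(v string) string {
	if len(v) <= 4 {
		return strings.Repeat("*", len(v))
	}
	return v[:4] + strings.Repeat("*", len(v)-4)
}

// ScanConfig checks each line of a configuration file's contents and returns
// the suspected hardcoded credentials it finds. Comment lines are skipped.
func ScanConfig(file, content string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		trimmed := strings.TrimSpace(line)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		for _, p := range credentialPatterns {
			m := p.re.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			value := m[0]
			if len(m) > 2 { // the assignment pattern captures the value in group 2
				value = m[2]
			}
			if placeholder.MatchString(value) {
				break
			}
			findings = append(findings, Finding{File: file, Line: i + 1, Kind: p.kind, Value: redact(value)})
			break
		}
	}
	return findings
}

// SampleConfig is a constructed configuration file for the demonstration; none
// of the values are real credentials (the AKIA value is AWS's documented example).
const SampleConfig = `# constructed sample; the commented-out line below is skipped
# old_password = hunter2-retired
db_host = db.internal.example
db_password = "Tr0ub4dor&3-rotate-me"
api_key: ${API_KEY}
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
ssh_key = -----BEGIN OPENSSH PRIVATE KEY-----
`

func main() {
	for _, f := range ScanConfig("app.conf", SampleConfig) {
		fmt.Printf("%s:%d  %-15s %s\n", f.File, f.Line, f.Kind, f.Value)
	}
}
```

Run against the sample, the scanner reports the hardcoded database password, the access key ID and the pasted private key, and stays silent on the `${API_KEY}` placeholder and the commented-out line. Pointing it at every configuration file in a repository or deployment host gives a first inventory of where secrets actually live, which is the precondition for moving them into a central store.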

  3. No Dedicated Secrets Management Tools

Some IoT devices and tools include built-in secrets managers, which enable IT administrators to remove or change hardcoded credentials. However, these built-in solutions work only with those particular devices or tools. IT and security administrators need a single, centralized secrets management solution to enforce secrets management policies, prevent secrets sprawl and avert catastrophic breaches of highly sensitive systems.

Keeper Secrets Manager Stops Secrets Sprawl

Keeper Secrets Manager is the first and only cloud-based, zero-trust, zero-knowledge solution for securing infrastructure secrets. Instead of thousands of files and vaults scattered all over the data environment, Keeper Secrets Manager enables all servers, CI/CD pipelines, developer environments, and source code to pull secrets from a secure API endpoint. Each secret is encrypted with a 256-bit AES key, which is encrypted by another AES-256 application key. The client device retrieves encrypted ciphertext from the Keeper cloud, and secrets are decrypted and used locally on the device — not on Keeper’s servers.
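The two-layer scheme described above, a per-secret AES-256 key that is itself encrypted under an application key, with decryption happening on the client, is the standard envelope-encryption pattern. The Go program below is an added illustration of that pattern and is not Keeper's code: it assumes AES-256-GCM with a random nonce prepended to each ciphertext, neither of which the post specifies, and it shows that the storage side holds only ciphertext and that a wrong application key or a modified ciphertext is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredSecret is everything the storage side keeps: two ciphertexts and no keys.
// Without the application key, neither field can be decrypted.
type StoredSecret struct {
	WrappedDataKey []byte // per-secret AES-256 data key, encrypted under the application key
	Ciphertext     []byte // the secret itself, encrypted under the data key
}

// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
// Mode and layout are assumptions of this example, not taken from the post.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; GCM's authentication tag makes any tampering fail.
func unseal(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// randomKey returns a fresh 256-bit key from the OS CSPRNG.
func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// NewApplicationKey creates the key that stays on the client and is never uploaded.
func NewApplicationKey() ([]byte, error) { return randomKey() }

// EncryptSecret generates a data key for this one secret, encrypts the secret
// under it, then wraps the data key under the application key.
func EncryptSecret(appKey, secret []byte) (StoredSecret, error) {
	dataKey, err := randomKey()
	if err != nil {
		return StoredSecret{}, err
	}
	ct, err := seal(dataKey, secret)
	if err != nil {
		return StoredSecret{}, err
	}
	wrapped, err := seal(appKey, dataKey)
	if err != nil {
		return StoredSecret{}, err
	}
	return StoredSecret{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptSecret is the client-side step: unwrap the data key, then the secret.
func DecryptSecret(appKey []byte, s StoredSecret) ([]byte, error) {
	dataKey, err := unseal(appKey, s.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dataKey, s.Ciphertext)
}

func main() {
	appKey, err := NewApplicationKey()
	if err != nil {
		panic(err)
	}
	// "constructed-db-password" is a made-up value for the demonstration.
	stored, err := EncryptSecret(appKey, []byte("constructed-db-password"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d-byte wrapped key, %d-byte ciphertext, no key material\n",
		len(stored.WrappedDataKey), len(stored.Ciphertext))
	plain, err := DecryptSecret(appKey, stored)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client decrypted: %s\n", plain)
}
```

The design point worth noticing is that rotating the application key only requires re-wrapping the small data keys, not re-encrypting every secret, and that an authenticated mode means a storage-side modification of either ciphertext is detected at decryption rather than silently producing garbage.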

  • Remove hard-coded credentials from source code, config files and CI/CD systems.
  • Manage an unlimited amount of secrets, applications and environments.
  • Control employees’ access and permissions with role-based access controls.
  • Fully managed solution, with no additional hardware or cloud-hosted infrastructure required.
  • Out-of-the-box integrations with a wide variety of DevOps tools, including GitHub Actions, Kubernetes, Ansible and more.
  • Consolidate your secrets in a centralized location with auditability.
  • Set up automated rotation for access keys, passwords and certificates.
  • Integrate secrets into your infrastructure, containers and build systems.

Keeper Secrets Manager is a natural extension of the Keeper enterprise password manager (EPM). It is incorporated into the Keeper Web Vault, Desktop App and Admin Console, with integrations into Keeper’s Advanced Reporting and Alerts module, BreachWatch, Webhooks, SIEM integration, and compliance tools. 
Test out our platform using our 14-day free trial and start protecting your company’s secrets.

Craig Lurey

Craig Lurey is the CTO and Co-Founder of Keeper Security. Craig leads Keeper’s software development and technology infrastructure team. Craig and Darren have been active business partners in a series of successful ventures for over 20 years. Prior to building Keeper, Craig served at Motorola as a software engineer creating firmware for cellular base station infrastructure and founded Apollo Solutions, an online software platform for the computer reseller industry which was acquired by CNET Networks. Craig holds a bachelor’s degree in Electrical Engineering from Iowa State University.