Business and Enterprise
Protect your company from cybercriminals.Start Free Trial
Secrets management is the process of organising, managing, and securing IT infrastructure secrets. A secrets manager is a secure storage system and single source of truth for privileged credentials, API keys and other highly sensitive information used in IT infrastructures.
Keep reading to learn more about secrets management and what you can do to protect your company's data environment.
In an IT data environment, secrets are non-human privileged credentials, most often those used by systems and applications for authentication or as input to a cryptographic algorithm. Secrets unlock applications, services and IT resources containing highly sensitive information and privileged systems.
Common types of secrets include:
Secrets management is a cybersecurity best practice for consistently enforcing security policies for non-human authentication credentials—ensuring that only authenticated and authorised entities can access resources.
As organizations grow, IT and DevOps teams Encounter a problem called secrets sprawl, where infrastructure secrets are scattered in multiple locations, with different departments, teams, and even team members independently managing the secrets under their control. Meanwhile, IT administrators lack visibility, auditability and alerting on the usage of these secrets.
Secrets Management Best Practices
Because secrets are so numerous – SSH keys alone can number in the thousands – using a secrets management solution like Keeper Secrets Manager is a must. According to the 2021 Global Encryption Trends Study by the Ponemon Institute, 28% of organisations use secrets management solutions to protect secrets, and 33% plan to deploy the use of a secrets management solution within the next year.
However, a technical tool can only do so much! Couple your use of a secrets management tool with the following best practices:
Establish Proper Access Control
After centralising and securing your secrets with a secrets management solution, the next step is to ensure that only authorised people and systems can access them. This is accomplished through role-based access control (RBAC) combined with privileged access management (PAM) and least-privilege access.
Rotate Secrets and Use Just-In-Time Access
Many secrets, such as keys and certificates, require periodic rotation, usually every 30 to 90 days. A tool like Keeper Secrets Manager can automate this process for you.
In addition to secrets rotation, use just-in-time access whenever possible. This grants human users and applications access to privileged systems on a need-to-know basis for a specified duration. This is a failsafe to prevent privileged credentials from being compromised.
Differentiate Between Secrets and Identifiers
An identifier is how an identity management system or other entity refers to a digital identity. Usernames and email addresses are common examples of identifiers. Identifiers are often shared freely within and even outside of an organisation.
Secrets, conversely, are highly confidential. If a secret is compromised, threat actors can use it to access highly privileged systems, and the organisation could sustain major or even catastrophic damage.