What is a secret?

A secret is a privileged, non-human credential, such as API keys, passwords, tokens or certificates, that systems and applications use for authentication and authorization. Secrets enable secure communication between applications, services and resources by verifying identities and granting appropriate access to sensitive data. Properly managing secrets ensures secure interactions between systems while protecting privileged data from unauthorized access.

What is secrets management?

Secrets management refers to the secure handling, storage and governance of privileged credentials within an organization’s IT infrastructure. It enables organizations to centrally manage, store and audit secrets while minimizing the risk of unauthorized access. The goal of secrets management is to maintain secure system operations, reduce security risks and enhance operational efficiency.

Types of secrets

There are several types of secrets that organizations use to protect privileged information, including passwords, cryptographic keys, tokens, API keys, SSH keys, certificates and privileged user credentials.

Passwords

As the most common type of secret, passwords are widely used to authenticate users and grant access to systems, data or applications. Passwords consist of a combination of uppercase and lowercase letters, numbers and symbols known to both the user and the system. A password verifies a user’s identity and protects sensitive data from unauthorized access. To be strong, a password should be long and complex; otherwise, it risks becoming more vulnerable to password-based attacks such as brute force.

Privileged user credentials

Privileged user credentials grant elevated access or administrative control over systems, networks or applications. These credentials belong to users who can perform important tasks such as configuring system settings, accessing sensitive information or managing privileged accounts. Since they provide access to critical data, privileged user credentials must be closely monitored and protected to prevent unauthorized actions.

Secure Shell (SSH) keys

Secure Shell (SSH) keys enable secure, passwordless authentication over networks. Commonly used by system administrators for automation and Single Sign-On (SSO), SSH keys consist of a public key, stored on the server, and a private key, kept secret by the user. When a connection is initiated, the server verifies the public key and grants access if it matches the private key.

Application Programming Interface (API) keys

API keys are unique identifiers used to authenticate and authorize applications or users when accessing APIs. They help ensure secure interactions between software systems by verifying the identity of the calling application. API keys are often used to control access, automate workflows and manage usage limits. Because they can grant access to sensitive information, API keys must be kept secure to prevent unauthorized use.

Cryptographic keys

Cryptographic keys are used in encryption and decryption processes to maintain data confidentiality and integrity. These keys are essential for securing data in transit and at rest. There are two main types:

Symmetric keys, where the same key is used for both encryption and decryption
Asymmetric keys, which involve a public key (for encryption) and a private key (for decryption)

Cryptographic keys are fundamental to secure communications, digital signatures and data protection in modern IT systems.

Tokens

Tokens are used for authentication and authorization, usually in modern web applications and APIs. They are temporary and generated to grant access to specific resources after a successful login or authorization process. Tokens contain encoded information that verifies a user’s identity without needing a password to be transmitted with each request. Since tokens can grant access to sensitive resources, they have to be stored and shared securely.

Certificates

Digital certificates are used to secure internet connections and communications over a network. These certificates are often referred to as SSL/TLS certificates, with Transport Layer Security (TLS) being a more modern, secure version of the now-outdated Secure Sockets Layer (SSL) protocol. TLS certificates authenticate the identity of a website and create an encrypted connection between the server and a client. Certificates contain a public key and other information, including the domain name and issuer, that allow clients to verify the server’s credibility. Certificates are important for ensuring data privacy, preventing Man-in-the-Middle (MITM) attacks and building user trust.

Secrets management challenges

Without proper secrets management, each team in an organization may handle secrets independently. This can lead to secrets sprawl and insecure sharing of secrets.

Secrets sprawl

Secrets sprawl is the chaotic distribution of secrets across an organization. As organizations grow, secrets can become dispersed across cloud environments and various tools, increasing the risk of unauthorized access. Without centralized secrets management, this can lead to security vulnerabilities and compliance challenges.

Hardcoded secrets

Hardcoded secrets refer to sensitive credentials, like passwords or API keys, embedded directly within source code or configuration files. This may happen if developers store secrets in code to simplify development or testing. However, storing credentials directly in source code introduces security risks, making it more difficult to update secrets and contain potential exposure.

Manual secret sharing

Manual secret sharing is the practice of sending or distributing sensitive information through manual processes, including email or messaging systems. Relying on email, messaging applications or spreadsheets to distribute secrets increases the risk of human error and unauthorized access. If a user shares secrets through an unencrypted email, that sensitive data is vulnerable to interception by an unauthorized user.

Cloud computing privileges

Cloud computing privileges determine user access to cloud-based resources, such as servers and databases. If an organization grants excessive privileges to a user, it can increase security risks since human error or cyber attacks may lead to data breaches. Organizations often struggle to track access to cloud applications, which may result in privilege creep and unmanaged credentials.

Third-party accounts and remote access

If not properly managed, third-party accounts and those with remote access can introduce security vulnerabilities, especially if vendors or contractors have excessive privileges or outdated credentials. Unauthorized access can lead to data breaches or system compromise through external vendors or remote employees connecting to critical systems with sensitive data.

Secrets management best practices

To mitigate common secrets management challenges, organizations can secure their secrets by managing privileges and authorized users, automatically rotating secrets and regularly updating secrets management policies.

Manage privileges and authorized users

Organizations should manage privileges and authorized users by following the Principle of Least Privilege (PoLP), which grants users and systems access only to what they need to perform their tasks. Role-Based Access Control (RBAC) helps enforce PoLP by assigning permissions based on roles rather than individual users, minimizing the risk of excessive privileges. Multi-Factor Authentication (MFA) should also be enabled for all privileged accounts to add a layer of security and prevent unnecessary or unauthorized access over time.

Rotate secrets

Automated secret rotation is a practice that organizations should follow to reduce the risk of unauthorized access to sensitive information. Frequently updating secrets limits exposure if a secret is compromised. With a centralized secrets management system, organizations can track and update credentials automatically on a predetermined schedule, saving time and reducing the chances of human error.

Differentiate between secrets and identifiers

To protect secrets and improve security, organizations must differentiate between secrets — passwords, encryption keys and tokens — and identifiers, such as usernames, email addresses and device IDs. Secrets must be confidential and closely monitored since they grant direct access to sensitive information, while identifiers should be managed carefully to prevent misuse, but can remain public. Organizations need to store secrets securely and enforce strict access controls to prevent unauthorized use and minimize the risk of exposure.

Regularly review and update secrets management policies

Organizations must regularly review and update their secrets management policies to prepare for more advanced and evolving cyber threats. Updating these policies should include determining who has access to sensitive credentials, revoking outdated or unnecessary secrets and enforcing compliance with regulatory standards. With a centralized secrets management system, organizations can automate policy enforcement to maintain consistency and minimize human error.