What Is Secrets Management?

• IAM Glossary
• What Is Secrets Management?

Secrets management is the process of organizing, managing, and securing IT infrastructure secrets. A secrets manager is a secure storage system and single source of truth for privileged credentials, API keys and other highly sensitive information used in IT infrastructures.

Keep reading to learn more about secrets management and what you can do to protect your company's data environment.

What Is a Secret?

In an IT data environment, secrets are non-human privileged credentials, most often those used by systems and applications for authentication or as input to a cryptographic algorithm. Secrets unlock applications, services and IT resources containing highly sensitive information and privileged systems.

Common types of secrets include:

• Non-human login credentials
• Database connection strings
• Cryptographic keys
• Cloud service access credentials
• Application programming interface (API) keys
• Access tokens
• SSH (Secure Shell) keys

Why Is Secrets Management Important?

Secrets management is a cybersecurity best practice for consistently enforcing security policies for non-human authentication credentials—ensuring that only authenticated and authorized entities can access resources.

As organizations grow, IT and DevOps teams Encounter a problem called secrets sprawl, where infrastructure secrets are scattered in multiple locations, with different departments, teams, and even team members independently managing the secrets under their control. Meanwhile, IT administrators lack visibility, auditability and alerting on the usage of these secrets.

Secrets Management Best Practices

Because secrets are so numerous – SSH keys alone can number in the thousands – using a secrets management solution like Keeper Secrets Manager is a must. According to the 2021 Global Encryption Trends Study by the Ponemon Institute, 28% of organizations use secrets management solutions to protect secrets, and 33% plan to deploy the use of a secrets management solution within the next year.

However, a technical tool can only do so much! Couple your use of a secrets management tool with the following best practices:

Establish Proper Access Control

After centralizing and securing your secrets with a secrets management solution, the next step is to ensure that only authorized people and systems can access them. This is accomplished through role-based access control (RBAC) combined with privileged access management (PAM) and least-privilege access.

Rotate Secrets and Use Just-In-Time Access

Many secrets, such as keys and certificates, require periodic rotation, usually every 30 to 90 days. A tool like Keeper Secrets Manager can automate this process for you.

In addition to secrets rotation, use just-in-time access whenever possible. This grants human users and applications access to privileged systems on a need-to-know basis for a specified duration. This is a failsafe to prevent privileged credentials from being compromised.

Differentiate Between Secrets and Identifiers

An identifier is how an identity management system or other entity refers to a digital identity. Usernames and email addresses are common examples of identifiers. Identifiers are often shared freely within and even outside of an organization.

Secrets, conversely, are highly confidential. If a secret is compromised, threat actors can use it to access highly privileged systems, and the organization could sustain major or even catastrophic damage.