A Forrester study showed that as many as 57% of IT security and business leaders experienced a security incident related to exposed secrets from insecure DevOps processes, and 71% of respondents wanted to centralize automated secrets management solutions into tools that developers can directly use.
DevOps services encourage automation in order to achieve scale, but security is traditionally manual, gate-driven, and process-heavy.
Enterprises want fast results. They need to make coding easier and faster, and towards this, some corners may be cut – often at the cost of security. One example is the hard-coding of credentials/passwords, which can make coding easier and faster at the cost of healthy secrets management.
What are secrets in Devops ?
Secrets in DevOps are essentially digital credentials such as usernames and passwords, SSH keys, encryption keys, or API tokens. These digital identifiers, if mismanaged, can result in data breaches and intellectual property theft.
As organizations move to cloud-based development environments, privileged secrets are shared across business ecosystems using automation tools. While this accelerates the pace and agility of computing environments, new security gaps are opened at the interconnections of these systems.
If adequate care is not taken, developers can accidentally leak confidential information through APIs or cryptographic keys on code repositories such as GitHub. In a report from a few years ago, a scan of billions of files from 13% percent of GitHub’s public repositories over six months revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets daily.
The problem is not on code repositories alone, but an overall lack of security hygiene, especially when it comes to secrets which are key to the entire project. There is a risk of secrets sprawl and blind spots, where too many developers have privileged access to key secrets, and/or the DevOps team is not aware of who all have that privileged access.
The solution is to use user-friendly, inexpensive, and well-integrated secrets management tools – which, currently, are used by only 5% of Forrester respondents.
Best Practices to Manage Secrets in DevOps
- Using the right tools
First of all, use a secrets management automation tool. All major CSPs provide secret storage in their environment, for example Azure has Keyvault, AWS has AWS secrets management and GCP has Secret Manager. Your secrets management tool should function as an extension of your Privileged Access Management (PAM). Ensure the tool is centrally managed and developers cannot opt out! Make it as low-effort as possible.
- Leverage automation for convenience and safety
Instead of using hard-coded credentials in a particular application code base, secret management within the CSPs environment allows you to call on the required credentials through an API which allows for convenient access to the credentials wherever necessary. There is no risk of loss or corruption of these credentials as they are maintained and stored within the CSPs and following the security and encryption protocols, placing the responsibility of their safe storage with the CSP.
SecDevops projects have been handled and carried out by the team at CloudNow on several of it’s projects. Call our DevOps experts to find out how this can benefit your next development effort.