Why secrets management is key to securing your systems [Q&A]
The shift towards cloud and hybrid models of IT along with containerization has placed greater emphasis on the need for secure authentication, whether it’s via passwords, certificates or keys.
Managing these 'secrets' effectively is therefore key to keeping systems secure. We spoke to Oded Hareven, co-founder and CEO at Akeyless Security to find out more.
BN: What is driving the need for secrets management and why is this happening now?
OH: Three key trends have contributed to the current need for secrets management: the move to the cloud, the dominance of containerization in development, and new DevOps methodology. These have led to a rise in machines -- processes, scripts, applications, containers and databases, among others. These machines require authentication and authorization continuously via secrets -- credentials, certificates and keys -- which must be continuously accessible for the applications that power organizations to run.
Because of this need, these secrets were initially embedded in vulnerable code, scripts, configuration files and CI/CD tools where they could be easily accessed -- a phenomenon called 'secrets sprawl'. This sprawl led to a rise of increasingly prominent hacks and leaks of credentials and keys, such as those experienced by Uber, Nvidia, and LastPass. It is no surprise, then, that secrets management has become a top priority of security professionals and teams.
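The 'secrets sprawl' described above is something a team can measure rather than guess at. The following scanner is an added illustration (not code from Akeyless or from BetaNews) that walks a configuration or source file line by line and flags three common sprawl patterns: an AWS access key ID (the `AKIA` prefix format AWS documents), a PEM private-key header, and a generic `password=`/`api_key:`/`token:` assignment. References to an external store (`${DB_PASSWORD}`) and obvious placeholders (`<redacted>`) are skipped so the report stays credible, and matched values are redacted before they are reported so the scan output does not itself become a leak. The sample file contents, the rule names and the `Finding` type are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Detection rules: name -> compiled regex. The AWS key-ID shape is the
# documented AKIA + 16 uppercase alphanumerics; the generic assignment rule is
# deliberately broad and relies on the placeholder filter below to limit noise.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s,;]+)"
    ),
}

# Values that look like secrets but are references to a secrets store or
# obvious placeholders; reporting them trains people to ignore the scanner.
PLACEHOLDER = re.compile(
    r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]+>|\{\{.*\}\}|changeme|xxx+|\*+)$", re.I
)


@dataclass
class Finding:
    line_no: int
    rule: str
    preview: str  # redacted, so the report does not leak the secret it found


def redact(value: str) -> str:
    """Keep the first four characters so a human can locate the value, mask the rest."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, skipping placeholder values."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(2) if name == "generic_assignment" else m.group(0)
            if name == "generic_assignment" and PLACEHOLDER.match(value):
                continue
            findings.append(Finding(line_no, name, redact(value)))
    return findings


# Constructed sample: a settings file with secrets sprawled into it. The AWS
# key ID is the example value from AWS documentation, not a live credential.
SAMPLE = """\
# constructed sample: a settings file with secrets sprawled into it
DB_HOST=db.internal
DB_PASSWORD=Tr0ub4dor&3
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key: "${API_KEY}"
token: "<redacted>"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.preview}")
```

Run against a repository, a scanner like this is a baseline, not a cure: every hit is a credential that should move into a managed store and be rotated, because a secret that has ever been committed has to be treated as exposed.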
BN: How does secrets management work?
OH: Secrets management includes the secure storage, access, rotation, and monitoring of secrets (credentials, certificates, and keys) used for machine and application access in an organization. These solutions typically offer features such as encryption, access controls, auditing, and automation. Proper secrets management also involves the regular rotation of secrets to mitigate the impact of potential breaches or unauthorized access, and the generation of dynamic or temporary secrets, which ensure that there are no standing privileges left as an open door to hackers.
In the past, secrets have typically been stored in a vault or repository that may be restricted to self-deployed or on-prem environments. However, this 'vault-based' secrets management was more appropriate for the 'old world' of physical perimeters. As computing and development environments have evolved to include microservice-based applications spread over multiple cloud environments and regions that require highly accessible, secure machine-to-machine communications, second-generation vault solutions have not kept up. This has hindered the adoption of secrets management even in the face of growing hacks, particularly of machine identities and credentials.
Today, more organizations are moving to 'vaultless' secrets management. The vaultless approach is built on cloud-native SaaS architecture, which is more appropriate for multi-cloud, multi-region environments that require constant access to secrets. At the same time, it uses technological solutions to ensure that only the organization has access to its secrets.
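The answer above lists what a secrets manager does: store secrets, gate access to them, rotate them, audit every use, and issue dynamic, short-lived credentials so that no standing privilege is left open. The following in-memory broker is an added example, not Akeyless code or any product's API, that models each of those functions in one small class: per-principal policy decides who may request which role, dynamic leases carry a fresh credential and a TTL, static secrets are rotated with a short grace window of previous versions, and an append-only audit trail records every decision. The class and method names (`DynamicSecretsBroker`, `issue`, `validate`, `rotate_static`), the policy keys and the 'billing-svc' principal are all constructed for this illustration; storage is a plain dict, where a real deployment would encrypt at rest.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    principal: str
    role: str
    credential: str
    expires_at: float
    revoked: bool = False


@dataclass
class StaticSecret:
    versions: list        # newest last; older versions kept only for a grace window
    rotated_at: float


class DynamicSecretsBroker:
    """Hypothetical broker: access control, dynamic leases, rotation and audit."""

    def __init__(self, policy, ttl_seconds=300, clock=time.time):
        self.policy = policy              # principal -> set of roles it may request
        self.ttl = ttl_seconds
        self.clock = clock                # injectable so expiry is testable
        self.leases: dict[str, Lease] = {}
        self.static: dict[str, StaticSecret] = {}
        self.audit: list[dict] = []       # append-only monitoring trail

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock(), "event": event, **fields})

    # --- dynamic, just-in-time credentials ---------------------------------
    def issue(self, principal, role) -> Lease:
        if role not in self.policy.get(principal, set()):
            self._log("denied", principal=principal, role=role)
            raise PermissionError(f"{principal} may not request role {role!r}")
        lease = Lease(
            lease_id=secrets.token_hex(8), principal=principal, role=role,
            credential=secrets.token_urlsafe(24),   # fresh per lease, never reused
            expires_at=self.clock() + self.ttl,
        )
        self.leases[lease.lease_id] = lease
        self._log("issued", principal=principal, role=role, lease_id=lease.lease_id)
        return lease

    def validate(self, lease_id, credential) -> bool:
        lease = self.leases.get(lease_id)
        ok = (
            lease is not None
            and not lease.revoked
            and self.clock() < lease.expires_at
            and secrets.compare_digest(lease.credential, credential)  # constant-time
        )
        self._log("validate", lease_id=lease_id, ok=ok)
        return ok

    def revoke(self, lease_id):
        if lease_id in self.leases:
            self.leases[lease_id].revoked = True
            self._log("revoked", lease_id=lease_id)

    # --- static secrets with scheduled rotation -----------------------------
    def put_static(self, name, value):
        self.static[name] = StaticSecret(versions=[value], rotated_at=self.clock())
        self._log("stored", name=name)

    def rotate_static(self, name, new_value, keep_versions=2):
        s = self.static[name]
        s.versions.append(new_value)
        del s.versions[:-keep_versions]   # drop anything older than the grace window
        s.rotated_at = self.clock()
        self._log("rotated", name=name, versions=len(s.versions))

    def get_static(self, principal, name) -> str:
        # Static reads go through the same policy, keyed as "static:<name>".
        if f"static:{name}" not in self.policy.get(principal, set()):
            self._log("denied", principal=principal, name=name)
            raise PermissionError(f"{principal} may not read {name!r}")
        self._log("read", principal=principal, name=name)
        return self.static[name].versions[-1]

    def overdue_rotations(self, max_age_seconds) -> list[str]:
        """Names of static secrets whose last rotation is older than the limit."""
        now = self.clock()
        return sorted(n for n, s in self.static.items() if now - s.rotated_at > max_age_seconds)


if __name__ == "__main__":
    broker = DynamicSecretsBroker({"billing-svc": {"db-readonly"}}, ttl_seconds=60)
    lease = broker.issue("billing-svc", "db-readonly")
    print("valid now:", broker.validate(lease.lease_id, lease.credential))
    for entry in broker.audit:
        print(entry)
```

The point the example makes is the one in the answer: a caller that needs database access gets a lease that expires on its own, so a credential captured from a log or a crashed container stops working within the TTL, and the audit list shows exactly which principal obtained which role and when.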
BN: What's important for organizations to look for in a secrets manager?
OH: When selecting a secrets manager, organizations should consider the following aspects:
- Cloud-native, SaaS architecture: SaaS-based secrets management significantly reduces engineering time and computing resources required for secrets management, while ensuring the high availability and data recovery that enterprises require for mission-critical secrets. A SaaS solution is quick to deploy and easy to maintain, with high availability and data recovery guaranteed by the vendor.
- Support for different types of secrets: The secrets manager should be capable of handling various types of secrets, including static secrets, regularly rotated secrets, and temporary dynamic secrets for Just-in-Time access.
- Connectivity and integration: The solution should easily integrate with existing DevOps workflows and tools to ensure seamless adoption by different teams. DevOps teams shouldn’t be slowed down by their need for secrets management. The secrets manager should support automated processes and provide APIs for easy integration.
- Scalability and flexibility: The secrets manager should be able to handle the scale and complexity of the organization's secrets management needs, including hybrid and multi-cloud infrastructures. It should support growth across regions and business units and be adaptable to evolving requirements.
- Zero knowledge, security and compliance: The secrets manager should provide robust security features, such as zero knowledge, which ensures that only the organization itself, and not the vendor, has full access to encryption and decryption keys. Other key security functionality includes encryption of stored secrets, access controls, and auditing capabilities. The solution should also comply with relevant security and privacy regulations.
And of course, superior usability and an intuitive user experience, with a user-friendly interface, easy configuration, and efficient workflows, will ensure that the solution is actually used.
By considering these factors, organizations can choose a secrets manager that meets their specific requirements and effectively addresses their secrets management challenges.
BN: What makes Akeyless unique as a secrets management platform?
OH: Akeyless stands out in that it offers comprehensive SaaS-based, vaultless secrets management, based on a distinctive architecture that prioritizes control and security for its customers. This provides three key benefits:
- Ease of deployment, management and use: The Akeyless vaultless approach is built on cloud-native SaaS architecture, so that no engineering time is needed to keep the secrets manager running and available in any region, any cloud, any time. Vaultless secrets management is also light and frictionless: zero deployment, because there are no vaults to install; zero maintenance, with no software to maintain or updates to download; and zero scalability issues, allowing organizations to seamlessly scale without adding new clusters.
- Low Total Cost of Ownership: One of the advantages of a SaaS-based, Vaultless solution is that high availability and data recovery are available out of the box, with no need for computing or engineering resources in-house. It is also less expensive to scale with the organization, with no costs for additional clusters.
- Advanced security: The Vaultless approach is secure and 'key-less' by design, using the Akeyless DFC technology. With DFC, Distributed Fragments Cryptography, we are able to encrypt, decrypt and sign secrets using completely separated fragments that are created as such and are never combined: simply put, keyless encryption. Additionally, we’re able to provide a true zero knowledge cloud service by locating one fragment in the organization’s workload environment.
The combination of Akeyless as a SaaS solution and its unique architecture positions it as the leading enterprise-ready SaaS-based secrets management platform on the market. By providing a simplified user interface and removing the complexities associated with traditional solutions, Akeyless expedites deployment and enhances adoption rates, leading to a more efficient and secure secrets management process.
BN: What upcoming trends would you point to in this area?
OH: There are two main trends to consider:
- Secrets sprawl: The number of machines (scripts, containers, applications, processes and more) continues to grow at an exponential rate, and so we expect the problem of secrets sprawl described above to become even more acute.
- Convergence of Identity and Cryptographic Management: We expect to see the convergence of Identity and Access Management (IAM), Public Key Infrastructure (PKI), and Cryptography Infrastructure, establishing a unified approach to securing and managing credentials, certificates, and keys. Historically, PKI and IAM have been managed separately, leading to silos and fragmented processes. But both technological (the rise of DevOps and automation) and philosophical (the recognition of the need to secure both human and machine identities) developments have reinforced the need for convergence.