Securing Secrets Stores

Authentication has been thrust into the spotlight for many corporations over the past year. Authentication solutions have traditionally focused on human to machine interaction and on providing secure access to company assets. This is no longer simple: gone are the days of an easily defined perimeter delineating a trust boundary inside which all users reside.

In addition, with the recent need to support a majority work-from-home workforce, verifying the identities of users and providing secure remote access has become complex. This changing landscape has led security teams to look for ways to rein in the “wild west” of secrets management.

With the move towards zero trust architectures and further efforts to prevent lateral movement, human to machine access is no longer the only form of access security teams need to consider. Not only has the perimeter disappeared for user access, but as businesses continue to adopt cloud platforms and move more critical applications to them, perimeters for critical business services are also disappearing.

The adoption of DevOps processes also means that secrets used for authentication are increasingly being integrated into critical applications and pipelines, making securely managing them a much more complex challenge.

Authenticating Machine to Machine Communications

For example, most communication pathways between services utilize TLS certificates to encrypt data in flight, but where do those certificates live and what controls are in place to protect them?

Most private keys are probably stored on the filesystem of a host in an unencrypted format, and even if they are encrypted, the encryption keys or passphrases are most likely stored in a plain-text file within the same environment. The same issues apply to API keys, which are commonly found in plain text in source code, public code repositories, or configuration files.
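As an added illustration (not part of the original article and not Akeyless code), the following Python script scans a constructed sample of configuration files for the plain-text secrets described above: unencrypted private key blocks, password assignments and API key assignments. The sample file tree, its placeholder values and the regular expressions are all constructed for this example; a real inventory scan would carry more patterns and run over the actual filesystem, but the structure (per-line rules, severity, file and line of each finding) is the same.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample tree standing in for a host's configuration directory.
# None of these values are real credentials; they are placeholders.
SAMPLE_FILES = {
    "app/config.ini": (
        "[database]\nhost = db.internal\npassword = hunter2\n"
        "[vendor]\napi_key = EXAMPLE-API-KEY-0000\n"
    ),
    "certs/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAexample\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "certs/server.crt": "-----BEGIN CERTIFICATE-----\nMIIDexample\n-----END CERTIFICATE-----\n",
    "README.md": "Deployment notes. Nothing sensitive here.\n",
}

# Each rule: (name, severity, regex applied to one line at a time).
# An encrypted key block is reported at lower severity: it is still a secret
# on disk, and its passphrase is usually somewhere nearby in plain text.
RULES = [
    ("unencrypted_private_key", "high",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("encrypted_private_key", "medium",
     re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----")),
    ("plaintext_password", "high",
     re.compile(r"^\s*(?:password|passwd|pwd)\s*[=:]\s*\S+", re.IGNORECASE)),
    ("api_key_assignment", "high",
     re.compile(r"^\s*(?:api[_-]?key|secret[_-]?key|access[_-]?key)\s*[=:]\s*\S+",
                re.IGNORECASE)),
]


def scan_text(path, text):
    """Return findings for one file as (path, rule, severity, line_no) tuples.

    The matched line content is deliberately not returned, so a report of
    findings does not itself become another copy of the secret.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, severity, regex in RULES:
            if regex.search(line):
                findings.append((path, rule, severity, line_no))
    return findings


def scan_tree(root):
    """Walk every regular file under root and collect findings."""
    root = Path(root)
    findings = []
    for file in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = file.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # skip binaries; a fuller scanner would handle them separately
        findings.extend(scan_text(file.relative_to(root).as_posix(), text))
    return findings


def write_sample_tree(root):
    """Materialise the constructed SAMPLE_FILES under root and return root."""
    root = Path(root)
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def scan_sample():
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(write_sample_tree(tmp))


if __name__ == "__main__":
    for path, rule, severity, line_no in scan_sample():
        print(f"{severity.upper():6} {path}:{line_no}  {rule}")
```

The certificate file and the README produce no findings; the key file and the INI file each produce one finding per secret, identified by file and line only.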

However, plain-text storage of secrets is not the only issue. Ephemeral cloud environments break classic indicators of machine to machine identity, such as IP addresses and software hashes, because the environments constantly change.

The result of this complexity is secrets sprawl, as access credentials are placed throughout different parts of the environment and build process. Secrets sprawl makes it a struggle for security teams to keep track of credentials across distributed environments and to detect which identity is accessing which machine.

Secrets appear in various environments, are managed by different administrators, and have no unified management or control. This makes it easy for attackers to compromise secrets and use them to move laterally in an environment, examples of which can be seen in the Capital One and SolarWinds breaches.

There is an increased need to manage these secrets in a better way to reduce the risk of secrets sprawl. Security teams need to gain visibility, auditability, and control around secrets access. The team at TAG Cyber recently spoke with Akeyless about their approach to providing secure secret access for both human to machine and machine to machine interactions.

Distributed Fragmented Secrets

Akeyless provides a unified vault platform built to secure DevOps credentials and access to production resources across hybrid cloud and legacy environments. Akeyless is an all-in-one platform that automates the management of many credential types used for machine to machine and human to machine access, such as passwords, API keys, encryption keys, TLS certificates, and signing keys.

Secrets are stored encrypted using Akeyless’ patented NIST FIPS 140-2 certified technology, called Distributed Fragments Cryptography, which provides a secure secrets store while guaranteeing that Akeyless has no knowledge of customers’ keys and secrets. Secrets are encrypted using a fragmented encryption key, and the fragments are stored across different cloud provider regions and the customer’s own environment. This allows Akeyless to provide a resilient service as well as protection from federal authorities that might, under subpoena, ask for a company’s encryption keys.
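The details of Akeyless’ patented Distributed Fragments Cryptography are not on this page, so the following added example (not the article’s or Akeyless’ code) uses the simplest n-of-n key fragmentation scheme, XOR splitting, to show the property the paragraph relies on: every fragment must be present to rebuild the encryption key, and any proper subset of fragments is statistically independent of the key. It also shows a proactive refresh, which re-randomises all fragments without changing the key, so a fragment copied from one location becomes useless once the set is refreshed. The location names and the `FragmentStore` layout are assumptions made for the example.

```python
import secrets


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("fragments must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, n):
    """Split key into n fragments whose XOR is the key.

    n-1 fragments are uniformly random; the last one is chosen so that the
    XOR of all n equals the key. Any n-1 of them are therefore uniformly
    random and carry no information about the key on their own.
    """
    if n < 2:
        raise ValueError("need at least two fragments")
    fragments = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for fragment in fragments:
        last = xor_bytes(last, fragment)
    fragments.append(last)
    return fragments


def combine_fragments(fragments):
    """XOR all fragments together; only the full set yields the key."""
    acc = bytes(len(fragments[0]))
    for fragment in fragments:
        acc = xor_bytes(acc, fragment)
    return acc


def refresh_fragments(fragments):
    """Re-randomise every fragment without changing the combined key.

    The deltas XOR to zero, so XORing each fragment with its delta leaves
    the XOR of the whole set unchanged while every individual fragment changes.
    """
    size = len(fragments[0])
    deltas = [secrets.token_bytes(size) for _ in range(len(fragments) - 1)]
    last = bytes(size)
    for delta in deltas:
        last = xor_bytes(last, delta)
    deltas.append(last)
    return [xor_bytes(f, d) for f, d in zip(fragments, deltas)]


def place_fragments(fragments, locations):
    """Map each fragment to a distinct storage location (assumed names)."""
    if len(set(locations)) != len(fragments):
        raise ValueError("one distinct location per fragment")
    return dict(zip(locations, fragments))


def reconstruct_key(placed, available):
    """Rebuild the key only if every location's fragment is available."""
    missing = [loc for loc in placed if loc not in available]
    if missing:
        raise PermissionError(f"cannot reconstruct: fragments missing from {missing}")
    return combine_fragments([placed[loc] for loc in placed])


if __name__ == "__main__":
    # Constructed demonstration key; a real key would come from a CSPRNG.
    key = secrets.token_bytes(32)
    placed = place_fragments(split_key(key, 3),
                             ["cloud-region-a", "cloud-region-b", "customer-env"])
    assert reconstruct_key(placed, set(placed)) == key
    try:
        reconstruct_key(placed, {"cloud-region-a", "cloud-region-b"})
    except PermissionError as exc:
        print(exc)
```

Any real deployment would wrap this with authenticated channels to each location and use the reconstructed key only transiently, in memory, to derive per-secret keys; the point here is the algebra that makes a single stolen fragment worthless.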

Dynamic secrets are a great way to handle the complexity of authentication in a DevOps environment because they can be short lived and specific to an instance of a service. The secrets can be revoked quickly when needed, and an audit trail is provided for each secret, giving security teams a complete management solution. Akeyless also provides analytics around secrets posture and usage, as well as integrations with central SIEM platforms, which allows the solution to fit easily into most security toolsets.
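To make the lifecycle described above concrete, here is an added example (not code from the article or from Akeyless) of a minimal dynamic-secret broker in Python: each credential is issued under a lease with a TTL, is tied to one principal and one target service, can be revoked early, expires on its own, and every lifecycle event lands in an audit trail that records the lease identifier but never the credential value. The injectable clock, the `Lease` fields and the event names are assumptions made for the example; a real broker would also create and delete the credential on the target system.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    principal: str      # who asked for the credential (e.g. a pipeline job)
    target: str         # which service the credential is for
    credential: str     # the short-lived secret itself
    issued_at: float
    expires_at: float
    state: str = "active"   # active | revoked | expired


class DynamicSecretBroker:
    """Issues per-request, short-lived credentials and keeps an audit trail."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._leases = {}
        self.audit_log = []

    def _audit(self, event, lease, detail=""):
        # Log identifiers and timing only; the credential never enters the log.
        self.audit_log.append({
            "ts": self._clock(), "event": event, "lease_id": lease.lease_id,
            "principal": lease.principal, "target": lease.target, "detail": detail,
        })

    def issue(self, principal, target, ttl_seconds):
        """Mint a fresh credential bound to one principal and one target."""
        if ttl_seconds <= 0:
            raise ValueError("ttl must be positive")
        now = self._clock()
        lease = Lease(
            lease_id=secrets.token_hex(8), principal=principal, target=target,
            credential=secrets.token_urlsafe(24),
            issued_at=now, expires_at=now + ttl_seconds,
        )
        self._leases[lease.lease_id] = lease
        self._audit("issue", lease, f"ttl={ttl_seconds}s")
        return lease

    def is_valid(self, lease_id):
        """True only while the lease is active and its TTL has not elapsed."""
        lease = self._leases.get(lease_id)
        return bool(lease) and lease.state == "active" and self._clock() < lease.expires_at

    def revoke(self, lease_id, reason):
        """Early revocation, e.g. when a job finishes or compromise is suspected."""
        lease = self._leases.get(lease_id)
        if lease is None or lease.state != "active":
            raise ValueError(f"lease {lease_id} is not active")
        lease.state = "revoked"
        self._audit("revoke", lease, reason)

    def expire_stale(self):
        """Housekeeping pass: mark leases whose TTL has elapsed and return their ids."""
        now = self._clock()
        expired = []
        for lease in self._leases.values():
            if lease.state == "active" and now >= lease.expires_at:
                lease.state = "expired"
                self._audit("expire", lease, "ttl elapsed")
                expired.append(lease.lease_id)
        return expired

    def events_for(self, target):
        """Audit trail filtered to one target service, in issue order."""
        return [e for e in self.audit_log if e["target"] == target]


if __name__ == "__main__":
    broker = DynamicSecretBroker()
    lease = broker.issue("ci-pipeline", "postgres-prod", ttl_seconds=300)
    print("valid:", broker.is_valid(lease.lease_id))
    broker.revoke(lease.lease_id, "pipeline finished")
    for event in broker.events_for("postgres-prod"):
        print(event["event"], event["lease_id"], event["detail"])
```

The `events_for` view is the shape a SIEM integration would consume: one record per issue, revoke or expire, keyed by lease, principal and target, which is exactly the visibility and auditability the article says security teams lack today.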

Secrets storage and management are difficult and complex, which makes a secrets management platform a vital part of any security program. Akeyless provides a complete solution that allows security teams to protect their DevOps and legacy on-premises environments while ensuring audit and compliance standards are met. The fragmented approach Akeyless takes requires platform resilience and assurance, and they will need to prove stability to earn the trust of larger corporations before those corporations will consider it.

There is also a lot of competition from cloud providers and other companies in the secrets management space, but overall the distributed fragmented key approach that Akeyless takes provides a seamless solution for multi-cloud environments and makes them a strong market contender.