Secrets Management covers the methods and tools used to keep critical information secure. Most people think of it as simply managing their passwords. For a sysadmin, it means managing passwords, other sensitive material such as API and access keys and SSL/TLS certificates, and being able to confidently control who has access to all of it.

Secrets must be kept secure, and there must be high confidence that they cannot be exposed accidentally. They must also be kept in such a way that, if they are exposed, they can quickly be made secure again, for example by revoking and reissuing them. Because no single security control is 100% foolproof, a layered approach is needed to protect your secrets.

You have to store your secrets somewhere, and Encryption at Rest is what protects stored secrets from exposure if someone gets hold of the storage itself. For example, imagine that you keep your passwords on an encrypted hard drive. A thief who steals the drive cannot use the passwords, because the data is encrypted whenever it is not in use. Be clear about what this does and does not cover: it protects against a stolen disk, a leaked backup or a copied database file, but not against an attacker on the running system where the decryption key is already loaded. The key therefore has to be stored and protected separately from the encrypted data.
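To make the stolen-drive scenario concrete, here is an added example, not code from the original article, of a small encrypt-at-rest routine in Python using only the standard library. Because the standard library has no authenticated cipher, it uses a textbook encrypt-then-MAC construction (HMAC-SHA256 in counter mode for the keystream, a second HMAC-SHA256 key for the tag) with scrypt deriving both keys from an operator passphrase; in production you would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library. The passphrase, function names and sample secret are invented for the example.

```python
"""Encryption at rest for a secrets file, using only the Python standard library.

Added example, not from the original article. The standard library has no
authenticated cipher, so this uses a textbook encrypt-then-MAC construction:
HMAC-SHA256 in counter mode as the keystream, plus a second HMAC-SHA256 key
for the authentication tag. It is here to show the properties encryption at
rest must provide; production code should use a vetted AEAD such as AES-GCM
or ChaCha20-Poly1305 from a maintained library.
"""
import hashlib
import hmac
import secrets

SALT_LEN = 16   # per-file salt for the key derivation
NONCE_LEN = 16  # per-encryption nonce for the keystream
TAG_LEN = 32    # HMAC-SHA256 output size


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    # scrypt makes brute-forcing the passphrase from a stolen file expensive.
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]   # independent keys for encryption and authentication


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag, safe to write to disk."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on wrong key or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare, before any decryption
        raise ValueError("wrong passphrase or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Model the stolen-disk scenario: the attacker has the blob but not the passphrase."""
    secret = b"db_password=correct-horse-battery-staple"   # constructed sample secret
    blob = seal("operator passphrase", secret)
    results = {
        "plaintext_visible_on_disk": b"correct-horse" in blob,
        "roundtrip_ok": open_sealed("operator passphrase", blob) == secret,
    }
    try:
        open_sealed("thief's guess", blob)
        results["wrong_passphrase_rejected"] = False
    except ValueError:
        results["wrong_passphrase_rejected"] = True
    tampered = bytearray(blob)
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01   # flip one ciphertext bit
    try:
        open_sealed("operator passphrase", bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results
```

What the demo shows: the blob written to disk contains no trace of the plaintext, a wrong passphrase or a single flipped bit is rejected before any plaintext is produced, and the only thing that turns the file back into secrets is the passphrase, which is exactly what must not be stored next to the file.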

Even if your secrets are encrypted at rest, you will eventually need to decrypt them for use. While a secret is ‘in transit’ it should stay encrypted, and the decryption should happen as close as possible to where the secret is actually used.

The goal here isn’t just to prevent man-in-the-middle attacks. If you can keep the secret encrypted until the moment it is consumed, you can also prevent the people handling it from ever learning its value. This is a great advantage from a security standpoint, because a user can’t expose a secret they don’t know; you no longer have to worry about someone writing it down or pasting it somewhere it doesn’t belong. The process that finally uses the secret still holds it in plaintext, so that endpoint must be protected as well.

Automatic Secret Rotation is the ability of a secrets management solution to change a secret on its own. For example, you may store an SSL/TLS certificate in your secrets management solution and need to renew it every few months. The solution should handle that renewal for you so that you never have to make the change by hand. The same feature is part of removing a user’s access to a shared secret: after you remove a user’s access to a password, the system should automatically rotate that password. The removed user is left holding a value that is no longer valid, while the users who still need the password keep getting the current value through your secrets management solution.

It is not enough to secure your secrets; you must also be able to prove that they are secure and are being used properly. That means being able to Audit your setup. An audit can take several forms, but it should include the ability to see which users have access to which secrets, as well as a record of when secrets were changed, who has used them, what operations were performed and who performed them.

These logs are your protection against authorized people doing things they shouldn’t, because every change and every access is now a matter of record. They only serve that purpose if the people they record cannot alter or delete them.
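The rotation-on-revocation behaviour described above and the audit record this section asks for can be sketched together. The following is an added example, not code from the original article or from any particular product: a toy in-memory store with versioned secrets, a per-secret reader list, automatic rotation when a reader is removed, and an append-only audit log. The store’s API, the user names and the secret path are invented for illustration; real tools such as HashiCorp Vault or a cloud secrets manager expose the same concepts.

```python
"""Versioned secret store with access control, rotation and an audit trail.

Added example, not from the original article. The store, its API and the
sample users are invented for illustration; real deployments use a product
such as HashiCorp Vault or a cloud secrets manager, which expose the same
concepts (versions, access policies, rotation, audit logs).
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class SecretVersion:
    version: int
    value: str
    created_at: str


@dataclass
class AuditEvent:
    when: str
    actor: str
    action: str   # create | rotate | read | revoke | denied
    secret: str
    detail: str = ""


class AccessDenied(PermissionError):
    pass


class SecretStore:
    def __init__(self) -> None:
        self._versions: dict[str, list[SecretVersion]] = {}
        self._acl: dict[str, set[str]] = {}
        self.audit: list[AuditEvent] = []   # append-only record of everything that happened

    def _log(self, actor: str, action: str, secret: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(_now(), actor, action, secret, detail))

    def create(self, admin: str, name: str, readers: set[str]) -> int:
        self._acl[name] = set(readers)
        self._versions[name] = []
        self._log(admin, "create", name, f"readers={sorted(readers)}")
        return self.rotate(admin, name)

    def rotate(self, actor: str, name: str) -> int:
        # Generate a fresh value; old versions stay on record but are no longer current.
        versions = self._versions[name]
        new = SecretVersion(len(versions) + 1, secrets.token_urlsafe(32), _now())
        versions.append(new)
        self._log(actor, "rotate", name, f"version={new.version}")
        return new.version

    def revoke(self, admin: str, name: str, user: str) -> int:
        self._acl[name].discard(user)
        self._log(admin, "revoke", name, f"user={user}")
        # The removed user may have memorised or copied the old value, so rotate
        # immediately: remaining readers fetch the new value, the old one dies.
        return self.rotate(admin, name)

    def read(self, actor: str, name: str) -> str:
        if actor not in self._acl.get(name, set()):
            self._log(actor, "denied", name)   # failed attempts are evidence too
            raise AccessDenied(f"{actor} may not read {name}")
        current = self._versions[name][-1]
        self._log(actor, "read", name, f"version={current.version}")
        return current.value

    def is_current(self, name: str, value: str) -> bool:
        # What the consuming system (e.g. the database) checks when a credential is presented.
        return hmac.compare_digest(value, self._versions[name][-1].value)

    def who_can_read(self, name: str) -> list[str]:
        return sorted(self._acl.get(name, set()))

    def history(self, name: str) -> list[AuditEvent]:
        return [e for e in self.audit if e.secret == name]


def demo() -> dict:
    """Walk-through: shared secret, one reader removed, automatic rotation, audit trail."""
    store = SecretStore()
    name = "prod/db-password"   # invented secret path
    store.create("alice", name, readers={"alice", "bob"})
    bob_copy = store.read("bob", name)      # bob legitimately fetches the secret
    store.revoke("alice", name, "bob")      # bob is offboarded; the store rotates
    try:
        store.read("bob", name)
        bob_denied = False
    except AccessDenied:
        bob_denied = True
    alice_copy = store.read("alice", name)  # alice still gets the current value
    return {
        "bob_old_copy_still_valid": store.is_current(name, bob_copy),
        "bob_denied_after_revoke": bob_denied,
        "alice_has_current": store.is_current(name, alice_copy),
        "readers": store.who_can_read(name),
        "actions": [e.action for e in store.history(name)],
    }
```

Running the walk-through leaves Bob with a credential the database no longer accepts, Alice with the current one, and an audit trail that records the creation, both rotations, Bob’s earlier read, the revocation and Bob’s denied attempt, which is exactly the evidence the audit section asks for.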

It is important to know how to choose a secrets management solution. Any security expert should be able to explain best practices for secrets management and propose a solution that is extremely secure against a wide range of threats.

However, it isn’t always reasonable to deploy the absolute best solution every time. In a business environment you also have to weigh the cost of deploying a system and its usability for end users. Start by assessing the threats you are likely to face and prioritize a solution that protects against those. Then determine what such a solution costs and how end users will interact with it. Sometimes you only need to examine a system that is already in place and offer options for improving its security posture.

For example, a multi-billion-dollar company will need a geographically distributed, highly available solution with everything built in: multiple servers spread across the globe and fine-grained access control.

If, however, you are helping a family member manage their passwords on their own computer, you may want to suggest a free browser extension instead of a large and complex security solution.

Security isn’t something you achieve once and never have to think about again. A good secrets management solution will update itself to protect against threats as they are discovered and will do its best to keep users from exposing secrets, but you can’t expect even the best software to do everything for you.

You should always be considering your security posture and ways to improve it.

Similarly, anyone you share secrets with should have at least a basic understanding of security. Not everyone can be expected to be a security expert, but you should still look for ways to help others improve their own security posture.