Overview
Secrets management is the process of controlling IT credentials, such as passwords, application programming interface (API) keys, and configuration files. IT organizations use secrets management to keep sensitive information confidential and up-to-date, while making controlled resources available to the people and systems that need them.
Secrets management is a broad concept. In an enterprise environment, good secrets management typically means having a centralized place to store secrets and integrating that secrets repository with IT automation tools. For software development teams, secrets management can be a part of DevSecOps workflows. In this article, we’ll go into more detail about how enterprise secrets management works and the benefits it can deliver.
How does secrets management work?
Secrets are valuable. That’s why you don’t write your passwords on a sticky note affixed to your computer. (If you do, we strongly recommend better secrets management!) Disclosing a secret can let an attacker access sensitive data or even let them access more secrets and move laterally through your systems.
The alternative to secrets management—the old way—is keeping track of secrets using manual processes. At a basic level, imagine everyone on your team needs access to various accounts from time to time, so you paste all the login credentials into a document and share it with everyone. That might work for a little while, but you’ve granted more access than necessary.
There are many ways this could cause confusion and introduce unnecessary risks. Maybe someone changes a password but forgets to update the list. Or someone copies the list, and now there are multiple versions of it. Or someone erases the list by mistake. Or someone hard codes a password into a script and pushes it to a public repository, exposing a secret to the public. Or someone’s work account gets hacked, and now a bad actor has access to the list—and everything else the list enables access to.
Secrets management offers ways to prevent these problems. It isn’t necessary to maximize every security control all the time. Rather, effective secrets management involves strategically applying security options to reduce the potential for compromised secrets in specific areas. Some of the foundations of good secrets management include:
- Identity and access management (IAM). With IAM, you can handle user authentication through 1 system, then connect the user to other systems from there. Centralized authentication management relies on standards such as lightweight directory access protocol (LDAP) and Security Assertion Markup Language (SAML).
- Encryption of access credentials. Encryption changes a secret into a string that’s unreadable without a decryption key. The Secure Shell (SSH) protocol, widely used for remote access, relies on encryption keys. You can choose from various strengths of cryptographic encryption and adopt standard practices, such as rotating encryption keys, on a weekly schedule. Encryption stands in contrast to encoding, which changes a secret in a standard way anyone can easily change back.
- Role-based access control (RBAC). RBAC provides access to resources based on the user’s role within a team or a larger organization. This allows IT administrators to group users by job function and manage permissions for the whole group at once, rather than 1 user at a time.
- Certificates management. Certificates are cryptographic protocols that protect communication across networks. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates are the standards for internet communication. To establish trust, a server needs a digital certificate issued by a Certificate Authority (CA). SSL certificates need to be renewed on a regular basis, and a secrets management system can automate and control this process.
- Zero trust principles. Gaining popularity in recent years, zero trust is an approach to security architectures that assumes every interaction begins in an untrusted state. Access to sensitive resources is only granted on a granular basis. Zero trust builds on the concept of least privilege, which maintains that users should only get access to the resources they absolutely need.
Secrets management doesn’t rely on any 1 concept or practice. Rather, it’s about unifying a variety of common strategies into a centralized, automated process.
CyberArk centralizes security and secrets management
What are the benefits of secrets management?
Secrets management doesn’t just protect your data, it also improves your overall operations in other key ways:
- Avoiding security islands: By centralizing secrets control, you can prevent instances of only a small group within your organization having specialized access no one else does.
- Identifying bad actors: By implementing strong verification requirements, you can easily cut off would-be hackers and stop their attempts to appear as a credentialed user.
- Automating credentials: By automating your credential verification and admission, you reduce the amount of manual work needed to authenticate users and allow their workflows to continue unimpeded.
What are some approaches to enterprise secrets management?
In an enterprise computing environment, risks are higher and secrets management is more complex. Administrators have to responsibly allocate access to many different systems and data sets, and many users need access to various resources for different periods of time. Enterprise secrets management is a well-developed discipline with many choices, including open source solutions.
Red Hat® Ansible® Automation Platform and Red Hat OpenShift® rely on open standards and provide integration with many secrets management tools. Ansible Automation Platform’s secrets management capabilities include integrations with other major platforms including HashiCorp Vault, CyberArk, AWS Secrets Manager, Azure Key Vault, and more.
HashiCorp Vault
HashiCorp Vault is a centralized platform for IAM and secrets management. Vault provides dynamic, time-limited credentials and helps you maintain a single source of truth for sensitive data. Vault agents can integrate with Red Hat Ansible Automation Platform and Red Hat OpenShift to manage access credentials and certificates across custom IT environments.
Together, Vault and Red Hat Ansible Automation Platform can help you enforce access control as well as compliance auditing and remediation. You’ll gain the benefits of centralized governance, including reduced risks, simpler audits, and assurance that your infrastructure changes are compliant and traceable.
CyberArk
Keep credentials and data safe with Red Hat and CyberArk (2:03)
CyberArk offers an IAM and secrets platform to manage user access to resources. Red Hat Ansible Automation Platform integrates with CyberArk Conjur to help you apply security policies and manage secrets in your application environments, including for use in DevOps and continuous integration and continuous delivery (CI/CD) tools.
You can automatically embed secrets management best practices throughout the DevOps process. This can include provisioning secrets for use by applications, rotating secrets based on organizational security policies, monitoring privileged user access, improving visibility, maintaining compliance standards, and more.
Secrets management in Kubernetes environments
In Kubernetes deployments, such as Red Hat OpenShift environments, applications are organized in fleets of containers, which need access to secrets to communicate with other systems and perform their intended functions.
The 2 primary ways to manage secrets in Kubernetes are as environment variables and volume mounts.
- With environment variables, the secret’s key-value pairs inject directly into the container as environment variables.
- With volume mounts, the secret mounts as a set of files into the container’s filesystem. The application code reads the secret data from these files.
Volume mounts offer various security advantages and are the recommended approach for Red Hat OpenShift. The Red Hat OpenShift security model offers a baseline of protection for environment variables, but defaulting to volume mounts is a step that helps keep secrets as secure as possible.
A related idea, Kubernetes Secrets, uses objects to separate confidential data from an application's code so secrets aren’t exposed in the code itself. This aligns with security architecture practices in GitOps.
Why rely on Red Hat for your approach to security?
Red Hat applies open source security principles to protect communities of customers, contributors, and partners from digital security threats. This includes support for secrets management built into products, as well as integrations with other secrets management solutions.
Red Hat Enterprise Linux® provides a foundation for centralized identity management, authentication, and authorization in highly dynamic and scalable environments.
Red Hat OpenShift offers built-in security controls for container-based application development, including secrets management strategies that align with a DevOps approach.
Red Hat Ansible Automation Platform can help establish centralized automation of secrets management alongside integrations with common secrets repositories.
Security automation with Red Hat Ansible Automation Platform
Red Hat Ansible Automation Platform integrates IT security teams and automates their solutions to investigate and respond to threats in a coordinated way.
