Originally published by New Context.
If you’ve ever played a game of rock-paper-scissors, you may not have even realized that you were also learning one of life’s greatest lessons. The fact that paper is an adequate defense against the rock, yet will not protect from the scissors, accurately demonstrates the truism that choosing the best security for one threat does not mean we are, in fact, completely secure. Effective security management means that we apply the best defense to counter a specific threat. Multiple threats means multiple defenses, which is why you often hear security experts talk about “layers” of protection. This is the core concept of “defense in depth.”
This lesson directly applies to protecting your enterprise’s computing resources, and there is no aspect of cloud computing that is more important than secrets management. After all, all your well-planned layers of security are immediately rendered moot if an attacker gets a hold of the keys. Managing your cloud architecture and its resources depends upon knowing what security vulnerabilities there are and devising a plan to deal with the threats. In order to secure your data and resources, it is imperative that you employ secrets management which controls the credentials needed to access your system. Doing so effectively means exploring the secrets management tools that are available and choosing the best ones based upon your cloud architecture and needs. The information presented in this article will help you perform this critical task.
It would be virtually impossible to list all of the possible secrets management tools that are available. However, it is possible to take a look at a representative list of options of the types of capabilities and functionality that exist—this will give you an idea of the types and range of features that can help you solidify your security practices. Here are 10 representative tools to start with:
Amazon Web Services (AWS) Secrets Manager is a highly utilized tool for protecting your IT resources and applications from unauthorized access. One of the highlights of this tool is the virtually unlimited secrets size.
Berglas is a command-line tool that works easily with Google Cloud services. Application secrets such as certificates, passwords, and API keys are the primary focus. Encryption is done using a GCM cipher and data is limited to 64GB.
Google’s tool, Cloud KMS, provides cryptographic key management. Both automatic and manual key rotation are available, but the greatest assets of this tool are its availability and scalability.
Developed by Lyft, Inc.—better known for their transport services—Confidant is intended to be a user-friendly tool for managing secrets. It integrates with AWS Key Management Service (KMS) and Identity and Access Management (IAM) to generate authentication tokens that are verified by Confidant.
Docker, an application development platform, provides an easy way to create and deploy secrets to containers. However, this service is not available for standalone containers.
Another tool for handling secrets that focuses on user-friendliness is Keywhiz by Square. The tool supports multi-cloud environments and multiple applications.
Knox is a development of Pinterest. The tool uses the REST API framework for user communication and temporary and volatile storage for keys. The tool can also be used with Docker.
Another well-known and highly implemented tool is the Azure Key Vault. With this tool, there is no direct access to keys by applications. SSl/TLS certificate tasks are automated and utilize FIPS 140-2 Level 2 and Level 3 validated HSMs.
Strongbox allows you to access tokens, private certificates, and encryption keys. As a client-side convenience, layered authentication can be faster. The tool supports cloud storage using iCloud, Dropbox, OneDrive, Google Drive, WebDAV and other platforms.
Many developers consider Vault to be the best secrets management tool available. Vault is API-driven and integrates with many cloud architectures and platforms. A highlight of the tool is auto-rotation of secrets, which is recommended as a standard for the highest quality in security management.
The best options available for most enterprise operations fall into one of two categories:
1. Store secrets using native management features built into your tools.
Most application development platforms offer some form of secrets management. For example, container-based Kubernetes includes the capability to manage secrets, while Ruby on Rails can natively encrypt your credentials. However, security best practices may dictate the use of a separate third-party tool, such as those listed above, to raise your security posture to the level that you require.
2. Use a dedicated secrets management service.
Although, the secrets management tools list above is not exhaustive; it does illustrate the breadth of options that are available to secure access to your IT resources. Most of these tools can be integrated directly into your cloud architecture, living natively within the confines of your company’s application space. This commonly considered the “most secure” option since it removes third party hosting; however, in some cases converting to one of the preferred externally hosted platforms for your tool of choice may provide even greater security. Remember, your corporate environment is the attackers primary target; by moving your secrets to an external location, you add multiple layers of security between the attackers and your secrets management.
Secrets management is not only critical for the security of your operations and resources, it can be quite complex due to the many considerations that should inform your choice of tool. Therefore, deciding to partner with an experienced and proven DevSecOps provider that is committed to the highest level of security in the cloud may be the best choice for your secrets management.