How to bring secrets under management

From IC Insider HashiCorp

How Vault Radar can detect credentials not in your secrets management platform.

HashiCorp

What is a secret? A secret is a privileged credential or sensitive data that you want to tightly control access to, such as API keys, encryption keys, passwords, and certificates. This post will look at the state of secrets management and show how HCP Vault Radar can help you find and account for unmanaged secrets.

Secrets management

One of the main challenges with secrets is secret sprawl. Secret sprawl happens when there are unaccounted-for secrets across environments without a plan to manage the lifecycle of those secrets. The solution is secrets management. Secrets management is a strategy for securely storing, rotating, and transmitting secrets to the systems that need to use them. Let’s dive deeper and understand the strategies of secrets management.

Centralization versus decentralization of secrets

It’s just a matter of time before someone gets on your network, behind your castle and moat. It happened in the Target breach, the Neiman Marcus breach, the Google breach, the Equifax breach, the list goes on. From an offensive perspective, it is just a matter of time before an unmanaged secret is compromised.

An unmanaged secret is a secret that does not follow all of your information security best practices and is generally a one-off that must be accounted for post-breach. A common example is a cloud service API key that has been accidentally committed into version control in plaintext.

A managed secret is ideally managed in a centralized platform, so that if a credential is compromised it can quickly be rotated without first having to find the right secret storage location. There are two main types of secrets:

1. Dynamic secrets, which can be rotated via a lease
2. Static secrets, which require a manual, imperative approach to rotation

So the first step is to conduct periodic secret scans and create an environment where secrets are not owned but leased.
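The periodic scan called for above is, at its core, pattern matching over repository contents. The following Python script is an added illustration and is not Vault Radar's or HashiCorp's code: it runs a handful of detection rules over constructed sample files, gates the generic rules on Shannon entropy so placeholders such as "changeme" are not reported, and redacts every match so the finding itself does not become another copy of the secret. The rule names, the entropy threshold, and the sample files are assumptions made for this example; the AWS values are the example credentials from AWS's own documentation, not live keys.

```python
import math
import re
from dataclasses import dataclass

# Detection rules used by this toy scanner. The "AKIA" prefix of an AWS access
# key ID is a publicly documented format; the remaining rules are generic
# heuristics for assignments that look like credentials (assumed for the example).
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("assigned_password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})")),
    ("generic_api_key",
     re.compile(r"(?i)(?:api[_-]?key|secret(?:[_-]?access)?[_-]?key|token)"
                r"\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})")),
]

# Rules whose match must also look random before it is reported, so that
# placeholders such as "changeme" do not flood the results.
ENTROPY_GATED = {"assigned_password", "generic_api_key"}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune per codebase


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # the full secret is never stored or logged


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise which credential leaked."""
    return value[:4] + "****"


def scan_text(path: str, text: str) -> list:
    """Apply every rule to every line of one file and collect redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule in ENTROPY_GATED and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


def scan_files(files: dict) -> list:
    """files maps a repository path to its text content."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents. The AWS values are the example
# credentials from AWS's own documentation, not live keys.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "changeme"  # placeholder, low entropy: not reported\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(constructed placeholder body)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    ".env": "API_KEY=9f8e7d6c5b4a39281706f5e4d3c2b1a0\n",
    "README.md": "Set the password in the Vault Radar settings page.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.rule} {f.redacted}")
```

Running the script reports the access key ID, the secret access key, the private key block and the `.env` API key, while the low-entropy `changeme` placeholder and the README sentence produce nothing. In practice the same logic is walked over the working tree and the commit history, since a secret that was committed once and later removed is still recoverable from history; that is the gap a tool such as Vault Radar is meant to cover continuously rather than as a one-off script.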

A fundamental change in thinking

Secret sprawl grows exponentially in a multi-platform hybrid world, leading to a larger attack surface. This occurs because each cloud service provider and each third-party service has a distinct workflow. Multi-platform hybrid workflows all involve secrets and credentials, and places where they need to interact. As the environment and its complexity grow, so does the secrets management overhead. Streamlining the value chain by reducing the time, risk, and operational overhead with managed secrets is essential to a successful secrets management program.

How to account for unmanaged secrets

HCP Vault Radar is an exciting new addition to HashiCorp Vault’s secrets lifecycle management functionality. Vault Radar facilitates automated scanning and ongoing detection of unmanaged secrets in various code repositories and other data sources. This critical functionality further differentiates HashiCorp Vault’s secrets management offering by allowing organizations to take a proactive approach to remediation before a data breach occurs.

Vault Radar is a powerful tool for detecting and managing secrets sprawl in your organization. To learn more or be selected for the beta program, sign up to receive updates.

Trying out Vault Radar

Prerequisites:

  1. Navigate to the HCP Portal (https://portal.cloud.hashicorp.com).
  2. Navigate to “Get started with Vault Radar”.
  3. Navigate to Settings > Add data source.
  4. Select “GitHub Cloud” (or any other available data source you’d like to scan).
  5. For Organization, enter either your GitHub organization or your GitHub username (username preferred).
  6. Click “Generate a GitHub token…”.
  7. Copy the generated token and paste it into the Configure GitHub Cloud form in Vault Radar.
  8. Select the repositories to be scanned by Vault Radar, or allow all repositories to be scanned.

Once you have completed the setup, Vault Radar will scan the repository contents. You will be presented with an overview dashboard that lists all detected risks, so you can quickly see where you have issues. The dashboard reports high-level metrics and analytics on your code security risks.

Developers and code security analysts will gain the greatest benefit by navigating to the events tab, where every finding is cataloged with a recommended remediation workflow. Each event records when the risk was introduced and who the author was, and provides a link that takes you directly to the location of the data that was found. This information is vital for security teams who require a real-time window into risk within their organization.

Vault Radar encourages bringing secret sprawl under control by migrating the detected secrets into a secrets management tool such as HashiCorp Vault. Once secrets are in Vault, your risk continues to decrease as tighter controls and policies can be applied to them.

The missing piece of secrets management

Secrets management encompasses the full lifecycle of a secret. By leveraging HCP Vault Radar to detect unmanaged secrets, and HashiCorp Vault to store and manage them, your organization can dramatically decrease the risk associated with secret sprawl from the moment a risk is detected.

About HashiCorp

HashiCorp is the leader in multi-cloud infrastructure automation software. The HashiCorp software suite enables organizations to adopt consistent workflows to provision, secure, connect, and run any infrastructure for any application. HashiCorp open source tools Vagrant, Packer, Terraform, Vault, Consul, and Nomad are downloaded tens of millions of times each year and are broadly adopted by the Global 2000. Enterprise versions of these products enhance the open source tools with features that promote collaboration, operations, governance, and multi-data center functionality. The company is headquartered in San Francisco and backed by Mayfield, GGV Capital, Redpoint Ventures, True Ventures, IVP, and Bessemer Venture Partners. For more information, visit www.hashicorp.com or follow HashiCorp on Twitter @HashiCorp.

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.