By Bryan Krausen: Author, Instructor, and VP, Consulting Services at RPT
So why is secrets management so important? Regardless of the type of environment you work in, there will be privileged credentials needed by applications, users, or other software platforms to manage your environment. Secrets can be anything your organization deems confidential and could cause harm to the company if shared or exposed. Examples could be database credentials to read customer data, a private key used to decrypt communications to your app server, or domain admin creds used by your vulnerability scanner during nightly runs. Managing these privileged credentials is an essential process that is critical to an organization’s security posture.
Secrets are used EVERYWHERE in organizations. Think about the credentials that were required for the last application or deployment you participated in, regardless of how basic or complex it was. As a human user, you likely need privileged credentials to provision resources in your production environment, like gaining access to VMware vCenter to deploy virtual machines, requesting a TLS certificate for your application, or logging into Terraform Cloud to provision Amazon EC2 instances. Moving over to the application side, they need access to additional services within your organization, like an internal API, a file share, or the ability to read/write to a database server to store data. The applications might need to register the service within your service catalog (service mesh) or execute a script that traverses a proxy and pulls down packages from Artifactory. These actions all require some privileged credential or secret that needs to be managed appropriately.
So where should all these secrets live? Most organizations understand these secrets should be managed in some secret management solution. However, that doesn’t always reflect what is actually in practice. I’ve worked with countless organizations that keep credentials in an Excel sheet, a OneNote document, or even a text file on their desktop. That strategy provides absolutely no security and exposes these companies to security breaches. Other organizations have taken a step further and used a consumer-based solution, like 1Password or LastPass, to store these long-lived credentials. It’s better than nothing, but it doesn’t provide the organization with complete visibility and management of credentials. Plus, we’re talking about the practice of DevOps here, so it doesn’t offer much in terms of automated retrieval or rotation either.
Ideally, organizations need to adopt a proper secret management tool that can be used to consolidate secrets and provide features such as role-based access control, rotation and revocation, expiration, and auditing capabilities.
Let’s talk about the difference between long-lived secrets and dynamic secrets.
Not all secrets are created equal. Most organizations default to creating long-lived, static credentials that are often shared among teams and applications. Creating these credentials usually requires a long process, such as ticket creation, security approval, management approval, etc. Because obtaining credentials is often tedious, engineers and administrators will reuse or share these credentials among different applications rather than repeat this process. Be honest, how many times have you clicked this button in Active Directory? I know I have done it hundreds of times in the past…
These reused and often shared credentials are hard to audit, can be impossible to rotate, and provide very little accountability. Additionally, these static credentials offer 24/7 access to the target system, even though access might only be needed for minutes per day.
In contrast with static credentials, many organizations are realizing the benefits of migrating to dynamically generated secrets. Rather than creating the credentials beforehand, applications request credentials on demand when needed. The application uses the dynamic credentials to access a system or platform to perform its work, and the credentials are then revoked or deleted afterward. If these dynamic credentials are accidentally written to a log file or committed to a code repository, they are no longer a security threat because they have already been invalidated. And because dynamic credentials are accessible to applications (with proper authentication, of course), each instance of an application can generate its own credential to access the backend system.
For example, let’s assume we’re using Terraform to deploy our infrastructure to our favorite public cloud platform. If you were using static credentials, you would log into the cloud platform, create static credentials (probably highly privileged ones), and provide those credentials for Terraform to provision and manage your infrastructure. Those highly privileged credentials are valid 24/7, even though you only run Terraform a few times daily. On the other hand, if you were using a dynamic credential, Terraform could first obtain a credential, provision or manage the infrastructure, and the credential would be invalidated afterward. When Terraform isn’t running, there is no credential that can be exposed or misused. Even if the dynamic credential were written to logs or accidentally committed to a public GitHub repo, it wouldn’t matter, since it was revoked when the job completed or after a minimal TTL.
Access to secrets should be tightly controlled, and only authorized personnel should be able to access them. Ideally, two-factor authentication or a multi-step approval process should be in place for highly-privileged credentials, such as domain access, root credentials, or secrets used to obtain confidential data. Access should be limited to secrets based on an employee’s role within the organization or an application’s requirements to fulfill its duties.
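To make the lease model concrete, here is an added Python illustration (not code from the original post, and not any product's API) of the lifecycle described above: a caller obtains a credential scoped to its role, uses it, and the credential is revoked afterward or expires on its TTL, so a copy that leaks into a log is worthless once the job is done. The broker, the `ROLE_GRANTS` map, the backend names and `FakeClock` are all hypothetical stand-ins for what a secrets manager such as Vault does against a real database or cloud account.

```python
"""Toy dynamic-secrets broker: per-caller credentials, TTL, revocation.

Added example, not code from the original post or from any secrets
management product; roles, backends and the clock are hypothetical.
"""
import secrets
import time

# Hypothetical role -> backends map: which callers may obtain which credentials.
ROLE_GRANTS = {
    "terraform-runner": {"cloud-deploy"},
    "billing-app": {"customer-db-ro"},
}


class Lease:
    """One dynamically generated credential and its lifetime."""

    def __init__(self, backend, username, password, expires_at):
        self.lease_id = secrets.token_hex(8)
        self.backend = backend
        self.username = username
        self.password = password
        self.expires_at = expires_at
        self.revoked = False


class Broker:
    def __init__(self, default_ttl=60.0, clock=time.monotonic):
        self.default_ttl = default_ttl
        self.clock = clock      # injectable so the expiry path can be exercised
        self.leases = {}        # lease_id -> Lease
        self.audit = []         # every issue/deny/revoke/expire event

    def issue(self, role, backend, ttl=None):
        """Mint a fresh, unique credential for one caller, or refuse."""
        if backend not in ROLE_GRANTS.get(role, set()):
            self.audit.append(("deny", role, backend))
            raise PermissionError(f"role {role!r} may not obtain {backend!r} credentials")
        ttl = self.default_ttl if ttl is None else ttl
        lease = Lease(backend,
                      username=f"v-{role}-{secrets.token_hex(4)}",
                      password=secrets.token_urlsafe(24),
                      expires_at=self.clock() + ttl)
        self.leases[lease.lease_id] = lease
        self.audit.append(("issue", role, backend, lease.lease_id))
        return lease

    def revoke(self, lease_id):
        lease = self.leases.get(lease_id)
        if lease is not None and not lease.revoked:
            lease.revoked = True    # a real broker would drop the backend user here
            self.audit.append(("revoke", lease.backend, lease_id))

    def is_valid(self, lease_id):
        """What the backend would answer if presented this credential now."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.revoked:
            return False
        if self.clock() >= lease.expires_at:
            lease.revoked = True    # lazy expiry once the TTL has passed
            self.audit.append(("expire", lease.backend, lease_id))
            return False
        return True


def run_job(broker, role, backend, work, ttl=None):
    """Terraform-style pattern: obtain, use, revoke, even if the job fails."""
    lease = broker.issue(role, backend, ttl)
    try:
        return work(lease)
    finally:
        broker.revoke(lease.lease_id)


class FakeClock:
    """Deterministic clock so TTL expiry can be demonstrated without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    broker = Broker(default_ttl=60.0, clock=clock)
    # Two instances of the same app each get their own credential.
    a, b = (broker.issue("terraform-runner", "cloud-deploy") for _ in range(2))
    print("distinct users:", a.username != b.username)
    clock.advance(61)
    print("leaked copy of a still works after TTL:", broker.is_valid(a.lease_id))
    leaked = run_job(broker, "terraform-runner", "cloud-deploy", lambda l: l.lease_id)
    print("leaked copy still works after job:", broker.is_valid(leaked))
```

The `audit` list is the part to keep in mind when reading the monitoring section: every issue, denial, revocation and expiry is an event worth shipping to the SIEM, which static shared credentials never produce.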
Access to secrets should be closely monitored, and a log maintained of every action taken on them. Logs should be ingested into a SIEM or log correlation system, like Splunk, SumoLogic, or DataDog, to build dashboards and alert on specific actions. This helps the organization quickly detect and respond to potential security threats.
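Dashboards are only useful if someone has decided which actions deserve an alert. The following added Python example (not from the original post and not any vendor's rule set) runs a few such rules over constructed audit entries shaped like the JSON lines a Vault file audit device writes: use of a root-policy token, changes to policies or auth methods, reads of production secrets by an identity outside an allowlist, and one identity enumerating many production secrets in a short span. The sample lines, the allowlist, the path prefixes and the threshold are all assumptions for illustration.

```python
"""Alerting rules over secrets-manager audit entries.

Added example, not from the original post. SAMPLE_LOG is constructed data
shaped like Vault audit-device JSON lines; names and paths are hypothetical.
"""
import json
from collections import defaultdict

SAMPLE_LOG = """\
{"time":"2023-03-01T09:00:01Z","type":"request","auth":{"display_name":"approle-billing-app","policies":["default","billing-db"]},"request":{"operation":"read","path":"database/creds/billing-ro","remote_address":"10.1.2.3"}}
{"time":"2023-03-01T09:00:05Z","type":"request","auth":{"display_name":"token-root","policies":["root"]},"request":{"operation":"read","path":"secret/data/prod/payments-key","remote_address":"10.9.9.9"}}
{"time":"2023-03-01T09:01:10Z","type":"request","auth":{"display_name":"oidc-alice","policies":["default","dev"]},"request":{"operation":"update","path":"sys/policies/acl/billing-db","remote_address":"10.1.5.5"}}
{"time":"2023-03-01T09:02:00Z","type":"request","auth":{"display_name":"oidc-alice","policies":["default","dev"]},"request":{"operation":"read","path":"secret/data/prod/payments-key","remote_address":"10.1.5.5"}}
{"time":"2023-03-01T09:02:01Z","type":"request","auth":{"display_name":"oidc-alice","policies":["default","dev"]},"request":{"operation":"read","path":"secret/data/prod/db","remote_address":"10.1.5.5"}}
{"time":"2023-03-01T09:02:02Z","type":"request","auth":{"display_name":"oidc-alice","policies":["default","dev"]},"request":{"operation":"read","path":"secret/data/prod/api","remote_address":"10.1.5.5"}}
{"time":"2023-03-01T09:02:03Z","type":"request","auth":{"display_name":"oidc-alice","policies":["default","dev"]},"request":{"operation":"read","path":"secret/data/prod/smtp","remote_address":"10.1.5.5"}}
"""

# Hypothetical tuning: which paths are sensitive, who may read them,
# which paths are control plane, and how many distinct reads look like enumeration.
SENSITIVE_PREFIXES = ("secret/data/prod/",)
SENSITIVE_READERS = {"approle-payments-svc"}
CONTROL_PLANE_PREFIXES = ("sys/policies/", "sys/auth/", "sys/mounts/")
ENUMERATION_THRESHOLD = 3


def parse_entries(text):
    """One JSON object per line; malformed lines are skipped, not fatal."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return entries


def detect(entries):
    """Return (rule, identity, detail) tuples for every entry that trips a rule."""
    alerts = []
    sensitive_reads = defaultdict(set)   # identity -> distinct sensitive paths read
    for entry in entries:
        if entry.get("type") != "request":
            continue                     # response entries mirror requests; count once
        auth = entry.get("auth", {})
        ident = auth.get("display_name", "unknown")
        policies = set(auth.get("policies", []))
        req = entry.get("request", {})
        op, path = req.get("operation"), req.get("path", "")

        if "root" in policies:
            alerts.append(("root_token_use", ident, path))
        if path.startswith(CONTROL_PLANE_PREFIXES) and op in ("create", "update", "delete"):
            alerts.append(("control_plane_change", ident, path))
        if path.startswith(SENSITIVE_PREFIXES) and op == "read":
            if ident not in SENSITIVE_READERS:
                alerts.append(("unexpected_sensitive_read", ident, path))
            sensitive_reads[ident].add(path)

    for ident, paths in sensitive_reads.items():
        if len(paths) >= ENUMERATION_THRESHOLD:
            alerts.append(("secret_enumeration", ident, len(paths)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_entries(SAMPLE_LOG)):
        print(alert)
```

In a real deployment these rules would live in the SIEM's query language rather than Python, but the shape is the same: the audit stream gives you identity, operation and path for every access, and the alerts are about who touched what, not about secret values, which a properly configured audit device never records in the clear.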
In a DevOps and automated world, secrets management solutions must be centered around a fully featured REST API. With one, access to the platform can be automated entirely by any orchestrator or pipeline tool the organization uses, simplifying company-wide adoption. Secrets management tools such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault can provide organizations with features such as encryption at rest, role-based access control, and auditing capabilities to help protect secrets. From my experience, the most popular tools used by organizations are:
How safe is your cloud infrastructure? The team at River Point Technology consists of top experts who are the IT industry’s best at securing, storing and controlling secrets in the cloud. Our approach is centered around helping our clients achieve maximum value out of their technology investments. Contact us today for a security assessment.
Professional basketball, especially March Madness, has always been at the forefront of innovation and technology. It has become a high-tech industry, and the use of automation and cloud computing has become an essential part of the game.
The National Basketball Association (NBA) and its teams are always exploring new ways to gain a competitive edge. One of the most significant technological advancements in recent years has been the integration of automation and cloud computing into the sport.
Cloud computing has become a crucial part of March Madness’s infrastructure, as it allows them to store and analyze vast amounts of data, including player statistics and game footage. The best part is that they can access this data from anywhere and collaborate with other teams in real-time.
Automation has been a game-changer.
The league uses automated software to handle many operations such as scheduling games, managing ticket sales, and advertising campaigns. This automation saves time and money, making their operations more efficient and accurate.
One of the most exciting things about automation and cloud computing is how they’re used in AI (artificial intelligence) and ML (machine learning). These technologies analyze player data and game footage to identify patterns and make predictions about player performance and game outcomes. Coaches and managers use this information to develop training programs and game strategies that give their teams a competitive edge.
Fans also benefit from automation and cloud computing, as the league uses chatbots to answer their questions and provide them with the information they need. Cloud-based systems deliver streaming video and other content to fans, making it easier for them to stay connected with their favorite teams from anywhere in the world.
These technologies have enabled coaches and analysts to gain new insights into player performance and game strategy, and have led to the development of new training tools. As the use of automation and cloud computing continues to grow in basketball, we can expect to see even more innovation and advancement in the sport.
When the NBA took on new technology to enhance the experience for fans, players, and teams, it needed a cloud-first approach and a cloud partner that allowed it to scale up dramatically when needed. “Being able to spin up more compute when we need it during games is crucial,” Sarachek says in an article written about the experience.
Using Cloud Data to Deliver Personalized Data On Demand
“In 2020, NBA CourtOptix was launched with a primary focus on enhancing the fan experience. The platform delivers post-game analysis that combines video with previously challenging-to-track statistics, such as identifying players who get double-teamed more frequently. But now, with the help of Microsoft Azure, the NBA can share advanced stats that enrich journalists’, teams’, and employees’ understanding of the game which can transform how the game is experienced.
Every game night, NBA teams receive a cache of data on each game, a detailed breakdown that is changing team strategies. Teams that have signed up to receive data get it after each contest, helping them make adjustments on the fly—all thanks to a seamless backend data flow created by Microsoft Azure developers. As soon as a game ends, Azure Cosmos DB is used to check metadata to ensure the system should process the matchup. Then, Azure Kubernetes Service kicks off various pipelines running on Azure Databricks, which leverages ML and AI to process information (like the aforementioned defensive metrics). After being stored on Azure Data Lake Storage, the data is automatically synced to teams’ Azure Storage Containers using Azure Data Share. This cloud-first approach helps the NBA save money by being able to scale resources up and down as needed while ensuring data is seamlessly processed and shared with teams.
“With Azure Data Share, we can go into the Azure console and invite a new team or partner to receive the data,” Sarachek says. “Once they accept the invitation, they receive updated data in their Azure environments without having to build workflows or processes to pull it in themselves.” ” (read the full article here).
Automation and cloud computing have become essential tools for the NBA and its teams. They help improve player performance, streamline their operations, enhance the fan experience, and explore new innovations. It’s exciting to think about what’s next for the NBA as they continue to embrace these technologies and take the game to the next level!
As you probably know, HashiConf Global ’22 is right around the corner. Like anybody attending a technical conference, I’ve been busy planning my week with sessions I want to attend, networking opportunities, and local events I want to catch. Since HashiCorp’s products make up a large part of my day-to-day job as a consultant and content creator, getting the most out of the conference is very important to me. This year will be my 5th HashiConf in a row (and the 4th in a row to present), and lately, I’ve been reflecting on my expectations from the conference as compared to my first one. Fundamentally, HashiCorp is now a completely different organization than it was five years ago, which has naturally impacted how I interact with customers and HashiCorp as an organization. It also has drastically changed how I think about the conference itself and what my goals are for attendance.
If you think about the state of HashiCorp five years ago, there were probably around 300 employees, HCP didn’t yet exist (although I knew about it…shh), there were still only four primary products in its portfolio, and HashiCorp didn’t yet offer a certification program for practitioners to prove their skills.
My first HashiConf was in 2018 in San Francisco, and it was terrific. Even though I had only been working with HashiCorp products for a year or two, I was incredibly excited to attend a smaller conference where I could focus on learning technical skills and gaining knowledge I could use for my current and future projects. Back then, HashiCorp had a smaller catalog of offerings, and it was easy to focus on its core products and see how customers used them to solve real-world problems. I was also fortunate enough to know a large majority of employees. Hence, the conference was also an opportunity to meet and network with folks I’ve only met through conference calls. It was vastly different from the enormous conferences I was accustomed to attending, such as VMworld and AWS re:Invent.
One of my favorite memories of HashiConf ’18 was the keynotes. I can still replay the excitement, the announcements, and the ambiance of the overall conference in my head. I was so excited that I live-tweeted the keynotes as well. I specifically remember being excited about the announcements for my favorite products (Vault & Consul) and even remembering the colors of the lights changing depending on the product Mitchell and Armon were discussing. At the time, nothing could have topped this.
Fast forward to the upcoming HashiConf ’22, and I’m probably even more excited for the conference this year. First and foremost, I’m finally attending an in-person conference after the worldwide pandemic was responsible for turning HashiConf into a virtual event for the last two years. In a world full of Zoom meetings and virtual consulting work, I’m incredibly excited to see everybody in person. In the last few years, through content creation and consulting, I’ve trained close to 40,000 people on HashiCorp products, and I’ll finally get to meet and network with many of those people in person. Very exciting!
But putting the social interactions aside, I’m looking forward to the broad range of technical sessions at HashiConf. HashiCorp is a much bigger player in the industry and offers its customers so much more these days. With eight different products in its arsenal, there’s truly something for everyone. So much, in fact, that I think HashiCorp could easily expand the conference by another day or two and still be valuable for attendees.
The Announcements
Powerhouses like HashiCorp tend to announce new features and products in the keynote, and it’s something I’m here for. As a techie at heart, the hour-long presentations about how the big, name-brand organizations use their technology don’t appeal to me. While important in its own way, that’s just not something that excites me.
I’m here to catch a glimpse of product roadmaps, new features I can use to further help customers solve problems and understand what’s next for the HashiCorp organization as a whole.
During the morning keynotes, HashiCorp’s massive Terraform community will closely watch for any announcements. Considering how many organizations have standardized on HashiCorp’s flagship product, Terraform, for Infrastructure as Code, it’s always a hot topic for any HashiCorp event. Even though Terraform v1.3 was just announced, I’d be willing to bet that HashiCorp still has something up its sleeve for the keynotes. Vault Enterprise customers will watch for improvements and new features to their favorite security platform. And, of course, there are bound to be updates to the cloud-based solutions hosted on the HashiCorp Cloud Platform.
Sessions and Hallway Tracks… read the full article here!