The Secret Sprawl: Your Secrets Are Out of Control. Here are the questions you need to ask yourself.
Mark Fireman
Entro Security. Transforming Non-Human Identity Management. Director of Business Development. Secrets protection, designed for security teams. Fastest Gartner "Cool Vendor" in History.
- Do you know how many developer secrets are in use across the enterprise? Developers/programmers/engineering teams struggle to answer this question, since historically secret creation and the assignment of permissions have been done exclusively by developer team members.
- Do you know how many of these secrets are exposed, and where? If an organization is using "secrets scanners", those scanners tend to be focused exclusively on a single SaaS or ecosystem. Entro is a holistic secrets risk management solution that works across multiple SaaS platforms (GitHub, Confluence, Jira, GitLab, Slack, Teams) and cloud ecosystems (Azure, GCP, AWS).
- How many secrets are vaulted, and where? In most enterprise environments, security teams have implemented a paper process that says all developer secrets MUST be stored in vaults, and that their applications/workloads must interact directly with the vault to retrieve the secret used to authenticate to other microservices. In short, DO NOT STORE SECRETS IN CODE. However, security teams have lacked the ability to verify that this process is actually being followed.
- Do you know how many secrets are idle vs. how many are being used by current workloads? This is a huge point. Traditional scanners will identify that secrets are exposed, but they lack the context needed to tell the difference between an idle secret and an active one. In our experience, between 30% and 50% of all secrets discovered are idle secrets that can and should be disabled/revoked. Idle secrets represent a huge risk to the organization, but knowing that they are idle is a quick win security teams can act on without fear of removing a production secret.
- Who interacts with which secret to access which cloud service? For many security teams, when a secret exposure is discovered it takes hours or days to understand who created the secret, when it was created, whether it has ever been rotated, what it has access to in the org, and what permissions it carries.
- Do you know when your secrets were last rotated, for security and compliance requirements? Many compliance regimes such as SOC 2 have a 90-day key rotation requirement. Entro provides visibility into key rotation for all secrets discovered.
- Can you produce a token inventory and identify which tokens have excessive permissions? Developers are able to both create a secret and apply its permissions (no access, read-only, or read/write) with no security oversight. Cloud ecosystems now offer well over 100 RBAC roles, and it is common for developers to grant a secret more permissions than the application/workload actually uses. This creates a huge breach potential if an over-permissioned secret is exposed.
- Do you have the ability to be alerted when a former employee leaves the company and the secrets they created are still active? Entro's anomaly detection engine alerts security teams when an employee has left the company but some of their secrets are still being used by active workloads.
- Are your security teams spending too much, or not enough, time on security issues around exposed secrets? Entro provides deep contextual information and a risk severity for each exposed secret. This lets security teams focus on the biggest risks to the org first, and we provide all the context they need to understand how to resolve the issue. Additionally, incidents involving exposed secrets are now among the top 3 causes of breaches and rank #1 in cost of impact.
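The questions above are, in effect, a triage pass over a secrets inventory. The script below is an added example, not Entro's code and not a description of its product: it takes a constructed inventory (the record layout, the 30-day idle threshold, the permission names and the severity weights are all assumptions) and answers each question for every secret, then rolls the results up into the "how many" totals a security team would report on.

```python
"""Triage a secrets inventory against the questions above: how many secrets
exist, how many sit outside the vault, which are idle vs. active, which are
past the 90-day rotation window, which belong to departed staff, and which
carry more permissions than their workload uses.

Added example, not Entro's code. The inventory records and the permission
names are constructed; in practice they would come from scanner and vault
exports plus cloud audit logs."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

ROTATION_MAX_DAYS = 90   # the SOC 2 rotation window cited in the post
IDLE_AFTER_DAYS = 30     # assumption: no observed use for 30 days counts as idle


@dataclass
class Secret:
    name: str
    owner: str
    last_rotated: date
    last_used: Optional[date]                  # None: never seen in use
    granted: set                               # permissions the developer assigned
    used: set = field(default_factory=set)     # permissions observed in audit logs
    store: str = "vault"                       # where it was found: vault, github, slack, ...


def triage(secret: Secret, departed: set, today: date) -> dict:
    """Answer each question for one secret; keys mirror the questions above."""
    days_since_use = None if secret.last_used is None else (today - secret.last_used).days
    rotation_age = (today - secret.last_rotated).days
    return {
        "name": secret.name,
        "idle": days_since_use is None or days_since_use > IDLE_AFTER_DAYS,
        "rotation_overdue": rotation_age > ROTATION_MAX_DAYS,
        "rotation_age_days": rotation_age,
        "orphaned": secret.owner in departed,
        "excess_permissions": sorted(secret.granted - secret.used),
        "outside_vault": secret.store != "vault",
        "store": secret.store,
    }


def severity(f: dict) -> int:
    """Order findings so exposed, over-permissioned, orphaned secrets come first.
    Weights are an assumption for illustration, not a vendor scoring model."""
    return (4 * f["outside_vault"] + 3 * bool(f["excess_permissions"])
            + 2 * f["orphaned"] + 1 * f["rotation_overdue"])


def triage_inventory(inventory, departed, today):
    """Triage every secret and return the findings, highest severity first."""
    findings = [triage(s, departed, today) for s in inventory]
    return sorted(findings, key=severity, reverse=True)


def summarize(findings) -> dict:
    """The 'how many' answers: totals a security team can report on."""
    return {
        "total": len(findings),
        "outside_vault": sum(f["outside_vault"] for f in findings),
        "idle": sum(f["idle"] for f in findings),
        "rotation_overdue": sum(f["rotation_overdue"] for f in findings),
        "orphaned": sum(f["orphaned"] for f in findings),
        "over_permissioned": sum(bool(f["excess_permissions"]) for f in findings),
    }


# Constructed sample inventory (not real credentials, owners or permission names).
TODAY = date(2024, 6, 1)
DEPARTED = {"carol"}   # assumption: fed from the HR/IdP leaver list
SAMPLE_INVENTORY = [
    Secret("ci-deploy-key", "alice", last_rotated=date(2023, 1, 10),
           last_used=date(2024, 5, 30), granted={"s3:read", "s3:write", "iam:admin"},
           used={"s3:read", "s3:write"}, store="github"),
    Secret("reporting-db-ro", "bob", last_rotated=date(2024, 5, 1),
           last_used=date(2024, 5, 31), granted={"db:read"}, used={"db:read"}),
    Secret("legacy-export-token", "carol", last_rotated=date(2022, 8, 1),
           last_used=date(2023, 11, 2), granted={"api:read", "api:write"},
           used={"api:read"}, store="slack"),
]


def run_sample():
    """Run the triage over the constructed inventory; returns (findings, totals)."""
    findings = triage_inventory(SAMPLE_INVENTORY, DEPARTED, TODAY)
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, totals = run_sample()
    for f in findings:
        print(f"{f['name']:22} severity={severity(f)} {f}")
    print(totals)
```

The split between `granted` and `used` is what lets the report distinguish an over-permissioned active secret (rotate and tighten) from an idle one (revoke outright); the `store` field is what answers "vaulted or not", since a secret pasted into Slack or a repo is a finding even when a copy also lives in the vault.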
We would love to speak with you further to hear the questions you are asking and understand the pain points and challenges you are facing. To learn more about Entro Security's secret sauce in a live demo/discovery call, ping me directly to set up a meeting for you and your teams.
#aws #gcp #azure #teams #slack #atlassian #github #gitlab #hashivault #secretmanagement #ciso #applicationsecurity #devops #apisecurity #cloudsecurity #pragmaticaccess #leastprivilege #devsecops
The big challenge is how they are shared. Jira, Slack, Teams, Git. Those stores expose secrets that vaults and good secret management cannot necessarily detect.
Co-Founder & CEO at Entro Security | CISO | X-Microsoft | Cyber & Cloud Expert | Revolutionize non-human Identity management & Secrets Security for CISOs and security teams at Entro Security
1 year: This is a great article, and these are questions that every security leader must ask himself. Secrets attacks have been in the top 3 attack vectors for the past four years in a row. If CISOs had oversight over secrets and the items listed in your article were reviewed and taken care of, the organization would be protected against the most destructive and costly attack vector. Great stuff Mark Fireman
Managing secrets holistically is a challenge, especially in DevOps environments, where the security is done by a centralized team.
Author | Cybersecurity Architect | Evangelist | Consultant | Advisor | Podcaster | Moderator | Visionary | Speaker | Awarded Dad | Outdoor Enthusiast
1 year: Good stuff Mark Fireman, my only comment is: let's define "security teams". I think developers/programmers/engineering teams will be a more accurate representation.