Secrets are your weakest link

What is “secrets” security?

Secrets security refers to the practice of protecting secret keys and credentials from unauthorized access, disclosure, or use. These secrets are programmatic access keys (API keys, access tokens, connection strings, and the like) that applications use to reach sensitive data and cloud services.


As cloud services are on the rise, with ever-growing workloads and more and more secrets being created by R&D teams, the number and variety of secrets per organization is exploding. A typical organization holds at least 500 secrets scattered across five or more vaults and secret stores, and those secrets leak into code, wikis, Slack, and other locations. In addition, the R&D teams that create the secrets are usually not the ones responsible for securing them, so there is often no security oversight and no standard. Demand for a solution is evident, as organizations face a higher risk than ever before: attacks that use stolen or compromised credentials are among the top three attack vectors, with 19% of breaches attributed to compromised credentials (IBM 2022, Verizon 2022). Failure to properly secure secrets can lead to devastating consequences, including financial loss, reputational damage, legal liabilities and regulatory non-compliance.


What security risks does Entro help enterprises mitigate?

A game changer in the secrets management and protection vertical, Entro is the first and only holistic secrets security platform that detects, safeguards and enriches with context secrets stored across vaults, source code, collaboration tools, cloud environments and SaaS platforms. Entro was designed specifically for CISOs and security teams, providing them with full oversight and the ability to govern any secret from a single pane of glass, integrating with every place in which secrets can be found, including “BYOV” (bring your own vault).


Teams can track, in real time, the activity of any secret, including secret lineage correlation and in-depth visibility into the secret's owner, whether it is enabled, its permissions or cloud-service privileges, and its risk level.


Entro provides deep secrets analysis and metadata enrichment, and identifies abnormal or malicious secret activity.


Entro is R&D agnostic. It integrates seamlessly with R&D teams' workflows and lets organizations keep their preferred tools, without sacrificing security or development time and effort.


How do organizations face these challenges today? And what differentiates Entro?

There are a number of solution buckets. However, each tackles only a small fraction of what is needed. None of the existing solutions provides an end-to-end solution that continuously monitors and protects secrets and the programmatic access they grant to cloud services and data.

  • Vaults: Databases in which R&D teams store secrets. These solutions provide no context per stored secret: there is no risk severity and no usage insight. A user can't tell whether a secret is enabled, who is using it, which cloud service it can access, or with what permissions. Vaults also do not integrate with one another, and a typical organization runs at least five of them (e.g., AWS Secrets Manager, Kubernetes Secrets, GitHub Actions secrets...).
  • Secret scanners: Actively search for leaked and exposed secrets. They lack context and coverage of where secrets are exposed, do not integrate with vaults, and provide no details about the cloud tokens themselves: no usage insight, no abnormal-behavior detection, and no correlated risk per secret.
  • SDLC: Secret scanners for CI/CD. They provide no usage insight beyond the fact of exposure, no context, limited coverage of exposure locations, no integration with vaults, and they can fail the build over a secret that is already disabled.


Secrets are created at the cloud service level (e.g., a database). They are programmatic keys (analogous to a human user's username and password) that carry two main abilities: (1) access to, or login to, the cloud service and (2) a set of privileges within that service (e.g., read/write/delete/owner...).


Sometimes developers write those secrets into the code itself or into CI/CD pipeline definitions, a practice that can publicly expose a secret.


SDLC solutions scan the code and the pipelines to determine whether any secrets are present. If they find one, they fail the build (stop the pipeline before the code is compiled and packaged into a deployable artifact) until that secret is removed from the code or the pipeline. They act as guardians that make sure no secret reaches a production system.


Since SDLC solutions only find secrets by pattern matching, they have no context for what they find. They can't tell whether a secret still exists at the cloud service, or whether it was written into code but has since been deleted from the cloud service (e.g., the database).


Think of it as exposing your Google username and password and then deleting your Google account. You probably no longer care about the exposed credentials, because the account is gone and the username and password can't be used. It's the same with secrets.


Finding exposed secrets is one of our pillars, but Entro not only finds exposed secrets, it also determines whether those secrets are still relevant. By contrast, an SDLC scanner assumes every match is relevant and fails the build until someone removes the exposed secret from the code, even if that secret is already disabled or deleted at the cloud service level.
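To make the difference between a pattern-only scanner and a context-aware one concrete, here is an added example (not Entro's code, nor any real scanner's). It pattern-matches a constructed source file for a few well-known key formats, then cross-references each hit against a constructed inventory that stands in for the cloud side's view of each key (owner, enabled or not, privilege level). The inventory, the sample source, the risk labels and the build-gating policy are all assumptions made for illustration; the AWS key is AWS's published example value and the GitHub token is a made-up string of the right shape.

```python
import re
from dataclasses import dataclass

# Constructed detection patterns: two well-known key formats plus a generic
# "name = 'value'" assignment. Real scanners ship hundreds of these.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic_assignment": re.compile(
        r"""(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['"]([^'"\s]{8,})['"]"""
    ),
}

# Constructed sample source file with three hard-coded secrets and one harmless setting.
SAMPLE_SOURCE = """\
# config.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
DB_PASSWORD = "s3cr3t-pa55w0rd-for-prod"
LOG_LEVEL = "debug"
"""

# Constructed inventory standing in for what the cloud services report about each key.
# The DB password is deliberately absent: nothing vouches for it either way.
INVENTORY = {
    "AKIAIOSFODNN7EXAMPLE": {"owner": "data-pipeline", "enabled": True, "privilege": "write"},
    "ghp_0123456789abcdefghijklmnopqrstuvwxyz": {"owner": "ci-bot", "enabled": False, "privilege": "read"},
}


@dataclass
class Finding:
    kind: str
    value: str
    line_no: int
    risk: str = "unknown"
    owner: str = "unknown"
    note: str = ""


def scan_source(text):
    """Pattern-only pass: returns one Finding per distinct secret value.
    Specific patterns run before the generic one, so the first (most precise) label wins."""
    findings = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.setdefault(match.group(1), Finding(kind, match.group(1), line_no))
    return list(findings.values())


def risk_for(entry):
    """Map cloud-side state to a risk label (constructed policy for this example)."""
    if entry is None:
        return "medium", "not found in any known vault or cloud inventory; triage manually"
    if not entry["enabled"]:
        return "low", "disabled at the cloud service; clean up the code, but no live exposure"
    if entry["privilege"] in ("write", "admin"):
        return "critical", "enabled with %s privileges; rotate immediately" % entry["privilege"]
    return "high", "enabled with read-only privileges; rotate"


def triage(text, inventory):
    """Context-aware pass: enrich every pattern hit with owner, status and risk."""
    findings = scan_source(text)
    for finding in findings:
        entry = inventory.get(finding.value)
        finding.owner = entry["owner"] if entry else "unknown"
        finding.risk, finding.note = risk_for(entry)
    return findings


def should_fail_build(findings):
    """A pattern-only scanner fails on any match; this gate only blocks on secrets
    that are live, or that cannot be verified. Disabled secrets become a cleanup task."""
    return any(finding.risk != "low" for finding in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_SOURCE, INVENTORY)
    for finding in results:
        print(f"line {finding.line_no}: {finding.kind} owner={finding.owner} "
              f"risk={finding.risk} ({finding.note})")
    print("fail build:", should_fail_build(results))
```

Run as-is and the disabled GitHub token is reported as low risk and does not block the build on its own, while the enabled write-capable AWS key is critical and the unverifiable database password is flagged for triage. Treating "not in inventory" as a blocking condition is a deliberate choice: a scanner that cannot prove a secret is dead should not assume it is.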


What value does Entro offer beyond security?

Entro gives CISOs and security teams full oversight of their secrets, reducing secrets risk and automating and accelerating remediation, which saves both the security and the R&D teams time and money. R&D teams are not slowed down in any way, and security is not compromised.


Within minutes of deployment, organizations receive full oversight and insights, giving them control and governance over secrets sprawl. Moreover, compliance frameworks (e.g., SOC 2) call for secrets protection controls such as rotation, which can be achieved easily with Entro Security.


What makes Entro’s approach unique?

It is the first and only holistic cybersecurity platform that provides full end-to-end monitoring and secret-key protection over programmatic access to cloud services and data.


How easy is it to deploy Entro?

Entro is completely out-of-band. With its frictionless, agentless approach, organizations can integrate the platform and get full secrets protection in minutes, without any R&D team onboarding and with zero interference in the customer's cloud.


Ping me to learn more about Entro's secret sauce and to schedule a deeper dive into the game-changing world of secrets security management.

More articles by Mark Fireman