What do secrets management and data security have in common?
Brian Grant
Helping clients to secure their data, protect all paths to it, and secure all users of it - to prevent cyber attacks, reduce business risks, and meet cybersecurity compliance - by making data security simple.
Recently Anthony Bodin, from the local Thales Data Security team in Australia, shared a blog post by our Thales Cybersecurity Products colleague Krishna Ksheerabdhi. This post explored the difficulty associated with understanding what is meant by secrets and, by association, the challenges with achieving effective secrets management. It is a great summary and worth the few minutes to read.
So the obvious question is what does #datasecurity have to do with #secretsmanagement?
Secrets management covers this crazy set of credentials, keys, passwords, certificates, etc. that are used for digital authentication and authorization, for people, processes, apps, code, scripts, machines, devices...
Whereas data security is all about preventing harm to data through the appropriate enforcement of confidentiality, integrity and availability of data itself...
So let's take the red pill and turn the world upside down.
Just More Data
The ode to the Matrix is entirely intentional and not just because the original movie was the best.
For most of the people who were living in the Matrix, the world was as it seemed. Yet the truth was that this world was just a simulation, a construct of data delivered to create a digital equivalent of reality - sounds a little like large language models and machine learning, doesn't it?
For the world of secrets, the truth is they are still just data represented in a form that is relevant to the task they are assigned to achieve. Secrets are all at their root a set of data that is MUCH MORE sensitive because of the role they play in a digital world.
If you deconstruct any secret referenced in this or any other article or discussion paper, you will find at its heart just bits and bytes.
Secrets - Just More Sensitive Data to be Secured (correctly)
So secrets are at their heart just more data. Yet they are very sensitive data that, if compromised, could be catastrophic to any digital organization. And just like any sensitive data, it is critical that secrets data itself is effectively secured, with strong access control enforced over who, what, when and where secrets data can be consumed (data read), changed (data write), shared (data copy) or deleted.
Secondly, secrets cannot be left exposed or on the digital equivalent of the back room shelf just because it makes them easier to use. Truly hiding the intelligence contained within the secret is also critical. So secrets also need to be secured through encryption, tokenization, masking, anonymization or pseudonymization.
Lastly, the people or processes consuming secrets cannot be the same people or processes who define and control how they are secured. Yes, they have a role to play in ensuring that secrets are available and functional for their use. Yet just like you would not put a child in charge of a candy store, you cannot put those who want to use secrets in charge of their security - when pushed by deadlines or managers, they will always default to ease of access over acceptable security.
Conclusion
In a digital world everything is built on data. From manufacturing and telecommunications, to defence and government services, nothing can operate in a data vacuum.
So the next time your team, your developers, your tribe or your technology partner starts to talk about how to make secrets management easier, take a few moments to ask what are we doing to keep the secrets data itself safe and secure. If you get some blank looks, be worried. Be very, very worried...
If you had One shot or one opportunity to seize everything you ever wanted.
1 year ago: Great article and post
Enterprise Architect, SAP Solution Architect - S4HANA, BTP, SuccessFactors, Fieldglass, Ariba, Solution Lead, Techno-Functional SME and Project Manager. Recreational Drone CASA Certified Pilot.
1 year ago: Indeed we need to work together to secure some sensitive data, for example the radiation measurements. We just won the third place in the global SAP Tech Ed Demo Jam competition to use Drones for monitoring radiation levels in the real time and streaming Geolocation and Measurements above thresholds to SAP S4hana incident’s management system https://www.dhirubhai.net/posts/eddiemogilevsky_synctegral-story-sap-global-tech-ed-demo-activity-7128905743419805696-p-R1?utm_source=share&utm_medium=member_ios
Secrets management... it’s an interesting topic, the more I speak to people the more I see it slipping through the gap.