What is secrets management?

A secret is an object type that generally holds sensitive information such as passwords, client configuration files, repository credentials, and much more. Items that should remain private and decoupled from pods are best stored as secrets.

Managing these secrets is key to protecting your environment from data breaches and compromised credentials.

Secrets management is a method for ensuring that the sensitive information needed to run your day to day operations is kept confidential. It strengthens security across your organization’s development and production environments without impeding on DevOps or Security Ops workflows. 

Secrets management isn’t a singular item, but rather the application of many different security options such as authenticated access and tracking, principles of privileges, role-based access control, and more. These options ensure secrets are appropriately managed without exposing important data to non-authenticated users. 

There are a number of automation tools that can manage secrets using a single point of credentialed control for protected resources. Some of the tools available include Red Hat® Ansible® Automation Platformwith Red Hat® OpenShift®, CyberArk or several options within Git and GitLab.

Secrets management works by adhering to a security framework and having security options implemented at different key points of the DevSecOps lifecycle.

In the example above, you can see what security solutions can be mapped to certain points of the DevOps lifecycle. For example, Software Composition Analysis can be applied to scan your codebase for open source software in your Integrated Development Environment (IDE), build repository, container registry, and your clusters. This action can guard against downstream vulnerabilities in your code base. Implementing secret vaults and authentication tools combined at key phases of the development cycle, would also reduce the potential windows of opportunity for would-be hackers or bad actors. 

This is just an example of how effective secrets management and security solutions can work. Effective management of secrets doesn’t require implementing every single item listed above, but rather strategically applying security options to reduce the potential for compromised secrets within your specific workload. 
 

It’s important to note that while OpenShift and Kubernetes secrets are encoded out of the box, that may not be enough to keep your data safe. Encoding is a matter of transforming the data into a different format, which can be reversed. Encryption however, transforms the data and requires specific keys in order to be reversed or accessed. This is a much more secure way of locking down your data, which can be implemented as part of your secrets management strategy.

Other than keeping your organization’s data safe, there are a variety of reasons why implementing secrets management can be beneficial:

• Avoiding secret sprawl/security islands: By centralizing your secrets control, you can prevent instances of only a small group within your organization having specialized access that no one else does.
• Identifying bad actors: By implementing strong verification requirements, you can cut off would-be hackers easily and stop their attempts to spoof appearing as a credentialed user.
• Automating credentials: By automating your credential verification and admission, you reduce the amount of manual work needed to authenticate users and allow their workflows to continue unimpeded.

Now that you know the ins and outs of secrets management, dive into more options to strengthen your organization’s workflow security.