Blog

How To Prevent Secrets Sprawl

by
Isaac Madan
,
October 28, 2024
How To Prevent Secrets SprawlHow To Prevent Secrets Sprawl
Isaac Madan
October 28, 2024
Icon - Time needed to read this article

Where are your credentials and secrets, and how are you protecting them? These are fair questions, considering the pervasiveness of secrets sprawl. We recently conducted research over 12 months to determine where enterprises’ secrets were residing within their systems, like GitHub, Confluence, Zendesk and Slack.

  • Passwords represented 59% of all secrets detected, and API keys represented 39%.
  • Enterprises averaged eight sprawled passwords per 100 employees per wee
  • Enterprises averaged 2.3 active API keys per 100 employees per week, equalling 35% of all API keys found.

In addition to API keys and passwords, secrets like SSL certificates, usernames and others are spilling into enterprises’ cloud environments and increasing the risk of a breach. In a report from earlier this year, IBM noted that compromised secrets are the most common attack vector, and there are plenty of recent examples to lend anecdotal evidence to this finding.

In June, for example, the New York Times fell victim to hackers who leaked data and internal source code to the message board 4chan. Around the same time, it was learned that hackers stole a wide array of data from Disney, including API endpoints and credentials.

In April, a compromised Sisense credential discovered in GitLab exposed millions of access tokens in AWS S3 buckets. These incidents echo several similar breaches, from the LastPass breach in 2023 to Uber back in 2016. A common thread connects these breaches: secrets sprawl across the enterprise.

Time is of the essence for enterprises to address secrets sprawl. With that expediency in mind, let’s examine three key areas security teams should address now to slow secrets sprawl.

Address digital and human risk.

Of course, the most direct way to end secrets sprawl would be to tell employees, “Don’t share secrets in SaaS apps,” and have everyone comply. But realistically, no matter how diligent users are, secrets will be shared, whether intentionally or not. Or perhaps there’s a legitimate reason for sharing secrets. With this reality as a backdrop, companies should consider the following steps.

  • Secrets Sprawl Visibility And Control: It’s important to detect the unauthorized presence of secrets in SaaS-based apps in real time. The longer they linger, the greater the risk of exposure. When building processes and systems to address secrets sprawl, consider the potential for false positives and the ability to automate remediation via methods such as deletion or redaction. Companies should conduct regular audits of data-at-rest at least monthly.
  • Strong Security Culture: Technology can only go so far in preventing secrets sprawl. Employees have power in this area, so enterprises should invest in training to ensure users have the most up-to-date information on secret-related best practices. An important component of employee buy-in is equipping them with the tools to self-remediate violations right away. This not only encourages ownership and accountability but also reduces the workload of security teams that can now focus on more complex issues.

Prioritize developer security.

Although all employees can share secrets, the risk can be much greater for developers, who use secrets—security certificates, API keys and other nonhuman privileged credentials—as part of their daily work. Developers can inject risk by embedding secrets into code, storing them in configuration files and sharing them in emails or chats.

One misconception is that secrets sprawl is a code security problem; however, the problem is much greater: secrets aren’t just leaked in source code, and remediation occurs outside of the code repository through key rotation and validation. Organizations can mitigate these risks by prioritizing these developer security best practices.

  • Security By Design: Integrate security considerations into every stage of the software development lifecycle (SDLC). This includes training developers on secure coding practices, utilizing secure libraries and frameworks, and employing secret scanning tools to identify potential secret exposure before code is deployed.
  • Least Privilege: Enforce the principle of least privilege when granting developers access to resources and data. This minimizes the damage caused by compromised credentials or accidental leaks. For instance, a developer working on a specific feature might be granted access only to the required data instead of the entire company dataset. Similarly, the principle of least privilege should be applied when scoping permissions to generate keys.
  • Secrets Management: Implement robust secrets management practices to avoid storing sensitive data like API keys or passwords directly within code repositories or configuration files. In line with this, developers should also use secure vaults or dedicated secrets management solutions. This prevents sensitive information from falling into the wrong hands, even if a developer accidentally exposes their credentials. In short, working with the right technology partner will help create controls to prevent accidental (or malicious) secrets sharing.

Conduct continuous policy reviews.

The growing challenge of secret sprawl requires companies to reevaluate traditional security policies. Here are key areas that require review.

  • Data Classification: Ensure a policy exists to identify and categorize data in SaaS apps. This helps determine the appropriate level of security required for protecting secrets used to access or process that data.
  • Identity And Access Management: Traditional access control models might not be granular enough to address emerging risks. Review data access control policies to restrict access to secrets, and consider implementing role-based access controls (RBAC) and limiting key generation permissions.
  • Secrets Rotation And Validation: Review and update policies for regular rotation of secrets. This includes API keys, access tokens and credentials to access compute resources or data storage. Frequent rotation minimizes the window of opportunity if a secret is compromised. Similarly, build familiarity with validating whether a secret is still active to confirm that rotation was successful.
  • Encryption: If a secret needs to be shared, provide a safe mechanism to do so via data encryption with related time-based destruction controls to discard the data once it’s no longer in use.

There’s no shortage of attackers with creative means for accessing secrets. By finding where secrets reside, coaching employees and conducting continuous policy reviews, enterprises are better suited to face this emerging challenge and reduce the risks associated with secrets sprawl.

This blog was originally published on Forbes Technology Council.

On this page
Nightfall Mini Logo

Getting started is easy

Install in minutes to start protecting your sensitive data.

Get a demo