Securing Pipelines Through Secrets Management
Secrets management plays a critical role in keeping your pipelines and applications secure. While secrets management tools help, you need to implement best practices and processes to successfully manage secrets in a DevOps environment. Standardizing, automating and integrating these processes also helps secure secrets by reducing the chance of human error.
In this article, we look at secrets management and discuss ways to make continuous integration and continuous delivery (CI/CD) pipelines more secure, ensuring systems are protected and safe.
What is Secrets Management?
In simple terms, secrets management protects non-human identities using tools, practices and processes within an organization. This does involve a little work to get started. Once you have your secrets management system in place, you have a more secure environment without blocking systems that can, and should, run automatically. You ensure that only those you trust access your resources; and revoking access is just as easy as giving permission.
Managing secrets overlaps with privileged user access and management. However, to avoid confusion in the long run, you should not mix their management. Overlapping aspects include: access request authentication; implementing role-based access by assigning the least privilege required; ensuring secrets and credentials are complex and rotated often; auditing use and management of accounts and secrets; and removing secrets from code, configuration and other insecure areas.
Where should you use secrets management? The answer is everywhere you can. However, containers, virtual machines (VMs) and CI/CD pipelines are the best starting points. This enables applications to retrieve and use secrets when scaling or in elastic environments.
Creating Strong Secrets
The first step in ensuring a quality secrets management practice is to ensure the secrets themselves are strong. Like user-based passwords, strong secrets are long, complex and changed frequently. Ensuring that these secrets change regularly — the more often the better — also prevents any accidentally leaked secrets from being useful for long.
Your applications and infrastructure also use secrets like API and SSH keys. Unlike normal user passwords, however, accounts used in applications, pipelines and containers can be siloed and hard to keep track of.
The big factor here is human interaction. People cause secrets to leak, directly or indirectly. This means things like directly putting your secrets into source control on an open source project (yes, developers have done this).
The first step for creating and protecting your organization’s strong secrets is putting processes in place — processes for creating secrets, for keeping track of secrets and for making sure secrets remain secure. For example, you can employ requirements and even test procedures that help protect against putting a plain text password into a configuration file and saving it to an application, VM, server or container that may be accessible in other ways.
Automating Secrets Management
To solve the human-error issue, let’s talk about automating secret management. The aim is to have minimal impact on DevOps resources while introducing policies and automation to eliminate the need for manual retrieval and use. This reduces the risk of inconsistent creation, adheres to policies and protects secrets from leaks.
While secrets management applies broadly, you can, and really should, integrate your secrets management directly into elements of your workflows where you’re probably already employing automation: CI/CD pipelines.
Automation takes the human factor out of secret management. However, computers are not infallible; they rely on a human to use their tools.
Once you have your secrets management, policies and integration in place, secrets maintenance becomes much easier and secrets rotation becomes much more frequent. Automation is particularly important for enterprise-level organizations that would otherwise require entire teams to monitor and manage just secrets alone.
Secrets Management Tools
Now that you are considering automating your secrets management, let’s look at secrets management tools.
All major cloud service providers have a secrets manager, such as Azure Key Vault, Amazon Web Services (AWS) Secrets Manager and Google Secret Manager. These have the distinct advantage of being embedded in their own cloud environments. If you are using solely Azure, for example, then Key Vault is for you. These tools are easy to use out of the box and use the cloud provider’s access provision to get and manage secrets.
However, what happens if you have multiple cloud service providers, complex CI/CD pipelines, a hybrid environment or an environment without a built-in secrets manager? You need a different approach. External tools like HashiCorp Vault, Akeyless Vault, CyberArk Enterprise Password Vault and others enable a single management system across the board.
The majority of CI/CD tools integrate with most, if not all, the secrets management tools today. This enables you to retrieve secrets from your vault during CI/CD processes while managing those secrets separately from the CI/CD process. These integrations can also transfer any secrets your CI/CD pipeline finds out of your code and into your secrets manager.
It is a good idea to cycle your secrets regularly, and depending on your policies and procedures, your policy may be to cycle secrets on release. To do this, you can direct your CI/CD process to generate new secrets in your vault during release. When this is fully automated, not only are you generating a new secret, no one knows what that secret is but you also have full control over the privileges that secret enables. This significantly reduces the risk of that secret leaking and becoming a public token.
Secrets management is a critical part of securing your systems. If you do not have it set up already, the sooner the better. Along with managing your secrets, automating secrets management is a major step in reducing your security risk.
You can automate access to secrets through secrets management, including in your CI/CD pipelines. Your team no longer needs to spend time managing secrets when they could be creating new innovations. There is no need for human interaction once the initial setup is complete, increasing security further.
CI/CD changes developer team culture. When it comes to developer team success, finding the right DevOps metrics to measure is crucial. Learn how to measure DevOps success with four key benchmarks for your engineering teams in the 2020 State of Software Delivery: Data-Backed Benchmarks for Engineering Teams.