Who can keep your secrets?

Ritesh Shergill
5 min read · Jul 9, 2023


Every application tells a story, but while it tells its story, it also has secrets and skeletons in the closet.

At the end of the day, every application needs to keep secrets — to store passwords, API keys, etc.

But where should we keep these secrets?

❌ In the Code?

❌ In the Database?

❌ In a storage bucket?

NO!

Secrets should remain secrets to protect against unauthorized access from outside the organization as well as inside. So how can we keep our secrets?

WITH A SECRETS MANAGER TOOL

A secrets manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data.

A Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across several applications and environments.

A secrets manager generally provides the following benefits:

✅ The principle of least privilege — Control who has access and what level of access

✅ Secrets management — Creation, updating, disabling/deletion as well as rotation

✅ Auditing and logging capabilities

✅ Versioning to support multiple versions of the same secret

✅ First class encryption

Thus, a secrets manager is the right place to store sensitive application information such as database passwords, API keys, SSH keys, etc.

Gone are the days when sensitive information like database connection passwords, API keys, etc. would be stored in constants files, environment files, etc. right within the codebase. With a secrets manager, it is easy to integrate secrets injection into the CI/CD pipeline so that as the application gets deployed, its secrets are already available to it, and to it alone.
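To make the "before" and "after" concrete, here is an added Python example (not the author's code, and not any vendor's SDK). It pairs a small check that flags literal credentials assigned in source files, the pattern the paragraph says is gone, with a loader that resolves a secret reference injected by the pipeline at startup. The client shape imitates AWS Secrets Manager's `get_secret_value(SecretId=...)` call returning `SecretString`; `FakeSecretsClient`, the variable names and both source snippets are constructed so the example runs offline.

```python
import os
import re
from typing import Mapping, Protocol

# Added example, not the author's code or any vendor's SDK. The client shape below
# imitates AWS Secrets Manager's get_secret_value(SecretId=...) -> {"SecretString": ...};
# FakeSecretsClient, the variable names and the source snippets are constructed.

# A literal credential assigned to a suspiciously named variable in source code.
_ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>\w*(?:password|passwd|secret|api[_-]?key|token)\w*)
    \s*=\s*
    ["'](?P<value>[^"']{8,})["']
    """
)
# Values that are obviously not real credentials.
_PLACEHOLDERS = ("changeme", "example", "placeholder", "xxx", "<", "${")
# Names that hold a *reference* to a secret (the pattern we want), not the secret itself.
_REFERENCE_SUFFIXES = ("_ref", "_id", "_arn", "_name", "_path")


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line number, variable name) for every literal credential in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = _ASSIGNMENT.search(line)
        if not match:
            continue
        name, value = match.group("name"), match.group("value").lower()
        if name.lower().endswith(_REFERENCE_SUFFIXES):
            continue
        if any(p in value for p in _PLACEHOLDERS):
            continue
        hits.append((lineno, name))
    return hits


class SecretsClient(Protocol):
    def get_secret_value(self, SecretId: str) -> dict: ...


class FakeSecretsClient:
    """Constructed offline stand-in for a real secrets manager client."""

    def __init__(self, store: dict[str, str]) -> None:
        self._store = store

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._store:
            raise KeyError(f"no such secret: {SecretId}")
        return {"SecretString": self._store[SecretId]}


def load_secret(client: SecretsClient, env_var: str,
                env: Mapping[str, str] = os.environ) -> str:
    """Resolve a secret at startup. The pipeline injects only the *reference*
    (a secret id) into the environment; the value is fetched from the manager
    and never lands in the repository, the image or the build log."""
    secret_id = env.get(env_var)
    if not secret_id:
        raise RuntimeError(f"{env_var} is not set; the pipeline must inject the secret id")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


# Constructed snippets: the "before" pattern the post warns about, and the "after".
BEFORE_SNIPPET = (
    'DB_PASSWORD = "hunter2-prod-2023"\n'
    'API_KEY = "sk_live_0123456789abcdef"\n'
    'TEST_TOKEN = "changeme"\n'
)
AFTER_SNIPPET = (
    'DB_PASSWORD_SECRET_ID = "prod/db/password"\n'
    'API_KEY_SECRET_ID = "prod/payments/api-key"\n'
)

if __name__ == "__main__":
    print("before:", find_hardcoded_secrets(BEFORE_SNIPPET))  # [(1, 'DB_PASSWORD'), (2, 'API_KEY')]
    print("after: ", find_hardcoded_secrets(AFTER_SNIPPET))   # []
    client = FakeSecretsClient({"prod/db/password": "value-from-manager"})
    print(load_secret(client, "DB_PASSWORD_SECRET_ID",
                      env={"DB_PASSWORD_SECRET_ID": "prod/db/password"}))
```

The check is deliberately narrow (a literal of eight or more characters assigned to a credential-looking name) so it can sit in a pre-commit hook without drowning the team in noise; the `_REFERENCE_SUFFIXES` exclusion is what lets the "after" code keep the secret's name in the repository while the value lives only in the manager.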

There are some amazing tools out there to manage secrets, but the noteworthy ones are (not an exhaustive list):

🔒AWS Secrets Manager

🔒GCP Secrets Manager

🔒Azure Key Vault

🔒HashiCorp Vault

🔒1Password

🔒CyberArk Conjur

🔒BeyondTrust Cloud Vault

🔒 Confidant

🔒 Knox

Some of these tools have more features than others, but by and large they are all capable solutions for managing your application secrets.

How do I choose a secrets manager?

💲Pricing

Most of the tools charge for:

— The number of passwords being stored

— The number of times the passwords are accessed

— The number of versions of a secret being stored

— Storage space to store sensitive files

There could be variations on these charges, but most of the time you should be more worried about how many and how often. Almost all of these tools offer a free tier that is good enough for smaller applications, so you can store secrets almost for free.

🔗The number of integrations supported

Integration with CI/CD tools like CircleCI, Bitbucket Pipelines, GitHub Actions, etc. is beneficial for pulling secrets from your secrets manager when building your project. So it is imperative to choose a tool that supports:

— All the tools you already use

— Tools you might want to use in the near future

Of course, you aren’t clairvoyant, so you won’t be able to guess whether you will need a particular tool in the future; in such cases, choose a secrets manager that supports the most integrations.

🌐Do you need to build an on-premise solution?

Some secrets managers provide cloud-only solutions, so if you want an on-premise deployment, choose a tool that does provide an on-premise package installation.

📄 Documentation and APIs

Definitely check the documentation for each tool. Choose a tool that provides easy-to-use APIs, SDKs, code samples and enough documentation to become productive as soon as possible. Sometimes it’s a matter of instinct: as you browse through the documentation, you subconsciously decide to use a tool based on how easily you find the documentation and how legible it is.

☁️☁️☁️Supporting multi cloud access

If you want to store secrets for tools or services across multiple cloud providers, then you should choose a tool that supports multiple clouds. For example, some of the above tools support multiple cloud platforms like AWS, GCP and Azure.

🆗 Regulations and compliances

You have to make sure that, if your organization will be gunning for compliance, the tool you choose supports regulations such as HIPAA, GDPR, etc. If this isn’t a priority for your organization, you can ignore this facet, but I would recommend erring on the side of caution and choosing a compliant tool.

🔥🧱Access management

Secrets manager tools follow the principle of least privilege: only people who have been granted access to a secret can read or manage it. If you need sophisticated RBAC and access management, choose a tool that supports multiple approaches to controlling access to secrets.

Although these pointers can help you choose a secrets management platform, here is something that will make your choice much easier!

What’s that you ask?

You don’t have to choose a single platform to store secrets

Yes, that’s right: you can choose multiple secrets management tools to save on costs and get the best of all worlds.

Need to store some secrets in the cloud? — Choose a Cloud platform secrets manager

Need to store secrets offline? Use a tool that allows on-premises installation.

Need to support multi-cloud access? Choose multiple cloud platforms to store secrets but write your own service to manage secrets across these cloud platforms. Yes, that’s an option too — you can write your own service as well to manage secrets.
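The "write your own service" option, as an added illustration that is not the author's code: a small broker that routes secret names to several backends and layers the least-privilege, versioning, rotation and audit features listed earlier over them. The backend names (`aws`, `gcp`), principals, name prefixes and secret ids are constructed for the example, and the in-memory backend stands in for the cloud SDKs a real service would wrap behind the same `put`/`get` interface.

```python
from datetime import datetime, timezone
from typing import Optional

# Added example, not the author's code: a minimal "write your own service" that
# fronts several backends behind one policy, versioning and audit layer. Backend
# names (aws, gcp), principals, prefixes and secret ids are constructed; a real
# deployment would wrap each cloud SDK behind the same put/get interface.


class InMemoryBackend:
    """Stand-in for a cloud secrets manager; keeps every version, as they do."""

    def __init__(self) -> None:
        self._versions: dict[str, list[str]] = {}

    def put(self, key: str, value: str) -> int:
        versions = self._versions.setdefault(key, [])
        versions.append(value)
        return len(versions)  # version numbers start at 1

    def get(self, key: str, version: Optional[int] = None) -> str:
        versions = self._versions[key]
        idx = len(versions) if version is None else version
        if not 1 <= idx <= len(versions):
            raise KeyError(f"{key}: version {version} does not exist")
        return versions[idx - 1]


class SecretsBroker:
    """Routes 'backend:key' names to backends and enforces least privilege.
    policy maps principal -> secret-name prefix -> {"read", "write"}."""

    def __init__(self, backends: dict[str, InMemoryBackend],
                 policy: dict[str, dict[str, set[str]]]) -> None:
        self._backends = backends
        self._policy = policy
        self.audit: list[dict] = []  # one entry per attempt, denied ones included

    def _route(self, name: str) -> tuple[InMemoryBackend, str]:
        backend_name, _, key = name.partition(":")
        if not key or backend_name not in self._backends:
            raise KeyError(f"unknown backend in {name!r}")
        return self._backends[backend_name], key

    def _authorize(self, principal: str, action: str, name: str) -> None:
        grants = self._policy.get(principal, {})
        allowed = any(name.startswith(prefix) and action in actions
                      for prefix, actions in grants.items())
        self.audit.append({"when": datetime.now(timezone.utc).isoformat(),
                           "principal": principal, "action": action,
                           "secret": name, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{principal} may not {action} {name}")

    def write(self, principal: str, name: str, value: str) -> int:
        self._authorize(principal, "write", name)
        backend, key = self._route(name)
        return backend.put(key, value)

    def read(self, principal: str, name: str, version: Optional[int] = None) -> str:
        self._authorize(principal, "read", name)
        backend, key = self._route(name)
        return backend.get(key, version)

    def rotate(self, principal: str, name: str, new_value: str) -> int:
        """Rotation writes a new version; old ones stay readable for rollover."""
        return self.write(principal, name, new_value)


def demo_scenario() -> dict:
    """Exercise the broker with a constructed policy and return what happened."""
    broker = SecretsBroker(
        backends={"aws": InMemoryBackend(), "gcp": InMemoryBackend()},
        policy={"ci-deployer": {"aws:prod/": {"read"}, "gcp:prod/": {"read"}},
                "db-admin": {"aws:prod/db/": {"read", "write"}},
                "payments-owner": {"gcp:prod/payments/": {"read", "write"}}},
    )
    out = {}
    out["first_version"] = broker.write("db-admin", "aws:prod/db/password", "v1-pass")
    out["rotated_version"] = broker.rotate("db-admin", "aws:prod/db/password", "v2-pass")
    out["latest"] = broker.read("ci-deployer", "aws:prod/db/password")
    out["previous"] = broker.read("ci-deployer", "aws:prod/db/password", version=1)
    out["gcp_version"] = broker.write("payments-owner", "gcp:prod/payments/api-key", "key-1")
    try:  # least privilege: the deployer may read but never write
        broker.write("ci-deployer", "aws:prod/db/password", "rogue")
        out["write_denied"] = False
    except PermissionError:
        out["write_denied"] = True
    out["audit_denials"] = sum(1 for e in broker.audit if not e["allowed"])
    return out


if __name__ == "__main__":
    print(demo_scenario())
```

Two design points matter here. The audit entry is appended before the permission check raises, so denied attempts are recorded rather than lost, which is the signal an on-call engineer actually wants. Rotation is modelled as a new version with the old one still readable, so a consumer that has not yet restarted keeps working until it picks up the new value.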

Today, cybersecurity has become a primary concern for organizations to protect their IP, their user data and most importantly, their secrets. As hardware has become more capable and security mechanisms are becoming more lax and prone to human error, hackers are having a field day.

Hard coding secrets or insecurely sharing them can lead to vulnerabilities both in terms of external attacks and internal mishandling. Practicing secret management becomes even more crucial as team sizes, request loads, and cloud services scale.

Moreover, poor secrets management is a deal breaker for any organization that wants to be compliant with privacy and security standards such as PCI DSS, HIPAA, and GDPR.

Thus, companies must do whatever they can to hide their secrets and most especially — the skeletons in their closets.

Follow me, Ritesh Shergill, for more articles on:

— Tech

— Career advice

— User Experience

— And other interesting stuff

Written by Ritesh Shergill

Senior Data and Systems Architect | AI ML and Software Architecture Consultations | Career Guidance | Ex VP at JP Morgan Chase | Startup Mentor | Author