By: Evan Morris
January 13, 2021
Top 7 Platforms to Manage Secrets and Sensitive Information
By: Evan Morris
January 13, 2021
SolarWinds and FireEye hacks are a major catastrophe that could have been avoided with some best security practice. Passwords, API tokens, privacy keys, and other sensitive information are regarded as secrets. They are supposed to be kept hidden but many threats will persistently try to uncover them. Protecting these secrets is not an easy task, especially with volume and when multiple users and agents need to authenticate and gain access to data. That's why secrets management platforms exist. They ensure that attackers won't gain access to users' most precious information and to safeguard them at all times. They help ensure that there are no opportunities for anyone to obtain passwords, tokens, or keys whenever they are used or transmitted. They also offer advantages in terms of reliability, usability, security, and privacy. The secrets management solutions discussed below are arguably some of the best in the market.
Akeyless is a relatively new player in the secrets management field. Still, it offers functions that match those of more established platforms while offering new functionalities that enhance ease of use and security. This advanced secrets manager makes it easy to protect credentials, automate the issuance and revocation of certificates, and audit and simplify SSH access. It is an excellent solution for DevOps platforms, engineering teams, and those who are working with code repositories.
Akeyless ensures seamless integration with containers, configuration managers, code management platforms, and browsers. It provides various plugins to securely deliver secrets into CI/CD pipelines and container orchestration tools. It also eliminates secret proliferation in code through SDKs. Additionally, it supports universal authentication through external identity providers like Okta, Azure AD, and AWS IAM.
In light of the pandemic-induced work-from-home arrangements and the greater reliance on cloud or online solutions, Akeyless helps businesses with its Zero-Trust Remote Access system. Akeyless combines a Just-in-Time-Access approach, least privileges, and a Zero-Standing-Permissions model to protect not just secrets but also access to enterprise assets and resources.
A notable feature of Akeyless is its patent-pending Distributed Fragments Cryptography (DFC) technology, which serves as a virtual HSM that is FIPS 140-2 certified. DFC pre-generates encryption key fragments to be stored in multiple cloud servers and refreshed constantly. One of the fragments is potentially placed on the customer end. This setup ensures that it is nearly impossible for anyone at Akeyless to obtain the encryption keys, not to mention an independent malicious attacker.
Moreover, Akeyless features granular machine identities, enabling the access segregation between identities at different levels such as namespaces, pods, and playbooks. It also comes with analytics to comprehensively evaluate an organization's secrets posture in various environments.
HashiCorp Vault is perhaps the most well-known solution for managing secrets. It is even regarded as the standard for secrets management platforms. This fame and renown is by no means a product of marketing hype and the advantage of being the first in the market. HashiCorp Vault delivers real benefits that earn it good reviews from users.
Flexible and scalable, HashiCorp Vault works for businesses of different types and sizes. It is used to manage database connection strings, metadata, private keys, and many more. It has an HTTP API that can be used to read and write secrets for different applications. It also comes with the ability to seal and unseal the vault on demand, where you'll require an HSM to do so.
If there is something to complain about HashiCorp Vault, though, it is its lack of a graphical user interface. It only has a command-line interface, which is not a problem for most tech-savvy users. However, it will alienate those who are not accustomed to using CLI and those who prefer GUI.
Also, HashiCorp Vault is limited to on-premises deployment, and it requires a significant level of engagement, taking up to several months to deploy in an organization.
AWS Secrets Manager
Organizations looking for a familiar solution that they can use alongside the services and applications they are already using should consider Amazon's AWS Secrets Manager. Its intuitive interface is one of the best solutions for rotating, managing and retrieving login details, database credentials, app keys, and other enterprise secrets.
AWS Secrets Manager effectively removes the need to hardcode any sensitive information in plain text, preventing any opportunity for bad actors to steal enterprise secrets. It also allows the use of fine-grained permissions to control access to protected secrets better. The system supports the use of identity and access management (IAM) as well as resource-based policies. The main drawback is that integration is mostly with AWS resources and services, however, and not for solutions outside of AWS.
Thycotic Secret Server
An enterprise-grade secrets management solution, Thycotic Secret Server, simplifies the management, security, and auditing of privileged account credentials and other secrets. Just like Akeyless, it features on-premises and cloud options. It provides a wide range of features that make it a worthy addition to DevOps environments.
The Thycotic Secret Server is designed to be quick and easy to deploy, scalable, and customizable. It comes with a privileged account discovery feature, which detects specific services and instances when secrets are saved and used. Regardless of an organization's size or the number of databases and applications used, this secrets manager enables efficient secrets management even in large-scale distributed environments.
An open-source system for secrets management and distribution, Keywhiz secures the handling of TLS certificates/keys, GPGP keys, database credentials, API tokens, and other secrets. It is made to be compatible with any service-oriented architecture (SOA).
Keywhiz addresses the security-challenged common practice of embedding secrets in config files and copying files to servers out-of-band. This setup is prone to leaking critical data. With Keywhiz, secrets are encrypted and stored in a central database. If clients need access to these secrets, they have to use mutually authenticated transport layer security (TLS).
One drawback of Keywzhiz is that it can only be administered through a command-line interface (CLI), unlike Akeyless and others with a GUI option. Nevertheless, it features automation APIs over mutually authenticated TLS.
Nike, the world-famous maker of shoes and sports gear, has a homegrown secrets management tool called Cerberus. The company describes it as a solution for the safe storage and management of secrets when running cloud applications.
Nike may be known as an American multinational corporation that specializes in footwear and apparel. Still, its software engineering team has developed the secrets manager to address its complex environment and operations, involving various AWS accounts, technology stacks, and many applications and teams. This platform provides client libraries that can be used by EC2 or Lambda cloud applications to retrieve run-time properties.
Cerberus was created to boost its agility in using cloud applications and providing access to various teams worldwide. It is designed to decrease the risk of using various secrets such as passwords, API keys, and dynamic run-time properties. It comes with a self-service web UI, through which different teams can manage properties and access control without having to worry about cybersecurity risks.
Originally developed by Pinterest to address the challenges of maintaining a large collection of passwords and other enterprise secrets, Knox was created to facilitate the efficient storage and rotation of keys, passwords, and other secrets. Now, Knox is available as an alternative to more expensive and complicated secrets managers.
Knox was developed with ease of use in mind while ensuring the highest levels of confidentiality. It offers a robust mechanism for rotating keys in case the information has been compromised. Additionally, it automatically generates an audit log to monitor the systems and users that have accessed confidential data.
Organizations have varying needs and preferences when it comes to managing their private data. The options described briefly above present the most compelling sets of features along with sophisticated security measures. It is tempting to say that all of the secrets managers above are a good choice. Still, organizations need to examine their needs before deciding which solution to get carefully.
Open source solutions are not necessarily bad or inferior, but many tend to be limited and not suitable for enterprise needs. They also have issues with scalability and availability. SaaS platforms' most practical options address the most extensive use cases and simplify deployment and usability.