The pop group The Romantics’ 1983 hit “Talking in your Sleep” told the story of secrets revealed. Organizations today keep lots of secrets, and as more enterprise applications offer their own repositories to store these secrets, organizations are uncovering silos holding different sensitive assets with varying lifecycle management and protection policies. Not knowing where these secrets are maintained and applying independent and inconsistent management policies creates security and compliance audit risks.
In this blog, we look at the growing challenge organizations face in applying consistent security policies across secrets management and examine how cloud migration, DevOps, and regulatory compliance may influence how an organization approaches the problem.
What are secrets, and what is the problem?
Organizational secrets include many types of credentials, such as access tokens, passwords, PINs, certificates, and API and encryption keys. These secrets ensure controlled and authenticated access to many applications and protect the sensitive data they process. But, enterprise computing environments have become increasingly diverse through on-premises, cloud, and hybrid deployments. In these environments, data needs high-assurance secrets management.
The secrets management “problem” has been on cybersecurity professionals’ radar for some time now: as early as 2017 InfoSecurity reported that: ”The modern IT landscape was filled full of secrets: There are certificates, SQL connection strings, storage account keys, passwords, SSH keys, encryption keys and more. And no matter what role one plays in the group—developer, admin, PKI manager—managing these secrets can become a high-stakes management headache.”
Just as you and I struggle to manage the many passwords and PINs we use, organizations face the same problem but at an enterprise-level order of magnitude.
Is anyone doing something about it?
Yes, innovative companies like HashiCorp have developed a vault capability that protects diverse organizational infrastructures and applications. By centrally storing, accessing, and distributing secrets, such as dynamic tokens, passwords, PINs, certificates, encryption keys, and other credentials, HashiCorp Vault keeps application data secure and facilitates the process of enforcing consistent security policies to reduce risk and simplify auditing and compliance.
Integration of HashiCorp Vault with nCipher nShield hardware security modules (HSMs) establishes a root of trust to protect the HashiCorp Vault master keys that secure the centralized secret management application. nShield HSMs are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates. HSMs are tested, validated and certified to the highest security standards including FIPS 140-2 and Common Criteria.
The way forward
As organizations migrate to the cloud and, through DevOps, accelerate their developmental processes, they will need to manage more and more secrets. Likewise, as evolving data security regulations force organizations to more proactively protect their data in evolving IT environments, high assurance security that establishes a hardware-based root of trust for associated cryptographic processes will enable change. Specifically:
- For cloud migration, secrets management offers the capability to secure, store, and control access to the credentials that protect data across multi-clouds. This will continue to facilitate fast and secure customer access to modern, multi-cloud computing environments.
- For DevOps, security is required to make secrets management transparent and allow rapid application development. This will enable consistent workflows to connect and run in different infrastructures for any application, in a trusted manner.
- And lastly, for compliance, security ensures that the confidentiality and integrity of data in transit and at rest is maintained and reduces the risk of exposure by enforcing a centralized and consistent security policy that eliminates secrets sprawl.
Organizations don’t “talk in their sleep,” but hackers can “hear the secrets that they keep,” if the organizations don’t follow consistent security practices. HashiCorp and nCipher can help ensure secrets are centrally managed with an integrated solution that enables the encryption and decryption of secret assets. The solution mitigates the risk resulting from their aggregation by protecting the key used to seal Vault. With a robust integrated solution that provides a FIPS 140-2 Level 3 and Common Criteria EAL4+ root of trust, HashiCorp and nCipher also address the market’s need for solutions that facilitate regulatory compliance.
To learn more about HashiCorp and nCipher, and how they support your organization’s computing needs across a myriad of infrastructure environments including on-premises, cloud, and hybrid deployments, download our joint solution brief.
If you’d like to learn more about nCipher, please follow us on Twitter, LinkedIn, and Facebook