1 Introduction / Executive Summary

The term ‘secrets’ has recently been seconded into the IT lexicon. It is being used as a collective noun for passwords, keys, certificates, and tokens that must not be disclosed i.e., they must be ‘kept secret’.

Account take-overs remain the most common mechanism for unauthorized intrusion to protected systems, resulting in cybersecurity compromise. This vulnerability is increased by issues such as poor password management, service account credentials hardcoded in config files, and database passwords kept in shared folders. The problem is exacerbated for cloud development environments where account credentials are held in S3 buckets, Azure DevOps, CI/CD tools and various source-code repositories. In multi-cloud environments the beleaguered CIO has no option but to employ ‘secrets management’ technology to help mitigate the risk of account compromise.

Secrets Management is a wide field. In this Leadership Compass the term refers to credentials that are used by people, systems or devices seeking access to a protected resource such as an application, database, software module or device; the authentication credential may be a password, a token, or a key.

Passwords are a perennial problem and are slowly being replaced by other authentication mechanisms, but while they are still widely used, a mechanism is needed to securely manage them. While passwords are secrets that must be managed their usage is diminishing so this document focuses on token and key management solutions.

Software tokens can be a passphrase stored on a system that is substituted for a password when a complex password, one that a human cannot remember, is required. One-time-passwords are also tokens. These are machine-generated and used in conjunction with an authentication server to validate a possession factor such as an OTP device or smartphone. API tokens are increasingly used to transmit user data to an application. Examples are authentication tokens such as an HTTP file containing a header, payload with identity attributes and trailer, or JSON Web Tokens that can also pass identity data in a JSON array to a relying application for authorization purposes.

Keys include basic API keys used to identify code components, TLS keys for session protection, signing keys used to validate source identities and encryption keys used to protect documents and files. PKI private keys that are used for signing and/or encryption, must be protected. While PKI certificates are not ‘secrets’ a mechanism is required to ensure validity and currency of a certificate.

Secrets management requires a secure storage facility with the capability for approved persons to manage access rights to the stored secrets. The solution will release secrets as required, and as appropriate, for access to applications and supported platforms. It should also provide secrets management functions such as identifying expiring secrets and removal of secrets no longer required.

While legacy operations will continue to use passwords for some time, new deployments should embrace access control solutions that leverage the benefits of secrets management. Vendors featured in this document cover secret storage vaults, credential lifecycle managers and key management tools, as well as DevOps tools for cloud deployment.

1.1 Highlights

Organizations seeking to protect their sensitive resources such as a computer application or corporate documentation should analyze their current requirements and understand the industry direction before committing to a specific solution.

Passwords provide a simple authentication mechanism that is well understood by users and represent a low-friction option for access control.

Increasingly stronger authentication mechanisms such as multi-factor authentication are being adopted to improve cybersecurity.

A software ‘token’, typically stored on an end-point system or a removable device, can provide more complex or longer passwords or passphrases for increased protection. If used in conjunction with a PIN or biometric it can enable multi-factor authentication. Recent developments in this sector include private access tokens for secure access to web services.

Certificates, typically used in asynchronous key models, provide security for a wide range of applications from account access to sensitive document protection.

Secrets management supports popular access control mechanisms including the OpenID Connect (OIDC) federation and the Fast Identity Online (FIDO) Alliance.

The release of the FIDO2 specifications significantly improve the ease with which password-less authentication can be realized.