07 Oct 2024

Secret Management: Learn the Basics

Hi Grzesiek, we spoke last year. Has anything changed?

Hey dudes! I'll start by saying that I'm very happy to be able to share information from the world of IT and cybersecurity with you for another year in a row. 

Things have definitely changed in both my private and professional life. The first change is probably the fact that I have a new feline companion - Elvis. On the professional side, of course I'm still a part of Leon, and I feel that I've learned more of the company's "how-to"; in fact, over the past year I've become more effective in my duties.


Can you explain what hides under “secret management”?

The term "secret management" can hide a variety of things, starting with practices, going on to tools and ending with different technologies. It mainly involves securely storing and managing sensitive data - like passwords, API keys, certificates and encryption keys - so that only the right people, applications or systems can access them. It’s all about keeping your secrets safe from prying eyes 🔒😉

How does implementing secret management improve a company?

Among the advantages, we can definitely mention the obvious one - security - but among the less obvious ones we have good accountability/reporting for audit purposes, because many of these systems closely monitor all secrets - their reading, changes and deletion - and build a log based on this.

It is also worth mentioning automation, because many of these systems have an API, thanks to which we can automate many things, such as password rotation, granting/revoking access, or checking whether given credentials have fallen victim to a data leak.

How does secret management simplify the process of rotating and updating secrets?

Oh, I see that in the previous question I managed to predict the future 🔮😄

As I mentioned, we mostly have APIs available; they are a programmatic alternative to, for example, the graphical interfaces we see in a web browser. An API is a place where we can interact with the application using code. As a good example of how these solutions make work easier: one of the password managers can, after changing a password in it to a new, randomly generated one, go to the given website and change the old password to the new one without our involvement. For us it is one click, and the rest of the work is done by itself. And I think it is great, because most of the neglect, e.g. with passwords, results from the fact that in order to protect ourselves after a leak (where we have used the same password everywhere so far), we have to go to every website, log in, change the password, confirm it, e.g. by e-mail, and then log in again. A lot of steps, right? Isn't it more convenient to click one icon 🔄 and get it over with? 😉

Are there any performance issues associated with using secret management procedures?

Current devices have no problems with this. Of course, we can tighten up the security so much that the decryption itself will actually make quite a big difference for the computer or phone, but with a bit of common sense it is more likely that we will secure passwords so that cracking them will take tens of millions of years, while their "unlocking" by an authorised person will be lightning fast.

Are there any specific tools that I can use?

Here we really have to break it down into two main categories, namely: who is going to use it? A person or an application?

For our "meat" colleagues, it is worth mentioning tools such as:

Bitwarden - we currently use it at Leon, and I use it privately. Organisationally it is a bit difficult to manage, but for private use it is great. However, you may wonder why, despite this drawback, we use it in the company? The answer is very simple - security. Bitwarden is open source, so it is closely checked by eyes from all over the world. It also works in the cloud, but, crucially, everything there is encrypted with a key to which we have access only after logging in; additionally, this key is derived using a key derivation function (KDF) with a very large number of iterations, which makes it difficult to break the key using the brute-force method.

KeePassXC - also a great password manager. Its big difference from Bitwarden is that it does not use the cloud, so to have the same passwords on your phone, another laptop or another device, you have to do a little more tinkering. But honestly, if you haven't used a password manager yet, it's worth starting with this one.

I also forgot to mention that both solutions are free 💸

  • LastPass - I'll add that it's also free, but the latest leak from this application, for me, ruins it.
  • 1Password
  • Dashlane

And for our "tin" colleagues, each cloud provider has its own solutions, so it's worth mentioning:

  • AWS Secrets Manager
  • Azure Key Vault
  • Google Cloud Secret Manager

However, there is also one solution, not related to any cloud provider, and honestly, it's my favourite, namely: HashiCorp Vault.

What can I use Bitwarden and Vault for?

It is in Bitwarden that we can store things like:

  • Logins - and with them the password, TOTP key, notes and the websites on which the password is to be suggested to us.
  • Cards - all information about credit/debit cards, to make online shopping easier and at the same time safer.
  • Identities - information about us and our loved ones, from the basics like name, surname, e-mail address and phone number, to home address, and even the insurance number, passport number or ID number.
  • Secure notes - whatever we wish for that does not fit the previous options 😉

HashiCorp Vault, on the other hand, is designed for managing secrets and protecting sensitive data across complex infrastructure. It’s used by organisations to securely store and control access to API keys, encryption keys, certificates, and other secrets. Vault provides advanced features like dynamic secrets, secret leasing, and access control, making it suitable for securing a wide range of applications, services, and environments.

In summary, Bitwarden is best for personal and team password management, while Vault is a robust solution for enterprise-level secret management and security.

How do they work?

Bitwarden, like I said, operates as a password manager by securely storing credentials in an encrypted vault placed in the cloud. When a user saves a password, Bitwarden encrypts it using strong encryption (typically AES-256) before storing it on their servers. Only users can decrypt this data, using their master password, which Bitwarden never stores. Bitwarden also keeps your data synchronised across devices.

HashiCorp Vault functions as a centralised system for managing secrets. It uses a combination of encryption and access control policies to protect and manage secrets. When a request is made to access a secret, Vault authenticates the requester, checks the access policies, and then provides the secret if the request is authorised. It is also good to mention that Vault can dynamically generate secrets on demand (e.g., temporary database credentials) and automatically revoke them after a set period, enhancing security by limiting the exposure of sensitive data.
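An added illustration (not part of the interview, and not Vault's own code or API) of the flow Grzesiek describes: authenticate the requester, check its policy, hand out a short-lived dynamic credential, revoke it when the lease expires, and write every step to an audit log. The tokens, policy names and secret paths are made up for the example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class SecretManager:
    """Constructed model of a Vault-style secret manager (not Vault itself)."""
    tokens: dict = field(default_factory=dict)    # auth token -> policy name
    policies: dict = field(default_factory=dict)  # policy -> {path: {capabilities}}
    leases: dict = field(default_factory=dict)    # lease_id -> (secret, expires_at)
    audit: list = field(default_factory=list)     # (who, action, path, allowed)

    def _authorize(self, token, path, capability):
        """Authenticate the token, then check its policy for this path."""
        policy = self.tokens.get(token)  # None means an unknown token
        caps = self.policies.get(policy, {}).get(path, set())
        allowed = policy is not None and capability in caps
        self.audit.append((policy or "anonymous", capability, path, allowed))
        return allowed

    def issue_credential(self, token, path, ttl, now):
        """Dynamic secret: a fresh random credential valid `ttl` seconds from `now`."""
        if not self._authorize(token, path, "read"):
            return None
        lease_id = secrets.token_hex(8)
        self.leases[lease_id] = (secrets.token_urlsafe(24), now + ttl)
        return lease_id

    def lookup(self, lease_id, now):
        """Return the credential while the lease is live; revoke it once expired."""
        if lease_id not in self.leases:
            return None
        secret, expires_at = self.leases[lease_id]
        if now >= expires_at:
            del self.leases[lease_id]  # automatic revocation, as Vault does
            self.audit.append(("system", "revoke", lease_id, True))
            return None
        return secret

def demo(now=1_000_000.0):
    """Made-up tokens and policies: the app may read DB creds, the intern may not."""
    sm = SecretManager(
        tokens={"tok-app": "app", "tok-intern": "readonly-docs"},
        policies={"app": {"database/creds/app": {"read"}},
                  "readonly-docs": {"docs/handbook": {"read"}}})
    lease = sm.issue_credential("tok-app", "database/creds/app", 60, now)
    denied = sm.issue_credential("tok-intern", "database/creds/app", 60, now)
    anon = sm.issue_credential("tok-bogus", "database/creds/app", 60, now)
    live = sm.lookup(lease, now + 30) is not None   # still within the lease
    expired = sm.lookup(lease, now + 61) is None    # revoked after the TTL
    return sm, lease, denied, anon, live, expired
```

The audit list is what the interview calls the log built from every read, change and deletion: denied requests and automatic revocations appear in it alongside successful reads.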

But what about company documentation?

In this case, both Bitwarden and Vault are not valid solutions.

A good point is that company documentation often contains sensitive information that needs protection, and many don’t see it. To secure documentation, it is a good idea to follow these few tips:

Always encrypt sensitive documents, both at rest (when stored on servers or in the cloud) and in transit (when being shared or transmitted).

It's a good idea to implement role-based access control (RBAC) to ensure that only authorised personnel can view or edit specific documents. This can be done using file permissions in your document management system or through dedicated access control software.

Use secure storage solutions designed for sensitive data, such as encrypted cloud storage services or on-premises solutions with strong security protocols. These solutions often come with features like multi-factor authentication (MFA) and audit trails.

For particularly sensitive documents, consider using digital watermarking to trace any unauthorised distribution or leaks.

Data Loss Prevention (DLP) tools can detect and prevent the unauthorised sharing of sensitive documents, whether by e-mail, cloud storage or USB drives. These tools can block or flag attempts to move sensitive information outside the company’s secure environment. In my humble opinion, it’s quite an important thing.

And as always - educate employees on the importance of handling company documentation securely. Training should cover best practices for storing, sharing and accessing sensitive documents, as well as recognising phishing attempts and other security threats.

So now I need separate software for keeping my passwords? Can’t I just store them in my head?

Of course you can, in your head, if you are Robocop 😛 Because probably no human can invent and remember different passwords for different services which additionally contain upper and lower case letters, numbers and special characters... and are preferably at least 12 characters long 😀

Let me show you some iconography that gives you something to think about. These are the times needed to crack a password hashed with the MD5 method.

You may think that only hackers in movies do this. Unfortunately, that's not true, because a child with a bit more knowledge of computer science will be able to do it. I may not be a child anymore, but I played with it myself, and believe me, the password "P@ssw0rd", and even more so "12345678", is not safe 😉

Additionally, apart from complexity, we have the advantage that each password is different. Here too I will use a comparison. Do you have one key for everything? For your house, your car, the office? Exactly, so why do you do it in the virtual world? 😉

What security risks do we face if we do not implement a dedicated secret management solution?

There are a lot of things that can happen, but among the most important ones let me mention:

  • Unauthorised Access: Sensitive credentials might be stored in insecure places, making them easy pickings for unauthorised users.
  • Data Breaches: Poorly managed secrets can lead to data leaks, causing serious financial and reputational damage.
  • Insider Threats: Employees could accidentally or intentionally misuse sensitive information without proper controls.
  • Human Error: Manual secret management is prone to mistakes, like sharing the wrong information or failing to update passwords.
  • Lack of Auditability: Without a clear record of who accessed what, investigating incidents or ensuring compliance becomes a nightmare.

In short, skipping secret management is like leaving your front door wide open - you’re just inviting trouble.

Thank you for sharing your knowledge

Thanks for the interview

