Secure what matters to your business.
There’s a lot to think about while working with containers, Kubernetes, cloud, and secrets. You have to apply best practices around identity and access management and choose and operate a variety of tools.
Whether you’re a developer or a sysadmin, you need to make sure you have chosen the right tools to keep your environments secure. Applications need access to configuration data in order to operate correctly. While most configuration data is non-sensitive, some of it must remain confidential. These strings are known as secrets.
If you’re building a reliable application, the chances are that your functions need access to secrets or other sensitive information you are keeping.
These secrets may include:
- API keys
- Database credentials
- Encryption keys
- Sensitive configuration settings (email address, usernames, debug flags, etc.)
However, handling these secrets securely can prove to be a difficult task. So here are a few tips for developers and sysadmins:
Patching function dependencies
Track the libraries your functions depend on and monitor them continuously so that known vulnerabilities are flagged and patched.
Employ API gateways as a security buffer
Don’t expose functions directly to user traffic. Use your cloud provider’s API gateway capabilities to add another layer of security in front of your function.
Secure and verify data in transit
Use HTTPS for a secure communication channel and verify the TLS (SSL) certificate so that the identity of the remote party is authenticated.
Follow secure coding rules for application code
With no servers to hack, attackers will turn their attention to the application layer, so take extra care to protect your code.
Manage secrets in secure storage
Without a proper secrets management solution, sensitive information is easily leaked, and stale, never-rotated credentials stay exposed to attacks such as rainbow table cracking. Do not store secrets in the application’s own filesystem, in environment variables, or in the source code management system.
Key management in the corporate world is very painful due to, among other reasons, a lack of knowledge and resources. Instead, some companies embed the encryption keys and other software secrets directly in the source code of the application that uses them, introducing the risk of exposing those secrets.
Because off-the-shelf solutions were scarce for a long time, many companies have built their own secrets management tools. Here are a few you can use, depending on your requirements.
HashiCorp Vault is a tool for securely storing and accessing secrets.
It provides a unified interface to any secret while enforcing tight access control and recording a detailed audit log. It secures applications and infrastructure so as to limit the attack surface and the time an attacker has during a breach. Access to secrets goes through an API that enforces policies: every API client must authenticate and only sees the secrets it is authorized to view.
Vault encrypts data using 256-bit AES with GCM.
It can store data in various backends such as Amazon DynamoDB, Consul, and many more. For audit logging, Vault supports writing to a local file, to a syslog server, or directly to a socket. Each audit entry records which client acted, the client’s IP address, the action, and when it was performed.
Every start or restart requires one or more operators to unseal Vault. Vault works primarily with tokens; each token is attached to a policy that constrains the actions it may perform and the paths it may access. The key features of Vault are:
- It encrypts and decrypts data without storing it.
- Vault can generate secrets on-demand for some operations, such as AWS or SQL databases.
- Allows replication across multiple data centers.
- Vault has built-in support for secret revocation.
- Serves as a secret repository with access control details.
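As an added illustration of the token-and-policy model described above (example code written for this article, not part of Vault itself), the Go program below decides whether a token may perform an action on a path. It is a simplified model of Vault’s evaluation: the most specific matching path wins, equally specific rules are unioned, and a deny on the winning path overrides any grant. All policy and path names are constructed.

```go
package main

import "strings"

// Policy is one named Vault-style policy: path pattern -> capabilities
// (read, list, create, update, delete, deny).
type Policy map[string][]string

// Token models a client token and the policy names attached to it.
type Token struct {
	ID       string
	Policies []string
}

// matches reports whether a policy path pattern covers a request path: a
// trailing "*" is a prefix glob as in Vault policies, anything else is exact.
func matches(pattern, path string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

// Allowed decides whether tok may perform capability on path. Simplified model
// of Vault's evaluation: across all attached policies the most specific (longest)
// matching pattern wins, equally specific rules are unioned, a "deny" on the
// winning pattern overrides any grant, and no match at all means no access.
func Allowed(tok Token, policies map[string]Policy, path, capability string) bool {
	bestLen, granted, denied := -1, map[string]bool{}, false
	for _, name := range tok.Policies {
		for pattern, caps := range policies[name] { // unknown policy name: nil map, no rules
			if !matches(pattern, path) || len(pattern) < bestLen {
				continue
			}
			if len(pattern) > bestLen { // more specific rule: discard earlier matches
				bestLen, granted, denied = len(pattern), map[string]bool{}, false
			}
			for _, c := range caps {
				granted[c] = true
				denied = denied || c == "deny"
			}
		}
	}
	return !denied && granted[capability]
}
```

Note the consequence of "most specific wins": an exact rule granting only update on a path does not inherit read from a broader glob rule in another policy, which is a common surprise when auditing Vault policies.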
AWS Secrets Manager
You expected AWS on this list, didn’t you?
AWS has a solution to every problem.
AWS Secrets Manager lets you quickly rotate, manage, and retrieve database credentials, API keys, and other passwords. Using Secrets Manager, you can secure, audit, and manage the secrets needed to access resources in the AWS Cloud, in third-party services, and on-premises.
Secrets Manager enables you to manage access to secrets using fine-grained permissions. The key features of AWS Secrets Manager are:
- Encrypts secrets at rest using encryption keys.
- Decrypts the secret on retrieval and transmits it securely over TLS.
- Provides code samples that help you call the Secrets Manager APIs.
- It has client-side caching libraries to improve the availability and reduce the latency of using your secrets.
- Supports Amazon VPC (Virtual Private Cloud) endpoints to keep traffic within the AWS network.
Akeyless Vault is a unified, end-to-end, SaaS-based secrets management platform that protects all types of credentials, both static and dynamic, including certificate automation and encryption keys. It also provides a solution for secure, zero-trust remote access to resources across legacy, multi-cloud, and hybrid environments.
Akeyless protects secrets and keys using built-in, FIPS 140-2 certified, patented technology and has zero knowledge of its customers’ secrets and keys.
The key features include:
- Globally available, SaaS-based platform that offers built-in high availability (HA) and disaster recovery (DR) through a cloud-native, multi-region, multi-cloud architecture.
- Advanced secrets management provides a secure vault for static & dynamic secrets such as passwords, credentials, API keys, tokens, etc.
- Akeyless Vault enables provisioning and injection of all types of secrets to all your servers, applications, and workloads, providing a wide variety of plugins that allow you to connect to all your DevOps and IT Platforms such as CI/CD, configuration management, and orchestration tools such as Kubernetes & Docker.
- SaaS – no deployment, installation, or maintenance necessary
- Instant onboarding with automatic migration of secrets from known existing secrets repositories
The platform supports two more pillars:
- Zero-Trust Application Access (AKA Remote Access) by providing unified authentication and just-in-time access credentials, allowing you to secure the perimeter-less applications and infrastructure.
- Encryption as-a-Service, to allow customers to protect sensitive personal & business data by applying advanced FIPS 140-2 certified app-level encryption.
Square’s Keywhiz is a tool for managing and distributing secrets: infrastructure secrets such as TLS certificates and keys, GPG keyrings, database credentials, symmetric keys, API tokens, and SSH keys for external services.
Keywhiz’s automation lets you distribute and set up the secrets your services need consistently and securely. The key features of Keywhiz are:
- Keywhiz Server provides JSON APIs for collecting and managing secrets.
- Secrets are held in memory only and never persisted to disk.
- A web UI, built with AngularJS, lets users review and manage secrets.
Confidant is an open-source secrets management tool that provides user-friendly, secure storage of and access to secrets. It stores secrets append-only in DynamoDB and generates a unique KMS data key for every modification of every secret, encrypting with Fernet symmetric authenticated cryptography.
Its AngularJS web interface lets end users manage secrets, the mapping of secrets to services, and the history of changes. Some of its features include:
- KMS Authentication
- At-rest encryption of versioned secrets
- A user-friendly web interface for managing secrets
- Generates tokens that can be used for service-to-service authentication or to pass encrypted messages between services.
Strongbox is a handy tool that manages, stores, and retrieves secrets such as access tokens, private certificates, and encryption keys. Strongbox is a client-side convenience layer: it creates the AWS resources for you and configures them securely.
Deep search lets you look up anything in your whole set of passwords and secrets instantly. You can store the credentials locally or in the cloud; cloud options include iCloud, Dropbox, OneDrive, Google Drive, and WebDAV.
Strongbox is compatible with other password safes.
Azure Key Vault
Hosting your applications on Azure? If yes, then this would be a good choice.
Azure Key Vault enables users to manage all the secrets (keys, certificates, connection strings, passwords, etc.) of their cloud application in one place. It integrates out of the box with the sources and consumers of secrets in Azure, and applications outside Azure can use it as well.
You can also improve the performance of your cloud applications by reducing latency: store cryptographic keys in the cloud rather than on-premises.
Key Vault also helps you meet data protection and compliance requirements.
Docker secrets let you add a secret to the swarm cluster; it is only ever shared over mutually authenticated TLS connections. The secret reaches a manager node, which automatically saves it into the internal Raft store, ensuring the data is encrypted at rest.
Docker secrets make it easy to manage this data and deliver it only to the containers granted access to it, so secrets are not leaked while the application uses them.
Knox was developed by the social media platform Pinterest to solve its problems with managing keys manually and keeping an audit trail. It is written in Go, and clients communicate with the Knox server through a REST API.
Knox stores keys in a volatile temporary database and encrypts the stored data using AES-GCM under a master encryption key. It is also available as a Docker image.
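The per-modification data keys that Confidant generates and the AES-GCM master-key encryption that Knox and Vault use both come down to envelope encryption. The Go program below is an added example written for this article, not code from any of these projects: every version of a secret is sealed under its own fresh AES-256 key, that key is wrapped under a master key (standing in for a KMS-held key), the history is append-only, and the secret name is bound as associated data so a ciphertext cannot be replayed under another name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Version is one immutable history entry: the value sealed under its own data key, and that key sealed under the master key.
type Version struct{ WrappedKey, Ciphertext []byte }
// gcm returns AES-256-GCM for a 32-byte key; any other length is a bug here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, _ := cipher.NewGCM(block)
	return a
}
// seal prefixes a fresh random nonce; ad binds the ciphertext to the secret name.
func seal(a cipher.AEAD, pt, ad []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on supported platforms
	return a.Seal(nonce, nonce, pt, ad)
}
// open rejects inputs shorter than a nonce instead of panicking on the slice.
func open(a cipher.AEAD, ct, ad []byte) ([]byte, error) {
	if n := a.NonceSize(); len(ct) >= n {
		return a.Open(nil, ct[:n], ct[n:], ad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Put appends a new version under a fresh 256-bit data key; older versions are untouched.
func Put(master cipher.AEAD, hist []Version, name string, secret []byte) []Version {
	dk, ad := make([]byte, 32), []byte(name)
	rand.Read(dk)
	return append(hist, Version{seal(master, dk, ad), seal(gcm(dk), secret, ad)})
}

// Get unwraps version v's data key with the master key, then decrypts the value.
func Get(master cipher.AEAD, hist []Version, name string, v int) ([]byte, error) {
	if v < 0 || v >= len(hist) {
		return nil, fmt.Errorf("no version %d of %q", v, name)
	}
	dk, err := open(master, hist[v].WrappedKey, []byte(name))
	if err != nil {
		return nil, err
	}
	return open(gcm(dk), hist[v].Ciphertext, []byte(name))
}
```

Because only the small wrapped keys depend on the master key, rotating the master key means re-wrapping those keys rather than re-encrypting every stored secret.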
I hope the above gives you an idea about some of the best software to manage application credentials.
Next, explore digital assets inventory and monitoring solutions.