Why protecting ‘secrets’ is fundamental for good security
Today’s IT manager is responsible for a vast amount of data, and keeping it secure needs to be one of their highest priorities. Financial records, customer details and sensitive documents must be kept safe while also remaining accessible to those who need them.
Often the best approach involves encryption. Even if stolen or compromised, encrypted data is of no use to a criminal without the key that unlocks it. But therein lies another challenge for the IT manager: The encryption key itself then becomes a “secret” that needs to be kept from unauthorized eyes.
Another type of security secret is the certificate used by a web server for authentication. These ensure visitors to a site can be confident that the site is legitimate and not a fake designed to trick them into parting with passwords or credit card details. Keeping these certificates, and the private keys behind them, secure is also a priority.
A long-term task
Proper management of security secrets is no small task, as many of them remain in use for extended periods. Management revolves around sharing them with authorized people and protecting them from everyone else.
It’s also important to ensure people’s access to them is revoked if their circumstances change. A staff member may shift to a different role in the company or leave altogether. Their access to security secrets needs to be carefully reviewed and changed as required. Regular audits of access are vital.
Maintaining security around the storage of security secrets is also important. There’s little point in locking up your house if you then leave the key on the front doormat.
A classic example occurred in a U.S.-based business called Sally Beauty. Back in 2014, the company was approached by law enforcement officials who told management that credit cards used by customers had appeared on the black market. On investigation, it was found that the laptop used as the entry point to the company’s network was adorned with a sticky note showing the username and password to the account. This had given an unauthorized person access to every single point-of-sale system in the business. This made it easy to scrape details of credit cards as they were used.
A growing challenge
Today, organizations are taking wildly different approaches when it comes to secret management. For some, it’s almost a case of head in the sand. For others, it’s the deployment of sophisticated protection mechanisms which can reduce the likelihood that secrets will fall into the wrong hands.
The importance of effective secret management is going to grow as trends such as the internet of things evolve in the business world. As more and more devices are connected to the internet, the need to ensure their credentials are secure at all times becomes paramount.
Industry commentator Jack Singleton, software developer at ThoughtWorks, explained, “It all means more keys and more things to manage, which will vastly increase the overhead and the strategies that we need to employ in order to manage all of this. IoT devices are often in the hands of customers, not sitting in a safe data center somewhere. It also complicates the management of the strategies that you have in place to provision new software; to roll out new deployments becomes really key.”
Examples of ineffective management of IoT devices are already appearing. One involved a flaw in internet-connected lightbulbs which allowed hackers to take over their operation. It seems every bulb was using the same key for authentication, so once one bulb was compromised, hackers could access them all.
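The lightbulb case illustrates a design rule rather than a one-off bug: a device fleet should never share a single authentication key, because then one extracted key is every key. The following is an added example, not code from the article or from any lightbulb vendor, showing the usual fix in Python with only the standard library: derive a distinct key for each device from a fleet master key with HKDF (RFC 5869, implemented here with HMAC-SHA256), so a key pulled from one device authenticates only that device. The master key, salt, device IDs and challenge bytes are constructed placeholders; a real deployment would keep the master key in an HSM or KMS and derive device keys at provisioning time.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Constructed fleet master key and salt for the example only.
MASTER_KEY = bytes(range(32))
FLEET_SALT = b"bulb-fleet-v1"


def device_key(master: bytes, device_id: str) -> bytes:
    """Per-device key: the device ID is bound into the HKDF info field, so
    two devices never share a key and neither can compute the other's."""
    return hkdf_sha256(master, FLEET_SALT, b"device-auth:" + device_id.encode())


def make_tag(key: bytes, challenge: bytes) -> bytes:
    """Device side of a challenge-response: MAC the server's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_tag(key: bytes, challenge: bytes, tag: bytes) -> bool:
    """Server side: recompute with the key on file for that device."""
    return hmac.compare_digest(make_tag(key, challenge), tag)


def foreign_tag_accepted(per_device_keys: bool) -> bool:
    """Does a response produced with bulb-001's key verify as bulb-002?

    With a shared fleet key the answer is yes (the lightbulb flaw); with
    per-device derived keys it is no.
    """
    challenge = b"constructed-server-nonce-42"
    if per_device_keys:
        key_a = device_key(MASTER_KEY, "bulb-001")
        key_b = device_key(MASTER_KEY, "bulb-002")
    else:
        key_a = key_b = MASTER_KEY  # every bulb ships with the same key
    return verify_tag(key_b, challenge, make_tag(key_a, challenge))


if __name__ == "__main__":
    print("shared key, cross-device login accepted:", foreign_tag_accepted(False))
    print("per-device keys, cross-device login accepted:", foreign_tag_accepted(True))
```

Because HKDF is one-way, a key recovered from one bulb reveals nothing about the master key or any sibling’s key, and the server can revoke a single device by deleting its record rather than re-keying the whole fleet.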
Awareness is the key
IT managers need to be mindful that their infrastructures are now perimeterless. The old days of protection by firewall are long gone.
It’s critical to have in place the tools and techniques needed to keep security secrets safe. For these to be effective, they must be simple to deploy and, often, automated to reduce the need for ongoing maintenance.
As Singleton explained, “Usability, in general, will be critical. People don’t use tools that make them go out of their way in order to use them. They will work around them. We do this all the time. We need to get things done and we work around things that stop us from getting things done. We’re going to need to start seeing tools that enable people rather than making them jump through hoops and hoops and hoops. If they have to jump through seven different hoops every time they have to access a secret, what’s going to happen is they’re going to ignore that tool and they’re going to write it on a sticky note, or they’re going to keep it in a spreadsheet. At the same time, better support for end-to-end encryption in regular applications will lessen the importance of secrets that administrators need to track in order to protect that data.”
Security secrets will remain at the very heart of IT infrastructures, and their effective protection and management is critical to an organization’s ongoing operations.
How secure are your secrets?
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.