Could secrets be the key to more robust security?


GUEST OPINION by Grant Orchard, Field CTO APJ HashiCorp: Secrets. It’s a word that never fails to dredge memories from my past. Vivid flashes of schoolyard crushes, the whispers of confidence shared. As humans, part of building relationships is demonstrating vulnerability with each other. We share little pieces of ourselves and, as we build intimacy, ever larger pieces. We exchange secrets, and trust is born.

I find it interesting that these accepted behaviours among humans run so counter to how we expect technology to behave. Vulnerabilities are to be exploited, relationships are transactional, and trust…well, these days has become zero trust. But what if we accepted that, just like people, software is fallible?

Data breaches are on the rise in Australia – with a 22% increase in the second half of 2022, according to the latest OAIC Notifiable Data Breaches report. In light of these numbers, it makes me wonder why we don’t start accepting breaches as inevitable, and shift the focus to “slowing down the leakage of information” rather than continuing to believe that we can ever prevent them completely.

Why are secrets relevant to cyber security?

Research from Verizon found that 90% of web application breaches involve the use of stolen credentials – or, for the purposes of this article, let’s call them secrets. As noted by Ruth Nelson, there are undoubtedly parallels between secrets and the data that organisations hold. Firstly, much like secrets, data cannot remain hidden for long, and usually becomes less valuable over time. The more entities that have access to data, the greater the chance of its misuse, whether deliberate or accidental. This risk is compounded by the fragmentation of technology stacks and the rise of multi-cloud environments – our most recent HashiCorp State of the Cloud Survey found that 84% of APAC organisations are either already using multi-cloud infrastructure or will be within a year. Plenty of Australian organisations are still struggling to secure their data in these complex new environments.

Using secrets to enhance our cyber security posture

So how can we shift our thinking to accept that any ‘secret’ in our organisation will move through this process of losing its confidentiality, and eventually become compromised? How can we minimise risk in this ‘new normal’?

The good news is, the technology exists today to let you see how many people and systems have access to specific secrets, and how long it has been since those secrets were last rotated. You can also see which sensitive environments a given secret would grant access to, and which operations could be performed with it. Some technology goes one step further and revokes or rotates credentials automatically, wherever they live: in your code, environment variables, or configuration files.

Creating time-bound secrets with automated lifecycle operations for revocation and renewal should be a core principle for your entire application stack. You tell the system how long you are comfortable with allowing a secret to remain valid, and it will generate them on-demand for target systems, rotating or revoking them as needed at an application or system level. Each request results in a unique secret, so secrets – at least those that hold value – are never shared between entities. This process is often described as “dynamic secrets”.

This closed-loop model for secret generation, usage, and expiry is incredibly powerful for Australian organisations looking to enhance security without all the additional man hours often required. When you are impacted by a breach, for example the one recently encountered by CircleCI, you won’t need to manually revoke and generate new secrets for a large number of systems, and then pass them back to potentially hundreds or thousands of pipelines. Instead, by embracing this paradigm of short-lived secrets, you generate them at the start of a pipeline run and simply revoke those same secrets when the run has finished.
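To make the two preceding paragraphs concrete, here is a small, self-contained model of a dynamic-secrets broker, written for this article as an added example; it is not HashiCorp code and does not mirror any vendor's API. The class names (`DynamicSecretBroker`, `Lease`, `ManualClock`) and the helper `run_with_ephemeral_credential` are assumed for illustration. It shows the three properties described above: every request mints a unique credential, every credential carries a TTL and expires on its own, and a credential can be revoked the moment the work that needed it is done, including when that work fails.

```python
"""Toy dynamic-secrets broker. Illustrative example only; the names here are
assumptions for this article, not any real product's API."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class ManualClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class Lease:
    lease_id: str
    client: str        # who asked: a pipeline, a service, a person
    credential: str    # the secret actually handed out
    issued_at: float
    ttl: float         # seconds the broker is willing to let it live
    revoked: bool = False

    def expires_at(self) -> float:
        return self.issued_at + self.ttl


class DynamicSecretBroker:
    def __init__(self, now: Callable[[], float] = time.monotonic,
                 default_ttl: float = 300.0) -> None:
        self._now = now
        self._default_ttl = default_ttl
        self._leases: Dict[str, Lease] = {}        # lease_id -> Lease
        self._by_credential: Dict[str, str] = {}   # credential -> lease_id

    def issue(self, client: str, ttl: Optional[float] = None) -> Lease:
        """Mint a fresh credential per request; never reuse one, even for
        the same client, so one leak never exposes another holder."""
        lease = Lease(
            lease_id=secrets.token_hex(8),
            client=client,
            credential=secrets.token_urlsafe(32),
            issued_at=self._now(),
            ttl=self._default_ttl if ttl is None else ttl,
        )
        self._leases[lease.lease_id] = lease
        self._by_credential[lease.credential] = lease.lease_id
        return lease

    def validate(self, credential: str) -> bool:
        """The check a target system performs: known, unrevoked, unexpired."""
        lease_id = self._by_credential.get(credential)
        if lease_id is None:
            return False
        lease = self._leases[lease_id]
        return not lease.revoked and self._now() < lease.expires_at()

    def revoke(self, lease_id: str) -> bool:
        """Explicit revocation; returns False if nothing changed."""
        lease = self._leases.get(lease_id)
        if lease is None or lease.revoked:
            return False
        lease.revoked = True
        return True

    def sweep_expired(self) -> int:
        """Background task: mark anything past its TTL as revoked."""
        swept = 0
        for lease in self._leases.values():
            if not lease.revoked and self._now() >= lease.expires_at():
                lease.revoked = True
                swept += 1
        return swept

    def active_by_client(self) -> Dict[str, int]:
        """Answers 'who currently holds a live secret, and how many'."""
        counts: Dict[str, int] = {}
        for lease in self._leases.values():
            if self.validate(lease.credential):
                counts[lease.client] = counts.get(lease.client, 0) + 1
        return counts


def run_with_ephemeral_credential(broker: DynamicSecretBroker, client: str,
                                  job: Callable[[str], object]) -> object:
    """Pipeline pattern: mint at the start of the run, revoke when it ends,
    whether the job returns normally or raises."""
    lease = broker.issue(client)
    try:
        return job(lease.credential)
    finally:
        broker.revoke(lease.lease_id)


if __name__ == "__main__":
    clock = ManualClock()
    broker = DynamicSecretBroker(now=clock.now, default_ttl=60)
    seen: Dict[str, str] = {}
    run_with_ephemeral_credential(broker, "ci-pipeline", lambda c: seen.update(cred=c))
    print("pipeline credential still valid after run?", broker.validate(seen["cred"]))
    broker.issue("batch-job", ttl=30)
    clock.advance(31)
    print("expired leases swept:", broker.sweep_expired())
    print("live secrets by client:", broker.active_by_client())
```

Two caveats a practitioner should keep in mind. First, revocation only helps if the target system actually consults the broker (the `validate` call above) rather than trusting the credential string on its own; a leaked credential remains usable until its TTL elapses or revocation is checked. Second, the TTL is a trade-off: the shorter it is, the smaller the window an attacker has, but the more often callers must come back for a fresh lease.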

So there you have it – treating technology secrets like we do our personal secrets could provide the key to better securing data. By admitting data protection is imperfect, we can create better models for the cybersecurity environment as it truly exists, rather than how we wish it was.

I couldn’t help but make a link here between the concept of slowing down leakage to an episode of Bluey, where our courageous heroine attempts to stop rainwater from making its inevitable path down and out of the driveway. I won’t spoil the finish – Season 3, Episode 18 – you’re welcome.

http://itwire.com/guest-articles/guest-opinion/could-secrets-be-the-key-to-more-robust-security.html