All Companies Have Them—And Need To Secure Them


Alon Jackson is the CEO and cofounder of Astrix Security, a leading enterprise solution securing app-to-app interconnectivity.

In modern development environments, “secrets” are authentication credentials (keys and tokens) that research and development teams create to grant access to, and between, different resources and data. Secrets also allow services and non-human identities, such as third-party apps, to connect to your systems, enhancing overall productivity and operations for the business.

To keep pace with the competition, it’s essential—and also inevitable—that we continue integrating non-human identities and generative AI tools into our systems, ones that will help with everything from email writing to lead generation insight.

New secrets are created almost daily, but securing them is difficult. In fact, not knowing whether these secrets are actually safe and unexposed is what keeps security teams up at night.

Internal Vs. External Secrets

Secrets are typically bucketed into two categories: external and internal.

External secrets are secrets (API keys, OAuth tokens, SSH keys) that your organization does not own or hold, usually used by operating systems, i.e., plug-ins, add-on extensions and third-party applications that are connected to core critical systems like Salesforce, GitHub and Microsoft 365.

Internal secrets are API keys and other tokens created by R&D teams within the organization. These “internal” secrets are, however, sometimes shared with external entities that have not gone through proper security vetting, which then gain the same access to sensitive information without your security team’s knowledge.

Secrets are difficult to understand and, ultimately, to secure and manage. Oftentimes, DevOps and R&D teams own them but are not responsible for securing them. This leaves ample room for missteps, and secrets end up leaked through human error, such as when an employee unintentionally pastes a secret into a different channel or portal, a ticket or a Slack message.
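The leak path described above (a key pasted into a ticket, a portal note or a Slack message) is exactly where a defender can add a check. The following is an added example, not code from the original article or from Astrix Security: a small scanner that runs over captured message text, flags well-known token formats by their vendor-published prefixes, and uses a Shannon-entropy threshold to decide whether a generic `api_key = ...` style assignment is a real credential or placeholder filler, then redacts whatever it finds. The sample messages are constructed (the AWS key is the documented AWS example value, the rest are made-up strings); the pattern set and the entropy threshold of 3.0 bits per character are assumptions a team would tune for its own environment.

```python
import math
import re
from collections import Counter

# Constructed sample "messages" standing in for a ticket, a Slack message, a
# support-portal note and an e-mail. None of these are real credentials.
SAMPLE_MESSAGES = [
    ("ticket-1042", "Deploy blocked. Set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE on the runner and retry."),
    ("slack#dev-ops", "can someone test with token = ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij ? thx"),
    ("portal-note", "Staging placeholder: api_key = 0000000000000000000000 (replace before go-live)"),
    ("email-thread", 'reminder: password: "q7Hx9pLm2vTd4sRk8wNz" for the vendor portal'),
    ("slack#general", "Lunch at noon? The new Salesforce plug-in was approved by procurement."),
]

# Token formats with fixed, publicly documented prefixes (assumed set; extend as needed).
SPECIFIC_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack_token", re.compile(r"\bxox[bp]-[0-9]+-[0-9]+-[A-Za-z0-9]+")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Catch-all for "name = value" assignments; only kept if the value looks random enough.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
MIN_ENTROPY_BITS = 3.0  # per character; assumed threshold, repetitive filler falls well below it


def shannon_entropy(value):
    """Bits of entropy per character of the string (0.0 for a single repeated character)."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_secrets(text):
    """Return (kind, start, end) spans of likely secrets in text, sorted by position."""
    findings = []
    for kind, pattern in SPECIFIC_PATTERNS:
        for m in pattern.finditer(text):
            findings.append((kind, m.start(), m.end()))
    for m in GENERIC_ASSIGNMENT.finditer(text):
        start, end = m.span(1)
        value = m.group(1)
        # Skip values already claimed by a specific pattern (e.g. "token = ghp_..."),
        # and skip low-entropy placeholders such as all-zero strings.
        if any(s < end and start < e for _, s, e in findings):
            continue
        if shannon_entropy(value) < MIN_ENTROPY_BITS:
            continue
        findings.append(("high_entropy_assignment", start, end))
    return sorted(findings, key=lambda f: f[1])


def redact(text):
    """Replace each detected secret with a labelled marker, working right-to-left so spans stay valid."""
    out = text
    for kind, start, end in sorted(find_secrets(text), key=lambda f: f[1], reverse=True):
        out = out[:start] + f"[REDACTED:{kind}]" + out[end:]
    return out


def scan_messages(messages):
    """Scan (channel, text) pairs and return one report entry per finding, never the full value."""
    report = []
    for channel, text in messages:
        for kind, start, end in find_secrets(text):
            report.append({"channel": channel, "kind": kind, "prefix": text[start:start + 4] + "..."})
    return report


if __name__ == "__main__":
    for entry in scan_messages(SAMPLE_MESSAGES):
        print(f"{entry['channel']:14} {entry['kind']:24} {entry['prefix']}")
    print(redact(SAMPLE_MESSAGES[1][1]))
```

Running the block reports the AWS key in the ticket, the GitHub token in the Slack message and the high-entropy password in the e-mail, while the all-zero placeholder in the portal note and the ordinary lunch message produce nothing. The report deliberately carries only a four-character prefix so the alert itself does not become a second copy of the secret.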

The latest Microsoft breach, for example, occurred when a key was leaked in between processes. Ultimately, this allowed the attackers to download the memory and the secret key…
