The 18-point secrets management checklist

Some organizations are only beginning the cloud journey — we call that the Adopting stage. Others have moved beyond adoption into a phase of standardization and automation (the Standardizing stage). The most advanced organizations are embracing multi- and hybrid-cloud strategies to rapidly scale (the Scaling stage).

Regardless of where you are in your journey, account compromise is a leading cause of breaches in the cloud. So much so, in fact, that Gartner issued a strategic planning assumption saying, “Through 2027, 99% of records compromised in cloud environments will be the result of user misconfigurations and account compromise.”

Effective secrets management is essential to protect against the risk of account compromise. Therefore, your secrets management approach should evolve as your cloud environment becomes more complex. This post provides a 9-step, 18-point checklist of secrets management best practices to use as a guide for your journey.

»Adopting stage

In this phase, organizations are just getting started in the cloud and learning how to utilize its benefits to improve operations. Provisioning is typically ad-hoc, often performed manually, and organizations are sorting through a variety of different tools and operational strategies. This is where you lay the foundation for your secrets management process.

»1. Manage static secrets

✅   Store secrets in a secure, central location

At this stage in your cloud journey, your DevOps tools and workflows likely use static (unchanging) secrets. But if they are not managed, you can lose control of them and create a security risk. Protect your secrets by storing them in a secure, central location. This reduces the risk of secret sprawl and protects secrets from being stolen or misused.

»2. Authenticate and authorize secrets

✅   Enable identity-based access and security

Prevent unauthorized access to secrets by using identity-based access controls (IBAC). With IBAC, you can secure access to secrets with trusted identities for human, machine-to-machine, and human-to-machine access.

✅   Enforce least-privileged access to secure resources

Allow only least-privileged access to resources. Consider using an identity provider, such as Okta, Ping, or Microsoft Entra ID to aid in this process.

»3. Establish visibility

✅ Track and monitor secrets

Lack of visibility is one of the biggest challenges in securing cloud environments, especially as they become more complex and distributed. Use tools (typically in your central secrets management system) that will help you to track and monitor secrets across environments.

✅   Scan for unsecured secrets

Credential exposure is a big risk. Scan your environment for any unsecured secrets so you can mitigate vulnerabilities before a problem occurs.

✅   Integrate with third-party monitoring solutions (if applicable)

If you use third-party tools for monitoring, integrate them with your secrets management solution to strengthen security.

»Standardizing stage

At this point in the journey, organizations focus on standardizing platforms and workflows while automating processes. Environments begin to expand, often encompassing different cloud providers, elevating the focus on compliance across various clouds.

»4. Automate secrets management

✅   Modernize secrets management for legacy applications

As you move into this stage of your cloud journey, automation is essential to modernize secrets management for legacy applications and to standardize platforms, workflows, and tools.

✅   Automatically generate dynamic secrets

Deploy a secrets manager that will automatically generate dynamic secrets, including short-lived, JIT secrets.

✅   Auto-rotation of secrets

If some systems can’t handle the speed of dynamic secret rotations yet, implement a longer auto-rotation timespan. Auto-rotation schedules will also prevent secrets from lingering and creating a vulnerability.

»5. Ensure security compliance across all environments

✅   Automate workflows to detect and prevent unsecured secrets

Configure ongoing, automated workflows to detect and prevent unsecured secrets from getting loose where they could be exploited.

✅   Automatically scan CI/CD pipelines

Prevent unsecured secrets from going undetected in development workflows by automatically scanning CI/CD pipelines.

✅   Provide separate secrets management groupings/namespaces

Give teams, departments, and application groups the ability to manage their own policies, secrets, and other configurations separately in their own administrative zones with access controls and guardrails in place for protection.

✅   Detailed audit logging

Enable detailed audit logging to track secret usage activity end-to-end and alert you to suspicious behavior or breaches.

»6. Protect continuity of secrets

✅   Standardize application and service continuity

As your cloud environment grows, so does the number of users and secrets. Put solutions in place to replicate secrets and policies across different regions to ensure continuity.

✅   Protect against the loss of a secrets management cluster

Implement high availability and use snapshots backups to ensure secrets are available and workflows continue to function in the event of a network or server outage.

»Scaling stage

Organizations at this stage have built a solid cloud operating model and begin to scale out — often rapidly — to accommodate growth and to drive new software development. This often means authenticating on-premise systems as well as multi-cloud environments, which adds complexity and requires advanced capabilities.

»7. Manage keys and certificates

✅   Standardize PKI management

As cloud environments scale, there is often a need for the use of in-house public key infrastructure (PKI) certificates and keys. Organizations can end up using multiple key-management systems, such as AWS KMS, Azure Key Vault, and Google Cloud’s key-management service. But managing PKI keys and certificates manually or through the use of multiple tools can lead to errors, allowing long-lived certificates to linger and create a vulnerability. Standardize PKI management into a single platform where you can enhance visibility to multiple systems, automate, and secure the process.

»8. Protect sensitive data

✅   Support advanced data transformation to protect data in transit and at rest

The more complex your cloud environment becomes, the more you need to apply advanced data protection techniques. Use encryption methods such as format preserving encryption (FPE), tokenization, and data masking to safeguard secrets and other sensitive data both at rest and in transit.

»9. Scale out

✅   Extend secrets management workflows to more platforms, including hybrid cloud environments

At this point in the journey, organizations begin to rapidly scale, which means secrets management workflows must extend across the entire digital estate, including private datacenters and private clouds.

»Take the next step

Cloud adoption requires a new way of thinking and working. As your cloud journey progresses, make sure your approach to secrets management matures and evolves to ensure you are protecting your organization from threats and maintaining compliance. Research what solutions other enterprises are using.

If you’re looking into a more modern, holistic approach to security, governance, and compliance, share our solution brief with your colleagues: Securing and governing hybrid and multi-cloud at scale.