The banking industry spends about $600B a year on technology, investing heavily in cloud, automation, and digital services. Today, mobile is the most widely used banking channel, making up 55% of all banking transactions. And AI spending is expected to surge in the coming years, as business use cases are refined.
Secrets (passwords, keys, certificates, and more) are ubiquitous in applications and services because they allow automated access to infrastructure, service communication, user access to funds, and general permissions to systems and data.
If a secret falls into the wrong hands, it could lead to a costly breach. This is why secrets management is a business concern, not just a technical challenge.
This post validates the emphasis on secrets management competency in the financial sector with several lessons from financial industry case studies.
»Poor secrets management = higher risk
Bad actors continuously scan public repositories looking for credentials — that means you need to be continuously scanning too. When exposed credentials are found, they can be used for nefarious purposes such as stealing data, implanting malware, accessing unauthorized systems, performing restricted actions, and more. Poor secrets management practices are generally to blame for causing secrets to be exposed. The most common include:
»Hard-coded credentials in code or artifacts
Inserting a credential directly in source code is fast and easy. When developers are under pressure (or simply working on a proof-of-concept), the quickest way to test their work is to hard-code credentials. Unfortunately, these can be easily forgotten and not removed before putting the code into production or storing an artifact in a public repository.
»Long-living secrets
If credentials are valid for a long time or never rotated, the chance of a bad actor discovering and using them increases. It also means they can access the system for months or years exfiltrating data. This typically happens when lifecycle management controls break down or are nonexistent.
»Broad access with excessive privileges
Some organizations lack the tooling and processes to manage secrets effectively. When this happens, they often use a shortcut by allowing many identities to access secrets and giving them excessive privileges. This can lead to significant risk. If a single developer credential is compromised, a bad actor can use those broad privileges to cause severe damage.
»Secrets sprawl
Modern banks often run multiple clouds plus on-premises platforms. When secrets are stored in many places across the technology estate, they are hard to manage. This leads to governance gaps and inconsistent policies, increasing the chance that credentials can become exposed.
»Accidental leakage
If not controlled, secrets can easily leak into build logs, CI/CD pipelines, messaging apps, and documentation without anyone’s knowledge.
»Manual processes
If humans are involved in the management or rotation of secrets, the odds of a problem increase, both in terms of security and availability. Manual rotation at scale is error-prone and can bring down applications as well as expose secrets.
Failure to address these issues can have severe consequences. Once a secret is compromised, attackers can operate as an authorized user, bypassing many traditional security controls. For instance, in the 2019 Capital One breach, a misconfigured cloud environment allowed an attacker to obtain credentials that enabled access to sensitive data for more than 100 million customers. The 2023 data breach at Toyota was caused by human error, but it was made worse by not using the principle of least-privilege access, increasing the attack surface.
»Lessons from the finance & banking sector
Many banking and financial services companies have found solutions to these challenges that strengthen secrets management and adhere to strict regulatory requirements.
»ABN AMRO
ABN AMRO uses dynamic secrets and secure integration patterns to confidently onboard applications to a container platform. By replacing static credentials with dynamic/short-lived secrets and integrating secrets delivery into platform engineering, teams no longer pass credentials manually, simplifying secrets management and reducing risk.
“Secrets management is a business-critical element of our work because if any of the secrets are compromised, they'll have a huge downstream effect. Even a single compromised signing certificate can take an entire system offline, which means possibly losing access to online apps or exposing them to the risk of someone maliciously injecting something into the apps. There's really no room for error.”— Ton van Dijk, Agile Product Owner, ABN AMRO
»BKB
Basler Kantonalbank (BKB) moved to a centralized secrets management platform. By consolidating secrets governance into a central system and aligning controls to banking compliance needs, the company lowered risk and positioned the organization to meet ever-increasing requirements of FINMA.
»Interac
Interac provisions infrastructure and connects microservices in a containerized development environment while automating secrets management to improve security across the enterprise.
“HashiCorp Vault is an integral part of our security posture because it helps to eliminate the possibility of mistakes in our secrets management that otherwise could occur because of even the smallest error.”— Greg Kliewer, AVP of Architecture and Strategy, Interac
»5 ways to reduce risk
»1. Stop hard-coding secrets
Revise policies and train developers on the risk of using hard-coded secrets. While this may not entirely stop the practice, it will help promote culture change. To further guard against this risk, use a secret scanning tool to search repositories (public and private) on a regular basis and remove any hard-coded secrets that are found.
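One way to see what a secret scanner does is to build a small one. The following is an added example written for this post, not a HashiCorp tool or any code from the companies named above. It combines a few well-known credential formats (the AWS access key ID prefix and a PEM private key header) with a generic `name = "value"` assignment check, and uses a Shannon-entropy threshold to avoid flagging placeholders and low-entropy defaults. The sample source lines, the rule names and the 3.5 bits-per-character threshold are all constructed assumptions; tune the patterns and threshold to your own code base.

```python
import math
import re
from dataclasses import dataclass

# Patterns for well-known credential formats plus a generic assignment pattern.
# The AKIA + 16 uppercase alphanumerics shape is AWS's public access key ID format;
# the generic pattern catches things like password = "..." or api_key: '...'.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune per code base


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; a rough proxy for 'looks like random key material'."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines):
    """Return one Finding per line that looks like it carries a hard-coded secret."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if rule == "generic_assignment":
                value = m.group(1)
                # Skip templated placeholders and low-entropy values such as "changeme".
                if "${" in value or "<" in value or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append(Finding(no, rule, line.strip()))
            break  # one finding per line is enough for triage
    return findings


# Constructed sample source; the AWS key is the example value from AWS documentation.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]          # fine: read from the environment
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"        # AWS documentation example key
api_key = "${API_KEY}"                            # fine: template placeholder
token = "changeme"                                # low entropy, not flagged
password = "q8Zr2pL0xVbN4mK7tSdE1"                # high-entropy literal
-----BEGIN RSA PRIVATE KEY-----
""".splitlines()

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
```

Run this over every commit in CI (and over the whole history once, since a secret removed in a later commit is still in the repository's past). Treat each finding as a prompt to revoke and rotate the credential, not just to delete the line.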
»2. Centralize secrets in a secure vault
Fragmented credential stores lead to distributed accountability, making secrets harder to secure and control and increasing risk. Placing secrets in a centralized, secure vault (such as HashiCorp Vault) allows for tighter access control, consistent policy enforcement, and easier auditing, decreasing the risk of credential exposure.
»3. Shorten secret lifetimes and automate rotation
Don’t allow secrets to live long. Instead, shorten their lifetimes or TTL (time to live) and rotate them automatically. Where possible, use dynamic secrets rather than static secrets or automated rotation on long intervals. Dynamic secrets are retrieved at runtime via secure API calls, lowering risk even further.
»4. Apply least privilege and separation of duties
Make sure to define permissions by role (developers, admins, workloads, etc.) and always grant least privilege access for the job responsibility. If a credential does become compromised, this limits the amount of damage a bad actor can actually do.
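Points 3 and 4 above describe the same mechanism from two sides: a credential is issued per role, scoped to only the paths that role needs, and expires on its own. The following is an added illustration written for this post, not HashiCorp Vault's API or policy language; it is an in-memory broker that shows the shape of the behaviour (lease with a TTL, constant-time secret comparison, per-role path policy, rotation that revokes the old lease). The role names, the path globs and the `ManualClock` used to make expiry testable are all constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Role -> paths the role may use (least privilege). Constructed policy; the glob
# syntax here is a simple trailing "*" and is not Vault's HCL policy language.
ROLE_POLICIES = {
    "payments-service": {"database/creds/payments-ro"},
    "platform-admin": {"database/creds/*", "pki/issue/*"},
}


@dataclass
class Lease:
    role: str
    secret: str
    issued_at: float
    ttl_seconds: int
    revoked: bool = False

    def expires_at(self) -> float:
        return self.issued_at + self.ttl_seconds


class ManualClock:
    """Injectable clock so expiry can be demonstrated without sleeping."""

    def __init__(self, now: float = 1_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class CredentialBroker:
    def __init__(self, clock=time.time, default_ttl=300):
        self.clock = clock
        self.default_ttl = default_ttl
        self.leases = {}  # lease_id -> Lease

    def issue(self, role: str, ttl_seconds: int = 0):
        """Mint a fresh short-lived secret for a known role; returns (lease_id, secret)."""
        if role not in ROLE_POLICIES:
            raise PermissionError(f"unknown role {role!r}")
        lease_id = secrets.token_hex(8)
        lease = Lease(role, secrets.token_urlsafe(24), self.clock(), ttl_seconds or self.default_ttl)
        self.leases[lease_id] = lease
        return lease_id, lease.secret

    def _path_allowed(self, role: str, path: str) -> bool:
        for allowed in ROLE_POLICIES[role]:
            if allowed.endswith("*"):
                if path.startswith(allowed[:-1]):
                    return True
            elif path == allowed:
                return True
        return False

    def authorize(self, lease_id: str, presented_secret: str, path: str) -> bool:
        """True only if the lease exists, is unrevoked and unexpired, the secret
        matches (constant-time), and the role's policy permits the path."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.revoked:
            return False
        if not secrets.compare_digest(lease.secret, presented_secret):
            return False
        if self.clock() >= lease.expires_at():
            return False
        return self._path_allowed(lease.role, path)

    def rotate(self, lease_id: str):
        """Revoke the old lease and issue a replacement with the same role and TTL."""
        old = self.leases[lease_id]
        old.revoked = True
        return self.issue(old.role, old.ttl_seconds)


if __name__ == "__main__":
    clock = ManualClock()
    broker = CredentialBroker(clock=clock, default_ttl=60)
    lease_id, secret = broker.issue("payments-service")
    print("own path:", broker.authorize(lease_id, secret, "database/creds/payments-ro"))
    print("other path:", broker.authorize(lease_id, secret, "database/creds/ledger-rw"))
    clock.now += 61
    print("after TTL:", broker.authorize(lease_id, secret, "database/creds/payments-ro"))
```

The two properties worth noticing are that a stolen `payments-service` credential buys nothing outside its one path, and that it buys nothing at all once the TTL has passed, which is what limits the "months or years" exposure window described earlier.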
»5. Continuously audit usage
Keep track of what is going on through continuous monitoring. Log secret access, alert on anomalies, and monitor compliance. This enables corrective action to be taken before a breach occurs.
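"Log secret access, alert on anomalies" is easier to act on with a concrete detector. The following is an added example written for this post, not a HashiCorp component; it reads constructed JSON-lines audit records (the field names `time`, `identity`, `path`, `operation` and `client_ip` are assumptions, not a real audit device's schema) and raises three kinds of alert: an identity reading a path outside its expected set, an identity appearing from a source address it has not used before, and a burst of reads above a threshold inside a sliding window. The per-identity baselines and the threshold of more than 5 reads in 60 seconds are constructed assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed expected paths per identity; in practice derive these from the
# role policy or from a learned baseline window.
BASELINE_PATHS = {
    "payments-service": {"database/creds/payments-ro"},
    "batch-reporting": {"kv/data/reports/smtp"},
}
BURST_THRESHOLD = 5   # assumption: more than 5 reads in BURST_WINDOW_S is a burst
BURST_WINDOW_S = 60


def parse_events(lines):
    """Parse JSON-lines audit records, attaching a parsed UTC timestamp."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ev["ts"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect_anomalies(events):
    """Return (kind, identity, detail) tuples in timestamp order."""
    alerts = []
    recent = defaultdict(deque)   # identity -> timestamps inside the burst window
    seen_ips = defaultdict(set)   # identity -> source addresses observed so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        ident, path, ip, ts = ev["identity"], ev["path"], ev["client_ip"], ev["ts"]

        # 1. Access outside the identity's expected paths.
        if ident in BASELINE_PATHS and path not in BASELINE_PATHS[ident]:
            alerts.append(("unexpected_path", ident, path))

        # 2. First sighting of a new source address for a known identity.
        if seen_ips[ident] and ip not in seen_ips[ident]:
            alerts.append(("new_source_ip", ident, ip))
        seen_ips[ident].add(ip)

        # 3. Sliding-window burst; fire once when the threshold is crossed.
        window = recent[ident]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()
        if len(window) == BURST_THRESHOLD + 1:
            alerts.append(("burst", ident, len(window)))
    return alerts


def _rec(t, ident, path, ip):
    return json.dumps({"time": t, "identity": ident, "path": path,
                       "operation": "read", "client_ip": ip})


# Constructed sample audit log: six rapid reads, a new source address, and an
# off-policy path read.
SAMPLE_AUDIT_LOG = [
    _rec("2024-03-01T09:00:00Z", "payments-service", "database/creds/payments-ro", "10.0.1.5"),
    _rec("2024-03-01T09:00:05Z", "payments-service", "database/creds/payments-ro", "10.0.1.5"),
    _rec("2024-03-01T09:00:10Z", "payments-service", "database/creds/payments-ro", "10.0.1.5"),
    _rec("2024-03-01T09:00:15Z", "payments-service", "database/creds/payments-ro", "10.0.1.5"),
    _rec("2024-03-01T09:00:20Z", "payments-service", "database/creds/payments-ro", "10.0.1.5"),
    _rec("2024-03-01T09:00:25Z", "payments-service", "database/creds/payments-ro", "10.0.1.5"),
    _rec("2024-03-01T09:00:30Z", "payments-service", "database/creds/payments-ro", "10.0.1.5"),
    _rec("2024-03-01T09:02:00Z", "batch-reporting", "kv/data/reports/smtp", "10.0.2.7"),
    _rec("2024-03-01T09:03:00Z", "batch-reporting", "kv/data/reports/smtp", "203.0.113.9"),
    _rec("2024-03-01T09:05:00Z", "payments-service", "database/creds/ledger-rw", "10.0.1.5"),
]

if __name__ == "__main__":
    for alert in detect_anomalies(parse_events(SAMPLE_AUDIT_LOG)):
        print(alert)
```

Each alert maps directly to a corrective action the text calls for: an unexpected path means the role policy or the workload needs review, a new source address means the credential may have been copied somewhere it should not be, and a burst is the signature of a script harvesting secrets and is the cue to revoke the lease before data leaves.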
»Learn more
Secrets management is more than a technical concern in the banking industry; it directly affects financial risk, operational cost, and regulatory readiness. To learn more about the benefits of centralizing secrets management, read the 5 best practices for secrets management.
For more information about how AI is going to affect risk management, read the business value study — Banking in the AI era: The risk management of AI and with AI.