Lifecycle of Secrets in Cloud Native Application Development

Orchestration of Secrets - Monitoring, Management and Policy Enforcement

Managing identities and authentication has never been more critical. While people need usernames and passwords to identify themselves, machines also need to identify themselves to communicate with one another. But instead of usernames and passwords, machines use keys and certificates (called as secrets) that serve as machine identities so they can connect and communicate securely. Managing the identity of devices/services used in cloud services, SaaS applications, and other systems is perhaps becoming an even bigger problem. And attackers are increasingly abusing unprotected machine identities to launch a variety of attacks.

This survey is intended for InfoSec teams in a mid to large sized organizations.

Question Title

* 1. Does your org have a policy requiring teams to store all secrets in a vault?

No - we are working on setting up a policy for secrets

Yes - a single centralized vault across the organization

No - we dont have an established policy and its not on our roadmap yet

Yes - various groups in the org use their own vault

Question Title

* 2. Do you have a complete inventory of all secrets across your organization?

No - InfoSec team does not have any visibility into secrets

Yes - all secrets are stored in a vault that InfoSec has access to

Partial - some secrets are stored in a vault that InfoSec has access to

Question Title

* 3. If you had to guess, where would the secrets in your organization be spread across?

Vault - some sort of secret vault

Code Repositories - secrets may exist there

DevOps Config Files - secrets may exist there

Spreadsheets - secrets may exist there

I have no idea - all over the place

Other (please specify)

Question Title

* 4. Is managing "secret sprawl" in the organization a priority for InfoSec?

High Priority - in our to-do list

Low Priority - deprioritized for accommodating other higher priority items

Urgent - actively working on it

Not Concerned - no plans as of now

Question Title

* 5. Do you currently use any secret scanning tools to avoid secrets from being exposed in the code repositories?

Yes - we scan our code repositories to ensure no secrets are published

No - we do not have a secret scanner

Question Title

* 6. Do you currently have an active policy for retiring and rotating secret?

Yes

Other (please specify)

Question Title

* 7. Who is primarily responsible for managing secrets in your organization? select all that apply

Product/Application Security Team

Central InfoSec (CISO) team

DevSecOps in each Business Unit

Other (please specify)

Question Title

* 8. Would a centralized inventory of all secrets stored across several vaults (used by different teams) be beneficial for InfoSec team?

Yes

Other (please specify)

Question Title

* 9. Would InfoSec be interested in centralized vault-agnostic policy definition (expiration/retirement, rotation, role-based-access-control, etc.) for secrets stored across multiple vaults? Please describe your thoughts.

Question Title

* 10. Would InfoSec be interested in a solution that provides oversight over secrets with runtime usage analytics to identify misuse, over-privileged, and orphaned secrets? Please describe if and how it would benefit your organization.