In its recent CIO report, Gartner suggests that new security threats are among the biggest pain points for CIOs across businesses. With global cybercrime now costing more than USD 6 trillion a year, all emerging technology adoptions find themselves with a target at their backs. Therefore, businesses engaging with multi-cloud setups, where services across multiple vendors process critical data, must also be prepared.
Secrets management is an essential part of cybersecurity strategy for multi-cloud infrastructure. No business would like to have critical information breached like Uber, leaving its secrets vulnerable. So, let’s look at the different ways to handle secrets and maintain security on multi-cloud setups.
Securing multi-cloud with secrets management
Multi-cloud infrastructure offers many appealing benefits, such as cost optimization, service flexibility, and elimination of vendor lock-in. However, with multiple cloud vendors, the security parameters are less reliable than those of an on-premise setup. Secrets hold sensitive information, including encryption keys, API tokens, and security certificates. Unauthorized access to secrets can pull down the drawbridge for all business-critical data. Here are the challenges that make secrets vulnerable and multi-cloud prone to cyber threats:
- Secret Sprawl: Secrets are often distributed across the multi-cloud environment to allow different services to access required business-critical resources. This level of exposure can lead to a larger attack surface for secrets in this setup.
- Identity Management: Machine or non-human identities like automated applications, containers, cloud services etc. make it difficult to manage access to secrets by their sheer scale. Complexity in identity management can lead to ignorance in secret handling and multi-cloud security.
- Multiple secrets management platforms and services: Different vendors have tools and services to ensure secrets management and cloud security. This non-uniformity can lead to an inconsistent security approach across the multi-cloud.
Secrets management can offer ways to navigate these challenges while ensuring a reliable approach to multi-cloud security. With methods like rotating, auditing, and access-controlling secrets, businesses can maximize the benefits of a multiple-cloud infrastructure.
Ways to manage secrets
Managing secrets requires ways to protect them from breaches and unauthorized access and monitor their usage. Three main methods—rotation, auditing, and access control—can ascertain such proactiveness and vigilance in secrets management. Collectively, we will discuss nine ways to implement these techniques and contrast them for different cloud vendors, namely AWS, Azure Cloud, and GCP Cloud.
Secret rotation
The first line of defense is ensuring that the secrets are consistently rotated or updated to minimize, if not eliminate, any breaches. Secret rotation is usually initiated at the policy level to ensure better security and compliance management on multi-clouds. Here’s how it can be implemented on multi-cloud:
- Automated Secret Rotation: Some cloud vendors offer automated tools for secret rotation. The rotation can occur at regular intervals and can be implemented either by a readily available feature offered by the cloud vendor or by integrating multiple services. Some cloud vendors also offer ways to customize the rotation logic for different types of secrets.
- Custom Scripts: If automated rotation is not feasible or the business wants to customize the process, rotation can also be done using customized scripts. These scripts may be created using lambda functions, specific applications, or schedulers.
- Versioning: An additional way to conduct rotation is to do it along with versioning. This is a recommended approach with or without automated rotation because it allows the stakeholders to roll back to an earlier secret version if needed. Depending on the cloud vendors you are dealing with in your multi-cloud, you can automate versioning or pin certain versions to ensure rollback.
Secret auditing
While secrets are rotated regularly, it is also important that their usage is vigilantly monitored across the different cloud services. Secrets auditing allows security teams and cloud management experts to track when API tokens, encryption keys, and other such secrets were accessed and used for any services. The idea is to ensure constant monitoring of the secrets throughout their lifecycle.
- Secret Logging: Cloud vendors offer tools that automatically log secret access and usage. These logs can include information like the machine ID that accesses the secret, the corresponding timestamp, and the cloud service from where the access was made. Logging tools also record any updates in secret under headings like creation, rotation, deletion, or modification, among others.
- Security Information and Event Management (SIEM): SIEM tools can enable auditing with their capabilities in collecting and analyzing security events. These tools easily integrate with popular cloud vendors and help the stakeholders with log collection on secret access, log data correlation, and flagging any unusual event.
- Manual Reviews: Often done in tandem with the above methods, manual reviews rely on the collected access logs for auditing any unusual activity. When done at regular intervals, these ensure an extra layer of security for secrets management in multi-clouds
Access control
Access control is, of course, the ultimate defense strategy meant for secrets management. Regulating authorized and avoiding unauthorized access is critical for multi-cloud-based secrets management as it helps implement the principle of least privilege on the secrets. Here’s how access control can be carried out on multiple cloud settings:
- Identity and Access Management (IAM): A set of policies collectively known as IAM defines very strict permissions around secret access. All popular cloud vendors, including AWS, Azure, and GCP, offer IAM tools that can help offer user, role, and service-based access controls and restrict any read, write, or delete access as and when necessary.
- Automated Identities: Authorized apps or VMs may require hardcoding the access credentials to access secrets, leaving them vulnerable to breach. Automated identities are specially managed identities that allow such cloud services to authenticate secure access without hardcoding credentials.
- Segmentation: Another big concern from an access control point of view is the cross-accessing of the secrets. Sometimes, shared credentials among multiple teams can also lead to unmonitored leakage. Segmentation of these credentials at different levels plugs into this leakage. This segmentation can be done at the app, team, or even environment levels, and the access to secrets can be limited to their respective scope.
Here’s how Amazon Web Services, Azure, and Google Cloud support these nine methods:
| Secret management methods | Azure | AWS | GCP |
| Automated secret rotation | Supported by Azure Cloud Key Vault tool | Supported by AWS Secrets Manager tool | Supported by the Google Cloud Secret Manager tool |
| Custom scripts | Implemented using Azure Functions | Can be implemented using Lambda Functions | Implemented using Cloud Functions |
| versioning | Supported by Azure Key Vault tool | Supported by AWS Secrets Manager tool | Supported by GCP Secret Manager tool, but previous versions need to be pinned to ensure rollback |
| Secret logging | Offered by Azure Monitor and Log Analytics | Offered by CloudTrail and CloudWatch | Offered by Cloud Logging |
| SIEM integration | Supported via Microsoft Sentinel | Supported via AWS Security Hub | Supported via Chronicle and Stackdriver |
| Manual reviews | Supported with Log Analytics | Supported with CloudWatch/CloudTrail | Supported with Cloud Logging |
| IAM | Offered by Azure RBAC. Azure can Key vault also helps with this feature. | Offered by AWS IAM | Offered by GCP IAM |
| Automated Iidentities | Ensured using Managed Identities | Ensured using IAM Roles (e.g., EC2, Lambda) | Ensured using Service Accounts |
| Segmentation | Scretes scoped by Key Vault Segmentation | Secrets Scoped by IAM Roles | Secret scoped as per Service Account |
Conclusion
Multi-cloud infrastructure is one of the most sensible choices for businesses when dealing with cloud computing. These setups bring all the benefits of cloud computing while eliminating the restrictions of having to abide by a single vendor and their services. Therefore, Secrets management is necessary to maximize multi-clouds potential while ensuring top-notch security and compliance. With the right methods and tools, businesses can provide nuanced cloud-based services and uncompromised customer experiences.
