Machine Identities and Secrets

Keeping Secrets Is Hard

Tom McNamara

July 8, 2023

When it comes to security and privacy in our digital economy, people and businesses rely on many different techniques and tools. The most prolific of these for people is the password. It's a secret that we create, and it’s supposed to keep our digital information secure. But sometimes that doesn’t work out too well. Once a password loses its secrecy we may not even know it, and then the security that it provided vanishes and leaves us vulnerable. A loss of secrecy makes our digital information seem secure when it's really not.

For many years, the mainstay of secrets of all types has been entropy and mathematics. Security professionals know all about entropy; many believe that it is the most important quality of a strong secret. And there is merit to this view, the theory and the math suggest that the more random and long the secret the greater it’s security strength. 

Another type of secret that is becoming more prevalent in our digital economy are encryption keys, and keys that control access to the machines and workloads that run in the cloud. These secrets are easy to identify. They are usually a long string of random characters. The growth of the cloud is creating many more of these types of secrets than there are human passwords.

But, whether the secret is a password or a key, its promise of security is built on the assumption of secrecy. In fact, a secret’s security strength is only as good as their secrecy. And both passwords and machine secrets suffer from the same problem: leakage.

Leakage

Leakage occurs when a secret is not protected from disclosure and its secrecy is lost. In some cases it is lost slowly like water erodes the earth, and in other cases it is a dramatic instantaneous loss. Leakage can occur through many ways, including theft, sharing, improper storage, exposure during transport, and human error. Any of these causes for leakage are likely to occur at some point in time, and it doesn’t matter how strong the digital secret may be, its secrecy will eventually be lost. It's guaranteed. 

And it doesn’t matter if the digital secret is for a human or for a machine. Many of the avenues to leakage occur for secrets in the cloud as well as for human passwords. For example, “ghost” secure shell (SSH) accounts may exist without a business’ knowledge or control and they put its critical infrastructure at significant risk because an intruder can scan file for them and then misuse the elevated privileges they provide. And for APIs, developers often embed API keys in their code to speed development. But if they are left in production code, configuration files, or environment variables, then attackers can easily identify them there and misuse them. 

Vaults Reduce Leakage

One method to block several paths for leakage is to remove machine secrets from workloads, configuration files, and environment variables and store them in an encrypted digital vault. If you use a Password Manager or digital wallet, then this concept is very familiar to you. Secrets Managers exist for storing secrets for machines and workloads that operate in the cloud or within large enterprises with their own data centers. They limit access and provide secure interfaces and code tools (such as APIs) to let authorized workloads access the vault only when they need the secret (e.g. and API key). Secrets Managers typically include a secure digital vault that must be unsealed for use (to add a secret or change a secret) and resealed by business employees with appropriate authorizations. Secrets are often stored as as “key-value pairs” (i.e., keyName=keyValue). And with the proper SM credentials a workload can programmatically gain access to the vault and the stored secret that it needs using an API. While vaulting improves secrecy because it reduces the potential for leakage with stronger storage protection, it also creates a new problem. There are now new secrets to protect: one for unsealing the vault and one for API that the workload must use to retrieve the vaulted secret. This adds two new possibilities for leakage, and those new secrets must also be securely stored in yet another vault. (You can guess where this is headed.) Some Secrets Managers approach this problem by “sharding” the vault secret and distributing the pieces among several privileged users. While this seems secure it actually increases the attack surface area because it increases the number of humans involved (often the weakest security element) and it increases the number of separate vaults needed to store a sharded key.

But there is one particular characteristic of secrets that makes them most vulnerable to leakage: they’re static. Even vaulted secrets have a severe security problem because they seldom, if ever, change. If leakage occurs from human error or vault misconfiguration, or unauthorized vault access, or when the secret is used outside the vault, then secrecy is lost. Static secrets are a main reason why attackers are so successful in breaking through security. 

Rotation to the Rescue

The easy fix for static machine secrets is to automatically rotate them so they change frequently and become invulnerable to leakage. Secrets Managers have begun to implement ways to replace secrets in their vaults on a time schedule so they have a short useful life. One way they do this is to treat static secrets as a ‘lease’ that must be renewed before the lease expires. Secrets with leases are still static - they have to be configured to rotate, but they have additional parameters such as Time-To-Live (TTL) that lets developers control their rotation. Secrets rotation prevents potential damage from leakage, but rotating a secret in a vault must also consider how the workload endpoints that need the secret actually get the right secret at the right time to successfully authenticate the workloads. Within a single cloud, such as AWS, synchronization is easier because the AWS Secrets Manager has access to internal AWS cloud endpoints. But it is very difficult to synchronize secrets at workload endpoints at operational cloud scale and across clouds (e.g Azure to AWS). Most Secrets Managers that rotate secrets across cloud boundaries have to schedule the rotation for maintenance periods when machine services would be offline. 

Better Secrets Rotation 

What Secrets Managers really need is a way to rotate a secret naturally without a lot of developer configuration each time one is needed (i.e., avoid the DevOps burden to configure lease times and TTLs). And even better, the workload endpoints that needed the rotated secret would get it instantly and at the same time so their work would not be interrupted. And still better, the solution would work across cloud boundaries; so a workload endpoint in AWS could interoperate with one in Azure just as if they were in the same cloud.

To realize this vision of better secrets rotation and management, we innovated a different approach to secrets management. Our patent pending technology uses dynamic ephemeral secrets that self-rotate and self-synchronize. The secrets are built from dynamic Internet elements that change frequently and naturally. Our solution also uses  “sidecar” code (installed with each workload) to enable and manage secrets synchronization with the hopr secrets manager. This improves usability and speed for DevOps and improves security, too. 

Keeping secrets is hard because they have to stay secret to deliver security. And for machines and workloads the consequences to lost secrecy can ripple through the entire business and bring down many digital operations in an instant. As a tech innovator hopr works with leading cloud security practitioners to ensure digital secrets and machine identities remain secure and operational.

Keep Reading

Machine Identity - Avoid the Crisis

Machines operating across the Internet outnumber humans by a ratio of three-to-one. This will rise dramatically as more Internet of Things (IOT) devices arrive. Existing approaches for managing identity and trust for a massive number of machines rely on centralized and legacy solutions that won't work for the machine era. A decentralized solution capable of speed, trust, and agility is needed to avoid a crisis and enable a graceful transition to high trust machine identities.

Author Avatar
Tom McNamara

December 9, 2023

IAM in a Box

Containers are an important part of modern cloud engineering. They evoke the idea of portability and relocation. But in the cloud this is often inhibited because they become anchored to external services within a particular cloud environment, and it becomes difficult to relocate them to a different environment. This article describes how containers can be freed and portability restored.

Author Avatar
Tom McNamara

July 8, 2023

An Unintentional Secret - Automated TLS and its Zero Trust Fallacy

Transport Layer Security (TLS) and its companion, mutual TLS (mTLS) are stalwart security protocols known for encrypting communications over the Internet. When they are applied to root domains (such as is the case for Web domains and browsers) they represent identity trust. However when they are implemented with automated PKI certificates, they lose an important security quality: identity trust. Due to the speed and scale of cloud automation, the intermediate certificate authorities that issue PKI certificates eliminate vetting of the receiving identity (a containerized workload).

Author Avatar
Tom McNamara

July 8, 2023

Machine Identity - Who’s Who in the Cloud?

Identities for machines operating in the cloud, like humans in the natural world, are an important quality that is essential to trust, authorization, and authentication. Machines are identified by cryptographic material that takes the form of a certificate. But in the cloud, it is challenging to find, track, and manage the many certificates that are dynamically assigned and used. New approaches to managing machine identities in a zero trust cloud environment are needed to realize secure business operations in the cloud.

Author Avatar
Tom McNamara

July 8, 2023

When Zero is a Good Thing

As businesses migrate more of their critical processes and data to the cloud and procure SaaS solutions, their attack surface grows significantly. This makes it harder to achieve a zero trust posture, and more risk occurs for employees with the Secret Zero to everything. While tools such as Machine Identity Managers and Secrets Managers (vaults) are improvements for today, they do not solve the growing problem of competition between zero trust and ever-scaling attack surfaces. A strategic solution that responds to the challenges in new ways is needed. (click to read more)

Author Avatar
Tom McNamara

July 8, 2023

Subscribe to our newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Use CasesHow It WorksUnique FeaturesHopr ConnectHopr Connect GatewayPricingContact usSecurityWeb Retriever OSSAboutPrivacy policiesTerms of service
Hopr enables on-demand, verified-trust, ultra-secure application networking across clouds, organizations, and ecosystems.

Our patented technology and  protocols form Cloud Native Automated Moving Target Defense (AMTD) around workloads, API endpoints, and data in transit.

Hopr's AMTD disrupts threat actors and proactively prevents cyber attacks to increase cyber resilience.
copyright 2021-2023 | Hopr Corporation
CHIPS™, MAID™, and SEE™ are trademarks of Hopr Corporation
CHIPS™ technology the MAID and SEE™ protocols
are protected by US Patents and patents pending.