Rising Credential Leaks: A Crisis in Identity Security

cta banners

Secrets Sprawl: Understanding the Challenges and Solutions for IT Security

In a rapidly evolving digital landscape, the issue of secrets sprawl has emerged as a critical concern for IT security teams. A recent report from GitGuardian and CyberArk reveals that a staggering 79% of IT decision-makers have encountered a secrets leak, a noticeable increase from 75% in the previous year. Alarmingly, over 12.7 million hardcoded credentials can be found in public GitHub repositories, highlighting the urgent need for organizations to address this escalating crisis.

The Rising Tide of Credential Leaks

The same research indicates that more than 90% of valid secrets discovered remained in circulation for over five days. On average, organizations take 27 days to remediate these leaks. The situation is further complicated by the fact that non-human identities (NHIs) now outnumber human identities by a ratio of at least 45:1. This discrepancy emphasizes the necessity for organizations to develop robust strategies to combat secrets sprawl while navigating a machine identity crisis. Unfortunately, confusion over ownership regarding the security of these identities exacerbates the risk.

Understanding the Delays in Credential Rotation

So, why does it take organizations so long to rotate credentials, particularly when they are a known attack vector? One significant factor is the lack of clarity around permissioning. Permissions dictate what actions specific entities—like Kubernetes workloads or microservices—can perform on other services or data sources.

Remediating a secrets sprawl incident involves safely replacing a secret without disrupting existing systems or inadvertently granting overly broad permissions. If an organization has clear visibility into the lifecycle of its NHIs and associated secrets, this process can be straightforward. However, without that insight, it becomes a time-consuming challenge, especially if the original developer is unavailable to provide context.

Who is Responsible for Secrets Sprawl?

The term secrets sprawl refers to the widespread distribution of access keys, passwords, and other sensitive credentials across various environments and services, including platforms like Slack and Jira. GitGuardian’s Voice of the Practitioners report highlights that 65% of respondents believe IT security teams should bear the responsibility for remediation. However, 44% of IT leaders acknowledge that developers often neglect best practices for managing secrets.

Without a collaborative approach, the issues stemming from over-permissioned, long-lived credentials will continue to pose significant risks.

Developer Challenges in Permissions Management

Developers are under immense pressure to deliver features quickly, which often leads to shortcuts in managing permissions. Each project has unique access needs, and the time required to research and implement these properly can feel overwhelming. Unfortunately, best practices for permissions management are inconsistently applied, poorly documented, or entirely forgotten once an application is operational.

Moreover, many developers default to granting overly broad permissions to machine identities. Research shows that only 2% of granted permissions are actively utilized, raising concerns about unnecessary vulnerabilities.

The Complexity of Permissions in Popular Platforms

Platforms like Amazon Web Services (AWS) and GitHub exemplify the challenges developers face with permissions management. AWS’s Identity and Access Management (IAM) is both highly flexible and notoriously complex, requiring precise configurations across various policy types. Similarly, API keys in GitHub can inadvertently grant excessive access across different organizations, complicating access boundaries.

Why Security Teams Alone Cannot Solve These Issues

While it may seem logical to assign security teams the task of monitoring and rotating secrets, they often lack the detailed project-level knowledge necessary for safe changes. A minor permissions modification could inadvertently disrupt critical processes, such as CI/CD pipelines or production environments.

Additionally, fragmented secrets management across teams increases the attack surface, making it difficult to maintain consistent access controls and audit trails. This lack of clarity can lead to excessive, outdated credentials remaining active indefinitely, amplifying security risks.

A Shared Responsibility Model for Effective Secrets Management

To effectively tackle secrets sprawl, developers and security teams must collaborate through a shared responsibility model. Developers should take ownership of managing their permissions using tools like CyberArk’s Conjur Secrets Manager or HashiCorp’s Vault, while also documenting their permissions requirements. Meanwhile, security teams can automate secrets rotation and enhance visibility into the state of secrets across the organization.

By clearly documenting necessary permissions, developers can help security teams conduct faster and more accurate audits, speeding up remediation processes. When security teams streamline the path for updating credentials, it reduces the likelihood of emergency rotations, benefiting the entire organization.

Key Questions for Improved Permissions Management

To facilitate better collaboration, consider the following questions:

  • Who Created the Credential? Understanding ownership is vital for effective credential management.
  • What Resources Does It Access? Limit permissions to the essential minimum to enhance security.
  • What Permissions Does It Grant? Be aware of the varying permissions based on roles and policies.
  • How Do We Revoke or Rotate It? Streamline revocation processes to reduce exposure time.
  • Is the Credential Active? Regularly assess whether credentials are still in use to avoid persistent risks.

Conclusion: Moving Forward Together

Despite 75% of respondents expressing confidence in their secrets management capabilities, the average remediation time of 27 days suggests a significant gap between perception and reality. It is crucial to rethink how organizations implement and communicate about secrets and their permissions.

By fostering collaboration between developers and security teams, organizations can effectively manage permissions, reduce security risks, and enhance overall operational efficiency. GitGuardian is at the forefront of developing advanced secrets security solutions to help organizations combat secrets sprawl.

If you found this article insightful, we encourage you to share your thoughts and explore more related content on our blog. Follow us on Twitter and LinkedIn for updates on the latest in IT security!

Share it

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *