Navigating the Complexity of Decentralized Secrets Management

Adam Ochayon

Adam Ochayon

Solution Architect

Published on

October 2, 2024

The modern IT infrastructure landscape has become ever more complex, with the rapid growth of distributed environments across multiple clouds and environments. As businesses adopt more SaaS applications and embrace hybrid setups, the sprawl of technologies used by different teams grows with it. This leads to an increasingly fragmented infrastructure landscape, where maintaining holistic visibility, security, and governance is becoming a greater challenge for security teams.

At the heart of this infrastructure lie the secrets – sensitive information such as API keys, credentials, and tokens, scattered across various systems and applications. These secrets are critical for enabling access to different integrations and services, but also pose the risk of granting privileged access to the wrong people. Managing these secrets efficiently is critical to the security of any modern enterprise. The logical solution to storing these secrets securely is to put them in vaults.

Cloud-Native Vaults: Developers’ Choice

In today’s cloud-driven environments, cloud-native vaults have emerged as the preferred choice for developers. This is due to their seamless integration with the native ecosystem, offering convenience and efficiency. By being tightly coupled with the respective cloud providers’ stack, these vaults allow developers to securely store, retrieve, and manage secrets without leaving their preferred environment and the overhead that might introduce.

For example, AWS offers SSM Parameter Store and Secrets Manager, two different managers that tie neatly into the AWS ecosystem and allow securely storing secrets and granularly managing access, without dealing with the overhead or price of maintaining your own secure vault. 

In Azure, Key Vault offers similar features with tight integration into Azure workloads.

These cloud-native vaults simplify secret management for developers, allowing them to focus on coding and delivering features rather than wrangling with infrastructure. They are also often cost-effective compared with dedicated vaulting and secrets management tools, which typically costing an order of magnitude more per secret. 

However despite these benefits, this model carries with it the same challenges that are present in other cloud and hybrid environments - how to holistically manage it without losing track.

The Challenge: Sprawl, Visibility, and Governance

As cloud adoption continues to accelerate and organizations spread workloads across multiple platforms, an inevitable phenomenon is “secrets sprawl”. With developers being rightfully opinionated about using native tools that best fit their workflow, the idea of a centralized vault becomes more difficult to implement comprehensively and effectively.
This problem gets exacerbated further by the rapid increase in identity sources - in addition to cloud access, many PaaS and SaaS applications have their own internal identity mechanisms and credentials, such as Snowflake, Salesforce, and Github.

This sprawl introduces significant challenges:

  • Lack of centralized visibility: Security teams struggle to gain insight into where secrets are stored and how they are managed across multiple clouds and platforms.
  • Governance issues: Enforcing consistent policies and standards becomes a major pain point as secrets are stored in different vaults, or potentially not even vaulted at all.
  • Risk of security lapses: Without a single source of truth, secrets can go stale, remain unrotated, or be forgotten entirely, increasing the risk of security incidents.

Some of the cloud-native vaults provide solutions to these challenges, however as is often true the devil is in the details - auto-rotation, for example, will typically require configuring your own lambda, which creates additional overhead and may leave you open to unsafe flows leading to business disruption. 

This leaves security organizations with a difficult tradeoff -

  • Attempt to centralize all secrets management in a single vault, leading to high implementation and maintenance costs and fighting an uphill battle with their development team, or use cloud native vaults;
  • Allow your development team to move fast and use native tools, leading to incomplete visibility and hard-to-enforce policies around vaulting standards, secrets rotation, etc.

The Ideal Solution: Centralize Policies, not Vaults

The ideal approach would be to leverage the native vaults that developers already love and the organization is often already paying for, while layering on a centralized governance system to provide visibility and policy enforcement. This allows for the best of both worlds: developers can continue to use the tools they prefer, and security teams can maintain control and oversight across the board.

This is where Oasis comes in. Oasis helps supplement the existing cloud-native vault capabilities by providing:

  • Centralized visibility: Oasis offers a unified view into all the secrets across cloud environments, regardless of where they are stored. This includes deep context around the usage itself, the identity being authenticated into, and the permissions tied to it.
  • Posture management: Oasis continuously monitors the state of secrets, flagging exposed and unvaulted secrets, stale or unused secrets or out-of-policy vaulting solutions.
  • Unified policy enforcement: With Oasis, you can set configure policies in one place while consistently enforcing them across your entire environment. This includes cloud providers, PaaS / SaaS, and On Prem accounts.
  • Lifecycle management: Oasis enables streamlined and safe-by-design management automations, such as secret rotation and decommissioning. These automations ensure that security best practices are followed consistently, while retaining business continuity and preventing breakages, without requiring any additional work.

Optimizing Secrets Management Through Seamless Migration

One of the key advantages of Oasis is its ability to help organizations optimize their secret management strategy, by enabling seamless migration between third-party vaults and cloud-native solutions. Whether you’re looking to take advantage of dev-friendliness and lower costs in cloud-native vaults like AWS SSM Parameter Store, or move sensitive information from a cloud-native solution to a more specialized third-party vault for enhanced security or compliance, Oasis makes the process effortless.

Thanks to our cloud-agnostic and vault-agnostic approach, paired with robust automation capabilities, Oasis allows you to move secrets without interrupting workflows or causing business disruption. The ability to automate migrations, rotations, and decommissioning gives customers a powerful tool to continuously improve their security posture without sacrificing agility or efficiency.

In an age where multi-cloud and hybrid environments are the norm, it’s critical to balance the needs of both developers and security teams. A centralized policy enforcement layer like Oasis, sitting atop the cloud-native vaults, provides this balance, ensuring security without compromising developer agility.

More like this