Secrets are fundamental to cybersecurity. They comprise the secret data that allows individual authorization and access to or between systems. But if secrets are not secret, they are threats.
Secrets are also known as credentials. They either provide human access to systems and software, or they provide machine access to other machines. Both categories need to be managed and protected. Although the technology to do this has similarities, human credential protection systems are generally categorized as password managers or privileged access management (PAM) systems, while machine to machine credential protection systems are known as secrets management.
Over time, PAM and secrets management will grow closer, either with single products providing both functions, or single vendors providing both products. This is already happening, but here we will focus on secrets management.
“In cybersecurity, secrets are non-human privileged credentials, most often used to unlock applications, services and IT resources containing highly sensitive information and privileged systems,” explains Craig Lurey, CTO and co-founder at Keeper Security. Attackers see them as keys to the kingdom.
The problem for organizations is these credentials can become distributed and stored in insecure locations. “They may be hard-coded directly into software, stored in plain-text config files, or sitting on a developer’s workstation,” continues Lurey. Since the beginning of cloud migration, the need machine to machine secrets has grown massively. Hybrid and multi-cloud environments can further spread these secrets and lead to duplicated or outdated credentials.
“The lack of central management not only expands the potential attack surface, it also puts the network in a position where an outdated credential can take down the entire production system,” he warns. Keeper Security provides a Secrets Manager solution for dev teams.
Secrets management is a necessary evil, according to Erik Gaston, VP global executive engagement at Tanium. “Unfortunately, attackers often find their doors and windows into your organization through weak and over-used passwords, or poor management of these.” he explains. “This problem becomes worse with siloed organizations and manual processes and was exacerbated during the pandemic as developers began working remotely and taking weakly authenticated ‘secrets’ out into the public domain where they were easily available to attackers.” This is known as ‘secrets sprawl’.
Secrets management therefore implies two separate roles: the protection of secrets’ secrecy, and the management of their distribution (that is, the prevention of secrets sprawl). But there is a third fundamental requirement for a secrets management product.
“Secret management becomes difficult if something is designed in a manner that assumes a secret can be kept forever which, unfortunately, is quite common,” comments Casey Ellis, founder and CTO at Bugcrowd. It is best to assume a secret will eventually become known: guessed, cracked, found in the wrong place, socially engineered, etcetera. “If security is dependent on that secret, the consequences are disastrous if that assumption fails.” The third fundamental requirement for secrets management is consequently the maintenance of secrecy – something that can be achieved by regularly changing (rotating) the secret – or using dynamic secrets.
It is against this background that Akeyless has launched a new SaaS-based secrets manager. “It is based,” co-founder, chairman and president Shai Onn told SecurityWeek, “on three pillars: economic efficiency, simplicity of use, and high degree of security.”
The first two pillars stem from the system’s SaaS basis. It effectively provides a single cloud-based vault for all secrets, eliminating the need for siloed secrets management dependent on their source. As a SaaS service, it requires no new infrastructure, and no specialist staff nor secrets management team. It also offers a 99.99% availability and supports a configurable caching period in case of short term total internet failure. When a new app is developed, the developer replaces the secret with a link to the SaaS service, eliminating the need for local secret storage altogether.
While secrets rotation is an available option, the security of the system is primarily based on the Akeyless patented version of dynamic secrets. A dynamic secret is one that is generated at the time of use and discarded at the end of the session.
The secrets are encrypted. This is not new, but the method of encryption is new. “We have developed a patented technology which we call DFC – distributed fragments cryptography,” said Onn. “We have two patents that allow us to do very secure cryptographic operations on data in a zero knowledge manner.”
By zero knowledge, he means nobody other than the customer, neither Akeyless nor the cloud provider, can gain access to the keys – secrets will remain secret. It eliminates the concern some companies still retain over storing highly sensitive data in the cloud. Technically, the mathematics involved resemble multi-party computation (MPC) without the requirement for multiple parties nor the usual associated costs.
“We found a way to do encryption of data, using fragments of encryption keys without ever combining the fragments,” he continued. “Those fragments are placed in different locations. They are never combined. They never leave their location – and they make our solution a zero knowledge solution.” An attacker would need to simultaneously gain access to all the distributed encrypted key fragments, and the secret and make use of the secret during the course of the current session usage.
The product, named External Secrets Manager (ESM), was launched on June 14, 2023. In the announcement it is also called ‘Bring Your Own Vault’.
Tel-Aviv based Akeyless was founded by Shai Onn, Oded Hareven (CEO), and Refael Angel (CTO) in 2018. It raised $65 million in a Series B funding round in November 2022, bringing the total raised so far to $79 million.