What is Secrets Sprawl & How to Avoid It with Secrets Management

Secrets sprawl, as the name suggests will grow out of control and become a tangled mess when it is not properly maintained. The key to preventing it is effective secrets management. Keep reading for a primer on what secrets sprawl means, why it creates dangers for your organization, and how to address it.

What is secrets sprawl?

Secrets sprawl is what happens when your organization stores secrets — meaning passwords, encryption keys, and other types of sensitive information that is required for digital authentication — in lots of different places.

Secrets sprawl has a tendency to creep up on organizations without their realizing it. As your IT infrastructure grows, so does the number of secrets associated with it. And unless you planned to manage your secrets efficiently from the very start, you end up with secrets spread across a variety of locations.

Some of them may be configuration files that have secrets hard-coded in. Some may be password managers used by certain employees or teams. Some may be removable storage devices that someone thought would be a good place to keep encryption keys.

If this sounds like your organization, you have secrets sprawl. Secrets sprawl is problematic for several reasons:

● Security: Perhaps most obvious is the fact that it’s harder to ensure that all of your secrets are secure when they are spread across multiple storage locations. It’s more difficult to keep all of those locations encrypted and protect access to them.
● Access: Finding secrets is also obviously more difficult when they are spread across a wide area and you don’t know where to look for a specific secret that you may need.
● Dependency on certain employees: If you have secrets in lots of different places, chances are that only a few employees know where they all are. Or, each department or team might think that it “owns” the secrets it stores, making them difficult for others to access when necessary. As a result, your organization becomes dependent on certain employees to help meet its IT needs; this leads to problems when they leave.
● Long-term scalability: Secrets sprawl is a problem that only gets worse over time. Even if it is not posing major issues at present, you’ll likely find that, without a better secrets management solution, the sprawl will eventually become an obstacle to your ability to continue scaling your infrastructure and team.


Fighting secrets sprawl through better secrets management

The first reaction of many organizations to secrets sprawl is to turn to password managers and cloud-based key management services that help to centralize their secrets management. Those tools are better than leaving your secrets inside far-flung configuration files or USB drives, but they’re not sufficient on their own for fully containing secrets sprawl.

That’s because they don’t allow you to manage all of your secrets from a single location. Password managers only manage your passwords. Key management services only manage your encryption keys. As a result, you end up needing multiple tools to manage all of your secrets.

A better solution is a comprehensive secrets management tool, like Conjur. Conjur offers several key features for combatting secrets sprawl:

● Comprehensive secrets management: Conjur can securely store all types of secrets. No matter how many different types of systems or authentication methods you use, Conjur will work with them, allowing you to make your secrets management truly centralized.
● Auditing: Conjur provides robust auditing features to help you keep track of authentications. This is useful for a variety of reasons, and one of them is to maintain visibility into all of your systems (and therefore fight secrets sprawl) by being able to track authentications through a single lens.
● Declarative, policy-based management: Using the Conjur policy language, you can write configuration files to manage secrets in a declarative, uniform, and highly scalable way across all of your systems — no matter how different they are from one another.
● Integrations: Conjur integrates with a range of common DevOps tools. No matter which tools you use to build out your CI/CD pipeline or which cloud vendors you work with, there is a good chance that Conjur integrates with all of them, making it easy to manage secrets across all of these systems using a single tool.

By adopting a secrets management strategy oriented around these features, you can turn your secrets sprawl into a tightly regulated, consistent, and efficient secrets management process. You can, in turn, free yourself from the danger of having secrets that are hard to find and manage, difficult to secure, and that eventually become roadblocks to long-term growth and scalability.

Join the Conversation on the CyberArk Commons
If you’re interested in this and other open source content, join the conversation on the CyberArk Commons Community. Secretless Broker, Conjur, and other open source projects are a part of the CyberArk Commons Community, an open community dedicated to developers, engineers, cybersecurity researchers, and other technically-minded people. To discuss Kubernetes, Secretless Broker, Conjur, CyberArk Threat Research, and related topics, join us on the CyberArk Commons discussion forum.