Using Secrets Management to Enhance DevOps
By Chris Riley
As developers gain more autonomy and access to on-demand services, such as self-provisioned infrastructure, they are gaining more flexibility in how they build and deploy applications. But at the same time, they are inheriting some of the aspects of managing and maintaining a greater library of tools. This, in addition to what they already work with on a regular basis, means that yet another class of tools needs to be created to make sure that they are not also inheriting more work. One such tool is secrets management.
Secrets management tools like Alibaba’s Key Management Service give everyone on the development team a secure place to store, share, and access sensitive keys such as passwords and API tokens.
Many development teams don’t acknowledge how much time they spend searching for keys, or the risk posed by shuffling them around to team members in non-centralized ways, like chat clients. You might think that key management is only for large organizations, but it can benefit a single developer team. It also helps the organization fast-track and improve their DevOps objectives.
Secrets Management: Not Just Housekeeping
In modern application development, elements like application testing and key management can seem like simple housekeeping items — the things you do to have good pipeline hygiene. Yet they end up being ways to do even more with your development practices. Here is how key management is helping development teams look beyond security.
1.) Microservices: The application development environment consists of multiple moving parts. There are external APIs, frameworks, application credentials, cloud services credentials, policy tokens, and operating systems, all of which have some sort of associated secret. But when you consider modern architectures like microservices, there are even more. A good microservices-based application architecture means that autonomous services are provisioned on containers automatically, and many more instances with their own credentials can be automatically generated.
2.) Communication: With a centralized key management solution, team members do not need to hunt for secrets, or ask team members for secrets they do not have. They also do not need to participate in the risky behavior of sharing secrets via messaging services — or worse, written notes. A strong key management system means that communication about secrets is eliminated completely. If a developer needs access to a container, they know that as long as they are permitted, the credentials are in the key management system, and they do not need to interact with anyone.
3.) Agile access control: Not everyone gets access to everything. In the old days of IT and development, IT was usually the gatekeeper of credentials — and in many enterprises, they will continue to be. Traditionally, even if IT understood why a developer might need access to a service or compute, they were constantly leaning toward preventing any access. Instead, they would give log data, or other partial access, which created even more snowflake environment variables. This slowed down development of new functionality, and put a lot of extra work on the IT team to field all requests. With a secrets management system, developers can have access to what they need, without access to what they don’t. There is less worry over developers breaking something with broad access. And because the manual aspects of sharing and updating security are eliminated, IT will have less hesitation, and there will be less administration to be concerned about.
Modern key management solutions need the ability to go beyond access control and storing of key-value pairs. They also need to have integration points (either native or custom) via an API that allows DevOps teams to build in the automation they need for modern development teams and application architectures.
Security is Exciting
Security is no longer a foreign topic in application development. Developers now know that they are accountable for advertently or inadvertently disclosing secrets that are used to exploit applications. For this simple reason, a key management solution is insurance for the company, IT, and Dev. It provides an easy solution when disgruntled employees leave a company. It mitigates human error when credentials are shared in a frenzy, and it builds accountability for everyone. Security needs are constantly changing with every new threat, providing teams with new challenges. Security is job security.
There is no organization too small to benefit from secrets management, because secrets related to application development are related to application size and complexity, not organization size. Secrets management is proper hygiene for building and maintaining a healthy software delivery chain, and for many companies, it’s a way to advance their pipeline to the next steps of DevOps practices and principles.