Contact Info

Atlas Cloud LLC 600 Cleveland Street Suite 348 Clearwater, FL 33755 USA

support@dedirock.com

Client Area
Recommended Services
Supported Scripts
WordPress
Hubspot
Joomla
Drupal
Wix
Shopify
Magento
Typeo3

According to a recent study from GitGuardian and CyberArk, 79% of IT decision-makers have experienced a secrets leak, a significant increase from 75% the previous year. Alarmingly, over 12.7 million hardcoded credentials can be found in public GitHub repositories alone, with more than 90% of the leaked secrets remaining valid for over five days. This situation is aggravated by the fact that organizations typically take an average of 27 days to remediate leaked credentials.

A critical factor contributing to these delays is the overwhelming number of non-human identities (NHIs) compared to human identities, leading to organizational confusion regarding the security management of these identities. This combination of factors creates a precarious environment for many organizations.

Understanding the Delays in Credential Rotation

The lengthy process required to rotate credentials often stems from unclear permission structures. Permissions dictate which actions or data a specific entity can access, whether it be a service or database. Remediating a secrets leak involves replacing a secret while ensuring that no disruptions occur in the associated access pathways and permissions. If an organization lacks visibility into the lifecycle of its NHIs, remediation becomes a tedious and time-consuming effort, especially if the original developer is no longer available to provide context.

Ownership of Secrets Sprawl

Secrets sprawl refers to the unchecked proliferation of sensitive credentials across different environments. GitGuardian’s report indicates that 65% of respondents attribute the responsibility for managing and remediating secrets to IT security teams. However, 44% of IT leaders also report that their developers are not adhering to best practices in managing these secrets. This division of responsibility highlights the need for a cooperative approach to secure permission management, as many organizations currently struggle with inadequate collaboration between developers and security teams.

Developers’ Perspective on Permissions

Developers are often under intense pressure to deliver features quickly, which can lead to neglecting security best practices in permissions management. Each project carries its own distinct access requirements, complicating compliance with security protocols. This results in permissions being frequently over-allocated, with as few as 2% of granted permissions utilized in practice.

Complex systems, such as AWS’s Identity and Access Management (IAM), add additional layers of difficulty due to their numerous policy types and intricate configurations. Additionally, developers often face the challenge of improperly managing permissions within interconnected services, such as GitHub, where a single API key can grant excessive access across multiple organizations.

Limitations of Security Teams

Although delegating responsibility for secrets management to security teams seems logical, they often lack the specific knowledge required for this task at the project level. A singular change in permissions could inadvertently disrupt services or applications. Moreover, the fragmented approach to managing secrets across various teams leads to an expanded attack surface, allowing for greater opportunity for unauthorized access.

Building a Shared Responsibility Model

To effectively address these challenges, developers and security teams should work together within a shared responsibility model. Developers need to take more accountability for managing permissions and documenting their access needs appropriately. In return, security teams should focus on automating credential rotation, employing visibility tools to monitor secrets, and eliminating long-lived credentials.

Enhancing documentation of permissions will allow security teams to conduct faster and more accurate audits, expediting the remediation process. This collaboration aims to facilitate a smoother workflow, making it easier for security teams to rotate or update credentials without risking service disruptions.

Key Considerations for Permissions Management

Proper documentation should focus on several key questions:

  1. Who created the credential?
  2. What resources does it access?
  3. What specific permissions does it grant?
  4. How can it be revoked or rotated?
  5. Is the credential currently active?

Conclusion

Despite high levels of confidence in their secrets management capabilities, organizations often face significant gaps in practice, reflected in the average remediation time of 27 days. To bridge this gap, there is a pressing need for better communication and cooperation between development and security teams. Adoptive measures include using advanced tooling to track credentials and mitigate risks related to secrets sprawl.


Welcome to DediRock, your trusted partner in high-performance hosting solutions. At DediRock, we specialize in providing dedicated servers, VPS hosting, and cloud services tailored to meet the unique needs of businesses and individuals alike. Our mission is to deliver reliable, scalable, and secure hosting solutions that empower our clients to achieve their digital goals. With a commitment to exceptional customer support, cutting-edge technology, and robust infrastructure, DediRock stands out as a leader in the hosting industry. Join us and experience the difference that dedicated service and unwavering reliability can make for your online presence. Launch our website.

Share this Post
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x