
Identify Secrets

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify three types of secrets at your organization.
  • Define authentication, authorization, and encryption.
  • Explain strong key management principles.

What Is a Secret?

Customer trust issues can derail even the best-laid cybersecurity plans. Your customers rely on you to safeguard their data, and to keep that data safe from anyone who does not have a business need to access it, even someone inside your organization’s network. While protections like network segmentation protect data, code, and applications from external and internal threats, it’s still up to you to manage secret information carefully. 

So, just what is a secret? You can define secrets in three main ways. 

  1. Credentials that authenticate individual identities for systems and services
  2. Private keys used to sign certificates that authorize services to other services
  3. Keys used to encrypt other secret information like customer data

If you start with these definitions, you can sort your secrets into categories. The first category is passwords, or other credentials that you use to protect your laptop, phone, and organizational access. The second category is the private keys that services use to provide access to sensitive systems, services, and information. And the third category is the keys used to encrypt content like customer and organizational data, so that even if it is accessed, it is kept secret. 

Password Versus Key

For most computer security purposes and for most users, a key is not the same thing as a password, although a password can be used as a key. The primary difference between keys and passwords is that passwords are intended to be generated, read, remembered, and reproduced by a human user. 

A key, by contrast, is intended for use by the software that is implementing the cryptographic algorithm, so human readability is not required. In fact, most users are, in most cases, unaware of the existence of the keys being used on their behalf by the security components of their everyday software applications.
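The difference between a password and a key, shown as an added example that is not part of the original unit. The function names, key size, and iteration count are assumptions chosen for illustration. It generates a key meant only for software, derives a key from a password with PBKDF2, and compares how large the guessing space is in each case.

```python
import hashlib
import math
import secrets

KEY_BYTES = 32                 # 256-bit key, assumed size for this example
PBKDF2_ITERATIONS = 600_000    # assumed work factor; tune to your hardware


def generate_key(n_bytes: int = KEY_BYTES) -> bytes:
    """A key made for software: random bytes nobody has to remember."""
    return secrets.token_bytes(n_bytes)


def derive_key(password: str, salt: bytes,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Use a human password as a key by stretching it with PBKDF2-HMAC-SHA256.

    The salt is stored next to the ciphertext. It is not secret, but it must
    be unique per password so equal passwords do not yield equal keys.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on guessing difficulty: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    # Constructed sample password, not taken from the page.
    derived = derive_key("correct horse battery staple", salt)
    print("random key :", generate_key().hex())
    print("derived key:", derived.hex())
    # Both are 32 bytes, but the derived key is only as hard to guess
    # as the password it came from.
    print("8 lowercase letters: %.1f bits" % guess_space_bits(26, 8))
    print("32 random bytes    : %.1f bits" % guess_space_bits(256, 32))
```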

Secrets are never as simple as they seem, and handling secrets well involves several tricky factors. When managing secrets, here are some good questions to ask.

How secret is this secret? How many humans know it? How many places is it stored? How hard would it be for an attacker to learn or guess it? Good secrets should be very hard to guess and obtain if you’re not supposed to have them.

Will this secret always be available when needed? Let’s say your service needs a secret to do its job. If the service storing that secret goes down, your customers are going to have a rough day without access to the system they need. The availability of secrets depends on the availability of your service overall.

As your organization continues to innovate with new technologies, effective secret management becomes even more important.

Authentication, Authorization, and Encryption

There are three main ways to protect secrets: authentication, authorization, and encryption. They are all related, and they often overlap with one another. Sometimes they are used in combination, such as when a system authenticates your identity and then checks whether you’re authorized to access that system. At other times, systems encrypt secrets so that they cannot be understood without being decrypted.  

Authentication

Authentication is the process of proving your identity. Let’s say you are trying to log in to your company’s website as yourself. The website asks you to enter your password so it knows it’s you. Authentication assures you that a call is actually coming from a service you trust and not from an attacker. 

Authentication can be single-factor or multi-factor (MFA). A factor is what you use to authenticate, and it falls into one of three categories.

  1. Something you have: Examples include a proximity key like a wireless key fob, or a magnetic strip card like your personal debit card
  2. Something you are: Examples include a fingerprint or facial identification
  3. Something you know: Examples include a password, passphrase, or personal identification number (PIN)

Single-factor authentication is when you use just one of these factors to authenticate, such as when you type in your username and password (something you know) to log in to your email. MFA requires two or more of these items, like when you use your credit card (something you have) and enter your PIN (something you know) to complete a transaction. 

Authorization 

Authorization is the next step after authentication. Now that you have verified your identity, what are you allowed to do? One user shouldn’t be authorized to change another user’s password, for example.

Another example of authorization is the set of resources you have access to for your job. If you work on the Finance team, you shouldn’t be able to access a Human Resources database, and vice versa. You only see the resources that you are authorized to use. 

For high-security processes, you may need to demonstrate that you’re authorized by more than one group in order to gain access. This is known as quorum authorization. For example, if you’re an auditor and need temporary access to a secure financial system, you may require approval from both the business owner of the system and a senior administrator. This method prevents any one group from providing access to secure systems without sufficient authorization.
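One way to enforce the quorum described above, as an added example that is not part of the original unit. The class, function, and group names are hypothetical. The rules that a requester cannot approve their own request and that one person cannot approve for two groups are assumptions added here to keep the quorum meaningful.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Groups that must each approve; names follow the auditor example in the text.
REQUIRED_GROUPS = frozenset({"business_owner", "senior_admin"})


@dataclass
class AccessRequest:
    requester: str
    system: str
    expires_at: datetime                            # access is temporary
    approvals: dict = field(default_factory=dict)   # group -> approver


def approve(req: AccessRequest, approver: str, group: str) -> None:
    if group not in REQUIRED_GROUPS:
        raise ValueError(f"{group!r} is not part of the quorum")
    if approver == req.requester:
        raise PermissionError("requesters cannot approve their own access")
    if approver in req.approvals.values():
        # One person holding two roles must not satisfy the quorum alone.
        raise PermissionError(f"{approver} has already approved this request")
    req.approvals[group] = approver


def is_authorized(req: AccessRequest, now: datetime) -> bool:
    """Grant only while every required group has approved and the grant is live."""
    return REQUIRED_GROUPS.issubset(req.approvals) and now < req.expires_at


if __name__ == "__main__":
    # Constructed sample data.
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    req = AccessRequest("auditor_ana", "finance-ledger", start + timedelta(hours=8))
    approve(req, "owner_omar", "business_owner")
    print("after one approval :", is_authorized(req, start))
    approve(req, "admin_ada", "senior_admin")
    print("after both         :", is_authorized(req, start))
    print("after expiry       :", is_authorized(req, start + timedelta(hours=9)))
```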

Encryption 

Encryption uses mathematical equations to scramble data so that they appear to be random. Only parties with the right secret key can decrypt the contents. Even if attackers can intercept the data your service sends or stores, encryption prevents them from understanding the true contents of the data without the secret key.

All of these techniques require secrets, and they require those secrets to be stored securely. If an attacker knows the password or the decryption key, it doesn’t matter how sophisticated your authentication or encryption schemes are. 

Let’s take a look at some best practices for managing these keys. 

Manage Your Encryption Keys

Just as there are questions you should ask yourself about secrets management, there are also factors to consider when you manage keys. 

Make It Durable

If you permanently lose a key used to encrypt data, you’ve effectively lost the data no matter how many backups you have of the encrypted bits. This situation can be especially challenging with secrets, because the usual response (make lots of backup copies!) conflicts with the first principle of secrets management, which is to keep the secret secret. You can make your keys more durable by backing them up and storing them in an additional secure location to ensure that you still have access to the keys in case one location is destroyed in a disaster. This can be performed by using the native backup options provided by your application or by using a dedicated encryption key backup system.

Change It

It’s best to use an automated process to change keys regularly. Doing so allows you to test the part of your key management process that changes secrets to prevent unauthorized access. It also allows you to take action if an attacker is able to steal a secret. Once you change the key, the attacker might have the data, but they would be unable to unlock it, rendering it useless. 

Declare Cryptoperiods

A cryptoperiod is the lifetime of a key. When you generate a key, you should declare a cryptoperiod. It’s then tracked throughout the usage of the key. For some scenarios, like transport layer security (TLS) certificates used for secure web communication, the protocol directly supports this concept, and using it as designed automatically sets a cryptoperiod expiration limit. The cryptoperiod for TLS is designated by the notBefore and notAfter fields specifying the validity period.

When a cryptoperiod expires, copies of the key material are destroyed or rendered useless, and this process is logged. In the case of data encrypted at rest, take care to ensure the data is reencrypted with an active key or keys prior to discarding the key material. Also, once key material has reached the end of its lifetime, do not reuse it for other purposes. Be sure to generate new keys for any needs beyond the expiration date.
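The lifecycle described in this section, sketched as an added example that is not part of the original unit. The `Key` and `KeyRing` names are hypothetical, and the actual cipher call is injected as the `reencrypt` callable because the page does not name one. Each key gets a declared cryptoperiod at generation, and an expired key is destroyed only after every record that depends on it has been reencrypted under an active key.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Key:
    key_id: str
    not_before: datetime          # cryptoperiod start, named after the TLS fields
    not_after: datetime           # cryptoperiod end
    material: Optional[bytes]     # None once destroyed


class KeyRing:
    def __init__(self) -> None:
        self.keys: Dict[str, Key] = {}
        self.audit_log: List[tuple] = []

    def generate(self, key_id: str, now: datetime, lifetime: timedelta) -> Key:
        """Create a key and declare its cryptoperiod at generation time."""
        if key_id in self.keys:
            raise ValueError("key ids are never reused, even after expiry")
        key = Key(key_id, now, now + lifetime, secrets.token_bytes(32))
        self.keys[key_id] = key
        return key

    def active_key(self, now: datetime) -> Key:
        live = [k for k in self.keys.values()
                if k.material is not None and k.not_before <= now < k.not_after]
        if not live:
            raise LookupError("no key is inside its cryptoperiod")
        return max(live, key=lambda k: k.not_after)

    def retire_expired(self, now: datetime, records: Dict[str, str],
                       reencrypt: Callable[[str, Key, Key], None]) -> List[str]:
        """Reencrypt data under the active key, then destroy expired keys."""
        destroyed = []
        for old in self.keys.values():
            if old.material is None or now < old.not_after:
                continue
            new = self.active_key(now)    # raises before anything is destroyed
            for record_id, key_id in list(records.items()):
                if key_id == old.key_id:
                    reencrypt(record_id, old, new)
                    records[record_id] = new.key_id
            old.material = None           # stand-in for secure destruction
            self.audit_log.append((now.isoformat(), "destroyed", old.key_id))
            destroyed.append(old.key_id)
        return destroyed
```

Here `records` maps a record id to the id of the key that currently protects it. If no replacement key exists when a cryptoperiod ends, `retire_expired` raises and leaves the old key intact, so the data stays readable until a new key is generated.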

Great work! You now understand more about different types of organizational secrets, and how authentication, authorization, and encryption help you protect them. In the next unit, let’s dive deeper into the nitty-gritty of protecting secrets.
