Skip to main content

Keep Secrets at Your Organization

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the importance of keeping secrets.
  • Identify secrets vulnerabilities.
  • Protect your organization’s secrets.

Keep Secrets Safe

Every year you see bigger and bigger data breaches. Even the largest data companies have been affected. Millions of social media users may have had their details left open to hackers after a database containing their personal information was left unsecured on the web for weeks. A prominent game publisher discovered multiple vulnerabilities in its code that could have allowed a threat actor to take over game-player accounts, view personal account information, purchase virtual in-game currency, and even record players’ in-game chatter and background home conversations. 

These breaches occur for a variety of reasons, but often originate when attackers access secrets that allow them illicit entry into an organization's systems. Some of your organization’s greatest assets are collections of information. Your reputation is also an asset, and it is one that hinges on your customers’ perception of how effectively you protect that information. By successfully controlling access to your organization’s applications, systems, and data you can minimize the chance that a breach happens to you. 

A burglar attempting to crack a safe that contains organizational secrets

Securely Manage Secrets

There are several best practices you should follow when managing secrets, these include:

  • Confirming credentials are strong and not reused
  • Securing credentials
  • Verifying credentials are not exposed in code
  • Managing the large, complex scale of the number of keys needed to secure data in any given organization
  • Changing secrets on a regular basis
  • Managing secrets in either a centralized or decentralized manner

Let’s take a closer look at some of these practices.

Prevent Credential Reuse

You should take care to avoid reusing credentials across servers and systems. Reusing credentials increases the likelihood that an adversary can gain access to multiple accounts by compromising just one. 

When you generate new credentials, take extra care to use unique passwords that are completely different from the ones you’ve used before. For example, let’s say the password you use for one system is SuperStrongRandomPassword1. If you then use the password SuperStrongRandomPassword2 on another system, it multiplies the chance that a hacker who gains access can penetrate across systems by guessing, or brute forcing, your password. 

Secure Credentials and Prevent Exposure in Code

Secrets management is critical to your organization’s security. You should protect the keys and passwords you use to access systems. When you work with source code, you should take care not to expose keys or passwords in uniform resource locators (URLs) or in your code. Do not keep secrets in cleartext (readable and easily understood by a human) files and be sure to encrypt them at all times.

Protect Your Secrets

Malicious actors target devices or sensors connected to your organization’s network to break into that network. You’ve built great network security to protect those endpoints, but a perimeter is only as secure as its most vulnerable point, and that point of vulnerability is your access credentials.

In addition to making sure you never save secrets or transmit secrets in cleartext, here are some other practices you can implement to protect your secrets.

  • Record all events occurring on your secrets in an immutable audit log, so that it can’t be altered by attackers unnoticed.
  • Configure alarms and alerts for any secret that is used outside of normal operations.
  • Ensure that an authoritative delegator coordinates secrets distribution. An authoritative delegator is a system with authority to securely distribute, track, and revoke secrets according to your organization’s policies.
  • Make secrets easy to update. You want to prevent situations where you set a password once and never update them again due to inconvenience.

Let’s take a closer look at more ways to secure your secrets, including securing secret management, protecting your access credentials, and guarding production secrets.

Secure Secret Management

There are many secret-protection services, targeted at and optimized for different use cases. A good secrets management program has defined goals, baselines, types of secrets used, and rotation schedules, among other features. Using the right management program for the task helps you build secure systems.

Protect Your Access Credentials

Your personal and system credentials are often the first point of vulnerability that hackers seek to breach. Use a password manager like LastPass, KeePass, or Dashlane to protect your passwords.

For administrator credentials, use your organization’s approved vault or isolated location where you can store your secrets, and allow only your service or other privileged entities to access them. Keep your high-value administrator credentials stored separately from the personal or system credentials you use on a regular basis.

Document your secret management plan for projects you are working on. This will help ensure that your secrets will be properly tracked in your organization’s approved manner and won’t get lost at the completion of your project.

Guard Production Secrets

If your code communicates with other services at your organization over the network, do so via transport layer security (TLS) with strong authentication. The secrets you need to set up that authentication should be provided by a public key infrastructure (PKI) service. A PKI service provides an automated way to securely obtain short-lived certificates and private keys for services running in your organization’s data centers. Also, if you’re storing customer data, encrypt it.

Manage Your Organization’s Keys

A key management solution (KMS) is a tool you use to centralize the management of keys for your organization. It makes it easy to create and control keys, administer the full lifecycle of the keys, and protect them from loss or misuse.

Also, remember to minimize the number of systems and humans that have administrator access to your secrets. By locking things down, you can minimize how much damage an attacker who manages to get in can do before they’re discovered.

Have an Incident Response Plan

Know who to call and what to do if there’s a breach. Just like how every organization runs drills in case of a fire, every organization should have a security emergency plan. Security compromises can happen at any level in your organization. This is why it is important for everyone to be able to properly identify and keep secrets.

Sum It Up

In this module, you’ve been introduced to methods for identifying secrets and reasons why they are important at your organization. You’ve also learned how to protect those secrets and what tools you might use to accomplish that responsibility. Interested in learning more about cybersecurity best practices? Check out the Cybersecurity Learning Hub on Trailhead.

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback