In today’s digital world, businesses run on secrets. Not just trade secrets, but credentials, application secrets, and secret keys that unlock access to – and control over – some of the most valuable technical systems in your business. Protecting those secrets is crucial to preventing malicious attackers – internal or external – from stealing intellectual property, injecting software with malicious code, compromising personal data, and ultimately damaging your business.
As your business grows, so too does the number of people who need to use and manage those secrets. And of course, the day-to-day demands faced by sys admins, developers, DevOps engineers, and others can sometimes tip the scales in favor of convenience over burdensome security. They find ways to share secrets (often insecurely) so they and their teams can work quickly. Even if they don’t intend to expose the company to risk, thoughtless handling of secrets can have devastating effects.
Passwords Don’t Belong in Software Code
In March 2019, reports surfaced that engineers at the computer company Asus had improperly published passwords on GitHub. A security researcher found that the credentials exposed in the GitHub repository could be used to “access an email account used by internal developers and engineers to share nightly builds of apps, drivers and tools to computer owners.” The researcher concluded that a simple phishing attack from there could have given him much greater access to the corporate network.
The problem isn’t a new one. Back in 2013, several incidents were reported in which passwords, private cryptographic keys, and other sensitive data were made public (and, at the time, searchable on Google).
Storing secrets in the codebase in plain text certainly makes it easy on developers. After all, no special deployment steps or server configurations are required. But the short-term convenience can clearly put a company at risk.
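To make the contrast concrete, here is an added example (our own illustration, not code from any of the companies mentioned above). It shows the hardened alternative to a plain-text secret in the codebase (reading it from the environment at runtime and failing fast if it is missing) alongside a small pre-commit style check that flags credential-looking assignments and private-key headers in source lines. The sample lines, variable names and secret values are all constructed for the example; the detection patterns are deliberately broad and would be tuned for a real repository.

```python
import os
import re

# Hardened form: the secret is supplied by the deployment environment,
# never written into the repository. Missing configuration is an error,
# not a silent fallback to a default password.
def load_secret(name: str, environ=None) -> str:
    env = os.environ if environ is None else environ
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value

# Pre-commit style check: a quoted literal assigned to a credential-like
# name, or a PEM private-key header, is a likely secret in source.
SECRET_ASSIGNMENT = re.compile(
    r"""(?ix)
    \w* (password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key) \w*
    \s* [:=] \s*
    ['"] ([^'"]{6,}) ['"]
    """
)
# Values that are clearly references to external config, not secrets.
PLACEHOLDER = re.compile(r"(?i)^(\$\{?\w+\}?|<[^>]+>|changeme|xxx+)$")

def find_hardcoded_secrets(lines):
    """Return (line number, kind) for each suspected committed secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if "-----BEGIN " in line and "PRIVATE KEY" in line:
            findings.append((lineno, "private key material"))
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            findings.append((lineno, m.group(1).lower()))
    return findings

# Constructed sample source lines; the "secrets" are fake values.
SAMPLE_SOURCE = [
    'import os',
    'DB_USER = "builds"',
    'DB_PASSWORD = "hunter2-not-a-real-password"',   # plain-text secret
    'api_key: "example-key-0000-not-real"',          # plain-text secret
    'token = os.environ["NIGHTLY_TOKEN"]',           # read from environment
    'SMTP_PASSWORD = "${SMTP_PASSWORD}"',            # template placeholder
    '-----BEGIN RSA PRIVATE KEY-----',               # key material
]

def scan_sample():
    return find_hardcoded_secrets(SAMPLE_SOURCE)

if __name__ == "__main__":
    for lineno, kind in scan_sample():
        print(f"line {lineno}: suspected {kind}")
```

Run against the sample, the scanner flags lines 3, 4 and 7 and leaves the environment lookup and the template placeholder alone. A check like this belongs in the commit hook or CI pipeline, where it stops the secret before it reaches a shared repository; once a credential has been pushed, rotating it is the only reliable remedy.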
Trello, Slack, and Other Places Secrets Don’t Belong
Don’t get us wrong – we love a good productivity app as much as the next person. Project management apps like Trello and chat apps like Slack make it easy for teams to stay in sync and share important information. But that information shouldn’t include credentials and other technical secrets.
In 2018, news broke of hundreds, perhaps thousands of open (publicly-accessible) Trello boards containing usernames and passwords. Passwords for servers, blogs, domain hosting, and other accounts were easily accessible.
Though we doubt the employees intended to expose their company to any risk, it’s just one more example of how poorly managed secrets can be damaging to a business.
Finding Better Ways to Store and Share Secrets
With so many credentials, keys, PINs, and other secrets to use and manage at work, teams need a secure way to store and share those details. A mixture of better technology and clearer company policies can help employees securely store company secrets and prevent exposure to cyberthreats.
An Enterprise Password Manager is ideal for storing usernames and passwords, WiFi passcodes, even software and API keys. With encrypted, team-based sharing features, it’s also an ideal way for multiple people to share access to accounts and resources, without losing accountability and security.
Businesses should also consider strengthening user access with Multifactor Authentication. By requiring additional factors to prove a user’s identity before access is granted, Multifactor Authentication can mitigate the effects of compromised credentials.
When access to accounts and resources is simplified for employees, they won’t need to resort to insecure ways of storing and sharing credentials and other secrets. You’ll regain the control you need to keep the business more secure, and employees will have the day-to-day efficiency they need to do their jobs well.