I love playing devil’s advocate. It helps with the analysis process.
Here’s your dose of Devil’s Advocacy – just a malicious user story for your secure threat analysis:
Sometimes it seems like we’re just encrypting secrets with more secrets.
Sometimes we’re even centralizing all of our secrets by sending our secrets over a network and then protecting them with a single secret.
A secrets-protecting-secret. A single proverbial key to the kingdom.
Don’t get me wrong; Central management of most things is a great idea. Centrally managing users or assets. Superawesomefuntime! I’m in.
However, I don’t believe that a single secret stored on a single host inside a perimeter, when locked down, implementing least privilege and RBAC and network data flow controls and other mitigations, is necessarily less secure than a secret that’s sent across a network to a central server and stored as cipher text that’s encrypted with a single key (e.g. the key that encrypts the Central Secrets Authority’s*** database).
The problem statement trying to be solved by centralizing anything is essentially ease of management. The solution and choice to centralize secrets comes at a significant cost for confidentiality.
My hypothesis is that a compromised centralized secret authority is more of a risk than the compromise of a single, well-managed secret on a single system.
What do I mean by well-managed secret?
A well-managed secret is a secret that:
- is changed regularly
- is of sufficient bit depth / strength
- is assigned an owner
- is treated and tracked like an asset
- is governed by an organizational key policy and
- has defined processes and procedures for dealing with compromised secrets, changing secrets, distribution secrets, etc
- if a secret is related to a service account (e.g. for SCP transfers), it should have limited access (i.e. sandbox/chroot) on the remote system
In my opinion, centralizing secrets makes them easier to access/gather en masse by a threat actor. Tracking static secrets (e.g. ssh keys, hardcoded passwords) more like an asset (e.g. in a CMDB, spreadsheet, etc) can in many cases limit their possible exposure and the damage that can be caused by the compromise of a single secret (the “master Secrets Authority secret”).
This is not true for all cases, but here is a closing analogy: If you had a lot of cash, like, tons of cash. Millions of dollars in cash. Would you store it all in one place? Or do you think it would be safer by storing smaller amounts in several places and remembering where you kept it?
*** I’m totally going to start calling the “Central Secrets Authority” the “Ministry of Truthiness” because it is both Orwellian and Colbertian.