You would think that the safeguarding of customer passwords and other credentials would be a top priority for IT professionals, but as we all know from repeated reports of data breaches, hackers time and again have outwitted the cyberguardians.
To understand why, think of it this way: A car thief enters a parking garage and walks right into the booth where ALL the keys are hanging on hooks. The attendant? Nowhere to be found.
The mass movement of company and personal data to the cloud has only complicated things. Hackers are sending bots to scour GitHub, the source code management system, looking for digital access keys to Amazon Web Services and other cloud systems. In 2015, one careless developer woke to find his stolen keys being used to run 140 AWS servers mining bitcoin.
Companies have uploaded VPN and cloud access credentials to cloud storage systems that are easily accessible. Even U.S. intelligence secrets, including security keys to connect to “distributed intelligence systems,” were apparently left accessible to the public, Bay Area security firm UpGuard disclosed last fall.
And even when credentials aren’t left where anyone can find them, security breaches are routinely made worse when hackers who enter one system are then finding the keys to another lying around unencrypted.
Despite the risks, developers are still regularly storing the digital keys to company assets and even user data in source code, configuration files, and other miscellaneous, unencrypted locations. Unlike typical users who can memorize their passwords or store them with a secure password manager, developers and IT workers often need to keep security credentials in places where automated software can find them.
And even everyday users can still leave sensitive data lying around in unintentionally public documents or in insecure locations on a company network where a hacker might quickly look after wrangling access.
Securing the cloud
Cloud managers are playing catchup to close the door on the critical data left out in the open. Sophisticated new cybersecurity tools designed to securely store these kinds of credentials in a way that legitimate, automated processes can access, and intruders can’t—and to scan files uploaded to cloud storage to make sure passwords and keys aren’t exposed—are turning the tide, experts say.
“Everyone knew this was a bad thing to do,” says Armon Dadgar, founder and co-CTO of San Francisco-based software company HashiCorp. “It wasn’t like anyone had an illusion that keeping these credentials in plain text was smart or sane, but no one had a better answer.”
HashiCorp offers an open-source tool called Vault that stores sensitive credentials, encrypted themselves, and strictly limits what people, servers and programs can access them. Vault keeps logs of who accesses the secrets when. In some cases, it can also generate temporary credentials that give people permissions to use cloud resources for a limited time.
Last month, cloud industry leader Amazon launched AWS Secrets Manager, its own credential management tool. And Microsoft offers what it calls Azure Key Vault to securely store and monitor and control access to this kind of data.
But even as these tools become available, it’s still a challenge for companies where developers might be working with a wide array of remote tools requiring credentials.
“The main problem is that companies really don’t have policies for it or they don’t follow up and make sure those policies are followed,” says Christoffer Fjellström, a developer at Swedish security firm Detectify.
Until recent hacks made it clear that few organizations can hope to keep their networks entirely free from intrusion, many companies paid less attention to the security of data within their firewalls, says Dadgar.
“In that world, things like secret management were just less important,” he says. “Does it matter that you have my database credential if you’re not on my network?”
Other new tools help detect if secure data is being sent and stored where it doesn’t belong. UpGuard, known for its frequent role in detecting leaks tied to data stored on insecure cloud machines, has released BreachSight, which scours the internet for its clients’ exposed code, credentials, personally identifiable information, and other sensitive data.
“You might have this world-class team, but the project manager has an online Kanban board sitting out in the open that he’s using for notes, and it’s full of API keys, but nobody thought to look for it because the company believes everything’s internal,” cofounder and co-CEO Mike Baukes says. “It’s examples like that, which are things happening in the real world, that nobody’s had an answer for until now.”
Since last year, Amazon has also offered a service called Amazon Macie, which uses machine learning to detect unusual access patterns to cloud storage and uploads of potentially sensitive data like access keys. Amazon also released open source software to help prevent accidentally storing passwords and keys to source code repositories, and other developers have offered similar tools to scrub credentials from existing code.
At some point, Baukes tells Fast Company, it’s possible that those types of tools will automatically be provided as part of cloud computing contracts, as standard as seatbelts in new cars.
“What we’ll see over time is a lot of those services will just be bundled in for developers to use by default,” he says.