Protecting machine secrets

Machine secrets, including API keys and cryptographic keys, are often compromised. Ehud Amiri at Saviynt shares five ways they can be protected

Today’s modern business practices have astronomically increased the reliance on adaptable and automated services. With the rise of cloud services and interconnected systems, the security of machine secrets has never been more critical.

Machine secrets, including API keys, OAuth tokens, service account credentials, and cryptographic keys, act as digital keys or authentication tokens that allow systems, applications, and services to communicate securely and access sensitive data. When fully protected, they enable seamless automation, integration, and secure data exchanges.

When machine secrets are compromised, the consequences can be devastating. Attackers can exploit them to infiltrate systems, escalate privileges, and move laterally across networks, often remaining undetected. In 2024, several high-profile breaches revealed just how damaging secret leaks can be, with companies suffering data theft, service disruptions, and reputational damage. For example, global technology provider Dell suffered a data breach in which 49 million customer records were sold on the dark web, all because of a misconfigured API accessible through a partner portal.

The problem lies in the inherent makeup of machine secrets, as they are often poorly managed or hidden in unexpected places. Hardcoded credentials, plaintext storage, and misconfigured environments have made them easy targets. Once attackers gain initial access, they quickly scan for exposed secrets, turning a minor foothold into a full-blown security incident.

Secrets are everywhere, and the attackers know it. When they get away with initial access to your systems, one of the first things they will do is scan compromised access points for credentials. In too many cases, our machine credentials and secrets are stored in surprising places and get exposed that way.

Where the secrets lie

When we look at where machine secrets are most often exploited from, code repositories remain the number one issue, even as the industry becomes more aware of the risks. With the rise of Infrastructure as Code (IaC), CI/CD pipelines need access to cloud environments, and secrets can be inadvertently exposed in the process. Fortunately, there are now tools specifically designed to detect secrets in Git repositories, including those provided by the Git platform itself, such as GitHub. Leveraging these tools is crucial to mitigating the risk of secret leakage.

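The secret-detection tooling mentioned above can be illustrated with a small scanner of the kind a pre-commit hook or CI step would run. The following Python is an added example, not code from the article, from Saviynt, or from any Git platform: it applies three illustrative rules (the documented shape of an AWS access key ID, a PEM private-key header, and a generic credential-assignment pattern filtered by Shannon entropy so that obvious placeholders are skipped) to constructed in-memory files and reports redacted findings. The rule names, the entropy threshold, and every sample path and value are assumptions made for the example.

```python
import math
import re
from dataclasses import dataclass

# Detection rules. These three are illustrative; production scanners
# (gitleaks, GitHub secret scanning, trufflehog) ship hundreds of
# provider-specific rules and tuned allow-lists.
PATTERNS = {
    # AWS access key IDs have a fixed, documented shape: "AKIA" + 16 chars.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private-key headers (OpenSSH, RSA, EC, or generic PKCS#8).
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "name = value" assignments whose name suggests a credential.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # never echo the full value into CI logs


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value for a developer to locate it."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # The generic rule is noisy: drop low-entropy values such as
                # "changeme_changeme", which are placeholders, not live secrets.
                if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map, as a pre-commit hook would feed in."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample files; the values below are made up and are not real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE012345678'\n"
        "DB_PASSWORD = 'changeme_changeme'\n"
        "API_TOKEN = 'q7Zp3vLm9Xt2Rb8Kd4Wn6Yh1'\n"
    ),
    "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAAconstructedBodyAAAA\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.redacted})")
    # A non-zero exit blocks the commit or pipeline stage when anything was found.
    raise SystemExit(1 if hits else 0)
```

The entropy filter is what keeps a rule this generic usable: placeholder strings and English words score well under 3.5 bits per character, while real tokens drawn from a large alphabet score above it. Any scanner of this kind should be complemented by the platform's own scanning, since only the provider knows the exact formats of its current credential types.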
When a workload, such as a virtual machine, is compromised, the attacker will often search for secrets within it, scanning both the filesystem and the environment variables of running processes. Both approaches succeed often enough that newer techniques, such as secretless access, will be needed to address this weakness.

Recently, there have been several incidents involving access to publicly exposed data sources, such as buckets and databases, where sensitive information was found. One recent example is a report from Wiz, which discovered the DeepSeek database had been misconfigured to be publicly accessible. Shockingly (or perhaps not), the database contained customer prompts, many of which included API access keys and other types of credentials for both human and machine identities.

One of the more devastating situations is when a vendor you work with gets compromised, and secrets of your infrastructure get exposed as part of an initial attack that happened outside of your control. A high-profile example of this type of attack involved Cloudflare and Okta. In this incident, a system at Okta was compromised, exposing service account credentials for multiple customers, including Cloudflare.

This type of attack highlights the importance of carefully selecting and monitoring vendors, not just for the functionality they provide, but also for their internal security practices.

Secrets are often stored throughout your IT systems in ways you might not expect. It’s surprisingly common to find internal wiki pages listing systems needed for QA processes, complete with plaintext passwords and API keys. You might also discover secrets tucked away in help desks or app support systems, left behind as support engineers replicate issues. Even logs can contain plaintext secrets, scattered across your entire network. In reality, almost every IT system in your organisation could be harbouring sensitive information.

How to safeguard secrets

With machine secrets scattered across various systems, the question becomes: how can you safeguard them effectively? Fortunately, there are practical steps you can take to minimise risk and secure your sensitive information. Here are five key recommendations to get you started.

  • Gain visibility. Start by identifying all non-human identities and their credentials. This first step is crucial to understanding which secrets you have in place.
  • Minimise your attack surface by eliminating unnecessary secrets. "Delete" can feel like a risky word, and many organisations hesitate to remove things, worried about the potential fallout. However, a lot of keys are just remnants of ad-hoc activities and are no longer needed. Identify these outdated keys and safely remove them to reduce your risk.
  • Minimise your attack surface by adopting secretless solutions. There are increasingly more opportunities to replace hard-coded secrets with modern approaches that eliminate the need for secrets. Embracing secretless methods can significantly enhance your security posture.
  • Use Privileged Access Management (PAM). Instead of relying on hard-coded keys, consider using vaults and PAM solutions. These tools offer a more secure way to store and manage sensitive credentials, reducing the risk of exposure. By centralising access and automating secret management, you can greatly enhance security and minimise the chances of credential leaks.
  • Manually rotate your keys. If all else fails, ensure you have a comprehensive inventory of any secrets that can’t be eliminated or stored in a vault. These are the secrets you’ll need to manage manually. Establish a clear, enforceable process to periodically rotate or change these keys to maintain security.
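Recommendations one, two, four and five can be driven from a single inventory of non-human identities and their credentials. The following Python is an added example, not the article's or Saviynt's code: it takes a constructed inventory and maps each record to an action (delete secrets that are unused, move vaultable ones into a vault or PAM tool, and rotate anything past its policy age, manually where the vault cannot hold it). The record fields, the 90-day thresholds, and every name and date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class SecretRecord:
    name: str
    used_by: str               # the non-human identity (pipeline, service, job) that uses it
    managed_by_vault: bool     # already stored in a vault / PAM tool?
    vaultable: bool            # could it be moved there? (some HSM or legacy keys cannot)
    last_used: Optional[date]  # None = no usage ever observed
    last_rotated: date


def triage(rec: SecretRecord, today: date, unused_days: int = 90, max_age_days: int = 90) -> str:
    """Map one inventory record (recommendation 1: visibility) to a concrete action."""
    # Recommendation 2: an unused credential is attack surface with no benefit.
    if rec.last_used is None or (today - rec.last_used).days > unused_days:
        return "delete"
    # Recommendation 4: anything that can live in a vault / PAM tool should.
    if not rec.managed_by_vault and rec.vaultable:
        return "move_to_vault"
    # Recommendation 5: what cannot be vaulted is rotated by hand on a schedule;
    # vaulted secrets past their policy age are rotated by the vault's rotation job.
    if (today - rec.last_rotated).days > max_age_days:
        return "rotate_via_vault" if rec.managed_by_vault else "rotate_manually"
    return "ok"


def build_plan(inventory: list[SecretRecord], today: date, **policy: int) -> dict[str, str]:
    """Return {secret name: action} for the whole inventory under the given policy."""
    return {rec.name: triage(rec, today, **policy) for rec in inventory}


# Constructed inventory; names, owners and dates are made up for the example.
TODAY = date(2025, 3, 1)
INVENTORY = [
    SecretRecord("ci-deploy-token", "github-actions/deploy", False, True, date(2025, 2, 28), date(2025, 1, 15)),
    SecretRecord("legacy-qa-api-key", "qa-runner-old", False, True, date(2024, 6, 1), date(2023, 11, 2)),
    SecretRecord("hsm-signing-key", "release-signer", False, False, date(2025, 2, 27), date(2024, 10, 1)),
    SecretRecord("db-service-account", "orders-api", True, True, date(2025, 3, 1), date(2025, 2, 20)),
    SecretRecord("partner-webhook-secret", "partner-sync", True, True, None, date(2024, 1, 10)),
    SecretRecord("metrics-push-key", "telemetry-agent", True, True, date(2025, 2, 25), date(2024, 11, 1)),
]

if __name__ == "__main__":
    for name, action in build_plan(INVENTORY, TODAY).items():
        print(f"{name:24s} -> {action}")
```

The ordering of the checks matters: a stale credential is deleted before anyone spends effort vaulting or rotating it, and a credential that can be vaulted is moved before its rotation is scheduled, so that the vault, not a person, ends up owning the rotation. Only the residue that truly cannot be vaulted lands in the manual-rotation bucket the fifth recommendation describes.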

Moving to a converged AI-driven identity security cloud platform is emerging as the most effective defence against machine secrets threats. These platforms integrate identity governance, privileged access management, and application access governance into one unified solution. This holistic approach not only centralises identity management but also leverages artificial intelligence and machine learning to continuously monitor, detect, and respond to threats in real-time.

By automating key security processes and offering deep visibility into both human and machine identities, organisations can proactively address vulnerabilities and significantly reduce the risk of machine secret exposure.

Looking ahead, managing machine secrets will remain a critical priority for organisations. Implementing best practices, like gaining visibility, minimising your attack surface, adopting secretless methods, using PAM solutions, and manually rotating keys when necessary, can make a significant impact. Ultimately, investing in a converged AI-driven identity security cloud platform is the most effective way to secure machine secrets in an evolving threat landscape.

By unifying identity management and leveraging AI-driven insights, organisations can stay ahead of attackers and protect their digital assets with confidence.

Ehud Amiri is Senior VP of Product Management at Saviynt

Main image courtesy of iStockPhoto.com and Olemedia

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543