IT Operating Environments Best Practices

Overview

Secrets - the credentials, API keys, certificates, tokens, and connection strings that applications and pipelines use to authenticate to other systems and services - are among the most sensitive and most frequently mismanaged assets in the enterprise technology environment. When secrets are managed informally, they are hardcoded in source code where they persist in version control history long after the code is changed. They are shared in configuration files that are checked into repositories accessible to anyone with code access. They are copied from one environment to another when a lower environment needs to connect to a service, inadvertently sharing Production credentials with environments that should never have access to Production systems. Each of these failures creates a secret exposure risk that, when exploited, gives adversaries authenticated access to the systems that the secret protects.

Best Practice

Govern secrets management across all environments through three non-negotiable principles. First, secrets must be environment-specific: the credentials, API keys, certificates, and connection strings used in each environment must be distinct from those used in every other environment. Production secrets must never be present in any lower environment without approved and governed exceptions, not only because lower environments are less secure than Production but because lower environment secrets that are identical to Production secrets grant lower-environment access holders the ability to authenticate to Production systems using credentials they legitimately hold for a lower-environment purpose. Second, secrets must be centrally managed through a dedicated secrets management system - such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or an equivalent platform - that provides encrypted storage, access-controlled retrieval, rotation capabilities, and comprehensive audit logging. Secrets that are not in a centralized management system are effectively ungoverned regardless of any other controls that are applied to them. Third, secrets must never be hardcoded in source code, configuration files, build scripts, or any other artifact that is stored in version control, shared outside the secrets management system, or accessible to individuals who do not require the secret for a legitimate operational purpose.

Apply secrets rotation policies across all environments, with rotation frequency calibrated to the sensitivity of the secrets and the risk profile of the environment. Production secrets should be rotated most frequently, on a defined schedule and immediately following any actual or suspected exposure. Lower environment secrets should be rotated on a defined cadence and whenever the team composition of the environment changes significantly.

Benefit(s)

Consistent secrets governance across all environments eliminates the most common categories of credential exposure that adversaries leverage to gain authenticated access to enterprise systems. Environment-specific secrets ensure that a compromise of a lower environment does not grant access to Production systems. Centralized secrets management ensures that every secret is stored securely, accessed through governed mechanisms, and audited comprehensively. The elimination of hardcoded secrets removes the persistent exposure that version control history creates when credentials are embedded in code that is checked in, forgotten, and then discovered by an attacker with access to the repository. The organization develops a secrets governance capability that is proportionate to the sensitivity of the assets those secrets protect.