Why managing ‘secrets’ is key to safeguarding sensitive data
Rana Gupta, the Vice President for APAC, Data Security, at the advanced technologies leader Thales, tells GovInsider what 'secrets' government agencies and organisations are protecting, and how they can do so in a safe and systematic manner.
“That definition of what is critical to you, as a citizen, versus what is critical to government, can be different," says Thales' Vice President for APAC, Data Security, Rana Gupta. Image: Canva
When you have something valuable to protect, your first instinct may be to put it under lock and key, say in a safe deposit box at a bank.
To secure access to that box, you need a key that only you hold. The box protects the valuables inside, and the key provides the access to the valuables.
In today’s digital world, when it comes to safeguarding data that contains mission-critical confidential information, organisations tend to use encryption and encryption keys to protect the sensitive data they hold.
Much focus in recent years has been on the human access to that data through the use of passwords and credentials.
But as more data is generated today, the focus is turning towards how machines, applications, and systems access and exchange information, processes that now necessitate secrets management solutions.
What are corporate or public-sector ‘secrets’?
According to Rana Gupta, the Vice President for APAC, Data Security, at the advanced technologies leader Thales, secrets are the credentials, certificates, and API keys that authenticate and protect access to data – not the data itself.
In the safe deposit box example, the keys to these boxes are analogous to the secrets organisations need to keep securely.
As secrets can be imbedded into infrastructure scripts, application codes, and configuration files, this can create “secrets sprawl”, where secrets become stored in multiple places, and provides a much greater attack surface for hackers to infiltrate.
Most recent global hacks are the result of such secrets, and the credentials they entail, being compromised.
“All kinds of secrets are getting generated,” says Gupta, “but what's happening is that a lot of these secrets are making it into the source code, making them vulnerable to cyber attacks.”
What kinds of sensitive data are at risk?
Gupta tells GovInsider that government agencies and organisations need to manage and protect their secrets in a safe and systematic manner.
Sensitive and critical data that should be protected as part of a secrets management plan can include publicly identifiable information such as financial or health information about a person.
“That definition of what is critical to you, as a citizen, versus what is critical to government, can be different,” Gupta tells GovInsider.
“It can be critical for you that nobody knows how much you earn,” he says.
“From the government standpoint, for example, if they [have information on] people who are transacting in real estate, people who have sold their homes and received sale proceeds, they don’t want it to leak out” and become a source for social hacking and targeting by criminals.
While such data – useful to governments but also potentially very sensitive – can be encrypted, vulnerabilities can arise when data is being exchanged by applications and systems.
Jason Grant Allen, Associate Professor of Law and Director of the Centre for AI & Data Governance at Singapore Management University, tells GovInsider that “data governance is certainly a key issue in the digital transformation of public administration.”
He adds that as government agencies partner with tech providers to offer improved public services, “there are questions about the use and ownership of data, including downstream,” and the importance of data security looms large.
Taking a platform approach
According to Gupta, many governments today are focused on digital transformation to cut down on corruption, by cutting out the middlemen, and to serve citizens better.
"When you start putting those systems for government services together, you start to realise that these systems ‘talk’ to one another,” he says. “The question becomes, ‘How do you authenticate these various components, to enable access for the right applications?’”
As with safe deposit boxes, this means managing the keys that allow access, and ensuring the security of those keys. Managing and securing encryption keys is something Thales has been very good at, and it has now incorporated secrets management into its portfolio, says Gupta.
Associate Professor Allen notes that “vulnerabilities exist at multiple points [within and across systems], including the less obvious ones, and good data stewardship requires holistic and vigilant security.
“Exploring different data governance architectures and approaches is important.”
As customers have a need for secrets management, Thales has added this additional functionality into its CipherTrust Data Security Platform solution.
The platform provides a unified approach to help organisations simplify data security across a broad set of use cases, secure their digital transformation, and accelerate their time to compliance.
At the foundation of the CipherTrust Data Security Platform is CipherTrust Manager, which comes in physical and virtual appliances, and as a service.
Gupta added that more than 80 per cent of CIOs responding to a recent survey said that they would prefer a platform approach, such as that offered through CipherTrust Manager, to only deal with a single vendor and train staff on one solution.
A ‘simple fix’
From a technology standpoint, in the face of growing cyber threats amidst a proliferation of sensitive data and secrets, secrets management is a relatively “simple fix” says Gupta.
For instance, CipherTrust Secrets Management is enterprise-ready and provides automatic processes for creating, storing, rotating, and removing secrets.
This reduces the potential for human error and consistently enforces security and compliance policies across the organisation.
And, because the solution is centralised, easy to use, and scalable, return-on-investment and other efficiencies are greatly improved.
“The hardest part of any IT project is convincing the stakeholders that they need to change the way that they have been doing things in the past,” he adds.
A versatile solution
Today, as more public-sector agencies transition from on-prem to cloud, with several in a hybrid state, an enterprise key management platform can be suitable for any scenario.
“Depending on the level of security they require, our customers have the assurance that they don’t need to reinvest or spend more money if they should decide to go from on-prem to cloud, or vice versa,” says Gupta.
And when it comes to government agencies, their applications and systems, and citizens’ data, secrets management can be a crucial piece of the puzzle.
“It is probably more important because governments don’t tend to manage these systems on their own, they rely on [vendors] to build, operate and maintain them,” says Gupta.
“They then need to make sure that they have some way of assuring that no one can, or that it is harder, rather, for people to interfere with their sensitive data and the secrets that provide access to them. Ultimately, it's all about citizens’ confidence.”