A deeper look into third-party secrets security risks

Itzik Alvas. Co-founder & CEO, Entro
June 6, 2024
third party secrets risks

According to SecurityScorecards 2024 report, trusted third parties pose a huge security risk. It is concerning to note that 98% of organizations have ties to a third party that has experienced a breach. What’s more, these breaches account for 29% of all security incidents. 

New secrets security risks are being brought forward by the growing dependency on third parties. These non-human identities, which range from authentication tokens to API keys, serve as the interface between an organization’s internal systems and the external services they rely on. Yet, as we see in the GitGaurdian report, there were 12.8 million cases of secrets being exposed on GitHub in 2023, a 28% increase in cases from the previous year. 

These trends highlight the need for understanding third party secrets security risks and exploring solutions that can help mitigate them. 

In this blog post, we will examine the rise of third-party secrets security risks and secrets management strategies on how to mitigate them. 

What are third party secrets?

The term “third party secrets” refers to the credentials and tokens given by or exchanged with outside groups that have been incorporated into an organization’s infrastructure. Such secrets or non-human identities could be API keys, authentication tokens, certificates, and SSH keys provided by vendors or associates. These allow for communication and functionality between a company’s internal systems and services outside of it – partners, or vendor services, for example. 

According to the CRA survey on cybersecurity, 57% of the respondents have had an incident related to IT security, either an attack or a breach, involving a partner outside their organization in the last two years. This underlines how important third-party secrets are for business activities. For instance, an API key from a payment processor vendor or SSH key belonging to a third party can attack a client’s servers. These are non-human identities that companies must keep to themselves for the sake of their business, but they can also be dangerous if not handled with care.

Types of third party secrets risks

  1. Exposure and leakage: If secrets are unintentionally exposed, they become vulnerable and can be misused by malicious actors for unauthorized entry into databases and systems. For example, an API key that is hard-coded in a public repository could be utilized for extracting sensitive information or causing service interruptions.
  2. Compromise and abuse: When secrets are compromised, there is a risk of data breach, unauthorized access to data, and service disruption. So, if an attacker gets hold of a cloud provider’s API keys, they could gain access to confidential data or use the organization’s resources for their own purposes.
  3. Overprivileged access: Often, secrets have more access than they need. When a key for an API allows full administrative control instead of only read access to a service, the consequences become much more significant if it gets exposed.
  4. Lack of visibility and control: Entities might find it hard to sustain visibility and influence over third party secrets, which can result in security blind spots. Old-fashioned systems and clandestine IT operations could be utilizing unobserved and unmanaged secrets, creating hidden vulnerabilities.

Why are third party secrets risks increasing?

According to the CRA survey on cybersecurity, respondents increasingly collaborate with third party entities, with an average of 88 partners across various sectors, and large enterprises working with approximately 173 third party partners, highlighting the supply chain cybersecurity vulnerability.

Here are some of the other factors contributing to the third party access risks:

  • Proliferation of cloud services: With organizations using many cloud-based services, the amount of third-party secrets has gone up and the attack area has only gotten bigger. A variety of non-human identities are involved in every cloud service integration and without high security measures and context around these non-human identities the internal and external attack surface widens. 
  • Complex integrations: In today’s IT environments, many third party services are integrated into the system. For each of these services, non-human identities need to be securely managed. Without a complete third party access management solution, it can be difficult to keep complex architectures like microservices and API ecosystems safe. 
  • DevOps and CI/CD pipelines: The fast pace of application development and deployment methods might lead to teams taking shortcuts while handling secrets. In fast-paced DevOps teams, secrets could be hardcoded directly into scripts or configuration files. In complex software delivery pipelines the lifecycle of non-human identities – from creation to management to retiring – can become complex very quickly. Yet, it takes deep visibility at every step to be able to control access to, and adequately secure these non-human identities.

How can teams mitigate third party secrets security risks?

With the help of a NHI platform  secrets management tool, companies can mitigate the third party secrets security risk in the following ways:

1. Provide guidance, not just alerts

Alerting developers about leaks or attacks isn’t enough. Teams should get comprehensive guidance that not only addresses immediate issues but also fosters a proactive security culture within the organization. A secrets management solution can help developers with much-needed context about every non-human identity and give them actionable guidance and support to patch leaks strategically.

2. Scrutinize certain file types

Among file types, .env files are most likely to lead secrets. These files commonly store environment variables and non-human identities and are often committed to repositories without realizing it. You need to be able to scan these files for exposed non-human identities. 

3. Automated detection isn’t enough

While GitHub’s program for detecting and reporting potentially exposed non human identities is beneficial, more is needed. Automated detection needs to be part of a broader strategy that includes monitoring, prioritization, education, and a real strategy for non-human identities management.

4. Regular scanning

Regularly scan code repositories for exposed secrets, including new commits and pull requests. Integrating scanning tools into the CI/CD pipeline can help catch secrets before they are pushed to production. Automating this process with a secrets management tool like Entro will ensure continuous monitoring without manual intervention, significantly reducing the risk of human error. Entro not only scans for exposures, but also enriches the exposed non-human identities with context to help you mitigate the risk from the exposure.

5. Context and prioritization

Not all secrets are equal. Prioritize the remediation of secrets based on their sensitivity and potential impact if exposed. Understanding the context in which a non-human identity is used can help assess its risk level. For instance, a non-human identity used to access financial data would be prioritized over one used for accessing marketing materials. 

6. Remediation

Implement a clear and efficient remediation process for exposed secrets. Exposed secrets often remain active days or weeks after a breach notification. This is precious time that attackers can use to wreak havoc. What it requires is revoking or rotating the compromised secrets and ensuring the affected systems are secured against unauthorized access – and doing this as soon as an exposure happens.

7. Rotation and protocols

It is essential to establish protocols for the regular rotation of secrets in order to uphold security measures. For example, adhering to regulatory demands may mandate the periodic changing of encryption keys or API tokens, every six months. However, with automated tools such as Entro, businesses can expedite this procedure by pinpointing which secrets necessitate rotation according to their most recent update, giving priority to previous ones that present a greater hazard. This vital information about the rotation of secrets is another example of contextual information that’s essential for securing non-human identities.

Third-party secrets can be the Achilles heel of any organization because of the lack of visibility and control over non-human identities beyond an organization’s boundaries. But with a solution like Entro, you can now secure non-human identities no matter who uses them – your internal users, or external third-party users.

Reclaim control over your secrets

Get updates

All secret security right in your inbox

Want full security oversight?

See the Entro platform in action