Admin and developer secrets – such as SSH keys, API keys, and database passwords – are the essential credentials that let developers access the systems they need to do their jobs. If these secrets are compromised, they can grant particularly dangerous levels of unauthorized access, exposing an organization’s most sensitive data and mission-critical systems to bad actors. One compromised SSH key can enable data breaches, service disruptions, and potential full infrastructure compromise.
Despite their importance, developer secrets pose a particular challenge to IT and security teams. As Matt Burgess reported for Wired, “It is relatively trivial for a developer to accidentally include their company’s secrets in software or code.” Many breaches, such as the 2022 Uber hack, show how bad actors can then leverage these kinds of hardcoded credentials to escalate their access to company systems, causing severe and costly damage.
Given the danger, it’s imperative that IT and security teams have the tools they need to secure developer secrets across their company. In today’s distributed workforce, where admins need to manage access across many users, devices, and applications, secrets sprawl is a growing blind spot for IT and security teams.
In this blog, we’ll explore the ways that 1Password Extended Access Management® helps reduce this risk, enabling admins and developers to keep secrets secure and managed.
1Password developer tools
1Password’s developer tools use the 1Password® Enterprise Password Manager (EPM) to store secrets and manage access to them with minimal friction. Secrets stay secure while developers can work and collaborate without disruption.
Built-in SSH agent
SSH keys can be particularly complex to set up and use. 1Password EPM simplifies their management through the built-in SSH agent. Within the 1Password desktop app or through the 1Password command-line tool (CLI), developers can generate new SSH keys, import existing keys, and securely export and encrypt private SSH keys.
SSH keys stay secure and organized within 1Password EPM, and developers have full control over which processes can access specific keys. This means they can securely share public keys and can use the 1Password browser extension to autofill keys into Git or cloud platforms.
Secret references
Secret references enable developers to build securely without needing to hardcode secrets.
Secret reference URIs use unique identifiers to point toward secrets that are stored within 1Password accounts. Developers can then load secret references into their terminals to ensure they get the most up-to-date values when running scripts. This means that teams can work and collaborate on projects without ever needing to expose secrets in plaintext.
1Password SDK and integrations with existing developer workflows
1Password SDKs enable 1Password’s EPM and Developer Tools to integrate with platforms like Kubernetes, Terraform, GitHub Actions, and more. This gives developers a simple method of securely accessing secrets – and easily inserting secret references into code – during their standard development workflow.
Centralized visibility for admins
Through 1Password Extended Access Management, admins can contain secrets sprawl, gain centralized oversight, and enable security best practices for their developers.
Monitor for plaintext secrets
Through 1Password® Device Trust, admins can set Checks that monitor for the storage of plaintext credentials on end-user devices. When plaintext credentials are found, 1Password Device Trust then blocks users from accessing systems until the risk has been resolved.
The 1Password Device Trust admin portal also provides admins with logs of failed Checks, enabling them to gain oversight over the overall storage and use of plaintext developer secrets across their company.
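The contrast between a hardcoded value and a secret reference, and the kind of plaintext check described in this section, shown as an added example; it is not 1Password code and not how Device Trust Checks are implemented. It assumes the `op://vault/item/[section/]field` reference shape, and the variable-name list, entropy threshold, and sample file are constructed for illustration.

```python
import math
import re

# Secret reference shape: op://<vault>/<item>/[<section>/]<field>
SECRET_REF = re.compile(r"^op://[^/]+/[^/]+(/[^/]+){1,2}$")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Assumption: variable names that usually hold credentials.
SENSITIVE_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

def shannon_entropy(value):
    """Bits per character; random tokens score higher than words."""
    if not value:
        return 0.0
    freqs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in freqs)

def classify(name, value):
    """Return 'reference', 'malformed-reference', 'plaintext' or 'ok'."""
    value = value.strip().strip("'\"")
    if value.startswith("op://"):
        return "reference" if SECRET_REF.match(value) else "malformed-reference"
    if PRIVATE_KEY.search(value) or (value and SENSITIVE_NAME.search(name)):
        return "plaintext"
    # Assumed threshold: long, high-entropy values look like generated tokens.
    if len(value) >= 20 and shannon_entropy(value) >= 4.0:
        return "plaintext"
    return "ok"

def scan_env(text):
    """Return (line_number, name, verdict) for every entry that is not 'ok'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        verdict = classify(name.strip(), value)
        if verdict != "ok":
            findings.append((lineno, name.strip(), verdict))
    return findings

# Constructed sample env file; none of these values are real credentials.
SAMPLE_ENV = """# app settings
LOG_LEVEL=debug
DB_PASSWORD=hunter2-not-a-real-password
API_TOKEN=op://dev-vault/payments-api/credential
DEPLOY_REF=op://dev-vault/payments-api
SESSION_SEED=Zx9qL2mVt7RkP4wYc8HbN1sDf6GjA3uE
"""
```

Run as a pre-commit or CI step, a scan like this can fail the build on any `plaintext` or `malformed-reference` verdict so that only references reach the repository.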
Centralized credential storage
Through 1Password Service Accounts, admins can centrally store, access, and share secrets that are used across a company’s infrastructure – whether through cloud environments or on-premises. This lets admins maintain a single source of truth, enabling them to better audit and manage developer secrets across their organization.
Secrets automation
1Password SDKs also enable Secrets Automation workflows for admins. For instance, admins can automate the provisioning and deprovisioning of secrets access according to group or role. Following the principle of least privilege, admins can better manage access to shared vaults and secrets.
Secrets Automation enables teams to supply secrets securely when and where they’re needed. Not only does this simplify and automate access for developers, but it also lets IT and security teams gain visibility into secret usage patterns without interfering with developer workflows.
1Password offers seamless and secure secrets management
Developer secrets are complex to manage and track, particularly across distributed teams that have to manage access to various systems while juggling multiple projects. Historically, even well-meaning and security-focused developers have faced difficulties in keeping secrets secure.
To secure developer secrets, IT and security admins need tools that serve the needs of their developers. For this reason, 1Password was designed to help developers adopt secure practices with as little friction as possible. Admins can ensure that developers are empowered to follow best security practices, while also cracking down on secrets sprawl across their systems.
Secrets stay secure while teams stay productive; that’s a win for admins, developers, and the entire organization.
Want to learn more about how 1Password Extended Access Management reduces risk across distributed teams? Reach out for a demo!