Developers typically have to pick between speed and security in order to meet these accelerated timelines. To make it simpler to access infrastructure secrets such as API tokens, SSH keys, and private certificates, they store them in config files or close to source code.
However, they are often unaware that the simpler it is for them to gain access to these secrets, the easier it is for hackers to do so as well.
According to the report "Hiding in Plain Sight" by 1Password, the leader in corporate password management, organizations lose an average of $1.2 million each year due to stolen information, which the company's researchers refer to as "secrets."
“Secrets are now the lifeblood for IT and DevOps as they seek to support the explosion of apps and services now required in the contemporary enterprise,” stated Jeff Shiner, CEO of 1Password.
500 adults in the United States who work full-time in their business's IT department or in a DevOps capacity at a company with more than 500 workers were questioned about the keys, tokens, and certificates that power their digital infrastructure.
According to the poll, ten percent of respondents lost more than $5 million as a result of a covert leak. Over 60% of respondents said their company has faced significant data leaks.
Furthermore, two-fifths (40%) of respondents said their businesses had been harmed by a loss of brand reputation, with 29% losing clients as a result of secrets leakage.
According to the research, two-thirds of IT and DevOps personnel (65%) believe their company has more than 500 secrets, and almost one-fifth (18%) believe they have more than they can count.
IT and DevOps professionals spend an average of 25 minutes each day handling secrets, and the number is rising. Last year, more than half of IT and DevOps executives (66%) stated they spent more time managing than they had ever spent before.
Another 61% indicated that numerous initiatives had to be postponed due to their firms' inability to effectively handle their secrets.
Full Access to Former Employer’s systems:
API tokens, SSH keys, and private certificates are still being compromised as 77 percent of IT/DevOps employees indicate they still have access to their former employer's infrastructure secrets, with more than a third (37 percent) claiming complete access.
According to the research, 59 percent of IT/DevOps professionals have also used email to communicate confidential information with coworkers, followed by chat services (40 percent), shared documents/spreadsheets (36%), and text messaging (26 percent ).
More than 62% of respondents said team leads, managers, VPs, and others have ignored security rules due to COVID-19 demands on work.
Jeff Shiner stated, "Our research reveals that secrets are booming, but IT and DevOps teams are not meeting rigorous standards to protect them -- and in the process are putting organizations at risk of incurring a tremendous cost. It's time for companies to take a hard look at how they manage secrets, and adopt practices and solutions to 'put the secret back into secrets' to support a culture of security.
