What Is Secrets Management?

In modern software engineering, effective secrets management has become key to maintaining a strong security posture. 

Secrets management is the systematic approach to protecting, controlling, and auditing sensitive digital credentials throughout their lifecycle, particularly those involved in machine-to-machine authentication and authorization. This involves securing critical information such as authentication tokens, API keys, and encryption certificates used in software applications, cloud services, and IT infrastructure. 

For large organizations, where numerous developers use secrets daily in various contexts, improper secrets management can lead to data breaches and potential existential risks for the business. As enterprises grow and their environments become more diverse, spanning on-premises and multi-cloud infrastructures, managing secrets securely becomes increasingly complex:

• Different levels of authentication and authorization
• Secret rotation and revocation
• Maintaining comprehensive audit trails

Given these challenges, engineering teams often find themselves at a crossroads: Should they build a custom secrets management solution tailored to their specific needs, or buy an off-the-shelf product from a reputable vendor? 

This article will explore both options, weighing the pros and cons of each to help you make an informed decision for your organization’s secret storage needs.

Building a Custom Secrets Management Solution

Building a custom solution comes with advantages and drawbacks. Organizations that have complex environments or highly specialized use cases may not be able to integrate a vendor solution without requiring extensive customization. A custom solution, meanwhile, can be designed with unique requirements and specifications in mind.

Advantages of Building a Custom Solution

Organizations that choose to build a custom solution will have the advantage of getting a system that is tailored exactly to their needs and integrates well with their existing applications.

Tailored to Specific Organizational Needs

Your team can design and build a custom-built secrets management tool that directly addresses your organization’s unique requirements and workflows.

Full Control Over the Architecture and Security Measures

You have complete oversight of the system’s design, allowing you to implement security measures that align with your organization’s standards.

Potential for Deep Integration with Existing Systems

A custom solution can be designed from day one to integrate specifically with existing systems and infrastructure; there’s no need to build additional middleware or perform extra integration work that might be needed with an off-the-shelf solution.

Challenges and Other Considerations

Despite their pros, custom solutions present significant challenges you’ll need to consider carefully before deciding to proceed with implementation. They also require heavy investment in support and ongoing development cycles.

Development Time and Resources Required

Building a working secrets management system from scratch requires significant time and skilled personnel, which may divert resources from other critical projects. 

Ongoing Maintenance and Updates

Secrets management is a mission-critical function, as your applications need constant secrets access. As threats evolve and new vulnerabilities are discovered, your team will need to continuously update and maintain the system to ensure its security and effectiveness. Each update will additionally need to be checked to ensure it does not cause downtime in your bespoke system. 

The solution will also need full operational support, as users will expect the same SLA and uptime requirements as their own systems. This will require on-call resources, documentation, and an integrated ticketing and response system.

Ensuring Compliance with Industry Standards and Regulations

Keeping up with complex compliance requirements can create high hurdles for an in-house team, not to mention be resource-intensive. 

Compliance frameworks like GDPR, HIPAA, and PCI-DSS all have specific guidance for securing the storage of sensitive data, i.e., how to store, manage, and transmit sensitive values like credentials. Getting this wrong with a custom solution could put your organization at risk for fines or an investigation.

Buying a Commercial Secrets Management Solution

Purchasing a commercial secrets management solution is an attractive approach for a number of reasons. Perhaps most importantly, many engineering teams should focus on building and developing their own products rather than building and maintaining a complex, custom system when third-party solutions already exist. 

Advantages of Purchasing a Commercial Solution

There are practical reasons why buying may be the best option for most.

Rapid Deployment and Faster Time-to-Value

Off-the-shelf solutions are already built and typically come with vendor support resources. Compared to the effort required to build a custom secrets management tool, vendor solutions often require a fraction of the engineering effort to integrate.

Proven Security Measures and Regular Updates

Established vendors invest heavily in security research and development, providing customers with industry-standard solutions that are regularly updated and tested.

Built-In Compliance Features and Certifications

Many commercial solutions come with pre-built compliance features and industry certifications, simplifying the process of meeting regulatory requirements.

Challenges and Considerations

There are, however, various hurdles when choosing to buy instead of build a platform for secrets management.

Less Flexibility for Customization

Commercial solutions often offer some level of customization, although this can come at the cost of flexibility; a vendor platform will typically not match a custom-built system in meeting highly specific organizational needs. Look for a solution that provides a wide range of out-of-the-box integrations as well as support for custom integrations.

Dependency on Vendor Support and Roadmap

Your organization’s ability to adapt and evolve its secrets management practices may be tied to the vendor’s development roadmap and support capabilities.

Licensing Costs and Potential Vendor Lock-In

Commercial solutions typically involve ongoing licensing fees, and there may be concerns about becoming overly reliant on a single vendor’s ecosystem.

Key Factors to Consider in the Build vs. Buy Decision

When evaluating whether to build or buy a secrets management solution, several attributes come into play. 

Scalability Requirements

Scalability is crucial for secrets management, especially in enterprises that may have a larger number of diverse environments, such as on-premises or hybrid infrastructure. Scalability factors to keep in mind include:

• Horizontal scaling: Make sure the platform can handle an increasing number of secrets and users without performance degradation.
• Multi-region support: For global organizations, verify the solution can replicate secrets across different geographical regions while maintaining consistency. 
• Support for multi-cloud and hybrid: Most large organizations have processes running on multiple cloud service providers as well as on legacy, bare-metal systems. Make sure that you choose a solution that can support your processes wherever they are located.
• API performance: Evaluate the solution’s ability to handle high-volume API requests, which is critical for automated systems and CI/CD pipelines.

A custom-built solution might offer fine-grained control over scalability but will require significant engineering effort. Commercial vendors, on the other hand, often offer scaling capabilities via built-in autoscaling, load balancing, and other features that can be more cost-effective for most organizations.

Security and Compliance Across Environments

Security is one of the top priorities in secrets management. Some of the key considerations include:

• Encryption standards: Look for solutions that use strong, industry-standard encryption algorithms (e.g., AES-256) for data at rest and in transit.
• Key management: Evaluate the strength and usability of key management practices, including key rotation and lifecycle management, storage, transit security, and integrity management.
• Compliance certifications: For regulated industries, ensure the solution meets relevant standards (e.g., FIPS 140-2, SOC 2, ISO 27001).

While a custom solution allows for tailored security measures, commercial solutions often have the advantage of extensive security testing and regular audits.

Total Cost of Ownership (TCO)

TCO goes beyond initial implementation costs and can have a long-term impact on engineering productivity:

• Development costs: Consider the time and resources required for designing, developing, and testing custom solutions. 
• Operational costs: Include ongoing expenses such as infrastructure, monitoring, and incident response.
• Maintenance and updates: Calculate the spend required to apply the latest security patches, update the solution, and code new features. 

Commercial solutions typically have a more predictable TCO, with costs scaling linearly as usage increases. Custom platforms, however, often see exponential cost growth due to increasing complexity and maintenance requirements.

Integration Capabilities

Secrets management doesn’t exist in isolation. Organizations should also evaluate:

• API flexibility: Look for well-documented APIs that follow common standards like REST and allow for easy integration with existing tools and workflows. 
• DevOps tool integration: Consider native integrations with popular CI/CD tools, container orchestrators, and cloud platforms. 
• Identity provider integration: Assess the ability to integrate with identity and access management (IAM) policies and tools already in place for unified authentication and authorization.

A custom-built secrets management system can offer deep, tailored integrations but require significant development effort. A commercial one, on the other hand, often provides out-of-the-box integrations with popular tools and platforms, potentially saving considerable time and resources.

Long-Term Maintenance and Support

Supporting an internal secrets management platform long-term means engineering and operational support resources must be managed and integrated into product design considerations:

• Security updates: Continuously monitor and update the secrets management platform and all associated infrastructure to ensure a robust security posture. 
• Feature development: Provide ongoing product management for the secrets management platform. Engineering teams will likely want additional features to support new tools and applications, and will need continuously updated feature roadmaps and release cadences.
• Support and troubleshooting: Commit to and maintain SLA commitments for the secrets management platform so that engineering teams can feel confident depending on the service for their own applications.

Custom solutions are resource-intensive, requiring a dedicated team for day-to-day maintenance and support. Commercial solutions typically offer professional support and regular updates as part of their service, potentially reducing the burden on internal teams.

What to Look for in a Commercial Secrets Management Solution

Not all commercial secrets management solutions are created equal; organizations can easily get sucked into buying an expensive, complex, and difficult-to-integrate solution:

• Simplicity and scalability: Many secrets management solutions employ complex vault-based systems that are resource-intensive, don’t scale well, and are quite costly. Choose solutions that are easy to scale and don’t require constant maintenance.
• Integration and extensibility: Look for solutions with broad cloud ecosystem support, featuring native integrations as well as comprehensive APIs and SDKs to incorporate into your existing workflows.
• Compliance and auditing: Choose a solution that simplifies security audits; a good secrets management platform will already be certified by industry-standard frameworks.
• Zero knowledge: Your secrets are your secrets. Vendors shouldn’t need or have access to your most sensitive data to deliver their service.

Commercial solutions offer many advantages over those that are custom-built. However, choosing the wrong one could mean getting stuck with an expensive product that doesn’t actually satisfy your organization’s needs.

Best Practices for Implementing Secrets Management

Whether your organization chooses to build or buy, there are a few best practices that apply to either choice:

• Implement centralized secrets management to maintain consistent access controls and simplify management.
• Automate secret rotation and lifecycle management to reduce the risk of compromise.
• Maintain comprehensive logs and implement monitoring tools for fast incident detection and remediation.
• Enforce the principle of least privilege to minimize the blast radius of potential breaches.

Conclusion

It’s critical to get secrets management right. 

As an organization scales in size and system complexity, the total cost of ownership for an in-house custom solution tends to grow exponentially, while the cost of a third-party solution increases linearly.

While building a custom solution may seem appealing due to the potential for tailored functionality, the long-term costs and challenges associated with maintaining and scaling such a system often outweigh the benefits. 

Third-party secrets management solutions, on the other hand, can offer faster deployment, proven security measures, and built-in compliance features that can significantly reduce the burden on your organization.

For most enterprises with diverse environments and complex security requirements, a commercial solution is likely to provide the most cost-effective and secure approach to secrets management.

The Akeyless Secrets Management platform should be on your short list when considering a comprehensive secrets management solution. While building a custom solution may seem appealing, Akeyless offers a ready-to-scale SaaS platform that provides centralized secrets management and saves you money wasted on hidden costs. 

Our secrets management solution is easy to maintain and deploy, plus it integrates seamlessly with your existing tooling. The unique Akeyless architecture supports multi-cloud, hybrid, and bare-metal systems and includes patented DFC™ cryptography that ensures Zero Knowledge for your secrets. Learn more about Akeyless security and automated functionality by scheduling a demo today.