Password specialist 1Password has acquired SecretHub, a secrets management platform aimed at IT engineers, and made a new service called Secrets Automation, previously in beta, generally available.
The proliferation of passwords and SSH keys in modern IT has brought with it a tricky management problem, not only for people but also for machine-to-machine communications. Developers may struggle to keep secrets such as database logins secure, when their code will not function without them.
In 2019 researchers at North Carolina State University scanned code publicly committed to GitHub and found that “not only is secret leakage pervasive — affecting over 100,000 repositories — but that thousands of new, unique secrets are leaked every day.” In June 2020, security researcher Craig Hays deliberately leaked server credentials in a GitHub repository and observed an unauthorised login just 34 minutes later.
Secrets Automation uses a Connect Server, delivered as a Docker container, which users deploy in their environment. This provides a REST API which applications and services call to get the credentials they need.
Step by step. Source: 1Password. Click to enlarge
These requests are authenticated with an access token, unique to each application or service. 1Password provides API client libraries for Go, Node.js and Python, and there are plugins for tools including Terraform, Kubernetes, Hashicorp Vault, and Ansible.
There is also an upcoming integration with GitHub; VP of partner engineering Dana Lawson said that “with the upcoming GitHub and 1Password Secrets Automation integration, teams will be able to fu ..