Spiceworks: Protecting Secret Zero No Longer Requires Black Belt In Security
Protecting source code and data has added considerable time and complexity to development. Steve Van Lare, VP of Engineering at Anjuna Security, discusses how from-the-ground-up data and code security speeds development and frees innovation.
While pressures on developers continue to intensify, building security for code and data directly into the codebase no longer needs to be a concern, thanks to advances in confidential computing technology in the public cloud. The challenge with encryption is how to distribute keys, not the algorithms themselves. Previously, for most systems, one still needed a secret to get keys from a key manager, and that secret is the root of trust. The problem of protecting the code and operations’ secrets was met by building secret zero, a master secret protecting all other secrets, directly into the code. Besides the work involved in building such a system of cascading secrets and the lengths required to protect secret zero, the overall endeavor left a considerable single point of vulnerability or failure. If someone gains access to secret zero, the rest falls like a house of cards. Such a scenario is not purely hypothetical. This is exactly what happened in the case of the devastating SolarWinds breach.
Read Steve's full article on Spiceworks for the complete.