Who Says We Have A Secret Sprawl Problem
25 years ago at a global investment bank:
we had the opposite of the current Secrets Sprawl problem
we had just one Non-Human Identity (NHI) for the whole division
everyone in the department, over 1,000 people, had access to the NHI
we ended up with a major audit finding as a result
So what did we do?
each application ended up with its own set of NHIs
we segregated NHIs - one per environment, to prevent lateral movement between environments
each account had an environment postfix e.g. trading_prod, trading_qa, trading_dev
25 years on, we still see:
many accounts are still shared across environments
many accounts are still shared across applications
many plain-text credentials are still found in source code repos etc.
organisations are still struggling to cycle NHI credentials
Oh I Wish We Could Go Back To One NHI And Avoid the Secrets Sprawl Problem
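An added example, not from the original post: a small Python audit over a constructed NHI inventory that checks the per-environment postfix convention described above (trading_prod, trading_qa, trading_dev) and flags the four findings the post lists 25 years on. The inventory rows, the 90-day rotation policy and the audit() function are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Naming convention from the post: <application>_<environment>
ENVS = ("prod", "qa", "dev")
NAME_RE = re.compile(r"^(?P<app>[a-z0-9]+)_(?P<env>" + "|".join(ENVS) + r")$")
MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy, not from the post

# Constructed inventory: one row per place an NHI is used
# (account, application, environment it is used in, last credential rotation)
INVENTORY = [
    ("trading_prod", "trading",    "prod", date(2024, 5, 1)),
    ("trading_qa",   "trading",    "qa",   date(2024, 5, 1)),
    ("trading_dev",  "trading",    "dev",  date(2024, 5, 1)),
    ("risk_prod",    "risk",       "prod", date(2023, 1, 10)),  # never cycled
    ("risk_prod",    "risk",       "qa",   date(2023, 1, 10)),  # prod account used in qa
    ("svc_shared",   "trading",    "prod", date(2024, 5, 1)),   # no postfix, two apps
    ("svc_shared",   "settlement", "prod", date(2024, 5, 1)),
]

def audit(inventory, today):
    """Return {account: sorted findings} for every NHI that breaks the rules."""
    findings = defaultdict(set)
    envs_by_acct = defaultdict(set)
    apps_by_acct = defaultdict(set)
    last_rotated = {}
    for acct, app, env, rotated in inventory:
        envs_by_acct[acct].add(env)
        apps_by_acct[acct].add(app)
        last_rotated[acct] = rotated
        m = NAME_RE.match(acct)
        if m is None:
            findings[acct].add("no environment postfix")
        elif m.group("env") != env:
            # account named for one environment is in use in another
            findings[acct].add(f"{m.group('env')} account used in {env}")
    for acct in envs_by_acct:
        if len(envs_by_acct[acct]) > 1:
            findings[acct].add("shared across environments")
        if len(apps_by_acct[acct]) > 1:
            findings[acct].add("shared across applications")
        if (today - last_rotated[acct]).days > MAX_CREDENTIAL_AGE_DAYS:
            findings[acct].add("credential not rotated")
    return {acct: sorted(msgs) for acct, msgs in findings.items()}

if __name__ == "__main__":
    for acct, msgs in audit(INVENTORY, date(2024, 6, 1)).items():
        print(acct, "->", "; ".join(msgs))
```

The same structure applies to any inventory exported from a secrets manager or IAM system; the rules are the ones the post argues for, not a complete NHI policy.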