Who Says We Have A Secret Sprawl Problem

Lalit Choda, NHI Mgmt Group

25 years ago, at a global investment bank:

  • we had the opposite of the current Secrets Sprawl problem

  • we had just one Non-Human Identity (NHI) for the whole division

  • everyone in the department, over 1,000 people, had access to the NHI

  • we ended up with a major audit finding as a result

So what did we do?

  • each application ended up having its own set of NHIs

  • we segregated NHIs, one per environment, to prevent lateral movement between environments

  • each account had an environment suffix, e.g. trading_prod, trading_qa, trading_dev

25 years on, we still see:

  • many accounts are still shared across environments

  • many accounts are still shared across applications

  • many plain-text credentials are found in source code repos, etc.

  • organisations are still struggling to cycle NHI credentials
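The segregation scheme described above (one NHI per application, one per environment, an environment suffix on every account name) and the failures listed after it (accounts shared across environments and applications, credentials that never get cycled) can be turned into a mechanical inventory check. The Python below is an added example, not code from the post or from NHI Mgmt Group: the inventory data, the three environment names and the 90-day rotation period are assumptions constructed for the example, and the rule identifiers are my own.

```python
"""Audit an NHI (service-account) inventory against the one-NHI-per-application,
one-per-environment scheme. Added example; the inventory below is constructed."""
from dataclasses import dataclass
from datetime import date
import re

# Assumption: the three environments named in the post.
ENVIRONMENTS = ("prod", "qa", "dev")
# An account name must be <app>_<env>, e.g. trading_prod.
NAME_RE = re.compile(r"^(?P<app>[a-z][a-z0-9]*)_(?P<env>prod|qa|dev)$")
# Assumption: a 90-day rotation policy; the post does not state a period.
MAX_CREDENTIAL_AGE_DAYS = 90


@dataclass(frozen=True)
class NHI:
    name: str
    used_by_apps: frozenset   # applications that authenticate with this identity
    used_in_envs: frozenset   # environments the credential is deployed to
    last_rotated: date


def parse_name(name):
    """Return (app, env) if the name follows <app>_<env>, else None."""
    m = NAME_RE.match(name)
    return (m["app"], m["env"]) if m else None


def audit_inventory(inventory, today):
    """Return (account, rule) pairs, one for every rule an account violates."""
    findings = []
    for nhi in inventory:
        parsed = parse_name(nhi.name)
        if parsed is None:
            findings.append((nhi.name, "NAMING"))         # no <app>_<env> suffix
        if len(nhi.used_by_apps) > 1:
            findings.append((nhi.name, "SHARED_APP"))     # one account, many applications
        if len(nhi.used_in_envs) > 1:
            findings.append((nhi.name, "SHARED_ENV"))     # lateral path between environments
        if parsed is not None and (
            parsed[0] not in nhi.used_by_apps or parsed[1] not in nhi.used_in_envs
        ):
            findings.append((nhi.name, "NAME_MISMATCH"))  # suffix disagrees with actual use
        if (today - nhi.last_rotated).days > MAX_CREDENTIAL_AGE_DAYS:
            findings.append((nhi.name, "STALE"))          # credential has not been cycled
    return findings


# Constructed sample inventory (not real accounts).
TODAY = date(2024, 12, 1)
SAMPLE_INVENTORY = [
    NHI("trading_prod", frozenset({"trading"}), frozenset({"prod"}), date(2024, 11, 1)),
    NHI("trading_qa", frozenset({"trading"}), frozenset({"qa", "dev"}), date(2024, 11, 1)),
    # The divisional account from the story: every app, every environment, never rotated.
    NHI("svc_div", frozenset({"trading", "risk", "settlements"}),
        frozenset(ENVIRONMENTS), date(1999, 6, 1)),
    # Named as a dev account but its credential is deployed to prod.
    NHI("risk_dev", frozenset({"risk"}), frozenset({"prod"}), date(2024, 6, 1)),
]

if __name__ == "__main__":
    for account, rule in audit_inventory(SAMPLE_INVENTORY, TODAY):
        print(f"{account:14} {rule}")
```

In practice the inventory would come from the secrets manager or identity provider rather than a literal list, and the `used_by_apps` / `used_in_envs` sets from where each credential is actually referenced (CI variables, deployment manifests, config), since that is where cross-environment and cross-application sharing hides.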

Oh I Wish We Could Go Back To One NHI And Avoid the Secrets Sprawl Problem