25 years ago at a global investment bank:
- we had the opposite to the current Secrets Sprawl problem
- we had just one Non-Human Identity (NHI) for the whole division
- everyone in the department had access to the NHI, over 1,000 people
- we ended up with a major audit finding as a result
So what did we do?
- each application ended up having its own set of NHIs
- we segregated NHIs – one per environment to prevent lateral movement between environments
- each account had an environment postfix, e.g. trading_prod, trading_qa, trading_dev
25 years on, we still see:
- many accounts are still shared across environments
- many accounts are still shared across applications
- many plain-text credentials are found in source code repos etc.
- organisations are still struggling to cycle NHI credentials
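An added example (not from the original post) of how the per-environment, per-application rule and the findings above can be checked against an NHI inventory: it flags accounts shared across environments or applications, names that lack the <application>_<environment> postfix or whose postfix does not match where the account is actually used, and credentials older than an assumed 90-day rotation policy. The inventory format, the 90-day limit and the sample accounts are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import date

ENVIRONMENTS = ("prod", "qa", "dev")
# Naming convention from the post: <application>_<environment>
NAME_RE = re.compile(r"^(?P<app>[a-z0-9]+)_(?P<env>%s)$" % "|".join(ENVIRONMENTS))
MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy, not from the post


@dataclass(frozen=True)
class NhiBinding:
    """One (account, application, environment) use of a credential (assumed inventory shape)."""
    account: str
    application: str
    environment: str
    last_rotated: date


def audit_nhis(bindings, today):
    """Return (account, finding, detail) tuples for every policy breach found."""
    by_account = {}
    for b in bindings:
        by_account.setdefault(b.account, []).append(b)
    findings = []
    for account, uses in sorted(by_account.items()):
        envs = sorted({u.environment for u in uses})
        apps = sorted({u.application for u in uses})
        if len(envs) > 1:  # one credential reachable from several environments
            findings.append((account, "shared-across-environments", envs))
        if len(apps) > 1:  # one credential shared by several applications
            findings.append((account, "shared-across-applications", apps))
        m = NAME_RE.match(account)
        if m is None:
            findings.append((account, "missing-environment-suffix", None))
        elif envs != [m.group("env")]:  # e.g. a *_qa account bound in prod
            findings.append((account, "suffix-does-not-match-environment", envs))
        age_days = (today - min(u.last_rotated for u in uses)).days
        if age_days > MAX_CREDENTIAL_AGE_DAYS:
            findings.append((account, "credential-not-cycled", age_days))
    return findings


# Constructed sample inventory (not real data).
SAMPLE_BINDINGS = [
    NhiBinding("trading_prod", "trading", "prod", date(2024, 5, 1)),
    NhiBinding("trading_qa", "trading", "qa", date(2024, 5, 1)),
    NhiBinding("trading_dev", "trading", "dev", date(2024, 5, 1)),
    NhiBinding("risk_qa", "risk", "prod", date(2024, 5, 1)),  # qa account used in prod
    NhiBinding("svc_shared", "trading", "prod", date(2023, 1, 1)),
    NhiBinding("svc_shared", "risk", "qa", date(2023, 1, 1)),
]
AUDIT_DATE = date(2024, 6, 1)  # constructed "today" for the sample run


def run_sample():
    return audit_nhis(SAMPLE_BINDINGS, AUDIT_DATE)
```

Running `run_sample()` leaves the three properly segregated trading_* accounts clean and reports the shared, unsuffixed, stale `svc_shared` account plus the `risk_qa` account bound outside its named environment.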
Oh I Wish We Could Go Back To One NHI And Avoid the Secrets Sprawl Problem