Cost of Automating vs. Cost of Managing
Secrets management is one of those things that becomes more and more important as successful small companies grow into successful bigger companies. At first, with a small group of trusted developers, we tend to ignore secrets management entirely. As we grow larger, we often patch together technology and process to meet the security requirements of secrets management without scoping and implementing an entirely automated solution. At some point, the ongoing cost of managing the manual process exceeds the cost of biting the bullet and implementing a proper, fully automated solution.
Although this lifecycle may still be the case for some, new solutions have lowered the cost of implementing a fully automated solution to the point that pretty much everyone should be jumping straight to the finish line and implementing a proper secrets management solution from the start. AWS Secrets Manager is one of these. If your infrastructure is running on AWS, there is no longer any excuse to avoid secrets management.
Case Study
We recently did an implementation for Blast Motion, who aggregate and analyze athletic performance metrics and are running on AWS with apps running in Elastic Beanstalk. Clearly they value automation, with a fully automated, container-based deployment pipeline and a fully automated infrastructure. When they asked for a secrets management solution, AWS Secrets Manager fit the bill.
We configured AWS Secrets Manager and assisted with the integration of AWS Secrets Manager with their application. The first set of credentials was the database credentials. The configuration was captured in code and provisioned with Terraform, so that all of the infrastructure stays defined as code. From there, we assisted the application development team with the application integration. In no time, they were up and running.
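The application side of an integration like this is usually a small, repeatable pattern: read the JSON secret Secrets Manager keeps for a database, cache it so every connection does not become an API call, and refresh it when the database rejects the password because rotation has moved the secret on. The example below is added here and is not Blast Motion's code or AWS's; it assumes the secret uses the JSON layout Secrets Manager writes for RDS credentials (username, password, host, port, dbname), that the client honours boto3's get_secret_value(SecretId=..., VersionStage=...) contract, and it swaps in constructed stand-ins for the Secrets Manager client and the database so it runs offline. With a real deployment, the cache would be built from boto3.client("secretsmanager") and the connect callable from your database driver.

```python
"""Fetch, cache and refresh database credentials from AWS Secrets Manager.

Added example, not the project's or AWS's code. Assumptions: the secret is a
JSON string in the RDS layout; the Secrets Manager client implements
get_secret_value(SecretId, VersionStage); the database connect function and
its authentication-failure exception are injected. Stand-ins are constructed.
"""
import json
import time
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class DbCredentials:
    username: str
    password: str
    host: str
    port: int
    dbname: str
    version_id: str  # Secrets Manager VersionId, useful in logs during rotation


class AuthenticationFailed(Exception):
    """Stand-in for the driver's 'password rejected' error (constructed)."""


class SecretCache:
    """Caches one secret for ttl_seconds; a force_refresh bypasses the cache."""

    def __init__(self, client: Any, secret_id: str, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client, self._secret_id, self._ttl, self._clock = client, secret_id, ttl_seconds, clock
        self._value: Optional[DbCredentials] = None
        self._fetched_at = 0.0

    def get(self, force_refresh: bool = False) -> DbCredentials:
        now = self._clock()
        if force_refresh or self._value is None or now - self._fetched_at >= self._ttl:
            self._value = self._fetch()
            self._fetched_at = now
        return self._value

    def _fetch(self) -> DbCredentials:
        # Always ask for AWSCURRENT: during rotation AWSPENDING may not yet work on the DB.
        resp = self._client.get_secret_value(SecretId=self._secret_id, VersionStage="AWSCURRENT")
        if "SecretString" not in resp:
            raise ValueError("expected a JSON SecretString, got a binary secret")
        doc = json.loads(resp["SecretString"])
        return DbCredentials(username=doc["username"], password=doc["password"], host=doc["host"],
                             port=int(doc["port"]), dbname=doc["dbname"], version_id=resp["VersionId"])


def connect_with_rotation_retry(cache: SecretCache, connect: Callable[[DbCredentials], Any]) -> Any:
    """Connect with cached credentials; on an auth failure, refresh once and retry.

    An auth failure right after a rotation is the expected signal that the cached
    password is stale, so one refresh is allowed; a second failure propagates.
    """
    try:
        return connect(cache.get())
    except AuthenticationFailed:
        return connect(cache.get(force_refresh=True))


class FakeSecretsManagerClient:
    """Constructed stand-in for boto3.client("secretsmanager") with a versioned secret."""

    def __init__(self) -> None:
        self.calls = 0
        self.versions: list = []  # (version_id, document); last entry is AWSCURRENT

    def put(self, version_id: str, doc: dict) -> None:
        self.versions.append((version_id, doc))

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT") -> dict:
        self.calls += 1
        if VersionStage != "AWSCURRENT":
            raise ValueError("stand-in only serves AWSCURRENT")
        version_id, doc = self.versions[-1]
        return {"Name": SecretId, "VersionId": version_id, "VersionStages": ["AWSCURRENT"],
                "SecretString": json.dumps(doc)}


class FakeDatabase:
    """Constructed stand-in for the database: accepts only its current password."""

    def __init__(self, password: str) -> None:
        self.password = password

    def connect(self, creds: DbCredentials) -> str:
        if creds.password != self.password:
            raise AuthenticationFailed(f"password rejected for {creds.username}")
        return f"connection as {creds.username}@{creds.host}:{creds.port}/{creds.dbname}"


def demo() -> dict:
    """Walks the lifecycle: first fetch, cache hit, rotation, refresh on failure, TTL expiry."""
    doc = {"username": "app", "password": "pw-one", "engine": "postgres",
           "host": "db.example.internal", "port": 5432, "dbname": "metrics"}  # constructed
    sm, db, now = FakeSecretsManagerClient(), FakeDatabase("pw-one"), [0.0]
    sm.put("v1", doc)
    cache = SecretCache(sm, "prod/app/db", ttl_seconds=300.0, clock=lambda: now[0])
    first = connect_with_rotation_retry(cache, db.connect)   # API call 1
    connect_with_rotation_retry(cache, db.connect)           # served from cache
    sm.put("v2", {**doc, "password": "pw-two"})              # rotation lands a new version
    db.password = "pw-two"                                   # ...and the DB now expects it
    third = connect_with_rotation_retry(cache, db.connect)   # stale -> auth fail -> API call 2
    now[0] = 301.0                                           # TTL elapsed
    cache.get()                                              # API call 3
    return {"first": first, "third": third, "version": cache.get().version_id, "api_calls": sm.calls}


if __name__ == "__main__":
    print(demo())
```

The retry path is what makes rotation safe for a long-running process: Secrets Manager's rotation function changes the password in the database and in the secret, and the application only learns about it when the old password is refused, at which point it refreshes once and continues. Keeping the TTL short bounds how long stale credentials are held; keeping it above zero bounds API cost.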
Results
With relatively small effort, Blast Motion now enjoys high confidence that they can rotate keys and otherwise manage key lifecycle with almost no management overhead. This further strengthens and improves the reliability of their end-to-end encryption model, which includes both mobile and web-based applications. Have you automated your secrets management yet? Are you using AWS Secrets Manager? HashiCorp's Vault? Other tools? Let us know!