NHI2 2025: Secret Leakage – Understanding and Mitigating the Risks

In today's rapidly evolving digital landscape, non-human identities (NHIs) have become indispensable for enterprise operations. These digital credentials, used by machines, applications, and automated processes, support cloud operations and AI-driven tasks. However, this reliance on NHIs introduces significant security challenges, making Secret Leakage a critical risk.

What is Secret Leakage?

Secret Leakage (NHI2:2025) refers to the exposure of sensitive NHIs to unauthorized data stores during the software development lifecycle. These NHIs include API keys, tokens, encryption keys, and certificates, all essential for secure authentication and access within IT systems. The OWASP Foundation identifies Secret Leakage as a primary concern when integrating NHIs into development processes.

How Does Secret Leakage Occur?

Secret Leakage happens when sensitive credentials are unintentionally exposed through various channels:

• Hard-coding into source code: Developers may embed API keys or passwords directly into the code, making them easily accessible.
• Storage in plain text configuration files: Saving sensitive information in unprotected configuration files exposes credentials to anyone with access.
• Sharing over public chat applications: Transmitting secrets via unsecured communication channels increases the risk of interception.
• Embedding in source code, sharing in developer forums, or leaving in publicly accessible repositories: Broader exposure through public platforms amplifies the chances of discovery by malicious actors.

Why is Secret Leakage a Major Security Risk?

The consequences of Secret Leakage can be severe:

• Unauthorized Access: Leaked credentials allow attackers to bypass security measures and gain unauthorized access to critical systems and data.
• Privilege Escalation: Attackers can use compromised NHIs to escalate their privileges, granting them greater control over the network.
• Lateral Movement: Once inside the system, attackers can move laterally, accessing other systems and data.
• Data Exfiltration: Sensitive data can be stolen and exfiltrated, leading to financial losses and reputational damage.
• System Disruption: Critical operations can be disrupted, causing downtime and affecting business continuity.

Real-World Examples

Several high-profile breaches have highlighted the dangers of Secret Leakage, including:

• Cloudflare: Attackers exploited gaps in Cloudflare's inventory of non-human identities by using credentials compromised in a previous Okta breach. They accessed Cloudflare's Atlassian environment using a missed access token and three service accounts.
• AWS: A cyberattack exploited misconfigured environment variable files (.env files) to extract over 90,000 unique credentials, including AWS IAM access keys.
• Hugging Face: Attackers gained unauthorized access to API tokens and secrets used by users to manage AI applications and datasets on Hugging Face's Spaces platform.
• Microsoft Exchange Online: A breach compromised mailboxes by exploiting authentication tokens associated with a Microsoft key established in 2016, giving attackers access to sensitive information and systems.
• Dropbox: A threat actor compromised a service account in an automated system configuration tool, accessing sensitive customer information.

These incidents underscore the importance of proactive measures to prevent Secret Leakage.

Prevention and Mitigation Strategies

To defend against Secret Leakage, organizations should adopt a multi-faceted approach:

• Implement Robust Scanning Tools:
  
  • Use commercial tools like Cremit to scan for exposed secrets across the entire tech stack. Cremit can detect secrets in source code, hidden content, deleted code, and version history.
  • Employ static code analysis tools to identify hardcoded credentials and other vulnerabilities before deployment.
• Enforce Secure Development Practices:
  
  • Avoid hard-coding credentials: Use environment variables or secure vaults to store sensitive information.
  • Secure configuration files: Protect configuration files with appropriate permissions and encryption.
  • Use secure communication channels: Transmit secrets only through encrypted channels.
• Adopt an "Assume Leak" Mindset:
  
  • Operate under the assumption that NHIs have already been exposed.
  • Implement continuous monitoring and behavioral analytics to detect suspicious activities.
  • Establish processes for swiftly revoking compromised NHIs and containing potential damage.
• Implement Zero Trust Principles:
  
  • Verify every identity: Continuously monitor and validate every NHI access request to ensure legitimacy.
  • Enforce least privilege: Grant NHIs only the minimum necessary access permissions.
  • Use short-lived tokens: Employ short-lived, signed tokens (e.g., OAuth 2.0) instead of long-lived static credentials.
  • Context-based validation: Ensure NHIs are accessing resources only from known environments.
• Automate NHI Lifecycle Management:
  
  • Provisioning: Securely create and assign unique credentials to NHIs with appropriate privileges and governance.
  • Rotation: Regularly update credentials to minimize the risk of unauthorized access.
  • Deprovisioning: Deactivate and remove unused NHIs to reduce the attack surface.
• Strengthen NHI Security Posture:
  
  • Conduct posture assessments: Evaluate secret rotation, access permissions, and compliance with security policies.
  • Prioritize remediation: Address over-privileged accounts and unrotated secrets.
• Ensure Comprehensive Visibility and Context:
  
  • Maintain a centralized view of all NHIs across all environments.
  • Understand each NHI’s origin, ownership, storage, usage patterns, and permissions.
  • Use tools like Cremit’s NHI Traceability to map NHI origins and associated risks.

Cremit NHI Security Platform for NHI Protection

Cremit  offers a comprehensive platform to secure NHIs and mitigate the risk of Secret Leakage:

• Complete Visibility Across NHIs: Cremit provides a unified view of all NHIs across cloud platforms, SaaS applications, CI/CD pipelines, code repositories, and on-prem systems.
• Real-Time Threat Detection and Response: The platform continuously monitors NHI activity, flags anomalies, and provides real-time alerts for suspicious behavior, enabling immediate threat containment.
• Zero Trust Architecture: Cremit ensures continuous validation of every NHI interaction, minimizing the risk of unauthorized access.
• Automated Identity Governance: Cremit streamlines lifecycle management, enforcing least-privilege access and ensuring timely removal of obsolete identities.
• Compliance and Audit-Ready Reporting: The platform supports governance, risk management, and audit logs with comprehensive reporting and automated compliance checks.

The Importance of a Proactive Approach

Secret Leakage poses a significant threat to organizations of all sizes. By adopting a proactive approach and leveraging the right tools, enterprises can effectively mitigate the risks associated with Secret Leakage and ensure a more secure and resilient digital environment. Start now or book a demo!