The Secret Life of Machines III: Secrets want To Be Free
(NOTE: The Secret Life of Machines series was originally written for a different site in the 1st half of 2021. These are virtually unchanged)
Secrets have come in many forms over the course of history. Regardless of the century or the technological underpinnings, secret disclosure and information leakage has always followed the fundamental laws of entropy and equilibrium.
Whitfield Diffie, a pioneer of public-key cryptography and someone who was clearly all about secrecy and secrets, summarized our attitudes about secrets in infosec when he wrote “It isn’t that secrets are never needed in security. It’s that they are never desirable.” Of course, his lukewarm endorsement is spot on, but why and what can be done about it?
Each time you build a process, a practice, or a control that relies upon a secret being kept – you’ve added a new set of vulnerabilities that bring their own risks and expense to your business. Bruce Schneier, another security luminary, makes the point directly; “Every secret creates a potential failure point.”
As long as we can keep our secrets secure, we should be all good right? Here is the problem. Even if it were possible to have exactly the right technology, the right training, and the right processes and controls in place, can secrets actually be kept? Is there something about the very nature of secrets – at least the ones that matter – that makes this impossible? Of course, the right technology, training, processes and controls is just an abstract ideal; realty is messy (hint: I’m foreshadowing disorder – unmanaged information dissemination – as a state of equilibrium)
If secrets are, in fact, vulnerabilities wrapped in a promise that can’t be kept, what does that say about our near total dependence on secrets like Privileged account credentials, Passwords, Certificates, SSH keys, API keys, and Encryption keys? Gary McGraw, a software security pioneer and noted author spoke to the magical thinking that we often cling to in the cybersecurity world when he wrote that “all the magic crypto fairy dust in the world won’t make you secure.”
If the leaders in data and systems security don’t see secret management as a technology problem at its core, could this all be tied back to a flaw in human nature? Quips from Lincoln, Benjamin Franklin, and Samuel Johnson highlighted above make clear that over the centuries no rational thinker would be foolish enough to bet their life on the lifespan of a secret.
If keeping secret management’s only Achilles heel is people, then let’s just take humans out of the equation. This would be a huge relief for two reasons. First, given the rise of IoT, machine learning, and microservices, device identity and trust have never been more critical. We simply must find a way to establish an unshakeable root of trust in these increasingly independent systems. Second, with the growing sophistication of machine-to-machine behaviors, perhaps the perfect secret management solution that does not rely on passwords – or other kinds of secrets – may finally be within reach!
…but what if the problem goes deeper? – and mankind’s millennial-long struggle to keep its secrets is a symptom rather than the root cause of a secret’s frailty and brittle nature? As the quotes from fiction authors above highlight, secrets have their own energy – a power hat is proportional to the disruption and chaos that flows from secret (information) leakage – not by the absolute number of people with or without access. …and with complete disclosure, a secret “loses all its power.”
The Laws of Secret Management
The orderly structure implied by a well-kept secret (information being only accessible to authorized people and machines and prohibited from all others even as they clamor to gain access) behaves like every other ordered system in the universe. They trend toward disorder.
Information leakage is one of those phenomena that are irreversible; you can’t put the genie back in the bottle. For a wholly accessible and entertaining discussion of how experience (keeping and losing secrets or the melting of an iceberg) fit into a hierarchy of complexity that ultimately ties back to detailed physical laws – and why BOTH important – I recommend The Character of Physical Law 5 - The Distinction of Past and Future by Richard Feynman (I recommend Richard Feynman period).
I doubt (although I can’t be certain) that when Lisa Unger wrote in Beautiful Lies that “The Universe doesn't like secrets. It conspires to reveal the truth, to lead you to it,” that she was consciously dramatizing The Second Law of Thermodynamics that states that “As one goes forward in time, the net entropy (degree of disorder) of any isolated or closed system will always increase.” Nevertheless, that is what she was doing.
This is not a metaphor – there is an irreversible force of nature that moves closed systems (our networks and connections) to release its secrets – to reach a point of equilibrium where your most important secrets are known.
The Secrets Management Market which includes Identity Management, Encryption, etc. and easily exceeds $100B USD and growing. The substantial expense, complexity, and risks that stem from building security dependent on secrets are all in play to postpone and forestall the inevitable. This is what is behind Whitfield Diffie’s truly prescient insight “It isn’t that secrets are never needed in security. It’s that they are never desirable.”
There can be (should be) a better way to build security without secrets and to avoid the massive burden and byzantine operations that must follow secrets management everywhere.