Building Uber’s Multi-Cloud Secrets Management Platform to Enhance Security

Matt Mathew, Ludi Li, Chen Xi, Yiting Fan
16 min readadvanced
--
View Original

Overview

This article discusses the development of Uber's Multi-Cloud Secrets Management Platform, designed to enhance security across its extensive microservices architecture. It highlights the challenges of secrets sprawl and the strategies implemented to centralize and automate secrets management, ensuring secure and efficient operations.

What You'll Learn

1

How to implement a centralized secrets management system in a multi-cloud environment

2

Why automating secret rotation is crucial for security and efficiency

3

When to use secretless authentication to enhance security posture

Prerequisites & Requirements

  • Understanding of secrets management concepts and practices
  • Familiarity with HashiCorp Vault and cloud service integrations(optional)

Key Questions Answered

What challenges does Uber face with secrets management?
Uber manages over 150,000 secrets across 5,000 microservices and 5,000 databases, leading to issues like secrets sprawl and insecure sharing. The article details the company's efforts to centralize and automate secrets management to address these challenges.
How does Uber automate secret rotation?
Uber's Secret Management Platform automates the rotation of secrets through APIs that manage secret lifecycle events. This system orchestrates the rotation process, enabling up to 20,000 secrets to be rotated monthly without human intervention.
What is the Secure Secret eXchange (SSX) system?
The SSX system allows Uber to securely exchange secrets with third-party vendors without exposing them to humans. It verifies vendors through a one-time passcode and facilitates the direct transfer of secrets into Uber's internal vaults.
What are the benefits of consolidating secret vaults?
Consolidating secret vaults into six managed by a single team allows for standardized governance and security measures across all secrets. This reduces the complexity of managing multiple vaults and limits the blast radius in case of incidents.

Key Statistics & Figures

Number of microservices managed
5,000
Uber operates over 5,000 microservices to support its applications.
Number of secrets managed
150,000
Uber utilizes over 150,000 secrets for authentication across its services.
Secrets rotated monthly
20,000
The automation system orchestrates the rotation of approximately 20,000 secrets each month.
Reduction in secrets distributed to workloads
90%
Monitoring and scoping secrets appropriately led to a 90% reduction in unnecessary secret distribution.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Key Actionable Insights

1
Implement a centralized secrets management platform to enhance security across your organization.
Centralizing secrets management helps prevent leaks and ensures consistent security measures, especially in complex multi-cloud environments.
2
Adopt automated secret rotation to minimize the risk of credential exposure.
Automating this process reduces the manual workload and enhances the security posture by ensuring secrets are rotated regularly without human error.
3
Consider secretless authentication as a strategy to reduce dependency on traditional secrets.
This approach can simplify security management and reduce the risks associated with secret leaks, particularly in cloud integrations.

Common Pitfalls

1
Failing to automate secret management processes can lead to human error and security vulnerabilities.
Without automation, the risk of exposing secrets increases, especially during manual rotation or sharing processes.
2
Overlooking the importance of centralizing secrets can create inconsistencies in security practices.
Decentralized management can lead to varied security measures, making it harder to enforce policies and respond to incidents.

Related Concepts

Secrets Management Best Practices
Cloud Security Strategies
Automation In Devops
Risk Management In It Security