re: How does your organization pass secret keys around? VIEW POST


We host our own One-Time Secret instance. Our security policy calls for employees to use password managers to store their own passwords & generally prohibits shared logins. If there's a shared key or password that needs to be documented, we insist it's stored in our project management system where it's behind a login and we can control who has access to it.

If you don't want people bypassing policies for expediency, it needs to be addressed culturally. Make it clear that they won't be hassled for taking time to share data securely and protect your people from that pressure. Explain why your rules and chosen tools are in place. Nobody wants to be responsible for the next big credit card or medical data leak, right? So make it clear that they're on the front lines of protecting your clients & customers from identity theft. They have the power, tools, and management's support to do their job responsibly. They won't be the faces behind the nasty headlines.

Code of Conduct Report abuse