They always use Alice and Bob in technical examples. We’ll use Anna and George as fictional characters in our article where we put an emphasis on the secure way of sharing data between team members.
In our example, Anna is a new developer who started to work recently for an IT company X and her onboarding process has been exhausting (so many services, various usernames, passwords to set, oh my!).
George is a senior devops who has access and keys to all services which are used daily by the company’s employees. He also helped Anna with her onboarding process.
Anna’s first task is to work on the oAuth part for the company’s existing app named Orion. For further development with oAuth she needs credentials that belong to the Orion app. Credentials are encrypted and saved in a KeePassX file on a server where Anna doesn’t have access yet.
This is where George has to jump in and help her but he hit a security wall. Should he risk and just copy/paste credentials to Anna via some chat tool? Or should he do it in a proper, security safe way?
In our perfect dreams George’s experience makes him choose a security wise way:
- He sends Anna invitation to Keybase
- Grants her with access to the server with limited rights
- Grants her with git push/pull rights for the KeePassX file so she can download it locally
- Gives Anna main password that opens the KeePassX file via Keybase exploding message
This way Anna gets access to the main KeePassX file in a secure way is able to download it locally and she is ready to go!
With this little onboarding story, we hope you got the feeling that sharing sensitive data among your team members in the company is not a piece of a cake. Achieving that everybody follows same rules is an even tougher task. It requires lots of education, informing, repeating and lots and lots of patience. The main goal is that people in the company get sensibility around data security as well as its sharing and management.
As an addition, we compiled a list of 5 methods/tools for sharing credentials among team members, together with their pros and cons. You may find them useful in your onboarding process:
- Pros: encrypted database, password protection, doesn’t depend on a third party, multi-platform, portable, doesn’t take too much storage space, you can use solutions like internal GitLab to host it and people just pull new updates locally
- Cons: constant KeePassX file opening and copy/paste of a password from the file is a hassle and not security wise
- Pros: multi-device sync, inter-server sharing, file access control, server-side encryption, app access rights, brute force hacking protection, file encryption
- Cons: maintenance since it is self-hosted, price
- Pros: public key cryptography, easy user identification, encrypted chat, exploding messages, multiple device sync
- Cons: depends on the third party
- Pros: use one login to access multiple services, integration with Google accounts, multiple teams can use it
- Cons: price, depends on a third party since it is not self hosted, holding passwords for services like internal databases is something I wouldn’t recommend but that is up to you and how much you trust third party for this
Temporary file sharing via self-hosted server
- Pros: full access control, easy to use and share
- Cons: it is not hacker prone, not many possibilities unless you really have time for developing extra features, everything in plain text unless you encrypt it with solutions like ansible-vault
“But what is the best solution?” - you may ask. Honestly, when security is in question there is no best solution or just one solution. You will never be 100% sure that your data and/or data sharing is safe. Therefore, I would recommend using a combination of several tools:
- for the onboarding process, I would put more general applications like Google accounts into some SSO solution (e.g. Bitium, Okta),
- delicate things like database passwords can be put in KeePassX file which should be stored on a server with limited access,
- for encrypted file sharing and encrypted chat, I would suggest using Keybase exploding messages
You see where I’m going with this? The type of solution depends on a level of criticality and situation. It also depends on how tech-savvy certain department of the company is. For example, devops team will have close to no problem using KeePassX while sales department might look at you like you speak a different language, at least in the beginning until they learn and adopt the solution.
To recap, one and best solution is not possible here. To be a bit of sarcastic child I’ll share Willy Wonka for the end and his final security solution. I am exaggerating of course but you’ll get my point. ;)
What solutions for sharing secret/delicate data are you using in your company? Feel free to share your thoughts and experiences in the comments below.