Secrets Management JTBDs - Meta Analysis

💡 Research results

Developers use GitLab CI/CD variables to store sensitive credentials because it allows to store it outside of code.
In highly regulated environments, dynamic secrets, automatic secret rotation and secret expiration policies provide additional layer of security.
Developers expect sensitive credentials to be fully encrypted.
Depending on the team structure, organization size and secret type, users want to choose between a secret-based or identity based access policies (such as IAM users, RBAC policies, policy-as-code).
In addition to access policies, developers should be able to select between different permissions levels such as read/write or read-only.
For compliance reasons organizations are required to keep audit logs of secrets usage and management.
Engineers need to have insight into the status of the secrets, their usage, and any suspicious behavior.
Engineers need a way to quickly update or rotate the secret in case there's been a vulnerability.
When a secret is created or updated, the code using the secret needs to be updated appropriately.
Engineers need a way to quickly roll back changes to a secret in case of unwanted changes or a vulnerability.
Access requests for services are typically tracked in tickets or issues.

Identify the remaining open questions and integrate them into upcoming research studies
Prioritize the jobs to be done

Further details

Edited Aug 22, 2022 by Nadia Sotnikova