Uber has revealed details of its internally developed Multi-Cloud Secrets Management Platform, designed to address the security challenges of managing over 150,000 secrets across its massive distributed infrastructure. The platform represents a significant evolution in how large-scale technology companies approach credential security in multi-cloud environments.
The ride-sharing giant’s infrastructure presents unique security challenges, with more than 5,000 microservices requiring secure access to sensitive credentials. These services integrate with over 400 third-party vendors and 400 SaaS applications, creating a complex web of authentication requirements that traditional secrets management approaches struggle to handle effectively.
One of Uber’s primary concerns was the proliferation of secrets across codebases, configurations, and various systems throughout their infrastructure. This scattered approach created significant security vulnerabilities and operational inefficiencies. To combat this issue, Uber implemented a dual-pronged strategy combining both preventive and remediation measures. Their preventive approach centers around a CLI tool that integrates directly into the development workflow as a pre-commit hook in Git repositories. This tool actively scans code before commits and blocks any attempts to introduce secrets into the codebase, preventing sensitive information from entering version control systems in the first place. The platform also features both real-time and scheduled scanning capabilities that continuously monitor for exposed secrets across Uber’s entire codebase and infrastructure. Real-time scanning provides immediate feedback to developers, while scheduled scans ensure comprehensive periodic security reviews.
Another scope of this new platform is to hide the complexities of different cloud providers’ security models, allowing developers to focus on application development without worrying about underlying credential management intricacies. This approach has become increasingly important as organizations adopt multi-cloud strategies to avoid vendor lock-in and leverage best-of-breed services.
Before the new Secrets Management Platform, Uber operated 25 separate vault systems, creating operational overhead and increasing the risk of security gaps. This new platform consolidates the previous 25 vault systems into just 6 managed vaults, all operated by a dedicated Secrets team. This centralization provides better security governance while maintaining the flexibility required for Uber’s multi-cloud strategy across different providers
With centralized vaults established, Uber developed a comprehensive Secret Management Platform featuring several key components designed to enhance both security and operational efficiency. The platform’s metadata model serves as a crucial foundation, describing the properties of each secret to aid in governance and automation processes. This structured approach enables better tracking, compliance monitoring, and automated decision-making throughout the secret lifecycle.
Unified interfaces provide seamless interaction with the platform through multiple channels, including REST APIs for programmatic access, command-line interfaces for developer workflows, and web-based user interfaces for administrative tasks. This multi-modal approach ensures that different user types can interact with the system in ways that best suit their needs and workflows.
Lifecycle management capabilities automate critical processes including secret rotation, deletion, and revocation. This automation reduces the burden on development teams while ensuring that security practices are consistently applied across all secrets without manual intervention.
Access management implements consistent access controls across all secrets, ensuring that only authorized services and personnel can access specific credentials. This centralized approach to access control simplifies auditing and compliance while reducing the risk of unauthorized access.
Integration support facilitates seamless secret exchange with third-party vendors and Software-as-a-Service applications, enabling Uber to maintain security standards even when working with external systems and partners.
The implementation of Uber’s Secret Management Platform delivered significant measurable improvements across multiple dimensions. Most notably, through enhanced monitoring and scoping of secret access within containers, the platform achieved up to a 90% reduction in secrets distributed to workloads. This dramatic reduction minimized the attack surface and reduced the potential impact of any security breaches.
The enhanced security posture resulted from centralized management and standardized practices that minimized the risk of secret leaks and unauthorized access. By consolidating control and implementing consistent security measures, Uber significantly strengthened their overall security framework. Operational efficiency improved substantially through the consolidation of vaults and automation of secret lifecycle processes. These improvements streamlined operations, reduced administrative overhead, and freed up engineering resources to focus on core business objectives rather than manual security tasks.
Uber’s approach comes at a time when the secrets management market is rapidly evolving, with vendors like CyberArk and Akeyless developing similar multi-cloud solutions. However, Uber’s decision to build internally highlights the limitations of existing commercial solutions when dealing with hyperscale infrastructure requirements.
