Sep 17, 2025

Scaling infrastructure? You’re actually scaling identities


TL;DR

When you scale infrastructure, you also multiply the number of identities, such as API keys, service accounts, and credentials, that need secure handling. Without the right systems, these can sprawl, get reused, and create serious security risks. Doppler solves this by centralizing secrets management across all environments, automating rotation, integrating with deploy pipelines, and giving teams full visibility into who has access and how credentials are used, keeping identities secure and organized as your systems grow.

Scaling infrastructure also means scaling identities

Every startup dreams of being the proverbial rocket ship: customers are rolling in and signing up to use your product. But what’s happening on the backend? Often, the picture is not quite as rosy. In all likelihood, the infrastructure team is frantically scaling and pushing out new servers to keep everything “in the green”.

Scaling infrastructure means more than just new servers and deployments: each new service adds additional database logins, storage identities, monitoring service accounts, and tool APIs that need to be managed. You’re not just scaling infrastructure, you’re also scaling identities. Are you recycling the logins? Are the identities being properly rotated? How is the team tracking and updating credentials in your rapidly growing system?

As more servers and services are added, the number of connections and identities grows exponentially.

Even if your organization is not (yet) a rocket ship, you are regularly deploying new infrastructure and services, and each new deployment leads to new identities that need to be managed. This guide is for teams that are scaling infrastructure. You’ll learn how to keep identities safe, secure, and manageable, even as the infrastructure grows and evolves at a breathtaking pace.

How access spreads inside a growing stack

Securing access and credentials across services is a daunting task. Simple mistakes or slip-ups can have disastrous effects. Below are a few examples of how small changes, even those made for the right reason, can lower your organization's security posture.

  • Overprovisioning due to time pressure: Development teams are renowned for using overprovisioned secrets, and there’s nothing worse than a developer spending hours debugging an error, only to realize the credential has insufficient access to a cloud service. So, when a new staging environment is spun up, what secrets are used? Certainly not the production secrets, and we all know we shouldn't be using the developer’s admin-level credentials. But time may be short, and the developer's secrets are placed in staging. We're one deployment from pushing these credentials to production.
  • Secret reuse across services: The main server is overloaded, so the team spins up a second instance and places a load balancer in front of it to share the workload. API keys should not be reused, and each additional instance should be provided with new service accounts.
  • Credential dependency risks after offboarding: What happens when a developer leaves? Do you dare invalidate their credentials? Are you sure staging will still work? Maybe even prod? An old version of the database was retired: Were the secrets revoked? Who has access to what?
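The first two failure modes above can be checked mechanically. The following is an added example, not code from Doppler or from the original post: it scans a constructed inventory of .env files and reports any secret value that appears in more than one environment or service. The environment names, service names, keys, values, and the NON_SECRET_KEYS allowlist are all assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample inventory: (environment, service) -> .env file contents.
SAMPLE_ENV_FILES = {
    ("dev", "api"): "DB_PASSWORD=dev-pass-1\nPAYMENTS_API_KEY=test-key-aaa\n",
    ("staging", "api"): "DB_PASSWORD=dev-pass-1\nPAYMENTS_API_KEY=test-key-bbb\n",
    ("prod", "api"): "DB_PASSWORD=prod-pass-9\nPAYMENTS_API_KEY=live-key-ccc\n",
    ("prod", "worker"): "# second instance\nexport DB_PASSWORD='prod-pass-9'\nLOG_LEVEL=info\n",
}
NON_SECRET_KEYS = {"LOG_LEVEL"}  # plain configuration, not credentials (assumed)

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, drop 'export' and quotes."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        pairs[key] = value
    return pairs

def fingerprint(value, audit_key):
    """Keyed hash, so the report can be shared without exposing the secret."""
    return hmac.new(audit_key, value.encode(), hashlib.sha256).hexdigest()[:12]

def find_reuse(env_files, audit_key):
    """Return one finding per secret value that is used in more than one place."""
    seen = defaultdict(set)  # fingerprint -> {(environment, service, key)}
    for (env, service), text in env_files.items():
        for key, value in parse_env(text).items():
            if key not in NON_SECRET_KEYS and value:
                seen[fingerprint(value, audit_key)].add((env, service, key))
    findings = []
    for fp, uses in seen.items():
        if len(uses) < 2:
            continue
        envs = {env for env, _, _ in uses}
        kind = "cross-environment" if len(envs) > 1 else "cross-service"
        findings.append({"fingerprint": fp, "kind": kind, "uses": sorted(uses)})
    return sorted(findings, key=lambda f: f["uses"])

if __name__ == "__main__":
    for finding in find_reuse(SAMPLE_ENV_FILES, b"per-audit-random-key"):
        print(finding)
```

On the sample data this reports the dev database password carried into staging and the production database password shared by the api and worker instances.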

Identity management is a difficult task, even on small static systems. Keeping up with credentials in the chaos of spinning up multiple environments and new infrastructure is next to impossible. Luckily, there are tools available to help development teams scale secrets and identities safely.

Where most tools break down

Many organizations start small, and credentials are stored locally on a developer's machine. As the team grows, secrets are shared on Slack, or the .env is stored on a shared drive for easy access. This eventually breaks down. Managing identities for many environments, rotating on each deployment, and invalidating old secrets is a challenge.

Cloud services offer Identity and Access Management (IAM) tools, but these are fragmented across tools and clouds.

How are secrets audited for use? Who monitors the rotation of secrets? What access management is placed on the identities? Who tracks where each identity is being used and how often? Without answers to these questions, identity management is failing. As the infrastructure scales, your identity management is failing at scale.

What strong access systems do as teams scale

As your team scales, you need an access management system to help track and manage the identities being used. These systems help teams:

| System | What they track |
|---|---|
| Identity management | Know what identities exist, including access, reach, unused secrets, and more. |
| Coordination of identities by environment | Identities are tied to environments. If run in multiple environments, they are connected, so a single change updates all environments. Secrets cannot "accidentally" be deployed to multiple environments. |
| Built-in secret rotation or expiration | Periodically update or replace sensitive information. |
| Centralize all identities | Store secrets for all clouds in a single solution. |
| Integrations | With deploy tooling for automatic injection of secrets at deployment. |
| Identity logging | Track usage patterns to pinpoint potential incursions and identity changes. |

Individually, many of your systems may have good secrets management. But tracking access across all of your tools is next to impossible. Scaling identities becomes much easier in a centralized secrets management solution. A team that stores all their identities in a single access system is not immune to improperly scaling identities, but it does become easier to identify and resolve.

What Doppler brings into the system

Developers know that properly managing identities is an important task. What they need is developer-friendly tooling, quick setup, and easy processes. Doppler’s secrets management system is a developer-first product that organizes identities, tokens, and API keys by deployment environment.

No longer can development tokens "accidentally" move to staging. Secrets that are meant to be shared across environments are automatically synced, so any change is immediately synchronized. When rolling out a new environment, copy an existing one to use as a blueprint: you know exactly what secrets need to be provisioned.

Doppler’s dashboard showing multiple environments.

Access control is centralized. Only users with the correct access privileges can access or change identities. Logging and monitoring track rotations and usage.

Automated secret rotation and rotation reminders

Secrets for many cloud tools (for example, AWS, Cloudflare, and GCP) can be set to automatically rotate on a fixed schedule. Doppler has tight integrations with CI/CD tooling to inject secrets on every deployment for all other systems. Most importantly, Doppler is designed for growing teams, so as your identities scale, so does the tool supporting them.

Scaling infrastructure means scaling identities

Building out and expanding IT systems is challenging; there is always more work to be done than there is time. With all of the moving pieces and the urgency to keep the service up, sometimes credentials and identities are reused or not properly scoped. While this might work for the short term, these credentials can be security time bombs.

Rather than trying to manually manage the growing list of identities in your infrastructure, consider leveraging Doppler to manage and keep track of identities. Designed for scale, Doppler makes it easy to provision new environments, protect secrets, and ensure secrets rotation. Doppler also provides detailed logging and metrics around identity usage across the organization.

As your infrastructure scales, Doppler helps you scale identities securely and safely.
