Self-hosted vs. managed secrets: Which scales better for modern infrastructure?

This isn’t a new debate, even if secrets management is a modern industry. Should I do it myself or hire someone else? Like electrical work, plumbing, or fine dining, secrets management solutions are about the right fit. What does your team need to operate as successfully as possible? There are plenty of factors to consider:

Security: The foremost responsibility of any secrets management solution is platform security. Secrets are called secrets for a reason - they are only supposed to be accessed by the right entities at the right times. Secrets management solutions should include encrypted, centralized storage to prevent unauthorized access to sensitive information.

Time: Every manual action in secrets management takes time. In a fast-paced development environment, developers must remain up-to-date with the secrets of their team, project, and environment, or they risk errors associated with mismatched secrets. Manually sharing the values of secrets between team members takes time, which only increases as the number of secrets, developers, and environments increases.

Reliability: A secrets management solution needs to work every time. If 99% of secrets are protected and encrypted, a hacker may still use the remaining secrets to wreak havoc across the platform or steal sensitive user data.

Satisfaction: Developers are people, too! Poor secrets management solutions lead to frustration, which can decrease performance and burnout. Keeping developers satisfied means equipping them with tools that support their work, not hinder it.

Cost: Different solutions will have different kinds of costs! Self-hosted secrets management solutions can include physical infrastructure, development, labor, and time costs, while managed solutions come at a monetary cost.

How do I know what the right solution is?

In general, professional secrets management tools outpace self-hosted solutions in the categories listed above, particularly around security and reliability, though not all managed solutions are created equal! One solution being more reliable doesn’t paint the whole picture, though. There are cases where self-hosted secrets management solutions perform just fine.

For small teams of developers working on projects that don’t include sensitive customer information, the use of .env files or other, more developed self-hosted solutions are simple and easy. Issues arise when a development team handles personal health or financial information since these are prone to more strict government oversight, like the HIPAA or GDPR regulations. As the size of the development team, complexity of the platform, or introduction of stricter security measures increases, self-hosted secrets management solutions run into an issue with scalability.

In secrets management, scalability means an increase in the number of secrets that must be shared and accessed at a time. This upscaled access might come from an expanding development team, but it can just as easily come from an increase in platform complexity, government regulations, or microservice integrations. As security needs increase, secrets management solutions are called on more frequently than ever before. If there are inefficiencies in a secrets management solution, scaling will definitely expose them.

Why are managed solutions better at scaling?

In short, professional secrets management solutions, like Doppler, are designed to function at any scale.

While any encrypted storage location might securely hold the values of secrets, it takes additional actions to share, update, rotate, and revoke the values of those secrets. Multiply the time cost of each of these actions by the number of developers trying to use them, and it becomes abundantly clear that a set of specialized tools is required.

An example:

Three developers working on the same project in a single environment use .env files to load their secrets before application runtime. Any time a secret is created, altered, or removed, this secret must be updated across each of the developers’ .env files, or version mismatches will break their build.

In self-hosted solutions, sharing this file is manual. A developer uses a (hopefully) secure channel to distribute the new file, and each other developer updates their own to correspond. Development is essentially paused until everyone is updated appropriately. This is inefficient at best and introduces a host of risks (debugging time for version mismatch, hackers intercepting files in transit, developer error in simply forgetting to send or forgetting to update).

In a managed secrets solution, there are built-in tools for this very practice. For instance, If a developer adds or alters a secret in a Doppler Config (a more versatile replacement for the .env), this secret can be automatically distributed or updated across any or all developers in any or all selected environments. Tools like these immediately remove the time spent manually updating and allow for development without pause.

Again, securely sending a .env file to a coworker is a secrets management solution that can work, especially when teams and projects are small and simple. When multiplied by the number of secrets in a given project and by the number of developers working on that project in every environment, you quickly realize that manually sharing files is a solution that won’t work.

If the cost of a professional secrets management solution is intimidating, though, don’t worry - Doppler includes different services at different price points, so smaller teams can pay for the secrets management solution that better fits their needs.

Secrets management scaling into the future.

Managed solutions, like Doppler, work alongside development tools and platforms, like AWS, Terraform, Kubernetes, GitHub, Okta, Azure, and more, to ensure their users can work in their preferred development environment now and in the future.

As these services update, as development teams grow, as platforms increase the number of integrations, introduce additional development tools, or if a team switches platform hosts entirely, secrets management solutions must be updated to continue their functionality and relevancy. Managed solutions perform this update for you.

Managed secrets solutions can make your life easier.

Doppler already fits directly into your CI/CD pipeline with its extensive host of integrations, and its development team will ensure it continues to work optimally with your preferred development tools and environments well into the future.

Doppler comes with a suite of features that ensure secrets management is as secure as it is efficient. Features like automatic rotation and revocation, or audit logs, and other breach remediation tools. Check out a free demo to see if Doppler is the right fit for your team now and at scale.