- How the secret is injected
- Too many types of secrets needed, too few handled
- Difficulty of auditing secret usage
- Difficulty of rotating secrets
- Support of more advanced automatic security measures (such as dynamic secrets).
- Despite this Cryptographic RBAC paper coming out in 2013, googling for cryptographic rbac solutions turns up no results, even in Hashicorp Vault.
- Difficulty of defining, propagating, and enforcing Resource Based Access Control schemes
- How the secret-zero problem is handled. (Even when handled, it’s often error-prone and not as secure as it could be)
I’m sure I’m forgetting a few. Social and bureaucratic factors also come into play in the real world, which further complicates matters.