Why do we keep long-lived credentials and keys in cloud-based applications? There's a better strategy for cloud security using more dynamic secrets management.
Most of us know the castle-and-moat perimeter firewall strategy of network security doesn't work as well when your applications are running on cloud infrastructure. So it's not hard to imagine an attacker will eventually find their way onto your network.
The first place most attackers on a network will go is to the developers' version control systems to look for exposed, plaintext secrets (credentials, keys, certificates, etc.). Maybe you feel you've done a good job keeping secrets out of your VCS. The attacker finds nothing there.
Then they head to your logs. In years past your team hasn't been as diligent in preventing secret spillage to logs, so the attacker finds a secret from five years ago. It's still in use. Now they can get deep access to your systems.
It's estimated that only 5% of development teams have a standardized secrets management approach. With ephemeral cloud workloads on the rise, infrastructure is undeniably becoming more dynamic, so why do we settle for static secrets to support it? As you read above, long-lived secrets can be a ticking time bomb.
It's true that some events relating to secrets are infrequent, cornerstone events:
But what's needed in most cloud-based development today is a dynamic secrets approach that automates the important continuous events of secrets management:
Logging and Monitoring
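To make the contrast between static and dynamic secrets concrete, here is an added example (not code from HashiCorp, the talk, or any Vault API) of a toy broker that issues per-request credentials with a time-to-live, checks them on use, revokes them on demand, and writes an audit trail that carries a fingerprint of the secret rather than the secret itself. The broker, its method names, the `db-reader` role and the fake clock are all assumptions made for illustration; the point it demonstrates is that a leaked dynamic credential stops working when its lease expires, while a leaked static one stays usable for years.

```python
"""Leased (dynamic) secrets versus a static secret: a toy broker.

Added example, not HashiCorp or Vault code. All names here are invented.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    role: str
    secret: str
    issued_at: float
    ttl: float            # seconds; float("inf") models a static secret
    revoked: bool = False

    def expires_at(self) -> float:
        return self.issued_at + self.ttl


class DynamicSecretBroker:
    """Issues TTL-scoped credentials, validates and revokes them, and logs
    every event without ever writing the raw secret to the log."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._leases: dict[str, Lease] = {}
        self.audit_log: list[dict] = []

    def _audit(self, event: str, lease: Lease) -> None:
        # A short hash lets an investigator correlate a leaked value with a
        # lease without the log itself becoming a source of secrets.
        fp = hashlib.sha256(lease.secret.encode()).hexdigest()[:8]
        self.audit_log.append({"ts": self._clock(), "event": event,
                               "lease_id": lease.lease_id, "role": lease.role,
                               "secret_fp": fp})

    def issue(self, role: str, ttl_seconds: float) -> Lease:
        lease = Lease(lease_id=secrets.token_hex(8), role=role,
                      secret=secrets.token_urlsafe(24),
                      issued_at=self._clock(), ttl=ttl_seconds)
        self._leases[lease.lease_id] = lease
        self._audit("issue", lease)
        return lease

    def validate(self, lease_id: str, presented: str) -> bool:
        lease = self._leases.get(lease_id)
        if lease is None:
            return False
        ok = (not lease.revoked
              and self._clock() < lease.expires_at()
              and secrets.compare_digest(lease.secret, presented))
        self._audit("validate_ok" if ok else "validate_denied", lease)
        return ok

    def revoke(self, lease_id: str) -> bool:
        lease = self._leases.get(lease_id)
        if lease is None or lease.revoked:
            return False
        lease.revoked = True
        self._audit("revoke", lease)
        return True

    def active_lease_count(self) -> int:
        now = self._clock()
        return sum(1 for l in self._leases.values()
                   if not l.revoked and now < l.expires_at())


def log_contains_secret(broker: DynamicSecretBroker, lease: Lease) -> bool:
    """Monitoring check: the audit trail must never carry a raw secret."""
    return any(lease.secret in str(entry) for entry in broker.audit_log)


class FakeClock:
    """Deterministic clock so the demo does not have to sleep."""
    def __init__(self, t: float = 1_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    broker = DynamicSecretBroker(clock=clock)
    dynamic = broker.issue("db-reader", ttl_seconds=300)       # 5-minute lease
    static = broker.issue("db-reader", ttl_seconds=float("inf"))  # never rotated
    # Constructed scenario: both values leak (e.g. into a log) right after issue.
    leaked_dynamic, leaked_static = dynamic.secret, static.secret
    result = {"dynamic_usable_now": broker.validate(dynamic.lease_id, leaked_dynamic)}
    clock.advance(5 * 365 * 24 * 3600)   # the "five years later" from the scenario
    result["dynamic_usable_after_years"] = broker.validate(dynamic.lease_id, leaked_dynamic)
    result["static_usable_after_years"] = broker.validate(static.lease_id, leaked_static)
    # Incident response for the static one is a manual revoke; the dynamic lease
    # needed no action at all.
    result["static_revoked"] = broker.revoke(static.lease_id)
    result["static_usable_after_revoke"] = broker.validate(static.lease_id, leaked_static)
    result["active_leases"] = broker.active_lease_count()
    result["secret_in_log"] = log_contains_secret(broker, dynamic) or log_contains_secret(broker, static)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The monitoring half is the `audit_log` and `log_contains_secret`: every issue, validation and revocation is recorded, and a simple check asserts that the raw credential never appears in that record, which is the failure mode the scenario above turns on.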
In this talk, HashiCorp field CTO Sarah Polan will examine strategic ways to embed zero trust practices and dynamic secrets into your workflows to ensure that your secrets are moving at the same speed as the infrastructure and decreasing the attack surface for a credential breach.