Why You Need a Faster Secrets Rotation Strategy

Why do we keep long-lived credentials and keys in cloud-based applications? There's a better strategy for cloud security using more dynamic secrets management.

»How an Attacker Will Find Your Secrets

Most of us know the castle-and-moat perimeter firewall strategy of network security doesn't work as well when your applications are running on cloud infrastructure. So it's not hard to imagine an attacker will eventually find their way onto your network.

The first place most attackers on a network will go is to the developers' version control systems to look for exposed, plain text secrets (credentials, keys, certificates, etc.). Maybe you feel you've done a good job hiding secrets in your VCS. The attacker finds nothing there.

Then they head to your logs. In years past, your team wasn't as diligent about preventing secrets from spilling into logs, so the attacker finds a secret from five years ago. It's still in use. Now they can get deep access to your systems.

»Playing Catch Up in Cloud Security

It's estimated that only 5% of development teams have a standardized secrets management approach. With ephemeral cloud workloads on the rise, infrastructure is undeniably becoming more dynamic, so why do we settle for static secrets to support it? As you read above, long-lived secrets can be a ticking time bomb.

It's true that some events relating to secrets are infrequent, cornerstone events:

  • Secret acquisition

  • Authentication mechanisms

  • Authorization permissions

  • Secret revocation

But what's needed in most cloud-based development today is a dynamic secrets approach that automates the important continuous events of secrets management:

  • Rotation

  • Auditing

  • Logging and Monitoring
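To make the contrast between static and dynamic secrets concrete, here is an added example (not code from the talk or from HashiCorp Vault): a hypothetical lease-based secrets broker in which every credential carries a TTL, rotation is just revoke-and-reissue, and each decision lands in an audit log. A secret recovered from a five-year-old log entry is rejected because its lease lapsed long ago; the names and TTLs are constructed for the demo.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Lease:
    secret_id: str
    value: str
    issued_at: float
    ttl: float  # seconds the credential stays valid after issuance

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.ttl


class DynamicSecretsBroker:
    """Toy broker (hypothetical, not Vault): every credential is a short-lived
    lease, and every issue/verify/revoke decision goes to an append-only audit log."""

    def __init__(self, default_ttl: float = 3600.0) -> None:
        self.default_ttl = default_ttl
        self.leases: Dict[str, Lease] = {}
        self.audit: List[dict] = []

    def _record(self, event: str, secret_id: str, **extra) -> None:
        self.audit.append({"event": event, "secret_id": secret_id, **extra})

    def issue(self, now: float, ttl: Optional[float] = None) -> Lease:
        # Fresh random value per lease; nothing is reused across leases.
        lease = Lease(secrets.token_hex(8), secrets.token_urlsafe(32), now, ttl or self.default_ttl)
        self.leases[lease.secret_id] = lease
        self._record("issue", lease.secret_id, ttl=lease.ttl)
        return lease

    def verify(self, secret_id: str, value: str, now: float) -> bool:
        # A secret pulled out of an old log is useless once its lease has lapsed.
        lease = self.leases.get(secret_id)
        if lease is None or lease.expired(now):
            self._record("reject", secret_id, reason="unknown-or-expired")
            return False
        ok = secrets.compare_digest(lease.value, value)  # constant-time compare
        self._record("verify", secret_id, ok=ok)
        return ok

    def rotate(self, secret_id: str, now: float) -> Lease:
        # Rotation = revoke the old lease and issue a new one with the same TTL.
        old = self.leases.pop(secret_id)
        self._record("revoke", secret_id, reason="rotation")
        return self.issue(now, old.ttl)
```

The audit list is what the "Auditing" and "Logging and Monitoring" items above would feed: every reject of an unknown or expired lease is a signal worth alerting on.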

»What You'll Learn

In this talk, HashiCorp field CTO Sarah Polan will examine strategic ways to embed zero trust practices and dynamic secrets into your workflows, so that your secrets move at the same speed as your infrastructure while shrinking the attack surface for a credential breach.
