Written by: Robin Joseph, Team Lead – Cloud Operations, Cyber Group Inc.
In today’s digital world, organizations rely on applications to run their business. They use automated IT solutions and DevOps methodologies to speed development and innovation. Applications and IT environments may vary from organization to organization, but one thing will remain constant: every application, script and automation tool relies on some form of privileged credential to access other tools, applications, and data.
These privileged credentials are often called “secrets” and refer to a private piece of information. Every IT system uses Secrets in the form of API keys, database credentials or encryption keys to run the applications smoothly and securely. These secrets must be hidden but at the same time it must be stored somewhere. Securely storing secrets in Cloud architecture is a challenging task for every organization.
Secrets are privileged credentials that provide digital authentication. Some common types of Secrets are database passwords, privileged account credentials, SSH keys, encryption keys, API keys, and private certificates for secure communication and data transmission.
Because the Secrets are highly sensitive and private pieces of information, it must be protected at all costs, both in transit and at rest. One of the best practices to protect Secrets is changing the value of these Secrets frequently.
We need to change the value of the Secrets frequently for the following reasons:
Your encryption algorithm can be stale and broken after many years and needs to be upgraded to the latest technology. For example, DES was awesome in 1977 but there are now better alternatives that should be used in newer environments or projects. The safe thing is to rotate your key and potentially the algorithm too.
Secrets can be compromised maliciously or unknowingly. The safe thing to do is to rotate your encryption key every so often, so that when keys do get compromised, the amount of data that you lose can be minimized.
Limiting the number of messages encrypted with the same key version helps prevent brute-force attacks enabled by cryptanalysis. Key lifetime recommendations depend on the key’s algorithm, as well as either the number of messages produced, or the total number of bytes encrypted with the same key version. For many encryption algorithms, the more data you gather, the easier it is to break. A prominent example is AES GSM that loses its protection if more than 64GB of data is encrypted with the same key.
Key rotation is the process by which you retire an encryption key, Secret, or password and replace that old key by generating a new one on a timely basis. This ensures that if keys are accidentally leaked or otherwise revealed, the plain text remains secure, assuming the adversary has not also already obtained a copy of the data encrypted under said key. Key rotation is recommended across a wide range of industries and organizations. For example, The National Institute of Standards and Technology (NIST) recommends regular and planned rotation. The Open Web Application Security Project (OWASP), and the Payment Card Industry (PCI) also requires this on a periodic basis for customer data. Most of the cloud computing platforms support such operations so that customers that are mandated to rotate keys can do so.
AWS provides Secrets Manager Service which is a Secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily store, rotate, manage, and retrieve database credentials, API keys, and other Secrets throughout their lifecycle.
In AWS, AWS Secrets Manager helps you meet your security and compliance requirements by enabling you to rotate Secrets safely without the need for code deployments. For example, Secrets Manager offers built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB and rotates these database credentials on your behalf automatically. You can customize Lambda functions to extend Secrets Manager rotation to other Secret types, such as API keys and OAuth tokens. Retrieving the Secret from Secrets Manager ensures that developers and applications are using the latest version of your Secrets.
In your application, by adding AWS SDK packages and a piece of code, you can retrieve AWS Secrets that can be used for referencing the Secrets. This can be done without hard coding or adding it as part of a CI/CD pipeline variable. This way the Secret updates need to be done only at one place and all the applications consuming that Secret get the updated value.
Key rotation on a regular interval is highly recommended as a DevSecOps best practice. It is not only making your organization compliant with Industry standards but also keeps your IT infrastructure secure. Automated key rotation methods provided by the cloud services make the whole process easily configurable if you are using an inbuilt cloud service.
Part 2 of this discussion will cover the Secret store and key rotation services provided by Azure.