Posted by Sam Gabrail
May 30, 2024
Introduction
Maintaining data encryption and security is crucial for any organization. One effective strategy is the proper management of keys and credentials, particularly through automated credential rotation. This method ensures the ongoing security and integrity of sensitive information.
Akeyless offers advanced capabilities in securing secrets and automating credential rotation. In this blog post, we will explore the importance of credentials and key rotation, the challenges associated with it, and how the Akeyless approach can significantly enhance your security.
A Demo Video
Understanding Credentials and Key Rotation
Credentials and key rotation involves periodically changing keys and other security credentials. This practice, including automatic key rotation, minimizes the risk of compromised keys being used for unauthorized access, thereby enhancing data security. Credentials and key rotation is an integral part of a robust security policy, ensuring that even if a key is compromised, the potential damage is limited.
The Need for Automated Credential Rotation
Why Rotate Keys and Credentials in General?
Regularly updating keys and credentials is essential for several reasons:
- Security: Rotated credentials and limit the exposure time of sensitive information, reducing the risk of unauthorized access.
- Compliance: Many regulatory frameworks require credentials and key rotation to protect sensitive data.
- Data Integrity: Regular rotation ensures that encrypted data remains secure against evolving threats. Encrypting new data and re-encrypting old data with new keys are crucial steps in this process.
Compliance and Regulatory Requirements
Several regulatory standards mandate credentials and key rotation as part of their security requirements, including:
- General Data Protection Regulation (GDPR): Emphasizes the need for protecting personal data through encryption and key management.
- Payment Card Industry Data Security Standard (PCI DSS): Requires regular key rotation to safeguard cardholder data.
- Health Insurance Portability and Accountability Act (HIPAA): Mandates the protection of patient data, including the use of encryption and key management practices.
Case Studies: Consequences of Poor Credentials and Key Management
With the growing complexity of cyber threats, it’s essential to recognize recent incidents highlighting the consequences of poor credentials and key management. Based on recent research and reports, here are some examples.
The recent breaches at Okta, Sumo Logic, and Cloudflare highlight critical vulnerabilities in credential and key management practices:
- Okta Breach (October 2023)
- Root Cause: Theft of service account passwords.
- Impact: Unauthorized access to Okta’s customer support management system leads to exposure of user names and email addresses.
- Lesson Learned: This breach underscores the importance of stringent monitoring and securing service accounts. Regularly rotating service account passwords and implementing robust access controls are crucial to prevent such misuse.
- Sumo Logic Breach (November 2023)
- Root Cause: Compromised credentials used to access an AWS account.
- Impact: Exploitation of unchanged access keys, leading to unauthorized access.
- Lesson Learned: Enabling automatic key rotation and enforcing regular key rotation for AWS credentials is paramount. Sumo Logic’s response to securing its infrastructure and advising customers to rotate critical credentials is a best practice that should be widely adopted.
- Cloudflare Breach (January 2024)
- Root Cause: Exploitation of stolen authentication tokens and service account credentials from a prior Okta breach.
- Impact: Unauthorized access to Cloudflare’s Confluence, Jira, and Bitbucket systems.
- Lesson Learned: This breach highlights the need for robust API security and automatic credential rotation. Implementing strong security measures to protect against reusing stolen credentials from other breaches is essential.
Key Observations:
- Importance of Automatic Key Rotation: All three breaches emphasize the critical need for automatic key rotation. Regularly rotating keys and credentials can significantly reduce attackers’ window of opportunity.
- Monitoring and Auditing: Continuous monitoring and auditing of key usage are essential to promptly detect and respond to unauthorized access. This includes using advanced tools to track access patterns and identify anomalies.
- Securing Service Accounts: Due to their high privileges, service accounts are often targeted by attackers. Ensuring these accounts are secured with strong authentication methods and regular credential rotation is vital.
- API Security: Robust API security measures, including the rotation of API keys and tokens, are necessary to protect against unauthorized access through compromised credentials.
- Response and Remediation: Swift response and remediation efforts, such as changing compromised credentials and advising customers on best practices, are crucial in mitigating the impact of a breach.
The Problem with Static Credentials
Static credentials, which do not change frequently, pose a significant security risk. They provide attackers with more time to discover and exploit these credentials, potentially leading to data breaches.
Risks of Manual Credential Rotation
Manually rotating secrets is error-prone and resource-intensive. It demands significant administrative effort and can lead to inconsistencies if not managed properly. Manual processes are susceptible to human error, which can result in gaps in security.
Challenges in Scaling and Monitoring Key Rotation Solutions
As organizations grow, the number of keys and credentials that need management increases dramatically, complicating the scaling of manual rotation processes. Automated solutions are essential to handle this complexity effectively. Scaling challenges include:
- Volume: Large enterprises manage thousands of secrets, making manual rotation impractical.
- Complexity: Different systems and applications may have varying requirements for key management, adding to the complexity.
- Coordination: Ensuring that all credentials are rotated without disrupting operations requires precise coordination.
The Akeyless Approach to Dynamic Secrets and Automated Rotation
Automated Credential Rotation with Akeyless
Akeyless simplifies credential rotation by automating the entire process. This enhances security and improves operational efficiency by eliminating the manual overhead associated with traditional credentials and key management service practices. Key features include:
- Centralized Management: Akeyless provides a single platform for managing all keys and credentials, simplifying administration.
- Policy-Based Rotation: Rotation policies can be defined and enforced automatically, ensuring compliance with security standards.
- Seamless Integration: Akeyless integrates with various systems and applications, making it easy to implement automated credential rotation across the organization.
Check out this blog post on Securing Privileged User Accounts with Rotated Secrets.
Dynamic Secrets Management
Dynamic secrets are temporary credentials generated on-demand and automatically expire after a short duration. This approach minimizes the risk of secret leakage and reduces the attack surface. Dynamic secrets offer several benefits:
- Short Lifespan: They are valid only for a brief period, reducing the risk of exposure.
- On-Demand Generation: Secrets are generated as needed, ensuring they are always fresh and unique.
- Automated Expiration: Dynamic secrets automatically expire, eliminating the need for manual revocation.
Dynamic secrets are great, especially for applications. Applications are pretty bad at keeping secrets. A developer can, by accident, leak these secrets via logs or to a monitoring system. So if the secret is long-lived, then that poses a security concern, whereas if dynamic secrets with short time-to-live (TTL) are used, then the secret is useless after that TTL expires.
Key Rotation Strategies and Best Practices
Time-Based vs. On-Demand Key Rotation
Comparing these strategies:
- Time-Based Rotation: Credentials and Keys are rotated at regular intervals regardless of use. This approach ensures a consistent rotation schedule but may rotate credentials unnecessarily. Akeyless has this functionality that you can use directly.
- On-Demand Rotation: Credentials and Keys are rotated as needed, typically triggered by specific events or conditions. This approach is more flexible and can reduce the frequency of rotations. You can use an external system to rotate the credentials by accessing the Akeyless API.
Best Practices for Rotating Keys and Credentials
Here are some practical tips for effective credentials and key management and key rotation procedures:
- Regularly Update Rotation Policies: Ensure policies are up-to-date with the latest security standards.
- Leverage Automation Tools: Use tools like Akeyless to automate the rotation process.
- Monitor and Audit: Continuously monitor access patterns and audit credentials and key usage to detect any unusual activities.
- Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification.
- Segment Access: Limit access to credentials based on the principle of least privilege, reducing the risk of unauthorized access.
- Use Strong Encryption Algorithms: Ensure that all credentials and keys are generated using robust encryption algorithms to maximize security.
Implementing Automated Credential Rotation with Akeyless
There are two main ways to rotate credentials in Akeyless. You can use rotated secrets or dynamic secrets. Below, you’ll see a guide for each. I chose Azure for rotated secrets and AWS for dynamic secrets as examples.
Step-by-Step Guide for Rotated Secrets for Azure
Implementing rotated secrets with Akeyless ensures that sensitive credentials are regularly updated to maintain security. Here’s how you can set up and manage rotated secrets for Azure using the Akeyless platform.
Prerequisites
- Azure AD App: Ensure you have an Azure Active Directory (AD) App.
- Azure AD Storage Account: Alternatively, have an Azure AD Storage Account.
- Permissions: Required permissions include Application.ReadWrite.OwnedBy and Application.ReadWrite.All for creating and deleting application secrets.
- Akeyless Gateway: Ensure you have an Akeyless Gateway configured.
Creating a Rotated Secret for Azure in the Akeyless UI
- Set Up Akeyless Account:
- Create an account on Akeyless and log in to the dashboard.
- Define Rotated Secret:
- Navigate to the ‘Items’ section in the Akeyless dashboard.
- Click on ‘New’ and select ‘Rotated Secret.’
- Choose ‘Azure AD’ as the Type.
- Configure Rotated Secret:
- Name and Description: Provide a unique name and description for the rotated secret.
- Location: Specify the path to the virtual folder where you want to create the new rotated secret. If the folder does not exist, it will be created automatically.
- Target: Define the Azure Target with which the rotated secret should be associated. This target must include the Azure tenant ID, client ID, and client secret for a privileged app authorized to rotate credentials. You can find more information here about creating Azure AD Targets.
- Authentication Credentials: Choose how to authenticate:
- use-user-creds: Use credentials defined on the rotated secret item.
- use-target-creds: Use credentials of the privileged Azure app defined inside the Azure Target item.
- Rotator Type: Select the type of credentials to be rotated:
- api-key: Rotate the client secret specified in the rotated secret.
- API ID: Define the client secret ID of the Azure app whose client secret should be rotated.
- API Key: Define the client secret to rotate.
- Application ID: Define the ID of the Azure app that holds the secret being rotated.
- target: Rotate the client secret of the privileged app specified in the Azure Target.
- password: Rotate a user password in Azure Entra.
- api-key: Rotate the client secret specified in the rotated secret.
- Auto Rotate: Enable automatic key rotation to update the client secret regularly. Specify the automatic rotation interval in days and, optionally, the rotation hour.
- Set Up Gateway:
- Gateway URL: Ensure you have configured the Gateway URL to enable communication between the Akeyless SaaS and the Akeyless Gateway.
- Protection Key:
- You can select a protection key with a Customer Fragment to enable Zero-Knowledge encryption. This ensures that even Akeyless cannot decrypt the secrets.
- Save and Test:
- Save the rotated secret configuration.
- Test the configuration to ensure the rotation works as expected.
- Manually Rotating a Rotated Secret:
- You can manually rotate a rotated secret from the UI, as shown below:
- Monitor and Manage:
- Monitor the secret rotation logs and manage the secret versions through the Akeyless dashboard.
- Ensure that the secret is being rotated according to the defined policy.
For more detailed instructions, refer to the Akeyless documentation on creating an Azure rotated secret.
Step-by-Step Guide for Dynamic Secrets
Dynamic secrets are temporary credentials that are generated each time they are accessed, with a predefined time-to-live (TTL). Here’s how to set up and manage dynamic secrets for AWS using Akeyless:
Prerequisites
- Akeyless Gateway: Ensure you have an Akeyless Gateway configured.
- Set Up Akeyless Account:
- Create an account on Akeyless and log in to the dashboard.
- Define Dynamic Secret:
- Navigate to the ‘Items’ section and click on ‘New’.
- Select ‘Dynamic Secret’ and choose ‘AWS’ as the secret type.
- Configure Dynamic Secret:
- Name and Description: Provide a name and description for the dynamic secret.
- Location: Specify the path to the virtual folder where you want to create the new dynamic secret. If the folder does not exist, it will be created automatically.
- Target Mode:
- Existing AWS Target: Select an existing AWS target.
- Specify Target Properties: Provide details of the target AWS account (Access Key ID, Secret Access Key, Region).
- Access Mode: Select the AWS access mode, either iam_user or assumed_role.
- Policies: Provide the individual Policy ARN(s) available for this dynamic secret. Multiple values should be separated by a comma.
- Groups: Provide the UserGroup name(s). Multiple values should be separated by a comma.
- Role ARNs: Provide the allowed AWS Role ARNs to be used in the Assume Role mode.
- User Programmatic Access: Enable an Access ID and Access Key for the AWS API, CLI, SDK.
- User Console Access: Enable access to the AWS management console.
- Temporary Password Length: Set the length of the temporary password (relevant only for IAM User access mode).
- TTL (Time to Live): Set the TTL for the dynamic secret.
- Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.
- Gateway: Select the Gateway through which the dynamic secret will create users.
- Protection Key: Select a key with a Customer Fragment to enable Zero-Knowledge encryption.
- Save and Test:
- Save the dynamic secret configuration.
- Test the dynamic secret to ensure it generates temporary credentials as expected.
- Accessing Dynamic Secrets Using the UI:
- Go to the ‘Items’ section and select the dynamic secret you configured.
- Click ‘Get Dynamic Secret’ to generate temporary credentials.
- Review the generated credentials such as access key ID and secret access key for AWS.
- Note the TTL, which indicates how long the credentials are valid.
- Monitor and Manage:
- Monitor the usage of dynamic secrets through the Akeyless dashboard.
- Ensure that credentials are being generated and expired as expected.
For more detailed instructions, refer to the Akeyless documentation on creating AWS dynamic secrets.
Conclusion
Automated credential rotation is a cornerstone of modern data security strategies. With tools like Akeyless, businesses can secure their digital assets, comply with regulatory standards, and enhance their security framework. Organizations can reduce the risk of credentials and key compromise by automating and monitoring rotation and ensuring their data remains protected.
Ready to take your security to the next level? Explore the Akeyless solutions for secure credentials and key management and start fortifying your data protection strategies today. Visit our product pages for more information and to schedule a demo.
References
- October Customer Support Security Incident – Update and Recommended Actions | Okta Security
- Okta reveals October security breach was much more damaging | Biometric Update
- Okta October 2023 Security Incident Investigation Closure | Okta Security
- Sumo Logic Breach: What We Know So Far – Coralogix
- Sumo Logic 2023 – Public Cloud Security Breaches
- The Inside Story of Cloudflare’s Battle Against an Auth Token Breach and How It Could Have Been Prevented – Suridata
- Cloudflare Suffers Breach After Failing to Rotate Stolen Credentials – Infosecurity Magazine (infosecurity-magazine.com)
- 2024 Data Breach Investigations Report | Verizon
- Report – LP – Global – Pulse Report – Future of AppSec (checkmarx.com)
- The State of the Identity Attack Surface: Insights into Critical Protection Gaps