Unified and Secure Management for your Cloud Secrets

Is there a better practice when it comes to managing your password?

For a user, the simplest way is to store the password in plaintext as part of the build script. That is not good security practice, and it does not scale well. Hence, the solution is AWS Secrets Manager. Instead of hard-coding the credentials in the application, you store them in Secrets Manager, and when you need them, an API call to Secrets Manager returns the secret.

AWS Secrets Manager acts as a single authoritative secret store and makes the rotation of secrets easier and safer. It uses AWS KMS for encryption, IAM roles to restrict which services can access which secrets, and CloudTrail to record the API calls made for the secrets. It can also hold other sensitive values such as login credentials, database passwords and cloud vendor API secret keys, which change periodically and should never be hard-coded or stored in plaintext in the application.
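The retrieval-at-runtime pattern described above, with the rotation and caching behaviour that makes it practical, as an added example that is not part of the original post. It assumes the boto3 library, the real GetSecretValue API (which returns SecretString or SecretBinary), a placeholder secret name "prod/app/db" holding a JSON document with username and password, and a constructed in-memory stand-in for the Secrets Manager client so the code runs offline; the cache class and retry helper are illustrative names, not an AWS SDK feature.

```python
"""Fetch a credential from AWS Secrets Manager at runtime instead of hard-coding it.

Added example, not code from the original post or from AWS. Assumes boto3 and a
placeholder secret "prod/app/db" whose SecretString is JSON such as
{"username": "app", "password": "..."}.
"""
import json
import time
from typing import Any, Callable, Dict, Tuple


class SecretCache:
    """Small in-memory cache in front of the Secrets Manager API.

    A secret is fetched with GetSecretValue and kept for `ttl_seconds`, so a
    rotation is picked up without restarting the application and the API is
    not called on every use. Any object exposing get_secret_value(SecretId=...)
    can be injected as `client`; by default a real boto3 client is created.
    """

    def __init__(self, client: Any = None, ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if client is None:
            import boto3  # imported lazily so the module loads without boto3 installed
            client = boto3.client("secretsmanager")
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, Dict[str, Any]]] = {}

    @staticmethod
    def _parse(resp: Dict[str, Any]) -> Dict[str, Any]:
        # The API response carries either SecretString or SecretBinary.
        if "SecretString" not in resp:
            return {"binary": resp["SecretBinary"]}
        raw = resp["SecretString"]
        try:
            parsed = json.loads(raw)
        except ValueError:
            return {"value": raw}  # plain-string secret, not a JSON document
        return parsed if isinstance(parsed, dict) else {"value": raw}

    def get(self, secret_id: str, refresh: bool = False) -> Dict[str, Any]:
        now = self._clock()
        cached = self._entries.get(secret_id)
        if cached is not None and not refresh and cached[0] > now:
            return cached[1]
        # This is the API call the post refers to.
        resp = self._client.get_secret_value(SecretId=secret_id)
        value = self._parse(resp)
        self._entries[secret_id] = (now + self._ttl, value)
        return value


def connect_with_retry(cache: SecretCache, secret_id: str,
                       connect: Callable[[str, str], Any]) -> Any:
    """Use the secret; on an auth failure, refetch once in case it was just rotated."""
    creds = cache.get(secret_id)
    try:
        return connect(creds["username"], creds["password"])
    except PermissionError:
        creds = cache.get(secret_id, refresh=True)
        return connect(creds["username"], creds["password"])


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self.secrets = dict(secrets)  # secret_id -> SecretString
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        if SecretId not in self.secrets:
            raise KeyError(SecretId)  # the real client raises ResourceNotFoundException
        return {"Name": SecretId, "SecretString": self.secrets[SecretId]}


def demo() -> Dict[str, Any]:
    """Walk through a use, a cache hit, then a rotation picked up on auth failure."""
    secret_id = "prod/app/db"  # placeholder secret name
    sm = FakeSecretsManager({secret_id: json.dumps({"username": "app", "password": "v1"})})
    cache = SecretCache(client=sm, ttl_seconds=300)
    db_password = {"value": "v1"}  # what the (simulated) database currently accepts

    def connect(user: str, pw: str) -> str:
        if pw != db_password["value"]:
            raise PermissionError("authentication failed")
        return f"connected as {user} with {pw}"

    first = connect_with_retry(cache, secret_id, connect)
    second = connect_with_retry(cache, secret_id, connect)   # served from cache
    calls_after_two = sm.calls
    # Rotation: both the database and Secrets Manager now hold v2.
    db_password["value"] = "v2"
    sm.secrets[secret_id] = json.dumps({"username": "app", "password": "v2"})
    third = connect_with_retry(cache, secret_id, connect)    # cached v1 fails, refetch gets v2
    return {"first": first, "second": second, "calls_after_two": calls_after_two,
            "third": third, "calls_total": sm.calls}


if __name__ == "__main__":
    print(demo())
```

Replacing `FakeSecretsManager` with the default boto3 client needs only IAM permission for secretsmanager:GetSecretValue on that one secret; the cache TTL bounds how long a stale value is used when nothing fails, and the refetch-on-failure path covers the window right after a rotation.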


Challenges faced by our customers:

Credentials used in the application are sensitive customer data, since any leak of application credentials can lead to a privacy breach. Below are some concerns raised about credential storage and management:

Some passwords must be updated at regular intervals, which creates a burden for the development teams that have to update them in the application, and in some cases causes application downtime.

Storing passwords in plaintext is a security concern and is not recommended in a production environment.

If multiple applications use the same credentials, it is advisable to store those credentials in a single location so that they can be updated for all the applications at once.

In a production environment, how can we ensure that credentials are rotated at regular intervals to maintain a high level of security?


How can Data Privacy on iEDPS complement AWS Secrets Manager?

iEDPS provides a secrets management feature that creates secrets in a repository or in cloud vaults such as AWS Secrets Manager, giving a single point of management for all secret vaults. This feature also removes the user's dependency on the application's on-premise repository for storing the highly sensitive keys an application uses.

Once a secret key is created, no one can access or modify its value. Secret keys created through secrets management are used by the Encrypt/Decrypt feature, which lets a user encrypt or decrypt an entire datastore containing multiple tables in one go.


Secrets or credentials for any service should not be hard-coded in code or stored on a local file system. They should be updated at regular intervals, which improves the security of applications and prevents data breaches caused by credential leakage.

Thus, iEDPS can store the secret keys in several secrets managers apart from AWS Secrets Manager, including GCP Secret Manager and Azure Key Vault, which removes the need for developers to manage, secure and hard-code those secrets in applications. Additionally, it can be used to protect data at rest by encrypting or decrypting the entire data store.


Author: – Nashaa Taj

Author Details

Vijayalaxmi Vijayalaxmi

Vijayalaxmi Suvarna is a Senior System Engineer at Infosys Center for Emerging Technology Solutions, she leads the Marketing initiatives for the PrivacyNext iEDPS Platform. Her focus includes User Experience and online branding of Infosys Data Privacy offerings.
