Blog

Ensuring Database Security with Dynamic Secrets in Enterprise DevOps

Ensuring Database Security in the DevOps Pipeline with Dynamic Secrets
The traditional “vault-and-forward” method for secrets management means a user or application authenticates to the vault and then gets access to the secrets they need. The fundamental problem is once those secrets are out of the vault, it is extremely difficult to ensure their safety.

In the case of an application, the ways Secrets can be leaked is almost infinite. There is the code your team writes, commercial or open-source code that you add, as well as libraries, plug-ins, and extensions that are required. Any of those pieces may get access to the secrets and not properly protect them.

They may leave the secrets in memory, duplicate them to the hard drive, save them to a database, expose them to users or other applications, or even include the Secret in the logs. Even if all the code is secure, then you have to worry about the server configuration and potentially even network configuration were vulnerabilities that may be present. People can come back later to access the applications, databases, or tools the secrets are protecting

Also Read: The Importance of Monitoring in DevOps

If humans need to get involved with the secrets, then, of course, they might write them down or put them in an insecure spreadsheet or even share them with other people outside of the vault. This is even assuming they are not doing anything deceptive. With all of these secrets, they have standing access to come back later (maybe even after they leave the company) to access the applications, databases, or tools the secrets are protecting.

Of course, our response to this is that we need to rotate the secrets. But that causes another set of issues and questions your IT team needs to answer. How often do those secrets get rotated? Who is going to do the rotation, both in the vault and the target? How do we track and manage all of this?

A different approach is to use ephemeral, or dynamic secrets. The idea being when DevOps tools, applications, databases, or humans need to access the vault for secrets that provide access to a target, the vault generates short-lived secrets with fine-grained access control. If these secrets are leaked, then any would-be attacker is limited to what they can do by the fine-grained access control and they’ll have a limited time to do it because of the short timeframe before the secrets expire. Not only is this far more secure, but it removes the hassle of trying to track and rotate secrets.

Also Read: Shifting Left: The Evolving Role of Automation in DevOps Tools

DevOps Secrets Vault is designed to securely store and manage your secrets for applications, databases, and DevOps tools. It integrates with AWS, Azure, and GCP to create and deliver dynamic secrets. Read more about dynamic secrets for IaaS platforms here.

Beyond the IaaS providers, another place dynamic secrets are valuable is with databases. Because most databases don’t have the ability to generate dynamic secrets or have an API, DevOps Secrets Vault provides an engine to enable this ability.

Disclaimer- This article was originally published on www.securityboulevard.com

The following two tabs change content below.
BDCC

BDCC

Co-Founder & Director, Business Management
BDCC Global is a leading DevOps research company. We believe in sharing knowledge and increasing awareness, and to contribute to this cause, we try to include all the latest changes, news, and fresh content from the DevOps world into our blogs.
BDCC

About BDCC

BDCC Global is a leading DevOps research company. We believe in sharing knowledge and increasing awareness, and to contribute to this cause, we try to include all the latest changes, news, and fresh content from the DevOps world into our blogs.