The Importance of Secret Rotation in Ensuring Security and Compliance

Yonit Glozshtein

Director of Product Management

Published on

July 2, 2024

Secret rotation might not be the first thing that comes to mind when thinking about cybersecurity, but it is a critical practice for any organization. Whether it is a response to a breach, a compliance requirement, or simply a matter of operational efficiency, it is indispensable. But if secret rotation is so important, why is it so often overlooked, and why are the current solutions on the market not enough to keep your data secure?

Let’s first explore why rotating secrets is important in the first place.

Respond to an attack or potential exposure: One primary reason for rotating secrets is to respond to security breaches. Consider Cloudflare, for example. When they discovered that Okta had been compromised, their immediate priority was to rotate all exposed credentials to prevent further exposure. When an attack happens to you or to a third party, you do not want to leave your digital keys out in the open. 

Meet regulatory compliance and audits: Another reason for secret rotation is compliance with regulatory frameworks and laws. Auditors need proof that your organization manages its identities securely and adheres to the necessary standards. While the primary focus is often on privileged identities, it's important to manage all secrets to ensure comprehensive compliance and prevent issues such as lateral movement within the organization. This approach not only helps in passing audits but also in maintaining overall security hygiene across the organization.

Keep up with organizational changes: Changes in a company's organizational structure require a review to determine if secret rotation is needed. When employees join, move within, or leave the company, their permissions must be reassessed and reassigned. This review should not only focus on users and roles within specific applications but also consider any privileged information and secrets the employee had access to.

For instance, if an employee who had access to sensitive information leaves, you must ensure they no longer have that access; simply decommissioning their identity in your Identity Governance and Administration (IGA) system or source of truth is not enough. Similarly, when employees move to different roles, their permissions need to be adjusted to prevent excessive access. This ongoing reassessment is crucial for maintaining security integrity and ensuring that only authorized individuals have access to any company assets, including non-human accounts and secrets.

Maintain business continuity: Operational issues also drive the need for secret rotation. Expired secrets can cause applications to break or fall out of sync, necessitating the creation of new secrets and updating configurations to maintain functionality. 

Common pitfalls, misconceptions, and challenges of secret rotation 

  • “If we properly offboard employees when they leave my company, they no longer have access to any company assets, including non-human accounts and secrets.”

A common misconception is that closing an employee’s account upon offboarding is sufficient to secure secrets and non-human identities (NHI). However, decommissioning or even deleting the employee's account in the authoritative source or IGA may not stop the former employee's access to an NHI. Non-human identities represent resources, which can be on-premises within your perimeter or cloud services accessible directly from the internet. In the case of resources in the cloud, NHI is the perimeter, and you only need the NHI to authenticate to the cloud or SaaS. This means that if the employee knows the resource and its secret, they could still gain access from their home.

  • “If we have robust monitoring tools in place, we can detect and prevent unauthorized access to all sensitive information.”

Another misconception is that monitoring tools alone can detect and prevent unauthorized access to all sensitive information. Some organizations believe that having tools like CSPM (Cloud Security Posture Management) or ITDR (Identity Threat Detection and Response) is enough to alert them of any security issues. While these tools are helpful, they do not eliminate the need for secret rotation. They might detect anomalies, but the response to these alerts often requires rotating and managing secrets to mitigate the risks. This process needs to be addressed manually, making the task time-consuming and labor-intensive.

  • "If our secrets are stored securely in a vault, we don't need to worry about regular rotation."

Storing secrets in a vault provides a layer of security, but it does not eliminate the need for regular secret rotation. Secrets can still be exposed or compromised through various means, such as phishing attacks or insider threats. Without a proper discovery tool, it is challenging to identify whether any secrets are used directly and not stored in a vault. Even though most organizations implement processes to ensure that everyone uses vaults, such policies are not enforceable on their own. Therefore, you need a tool that shows all the secrets, how they're being used, and by whom. In addition, regular rotation ensures that even if a secret is compromised, its usability is limited, maintaining the overall security of your systems.

  • "If we use secret scanners, we can identify and secure all shared secrets."

Detection tools like secret scanners can identify shared secrets on platforms like Slack, but they can't cover all possible avenues, such as WhatsApp or email. It’s unrealistic to assume that all environments can be scanned completely. Hence, rotating and managing secrets remains essential, regardless of the detection tools in place. Regular rotation and proactive management ensure that secrets remain secure and minimize the risk of exposure through unmonitored channels.

Automation is key. Stop the scream test

In many cases, secret rotation is performed only as a last-resort, brute-force measure rather than being operationalized programmatically. We are all familiar with the notion of the "scream test,” which generally consists of removing an item and waiting for the screams when something breaks. If someone screams, put it back. In this particular case, secrets are disabled to see who complains (indicating the secret’s active use). In addition to being dangerous for business continuity, this manual process is tedious, not comprehensive, not repeatable, and leads to oversight, inefficiency, and increased risk of exposure.

Automated tools and processes are essential for ensuring comprehensive, efficient, and repeatable secret management across the organization. Only with reliable automation can we make secret rotation a seamless, programmatic process that just works in the background without causing unnecessary operational disruption or putting business continuity at risk.
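The two points above (a discovery view of which secrets exist, who owns them and when they were last used, and rotation that does not rely on the scream test) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Oasis code and it is not backed by any real vault. Every name and value in it is constructed: the store keeps only hashes of secret values, rotation issues a new version while the old one stays valid for an overlap (grace) window so consumers can migrate, a reconcile step retires superseded versions once the window closes and flags secrets that are overdue for rotation or have never been used, and the inventory answers "which secrets, whose, used when".

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def _digest(value: str) -> str:
    # The store holds only a hash, never the plaintext secret.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class SecretVersion:
    digest: str
    created_at: datetime
    last_used_at: datetime | None = None
    retire_after: datetime | None = None  # set once a newer version supersedes it
    retired: bool = False


@dataclass
class ManagedSecret:
    name: str
    owner: str  # hypothetical team accountable for this non-human identity
    max_age: timedelta
    versions: list[SecretVersion] = field(default_factory=list)


class SecretStore:
    """Constructed in-memory stand-in for a vault plus a discovery inventory."""

    def __init__(self) -> None:
        self._secrets: dict[str, ManagedSecret] = {}

    def create(self, name: str, owner: str, now: datetime,
               max_age: timedelta = timedelta(days=90)) -> str:
        value = secrets.token_urlsafe(32)
        self._secrets[name] = ManagedSecret(name, owner, max_age,
                                            [SecretVersion(_digest(value), now)])
        return value

    def authenticate(self, name: str, presented: str, now: datetime) -> bool:
        """Accept any non-retired version and record when it was last used."""
        managed = self._secrets.get(name)
        if managed is None:
            return False
        presented_digest = _digest(presented)
        for version in managed.versions:
            if not version.retired and hmac.compare_digest(version.digest, presented_digest):
                version.last_used_at = now
                return True
        return False

    def rotate(self, name: str, now: datetime,
               grace: timedelta = timedelta(hours=24)) -> str:
        """Issue a new version; the old one stays valid until the grace window ends."""
        managed = self._secrets[name]
        for version in managed.versions:
            if not version.retired and version.retire_after is None:
                version.retire_after = now + grace
        value = secrets.token_urlsafe(32)
        managed.versions.append(SecretVersion(_digest(value), now))
        return value

    def reconcile(self, now: datetime) -> dict[str, list[str]]:
        """Retire superseded versions past grace; flag overdue and never-used secrets."""
        report: dict[str, list[str]] = {"retired": [], "overdue": [], "unused": []}
        for managed in self._secrets.values():
            for version in managed.versions:
                if (version.retire_after is not None and now >= version.retire_after
                        and not version.retired):
                    version.retired = True
                    report["retired"].append(managed.name)
            current = managed.versions[-1]
            if now - current.created_at >= managed.max_age:
                report["overdue"].append(managed.name)
            if current.last_used_at is None and now - current.created_at >= timedelta(days=7):
                report["unused"].append(managed.name)  # candidate for removal, not just rotation
        return report

    def inventory(self) -> list[dict]:
        """Which secrets exist, who owns them, and when a live version was last used."""
        return [{"name": m.name, "owner": m.owner,
                 "active_versions": sum(1 for v in m.versions if not v.retired),
                 "last_used": max((v.last_used_at for v in m.versions if v.last_used_at),
                                  default=None)}
                for m in self._secrets.values()]


def demo() -> dict:
    """One rotation cycle on a constructed secret; returns what was observed."""
    store = SecretStore()
    t0 = datetime(2024, 7, 1, tzinfo=timezone.utc)
    old = store.create("billing-api-key", owner="payments-team", now=t0)
    new = store.rotate("billing-api-key", now=t0, grace=timedelta(hours=24))
    both_valid = (store.authenticate("billing-api-key", old, t0 + timedelta(hours=1))
                  and store.authenticate("billing-api-key", new, t0 + timedelta(hours=2)))
    report = store.reconcile(t0 + timedelta(hours=25))
    return {"both_valid_during_grace": both_valid,
            "retired": report["retired"],
            "old_valid_after_grace": store.authenticate("billing-api-key", old, t0 + timedelta(hours=26)),
            "new_valid_after_grace": store.authenticate("billing-api-key", new, t0 + timedelta(hours=26)),
            "inventory": store.inventory()}


if __name__ == "__main__":
    print(demo())
```

The grace window is what replaces the scream test: both versions authenticate while consumers are moved over, and the old one is retired on a schedule rather than by waiting for an outage. The `unused` list in the reconcile report is the other half of the discovery problem the post describes, since a secret nobody has used since it was issued is a candidate for removal rather than for another rotation.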

In the next chapter of our mini-series, we will discuss how Oasis solves these critical challenges.
