Stop worrying. Start rotating.

Stop worrying. Start rotating.
Amir Shaked

Amir Shaked

VP R&D

Published on

July 11, 2024

As a cybersecurity practitioner, few things have caused me more headaches than rotating a critical secret. The process is always tricky: first, tracking down where the secret is being used, then identifying who owns it to facilitate the change, and finally, dealing with the fear of breaking something or disrupting critical service.

Over the years, I've noticed there are three types of companies when it comes to secret rotation. A significant number of companies, like in my case, try to manage it themselves, constantly fearing the chaos that might ensue if something goes wrong. Some companies have thrown in the towel, accepting the risks and not addressing the issue at all. For them, the fear of disrupting a service outweighs the potential risk of a security breach from not rotating passwords. Then there are those who enforce rotation only on specific identities (usually break-glass service accounts) through PAM solutions.

Which category does your company fall into, and more importantly, is there a better way?

Let's start from the beginning: why is it so important to rotate secrets?

The Importance of Secret Rotation

Rotation is the process of periodically updating a secret. The secret can be an API key, security credential, encryption key, or any other sensitive value. According to best practices, secrets should be rotated regularly—at least every 60 days. But, Why?

  • Non-human identities (NHIs) do not have additional measures such as multi-factor authentication (MFA) or privilege management, making regular secret rotation even more critical. 
  • Regularly rotating secrets reduces the window of opportunity for attackers. If they gain access to credentials—which is not that uncommon —Uber, Datadog, and OneLogin have had AWS Key breaches, just to name a few—those credentials quickly become obsolete, limiting potential damage.
  • Frequent rotation of secrets helps mitigate risks posed by insiders or former employees who might retain access to old credentials. 
  • Old, forgotten, or unused secrets can become security vulnerabilities. Regular rotation ensures that only current, necessary credentials are in use.

The Challenges of Secret Rotation

Despite its importance, rotating secrets is very complex: 

  • Manually updating secrets across multiple applications and services can be labor-intensive and time-consuming, especially as the number of non-human identities grows. 
  • The potential for errors is significant. Mistakes such as forgetting to update a secret in one location or misconfiguring a service can lead to downtime and even production disruption. 
  • Tracking the owner of each secret and determining which secrets need rotation, and ensuring all instances are updated correctly is challenging without the right tools. As demonstrated by the CloudFlare breach, failing to rotate just four non-human identities (NHIs) allowed hackers to gain access to the organization.
  • Legacy or older systems may not support modern secret rotation practices, making the process more complex and risky. Updating or replacing these systems to facilitate secret rotation can be costly and disruptive.

How Oasis Automates Secret Rotation

At Oasis, we understand the complexities of secret rotation and recognize that there are several scenarios to be accounted for. That's why we've developed a range of capabilities to help you rotate secrets safely and efficiently depending on the use case you want to resolve and the level of automation you want to leverage. Let's explore the options available to you and how Oasis can help your company get from 0 to 5.

  • Manual Rotation: For those who prefer to have complete control, Oasis notifies the user that the NHI is unrotated and how to solve it, providing a manual step-by-step process. The user needs to navigate to the 3rd party vendor to rotate the secret. 
  • On-demand Rotation: This on-demand option simplifies the process with a one-click integration. Oasis Posture Engine identifies a policy violation on the life of a secret, reports a posture risk, and provides a rapid response solution to remediate, in this case, by rotating the secret. Once Oasis notifies the user that the secret is unrotated, and after the user initiates the workflow, Oasis interacts with the third-party vendor to rotate the secret. This is a very common remediation scenario.
  • Policy-based Automatic Rotation: For those who want to take automation to the next level, Oasis offers a fully automatic mode. This type of action is configured by the user via policy and executed by Oasis autonomously, either for a single cycle or on a scheduled, permanent basis. Real lifecycle automation!

What Makes Oasis's Safe Secret Rotation Automation Special? 

It’s easy to get wowed by the automation capabilities that the Oasis platform provides when it comes to secret rotation orchestration, but there are other important unique aspects to consider:

  1. Oasis is an identity-centric solution. This means that when we rotate a secret, we do it with a complete understanding of the non-human identity that uses it. This is crucial because it allows Oasis to complete knowledge of the context - consumer, resources, and owners - in which the secret is used. As a result, we can actually realize the goal of SAFE rotation that doesn’t break things. 
Identity centric Rotation
  1. Oasis is Vault agnostic. This means we can integrate with various secret management systems, providing flexibility and compatibility with different vault solutions. This flexibility allows organizations to leverage Oasis's capabilities without being tied to a single vault provider.
  2. Oasis supports automated rotation across clouds. This cross-cloud functionality is a game changer for organizations operating in multi-cloud environments, ensuring consistent and secure secret management.
  3. Policy-driven controls. This means that rotations are governed by predefined policies, ensuring consistency, compliance, and security across the organization. Policies can be tailored to meet specific organizational requirements, providing a high level of control and customization.

Ready to enhance your secret management strategy? Contact us today to learn more about our secret rotation capabilities and how they can benefit your organization.

To learn more read the importance of Secret Rotation in ensuring security and compliance

More like this