Handling and securing secrets
A secret is any piece of data that is sensitive within the context of an application or service: anything whose disclosure would let an attacker authenticate as that application or service, impersonate it, or decrypt the data it protects. Secrets must be protected through their entire lifecycle: generation, storage, distribution, use, rotation, and destruction.
Secrets include all of the following but are not limited to:
- Passwords of any type (database logins, OS accounts, functional IDs, and so on)
- API keys
- Long-lived authentication tokens (OAuth2, GitHub, IAM, and so on)
- SSH keys
- Encryption keys
- Other key material (private keys for PKI/TLS certificates, HMAC keys, signing keys, and so on)
Application providers should ensure:
- Secrets are generated and stored in the environment (for example, dev, test, or production) where your service is deployed, so that each environment has its own secrets.
- Secrets never leave their environment, and access to them is controlled. Service design should minimize the number of machines and people that can read a secret by combining authorization and network restrictions based on the principle of least privilege.
- Secrets are rotated in accordance with the requirements of the IBM Cloud Framework for Financial Services, with minimal or no downtime.
- Secrets are never stored in source code, configuration files, or documentation. A secret that has been committed to version control remains in the history after it is removed, so treat it as compromised and rotate it.
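The last requirement is the one most often broken by accident: a key pasted into a settings file or a test fixture is committed before anyone notices. The following script is an added example, not IBM's code and not part of the Framework. It scans file contents for committed secret material using two complementary heuristics, keyword patterns (private key headers, password and API key assignments) and a Shannon-entropy check on long base64-like strings that carry no keyword, and it skips templated placeholders such as `${DB_PASSWORD}`, which are the correct way to reference a secret injected from the deployment environment. The rule names, regexes, thresholds, and the sample file contents (including the fake keys) are all constructed for this example.

```python
"""Detect secret material committed to source or configuration files.

Added example: keyword rules plus a Shannon-entropy heuristic, both hand-tuned
for this illustration rather than taken from any IBM or Framework rule set.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from pathlib import Path

# Pattern rules (this example's own choices). Group 1, where present, is the
# candidate secret value so that placeholders can be filtered out.
SECRET_PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]{6,})"),
    "keyed_credential": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"),
}

# Values that are clearly placeholders or templated references, not secrets.
PLACEHOLDER_RE = re.compile(
    r"(?i)^(?:changeme|example|placeholder|x{3,}|\$\{[^}]*\}|<[^>]*>)$")

# Entropy heuristic for secrets with no keyword nearby. Tuned for precision:
# a 38-character camelCase identifier scores about 4.25 bits/char, a random
# 32-character base64 token close to 5. Short or low-entropy secrets are
# missed here and must be caught by the pattern rules.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character (0.0 for empty input)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[dict]:
    """Return at most one finding per line that looks like it carries a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDER_RE.match(value):
                continue  # "${DB_PASSWORD}" style injection is the desired pattern
            findings.append({"path": path, "line": lineno, "rule": rule})
            matched = True
            break
        if matched:
            continue
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "rule": "high_entropy_string"})
                break
    return findings


def scan_files(paths: list[str]) -> list[dict]:
    """Scan real files on disk (for example, a pre-commit hook's changed files)."""
    findings = []
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: not a text source file
        findings.extend(scan_text(p, text))
    return findings


# Constructed sample repository contents. The keys are fake, assembled for this
# example so that their entropy is known exactly; they are not real credentials.
SAMPLE_FILES = {
    "app/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "${DB_PASSWORD}"  # resolved from the deployment environment\n'
        'API_KEY = "aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV"  # fake key, hard-coded (bad)\n'
        'DEFAULT_HEADERS = {"X-Auth": "hZ3kQ9vLm2Xp7Rt4Wn8Yb5Cd6Fg1Hj0K"}  # fake, no keyword\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEfakekeymaterial\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "src/loader.py": (
        "class AbstractConfigurationLoaderFactoryImpl:\n"
        '    db_password = "<injected-from-secrets-manager>"  # template, filled at deploy time\n'
    ),
}


def scan_samples() -> list[dict]:
    """Run the scanner over the constructed sample files."""
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['path']}:{f['line']}: {f['rule']}")
```

Run on the samples, the scanner reports the hard-coded API key, the keyword-free high-entropy header value, and the private key file, and stays silent on the `${DB_PASSWORD}` and `<injected-from-secrets-manager>` placeholders and on the long class name. Wire `scan_files` into a pre-commit hook or a CI job over the changed files; maintained scanners such as gitleaks or trufflehog ship far larger rule sets, but the two heuristics shown here are the core of what they do.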
The following table lists the different solutions that you can use to protect your application secrets.
Scenario | What to use |
---|---|
You need to create, lease, and manage API keys, credentials, database configurations, and other secrets for your services and applications. | Use IBM Cloud Secrets Manager. |
You need to generate, renew, and manage TLS/SSL certificates for your deployments. | Use IBM Cloud Secrets Manager. |
You need to create and manage encryption keys. | Use Hyper Protect Crypto Services to manage encryption keys in a single-tenant service with dedicated hardware. |
You need secrets in your Red Hat OpenShift on IBM Cloud environment for microservices to connect to system resources. | Use Kubernetes secrets encrypted using Hyper Protect Crypto Services as your Key Management Service (KMS) provider. |
Related controls in IBM Cloud Framework for Financial Services
The following IBM Cloud Framework for Financial Services controls are the ones most closely related to this guidance. Following the guidance here does not by itself satisfy them; do your own due diligence to ensure that you meet the requirements.
Family | Control |
---|---|
Access Control (AC) | AC-2 Account Management |
Identification and Authentication (IA) | IA-2 User Identification and Authentication |
Identification and Authentication (IA) | IA-5 Authenticator Management |