Keeping your app’s secrets secret | Fortanix Blog

Building Blocks of Application Security

Application and information security teams need more proactive prevention; reactive detection is a necessary tool, but it should not be the main one in the arsenal. Getting ahead of adversarial code isn't trivial, but in practice it starts with a few simple steps. Secrets are the sentries to applications, and fortifying them requires a proactive approach, including:

1. Application inventory

- Every information security leader should commission an audit of all applications within the enterprise. With that list in hand, it is their responsibility to identify which applications are critical to the business or handle data that is sensitive to the customer. The list is by no means static: it should be re-evaluated periodically as security models mature and threats change. It should cover applications (and microservices) designed in-house as well as those consumed from external service providers.

2. Code and resource repository standards

- At a bare minimum, applications must encrypt data at rest transparently and protect it in transit, whether over the network or across process boundaries. There are also times when the computation itself must happen on protected data. These are usually privileged processes that act upon highly sensitive data, and they should do so either inside a secure enclave or on homomorphically encrypted data, after weighing the practicality of each approach: an enclave runs ordinary code at near-native speed but depends on hardware attestation, while homomorphic encryption needs no trusted hardware but supports a limited set of operations at a large performance cost.

3. Centralize secrets with dynamic credentials

- There is a multitude of services and products that claim to secure application secrets. As a CISO, it is incumbent on you to ask what actually makes a product or service secure. The answer comes down to one phrase: root of trust. Where does the master key that protects every other secret live, who can reach it, and can that be proven rather than asserted? Zero trust sharpens this question rather than removing it: once nothing is trusted because of where it sits on the network, trust has to be anchored in keys and identities that can be attested. Centralizing secrets in such a store also lets applications request short-lived, scoped credentials at the moment of use instead of carrying long-lived static ones.
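As an added illustration of centralizing secrets and issuing dynamic credentials (example code written for this page, not Fortanix's product or any real secrets manager; the class and function names, the app identifiers, the master key and the placeholder password are all hypothetical), the block below puts the static-secret anti-pattern next to a toy issuer that mints scoped, short-lived, revocable leases under a single master key, the root of trust the text refers to:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Anti-pattern: a long-lived secret embedded in the application. It sits in
# source control, in every image built from it and in every backup, and
# rotating it means redeploying everything that uses it.
DB_PASSWORD = "s3cr3t-prod-password"  # constructed placeholder, not a real credential


def connect_static() -> dict:
    """Every call presents the same credential, forever."""
    return {"user": "app", "password": DB_PASSWORD}


@dataclass(frozen=True)
class Lease:
    """A credential handed to one application, for one purpose, briefly."""
    cred_id: str
    secret: str
    app_id: str
    scope: str
    expires_at: float


class CredentialIssuer:
    """Hypothetical stand-in for a central secrets manager.

    Only the issuer holds the master key (the root of trust); in production it
    would live in an HSM or enclave. Applications never see it: they receive
    leases that are scoped, time-limited and revocable, and every decision
    is recorded in an audit trail.
    """

    def __init__(self, master_key: bytes, ttl_seconds: int = 300):
        self._master_key = master_key
        self._ttl = ttl_seconds
        self._leases: dict = {}
        self._revoked: set = set()
        self.audit: list = []

    def issue(self, app_id: str, scope: str, now: Optional[float] = None) -> Lease:
        now = time.time() if now is None else now
        cred_id = secrets.token_hex(8)
        expires_at = now + self._ttl
        # Bind the secret to (id, app, scope, expiry) under the master key, so a
        # lease cannot be replayed with a different scope or a later expiry.
        msg = f"{cred_id}|{app_id}|{scope}|{expires_at}".encode()
        secret = hmac.new(self._master_key, msg, hashlib.sha256).hexdigest()
        lease = Lease(cred_id, secret, app_id, scope, expires_at)
        self._leases[cred_id] = lease
        self.audit.append((now, "issue", f"{app_id}:{scope}:{cred_id}"))
        return lease

    def verify(self, cred_id: str, secret: str, scope: str, now: Optional[float] = None) -> bool:
        """Called by the resource (database, API) that receives the credential."""
        now = time.time() if now is None else now
        lease = self._leases.get(cred_id)
        if lease is None or cred_id in self._revoked:
            self.audit.append((now, "deny", f"unknown-or-revoked:{cred_id}"))
            return False
        if now >= lease.expires_at:
            self.audit.append((now, "deny", f"expired:{cred_id}"))
            return False
        if scope != lease.scope:
            self.audit.append((now, "deny", f"scope:{cred_id}"))
            return False
        # Constant-time comparison so the check itself does not leak the secret.
        ok = hmac.compare_digest(secret, lease.secret)
        self.audit.append((now, "allow" if ok else "deny", cred_id))
        return ok

    def revoke(self, cred_id: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._revoked.add(cred_id)
        self.audit.append((now, "revoke", cred_id))


def connect_dynamic(issuer: CredentialIssuer, app_id: str, scope: str,
                    now: Optional[float] = None) -> dict:
    """The application asks for a lease at use time instead of carrying a secret."""
    lease = issuer.issue(app_id, scope, now)
    return {"user": app_id, "cred_id": lease.cred_id, "password": lease.secret}


def demo() -> dict:
    """Walk the lease lifecycle with a fixed clock; returns each check's outcome."""
    t0 = 1_700_000_000.0  # constructed timestamp so the run is deterministic
    issuer = CredentialIssuer(master_key=secrets.token_bytes(32), ttl_seconds=300)
    conn = connect_dynamic(issuer, "billing-svc", "db:read", now=t0)
    cid, pw = conn["cred_id"], conn["password"]
    results = {
        "fresh": issuer.verify(cid, pw, "db:read", now=t0 + 10),
        "wrong_scope": issuer.verify(cid, pw, "db:write", now=t0 + 10),
        "wrong_secret": issuer.verify(cid, "x" * len(pw), "db:read", now=t0 + 10),
        "expired": issuer.verify(cid, pw, "db:read", now=t0 + 301),
    }
    issuer.revoke(cid, now=t0 + 20)
    results["after_revoke"] = issuer.verify(cid, pw, "db:read", now=t0 + 30)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:>12}: {'allowed' if allowed else 'denied'}")
```

Run it directly and each check prints allowed or denied. The point to notice is what the application no longer holds: no long-lived password in source or images, a credential that stops working on its own once the TTL passes, and an audit trail on the issuer showing who asked for what and which requests were refused. In a real deployment the master key would sit in an HSM or enclave, the leases would be actual database roles or API tokens, and the TTL would be measured in minutes.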

Secrets management: Summary

The age of automation is just beginning, and information security goes hand in hand with end-user privacy and business continuity. The steady stream of attacks should serve as a warning: many of them could have been thwarted by simple practices established gradually, over time, at the core of the enterprise. A secrets management solution that supports those practices should be:

  1. Flexible in its deployment model, whether on-premises, natively in the cloud, or some combination (hybrid, multi-cloud, etc.)
  2. Secure in a way that goes beyond the simple key-value store that most secrets management providers ultimately offer: the keys that protect the store itself must be anchored in a root of trust such as an HSM or enclave, not kept as just another secret on the same host
  3. Capable of connecting to other applications and services through open standards such as OAuth 2.0, OpenID Connect, SAML, LDAP, signed JWTs and PKI
  4. Proven to work for national agencies and regulatory bodies alike, since these entities have pivotal security considerations.

Fortanix

Fortanix™ has created the world’s first runtime encryption solution. Enterprises get provable, portable, and preventive security for their applications!