Question: Are credentials, API keys, and secrets securely stored, rotated, and access-controlled?
Objective — Why This Matters
Hardcoded or plain-text secrets are a direct path to compromise. Central secret management enforces encryption, rotation, and controlled distribution.
Maturity Levels (0 – 5)
Level 0 – Secrets stored in code or configs.
Level 1 – Manual encryption or shared files.
Level 2 – Secrets vault implemented; manual rotations.
Level 3 – Automated rotation; role-based access.
Level 4 – Dynamic secrets and audit logging.
Level 5 – Fully automated vault with just-in-time secrets and zero standing privilege.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 2 | Deploy a vault; remove plain-text secrets. |
| 2 → 3 | Automate rotations and enable RBAC. |
| 3 → 4 | Integrate audit logs and dynamic secret issuance. |
| 4 → 5 | Implement JIT credentials and full automation. |
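As an added example (not from this document or from any of the tools it names), the following Python script illustrates the first half of the 0 → 2 action: finding plain-text secrets in source and config files before they are moved into a vault. It flags the publicly documented AWS access key ID shape and quoted password/secret/api_key/token assignments, uses a Shannon-entropy check so placeholders like "changeme" and vault or environment references like "${VAULT_TOKEN}" are not counted, and reports each hit redacted. The entropy threshold, the pattern list and the sample config are assumptions chosen for illustration; the count it returns is one input to the "number of static credentials in code repos" KPI below.

```python
import math
import re
from dataclasses import dataclass

# Credential shapes to look for. The AWS access key ID format (AKIA plus 16
# upper-case alphanumerics) is publicly documented; the assignment pattern
# catches quoted password/secret/api_key/token literals in configs and source.
# Both patterns are illustrative assumptions, not an exhaustive rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never report the full value back into a log or ticket


def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, dictionary words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a 4-character prefix so the owner can identify the key, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one Finding per probable hardcoded credential in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if kind == "assigned_secret":
                    value = match.group(2)
                    # Skip vault/env references and low-entropy placeholders
                    # such as "changeme"; those are not secrets to count.
                    if value.startswith("${") or shannon_entropy(value) < entropy_threshold:
                        continue
                else:
                    value = match.group(0)
                findings.append(Finding(line_no, kind, redact(value)))
    return findings


def count_static_credentials(text: str) -> int:
    """Contribution of one file to the 'static credentials in code repos' KPI."""
    return len(scan_text(text))


# Constructed sample of a config file as it might look before vault migration.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE_CONFIG = """\
db_host = "db.internal"
db_password = "changeme"
api_key = "xK9#mQ2vLp7$wZ4r"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
vault_token = "${VAULT_TOKEN}"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
    print("static credentials:", count_static_credentials(SAMPLE_CONFIG))
```

Running this over a checkout (for example by feeding each tracked file to `scan_text`) gives a repeatable baseline; the same check wired into a pre-commit hook or CI job is what stops the count from growing again once the vault is in place.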
People / Process / Technology Enablers
People – DevOps, Security Engineer.
Process – Key lifecycle policy, approval matrix.
Technology – HashiCorp Vault, Sealed Secrets, Doppler.
Evidence Required
Vault policies, rotation logs, audit trails.
Metrics / KPIs
• Number of static credentials in code repos
• Percentage of secrets with automated rotation enabled
• Average time to revoke compromised keys
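To make the three KPIs above measurable rather than aspirational, here is an added Python example (not part of this document) that computes them from a secret inventory and a revocation log. The inventory and event records are constructed sample data, and the field names, the 90-day rotation policy and the assumption that every secret is tagged with where it lives ("code", "config" or "vault") are illustrative choices; a real deployment would export the inventory from the vault and the events from the incident tracker.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SecretRecord:
    name: str
    location: str        # "code", "config" or "vault" (assumed tagging scheme)
    auto_rotation: bool  # True when the vault rotates it without a human
    last_rotated: datetime


@dataclass
class RevocationEvent:
    secret: str
    compromise_detected: datetime
    revoked: datetime


def static_credentials_in_repos(inventory) -> int:
    """KPI 1: secrets still living in code or config rather than the vault."""
    return sum(1 for s in inventory if s.location in ("code", "config"))


def rotation_coverage_pct(inventory) -> float:
    """KPI 2: percentage of all secrets with automated rotation enabled."""
    if not inventory:
        return 0.0
    return 100.0 * sum(1 for s in inventory if s.auto_rotation) / len(inventory)


def overdue_rotations(inventory, now: datetime, max_age: timedelta) -> list:
    """Secrets older than the rotation policy; the evidence behind KPI 2."""
    return [s.name for s in inventory if now - s.last_rotated > max_age]


def mean_time_to_revoke(events) -> timedelta:
    """KPI 3: average gap between detecting a compromise and revoking the key."""
    if not events:
        return timedelta(0)
    total = sum((e.revoked - e.compromise_detected for e in events), timedelta(0))
    return total / len(events)


# Constructed sample data: five secrets, two of them still outside the vault.
NOW = datetime(2024, 6, 1)
INVENTORY = [
    SecretRecord("payments_db_password", "vault", True, NOW - timedelta(days=10)),
    SecretRecord("ci_deploy_token", "vault", True, NOW - timedelta(days=25)),
    SecretRecord("sms_gateway_api_key", "vault", True, NOW - timedelta(days=40)),
    SecretRecord("legacy_ftp_password", "config", False, NOW - timedelta(days=400)),
    SecretRecord("analytics_api_key", "code", False, NOW - timedelta(days=60)),
]

# Constructed revocation log: two incidents, revoked after 30 and 90 minutes.
EVENTS = [
    RevocationEvent("ci_deploy_token", datetime(2024, 5, 3, 9, 0), datetime(2024, 5, 3, 9, 30)),
    RevocationEvent("analytics_api_key", datetime(2024, 5, 20, 14, 0), datetime(2024, 5, 20, 15, 30)),
]

ROTATION_POLICY = timedelta(days=90)  # assumed maximum secret age

if __name__ == "__main__":
    print("static credentials in repos:", static_credentials_in_repos(INVENTORY))
    print("automated rotation coverage: %.1f%%" % rotation_coverage_pct(INVENTORY))
    print("overdue rotations:", overdue_rotations(INVENTORY, NOW, ROTATION_POLICY))
    print("mean time to revoke:", mean_time_to_revoke(EVENTS))
```

The overdue list is the item to watch during the 2 → 3 step: a rising coverage percentage with a non-empty overdue list usually means rotation was enabled in the vault but the consuming services were never switched to read from it.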
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Vault | HashiCorp Vault (OSS) | Central secret lifecycle control. |
| Rotation | Kubernetes Sealed Secrets | Encrypt secrets per namespace. |
| Audit | Wazuh / ELK | Monitor secret access and rotations. |
Common Pitfalls
Developers bypass vaults; delayed revocation of credentials.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.8.11 / A.5.15. |
| NIST CSF 2.0 | PR.AC-1 / PR.DS-1. |
| CERT-In 2022 | Secure credential storage. |
| NIRMATA Scoring | IS-Q08 ≥ Level 4 requires dynamic rotation and auditing. |