When should you rotate your secrets?

Hackers are everywhere, looking for exploits, backdoors, or easy ways to gain access into your system. One common avenue of attack is due to weak or exposed secrets. The fact is, the longer a secret is around, the higher the odds that it has been accidentally exposed. For this reason, security professionals recommend that all development teams rotate their secrets “frequently.” But what is frequently? In truth, no concrete number works in all situations, so developers are left making judgment calls on the correct frequency, and all too often, it just becomes never.

This post will discuss the importance of secret rotation and some of the factors involved in secret rotation. These factors can help a development team determine proper secret rotation timelines and ideas on how to properly implement a rotation strategy for secrets.

Unexpected secret rotations: When the schedule goes out the window

There are times when secrets need to be rotated immediately, outside of any regular schedule.

1. Accidental exposure. There are several ways that secrets can be accidentally exposed. The most common is the unintentional push to GitHub.

1. Employee turnover. If one of your developers leaves the organization, and they had access to any of the company’s secrets, it is a good practice to switch them. Even when an employee leaves in good standing, any key or access the developer may have had is no longer in company control and could be at risk.
2. Phishing attack/compromised credentials. Maybe a hacker got in, or a developer opened an email that gave access to their local machine. At any rate, it is time to rotate all the credentials for the affected machines. It’s also not a bad idea to rotate credentials on services that connect with the compromised device, in case the hackers made advances into your systems. In 2022, Dropbox suffered a major data breach when several developers fell prey to a sophisticated phishing attack.

When an unscheduled secret rotation event occurs, does your team have a list of all the secrets in use? Who has/had access to those secrets, and when were the secrets last changed? Accidents are never planned, but having a plan to handle the accident is a critical part of your company’s operational security. At the very least, maintaining a list of all the secrets (or a location where secrets are stored) will help the team mitigate the situation.

A secrets management tool can be helpful in this situation. In addition to being the definitive list of secrets across all systems, many secrets management platforms can help you quickly rotate your secrets in the event of an exposure. If you are not using a secrets management tool that supports rotating secrets - you should!

Back to your regularly scheduled rotations

Emergencies aside, most teams fail not from hacks but from neglect. Regular rotation makes security proactive, not reactive.

The first question that arises when discussing secret rotation is,“How often should we rotate our secrets?” It would be amazing if there was a straightforward answer that everyone could follow, but the true answer is, “it depends.”

It depends on how critical the service is. The more critical the service is to your company, the more frequently secrets should be rotated. Some high-risk systems in finance or critical infrastructure may rotate secrets daily or even hourly! However, an API key to a service that provides public holidays in different countries is a pretty low-stakes attack vector. If the API key were compromised, there might be a small cost to the company, but it is unlikely to have large system-wide ramifications, and rotating the API key every 3 or 6 months might be sufficient.

Determining the right timeframe for secrets rotation

• Legal concerns: There are a number of privacy laws, like HIPAA, GDPR, and CCPA, on the books. These laws may not specify exact rotation schedules, but they all require “robust security measures to protect sensitive data.” Secrets that protect customer data relevant to these governmental legislations should be rotated at a higher frequency.
• Company policies: It might be that you are reading this post in order to create your company’s policy. But, if there is a rotation policy in effect, its rules should be followed. The rules should also be regularly examined and updated as security landscapes shift rapidly.
• Operational security: Does rotating a specific secret lock the database for 15 minutes? Will the website go down? Will employees be unable to access an essential system? For some secret rotations, advance planning (and specific timing windows) may be required. Maybe some systems are best rotated at the same time.

For each secret in your cloud/infrastructure, examine the importance of the system, legal ramifications and begin creating buckets of refresh times: hourly, daily, weekly, monthly, quarterly, etc. Carefully note any special cases where dependencies or windows must be adhered to during the rotation.

Bucketing your secrets into timeframes

The worst possible action in bucketing your secrets is inaction. We’ve all worked at companies that were lax in secret rotation, and a few of us have worked through breaches that had detrimental effects on the company (and were also detrimental to our hairlines/sleep patterns). So the first step is to bucket the secrets into timeframes.

Imagine you work for a company that handles schematics for top secret governmental plans. The critical applications that directly interface into the top-secret plans have secrets that are rotated hourly or daily. Secrets that provide access to adjacent applications are also at risk, so are rotated frequently (perhaps weekly). Then there are very low-impact credentials that might be updated quarterly or every six months.

Scheduling your secret rotations

Once you have your buckets of rotation timeframes in place, it is time to begin creating the rotation schedule. It’s probably best to rotate secrets early in the workday in case of any unexpected issues. Early in the secret rotation journey, it’s best to schedule a few secrets to be rotated during each period, rather than rotating all secrets at once. This reduces the surface area of any issues that might arise during the rotation period.

The most important part is to schedule the rotations and keep up with the schedule. If your company is using a secrets management tool, the secrets can be automatically rotated according to the schedules set in the tools.

Wrapping it all up

It’s a SecOps best practice to have a policy around rotating your company's secrets. By having a policy and procedures around secret rotation, your company is prepared for unexpected breaches, where immediate action must be taken, but is also committed to regularly scheduled rotations. The regular changing of company secrets makes it harder for your systems to be infiltrated and customer data exposed. High-risk secrets should be rotated more frequently, but all secrets should be rotated regularly.

As your company’s development and cloud infrastructure grows and evolves, manual secret rotation may become too cumbersome and time-consuming. Your security team might consider using secret management software like Doppler that allow for automated secret rotation. Once your secrets are set up in the management tool, they are all rotated on a programmed schedule. This gives the dev and security team the peace of mind that secrets are being held and rotated securely, allowing them to focus on more impactful parts of their role. Set up your account for free, and try rotated secrets as a part of a free trial to the Team level subscription.