# Secrets & Credentials

## Description
Secrets & Credentials include passwords, SSH keys, API keys, certificates, and any sensitive authentication materials used across the infrastructure and platforms.
## Asset Identification
| Attribute | Value |
|---|---|
| Asset ID | DAT-SEC-01 |
| CI Type | Information |
| Asset Name | Secrets & Credentials |
| Asset Category | Authentication Data |
| Owner | Security Role (Sec) |
| Status | Planned |
| Location | Secure Secrets Storage / Vault |
| Primary Function | Authentication, authorization, and access protection |
## Asset Dependencies
| Dependency Type | Asset | Status |
|---|---|---|
| Platform | Identity Management Platform | Planned |
| Platform | All Platform Assets | Planned |
| Information | Automation Playbooks | Planned |
## Relationships
| Relationship | Target CI |
|---|---|
| Supports | Secure Remote Access |
| Supports | Administrative Bastion Access |
| Supports | Platform Operations |
## Asset Classification
| Criteria | Level |
|---|---|
| Confidentiality | 🟥 High |
| Integrity | 🟥 High |
| Availability | 🟨 Medium |
Criticality score: 🟥 High

Rationale:
- Exposure of credentials would compromise the entire infrastructure, since these secrets grant access to every platform and dependent service.
- Integrity is essential to prevent unauthorized use: a tampered or substituted credential is as damaging as a leaked one.
- Availability is important but can tolerate short downtime, provided backup credentials exist and are stored separately.
## Responsibilities
| Role | Responsibility |
|---|---|
| Security Role (Sec) | Management, storage, and rotation of secrets |
| Operations Role (Ops) | Assist with secure integration into platform services |
| Development Role (Dev) | Use secrets in automation securely |
## Security Controls
- Vault-based storage with access control
- Encryption at rest and in transit
- Automated rotation and expiration policies
- Logging and audit trails of secret usage
## Security Considerations

Main risks include:
- Credential compromise
- Unauthorized access to secrets vault
- Improper distribution of keys
Mitigations:
- Role-based access control
- Strong encryption and rotation
- Monitoring and audit of access events
Methodological References:
- ISO 27001: Control 5.1 (Policies for information security); Control 8.2 (Privileged access rights); Control 8.3 (Information access restriction).
- NIST CSF: PR.AC (Identity Management, Authentication and Access Control); PR.DS (Data Security).
- EBIOS RM: secrets are treated as critical information assets that support threat scenario modelling and risk evaluation.