Just-In-Time: The Next Level of Software Supply Chain Security 

As explained in a recent blog post, Software Supply Chain Attacks are prevalent in today’s corporate infrastructures. In a supply chain attack, attackers make their way into the chain of resources that make up the final software product, frequently by abusing valid credentials they obtained due to careless programming practices (Secret Sprawl). Once they have established access, they succeed in stealthily embedding malicious software into a trusted, widely used software product. Unfortunately, there are many points of entry for attackers, but stolen or leaked credentials are by far the most common cause of such security breaches.

A fundamental risk associated with how most secrets (such as credentials, certificates, and keys) are currently used is that they are static. Secrets that are not regularly updated provide a large window of opportunity for an attacker to use them.

Using a Secrets Management solution enables organizations to limit the risk of static secrets by automatically and frequently rotating them to shorten their life cycle without disrupting the workflows of the identities that use these secrets.

Elevated Security with Just-in-Time Access

The next level of protection against leaked credentials is to reduce the usage of even rotated static secrets and migrate away from a world of long-standing privileges. The way to do this is to use dynamic secrets, also known as “Just-in-Time” secrets. Just-In-Time (JIT) is a term borrowed from the manufacturing industry, where materials are ordered only when needed, to improve efficiency. In the case of Secrets Management, Just-In-Time or dynamic secrets provide clients (either human or machine identities) with access to a resource using the minimum privileges they need to accomplish a specific task, for the minimum time required. Secrets are created anew for each connection and immediately expire, so they’re only valid for seconds or minutes, as opposed to days or months for static secrets. If compromised, dynamic secrets are almost immediately useless to an attacker – by the time they are used, they have already expired.

Let’s observe a practical, real-world scenario, where an application wants to access a database on AWS. The steps below describe how an application requests credentials for the AWS database from the Akeyless Platform, which then provisions the appropriate, temporary credentials on the AWS platform and provides the details to the application.

  1. App requests access to Amazon DB
  2. Secrets Orchestration Platform creates short-lived credentials with privileges for App’s role
  3. Secrets Orchestration Platform shares credentials with App
  4. App has access to DB with ephemeral credentials
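To make the four steps concrete, here is an added, self-contained simulation of a dynamic-secrets broker (illustrative code written for this article, not Akeyless’s implementation or API): a role maps to a least-privilege policy, each request mints a fresh per-connection credential with a TTL, and the resource side rejects the credential once the TTL has passed, which is why a leaked dynamic secret is of little use. The role policy, TTL and clock injection are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample policy: each role gets only the privileges its task needs.
ROLE_PRIVILEGES = {
    "report-app": {"db": "orders", "privileges": ("SELECT",)},
    "etl-job": {"db": "orders", "privileges": ("SELECT", "INSERT")},
}


@dataclass(frozen=True)
class Credential:
    username: str
    password: str
    db: str
    privileges: tuple
    expires_at: float  # absolute time after which the credential is dead


class DynamicSecretsBroker:
    """Issues a new credential per connection and expires it after ttl_seconds."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self.issued = {}            # username -> Credential (the resource's view)

    def issue(self, role):
        """Step 2/3: mint short-lived credentials scoped to the role's policy."""
        policy = ROLE_PRIVILEGES[role]
        username = f"{role}-{secrets.token_hex(4)}"   # unique per connection
        cred = Credential(username, secrets.token_urlsafe(24), policy["db"],
                          tuple(policy["privileges"]), self.clock() + self.ttl)
        self.issued[username] = cred
        return cred

    def authenticate(self, username, password, db, action):
        """Step 4, resource side: accept only unexpired, in-scope credentials."""
        cred = self.issued.get(username)
        if cred is None or not secrets.compare_digest(cred.password, password):
            return False
        if self.clock() >= cred.expires_at:
            self.issued.pop(username, None)   # expired: revoke the account
            return False
        return cred.db == db and action in cred.privileges
```

Run with a fake clock to see that the same credential is accepted before the TTL and rejected (and revoked) after it, while a second request for the same role yields a different credential.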

Akeyless Secrets Orchestration Platform for Automated Rotation and JIT access

Akeyless allows organizations to reduce the risk of supply chain attacks by improving security around secret usage with frequent, automated rotation mechanisms, as well as Just-In-Time access scenarios. The Akeyless Secrets Orchestration Platform is a purpose-built SaaS solution that revolutionizes the connection process for human-to-machine (H2M) communications and especially for machine-to-machine (M2M) communications. JIT drastically reduces the risk of secret leaks that result in software supply chain attacks.

Akeyless provides out-of-the-box JIT access for many different targets, including:

  • Databases such as MySQL, PostgreSQL, MongoDB, Snowflake, and others
  • Cloud Platforms (Azure, AWS, GCP)
  • GitHub
  • Kubernetes
  • Chef
  • And many more

To see how simple it is to move your organization away from the dangers of long-standing privileges, book a demo with Akeyless.