Skip to content

What’s in a Secret? Best Practices for Static, Rotated and Dynamic Secrets

Stolen credentials, also known as secrets, are ranked as the leading cause of data breaches. Because of this, it’s important to know when and how to use different types of secrets. In this blog post, we’ll break down when it’s best to use static, rotated, or dynamic secrets. 

Static Secrets

First of all, there are static secrets, which is the most common type of secret. As the name suggests, static secrets don’t change over time, which means whoever has access to these secrets typically has long-standing access.  

With static secrets, it’s easy to store secrets in config files or hard-bake it into code. Hard-coding your credentials is the path of least resistance for many developers moving fast, but it can lead to scalability problems and serious security concerns. 

The biggest issue with static secrets, however, is that they don’t change. If a malicious actor gets hold of a static secret, they could have access to sensitive information indefinitely, and without your knowledge.

There are times, however, when it’s necessary to use static secrets. 

In this case, it’s best to use static secrets with a secrets manager that injects the secrets where you need them. Instead of using secrets directly, in code or otherwise, you simply have to reference the secrets management platform. This prevents sharing and proliferation of the secret across teams and infrastructure, reducing risk of breach. In addition, when you use a secrets management tool, you can simply change the secret in one place and have it populate across your infrastructure, decreasing time to production.  

Rotated Secrets

Next, you can have rotated secrets, which are secrets that are replaced every set period of time. Changing secrets regularly is highly recommended and often required if your business follows security standards like PCI DSS (which mandates up to a 90-day rotation cycle).

Usually, rotated secrets are best used for long-standing accounts that need extra protection, such as an Administrator account or a root account for databases. Rotating secrets ensures that stolen credentials can’t be used for long, especially if they are rotated frequently. 

Implementing rotated secrets can be difficult—If you rotate secrets manually, it can be a heavy lift for IT teams. In addition, credential rotation must be logged for audits, which adds another layer of operational burden.

Although rotated secrets are often more secure than static secrets, they can still be a source of risk depending on how often secrets are rotated. For example, if rotated secrets are stored in configuration files, and pushed up to a Git repository, this could expose sensitive infrastructure. Even if the secret was scheduled to be rotated in the next 90 days, that still gives a large window for the exposed credentials to be used maliciously. That’s why frequent rotation through automated processes is recommended for optimal security. 

Dynamic Secrets

The last type of secret is dynamic secrets, or just-in-time secrets. Dynamic secrets expire after a set period of time, which makes them best used for infrastructure that is ephemeral. 

Dynamic secrets are core to implementing zero trust, a gold standard in security where secrets are only provisioned when they are needed, and expire after they are used. In this scenario, all access is temporary, creating very low risk for credential theft and breach.

Similar to the other two types of secrets, dynamic secrets are best implemented in a secrets management platform that automates the process. Using these platforms, users can easily create temporary service accounts when needed, or integrate dynamic secrets into infrastructure as code with tools like Terraform. 

Although dynamic secrets are the gold standard, many companies still don’t put it into practice. Implementing dynamic secrets can require a culture shift, as well as an up-front time and energy investment. 

The Akeyless Platform: Static, Rotated, and Dynamic Secrets

Akeyless is a secure, API-driven SaaS platform that makes it easy to implement static, rotated, and dynamic secrets across your infrastructure. With support for any cloud or on-prem infrastructure, you can control and manage all your secrets in one place.

  • Static secrets: Akeyless supports any secret string, such as passwords, API keys and even complete configuration files. 
  • Rotated secrets: Akeyless makes it easy to automatically rotate secrets across your infrastructure while everything is logged for compliance needs.
  • Dynamic secrets: Make dynamic secrets a reality by using Akeyless to automatically create temporary accounts and expire them when needed.  

Want to see Akeyless in action? Book a free demo today.


See Akeyless in Action

Get a Demo certification folder key