Posted by Ori Mankali
October 27, 2022
A world without credential rotation
Credential rotation isn’t always simple or easy. Many companies with on-prem machines or legacy systems are forced to rotate their credentials manually (and some choose not to rotate at all).
Without regular credential rotation, the security concern is clear: if someone unauthorized gets access to those credentials, they have access forever. There’s no backup plan.
In addition, without rotation for on-prem infrastructure, there’s no way for companies to know when an unauthorized party uses stolen credentials. Since credentials don’t expire, they can be used again and again.
Enter Akeyless Universal Identity, a powerful, lightweight authentication method you can easily implement on any operating system, including on-prem machines.
Universal Identity Authentication on any machine
Universal Identity can be implemented on any Windows, Linux, or MacOS machine. This opens up a world of possibilities for on-prem infrastructure, because it enables automated rotation of these machines’ credentials. It provides a solution to secret zero that is not reliant on cloud tooling and isn’t limited to cloud infrastructure.
With Akeyless, the Universal Identity auth method is simple—you can use Windows Task Scheduler, a CRON job, or a similar scheduler, to run a script that rotates an identity token. This is a lightweight solution that can be easily implemented on any operating system, including on-prem machines.
The benefits of Universal Identity Authentication for credential rotation
Universal Identity authentication has two main benefits.
First, it enables easy credential rotation.
Once tokens expire, they can be set via a task scheduler to rotate at set intervals on any operating system. When a new token is generated, it invalidates the expiring token.
If someone were to gain illicit access to one of your existing tokens, it would likely expire before it could be used.
In addition, if a hacker tried to rotate the token themselves, the previous token would become invalid. Authorized token requests would fail, alerting the company immediately to malicious activity.
Second, Universal Identity tokens can create child tokens.
Child tokens are able to have a sub-set of permissions from its parent. They also have their own time-to-live and can rotate. Like other authentication structures, child tokens can have their own child and sibling tokens. The configuration of the auth tree fits your use case, allowing credential rotation to scale.
Without this mechanism, token rotation is an operational burden. For example, when a token is rotated at one location, the other location with the token will stop working, and vice versa. With Universal Identity, each token can rotate on its own without dependency on other tokens.
In summary, Universal Identity is an authentication method that companies can use to manage secrets for on-prem infrastructure without heavy deployment costs. Many other secrets management tools don’t effectively address the complexity of hybrid infrastructure for modern enterprise companies. This leads to frustrated engineers trying to hack together pieces to get the results they want. With Akeyless, this solution is ready to use out-of-the-box as part of the standard SaaS deployment.