by sjbase
4110 days ago
Storing secrets is fundamentally imperfect ("it's not a secret if someone [or something] else knows it"). This article calls for aid in the form of standards other than PCI-DSS, and those standards do actually exist. NIST 800-53 and 800-130 to name a couple; the EU has others in different industry flavors. Now, I'm not going to defend these govt. standards as up-to-date or comprehensive. But they're a good philosophical reference for how to manage keys/secrets. Some COTS technologies (which I won't advertise here) try to automate/enforce strong key management for infra, but are typically only affordable for enterprise deployments.

It's much easier to feel comfortable handing out secrets if each of them had a fixed lifespan. It reduces anxiety greatly.