SM-08

SM-08 CloudGovCo
  • A secret is created by a user with sufficient privileges. The communication channel between the user and the application should be secure and mutually authenticated.
  • The application (or application component) is responsible for authenticating and authorizing users and services.
  • Every administrative operation on the secret is logged.
  • A secret may be created, updated, or revoked via a back-end application used by the application the user is engaging with. Communication with the back-end application should be encrypted and mutually authenticated.
  • The secret is stored in sealed storage, which can only be decrypted using an “unseal” key. The unseal key is stored in a secure, separate location.
  • For additional security, the secret itself may be encrypted for its consuming container.
  • Nodes (container hosts) receive the secret (or encrypted secret) over an encrypted and mutually authenticated channel.
  • Whenever a secret is transferred, updated, or removed from a container, the event is logged.
  • The secret is only available to the consuming container. For additional security, the secret can be encrypted so that it is only decryptable with the container’s private key.
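The delivery path in the last three points (secret encrypted for its consuming container, forwarded by the node as an opaque blob, every transfer logged), as an added Go example that is not part of the original page. `SecretService`, `Event`, `Deliver` and `Receive` are names invented here; the sealed-storage and unseal step is assumed to have already happened, and user authentication is assumed to be done by the application before `Create` is called.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Event is one audit entry; every create and transfer is logged.
type Event struct{ Action, Secret, Principal string }

// SecretService holds secrets already unsealed from storage (sealing is not
// modelled here) and hands them out encrypted for one consuming container.
type SecretService struct {
	secrets map[string][]byte
	Audit   []Event
}

func NewSecretService() *SecretService {
	return &SecretService{secrets: map[string][]byte{}}
}

// Create stores a secret for a user the application has already
// authenticated and authorized, and logs the administrative operation.
func (s *SecretService) Create(user, name string, value []byte) {
	s.secrets[name] = value
	s.Audit = append(s.Audit, Event{"create", name, user})
}

// Deliver encrypts the secret with RSA-OAEP under the container's public key,
// so the node forwarding the blob only handles ciphertext. The container name
// is bound in as the OAEP label, tying the blob to that identity as well.
func (s *SecretService) Deliver(name, container string, pub *rsa.PublicKey) ([]byte, error) {
	v, ok := s.secrets[name]
	if !ok {
		return nil, fmt.Errorf("unknown secret %q", name)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, v, []byte(container))
	if err != nil {
		return nil, err
	}
	s.Audit = append(s.Audit, Event{"transfer", name, container})
	return ct, nil
}

// Receive runs inside the consuming container: only its private key opens the blob.
func Receive(container string, priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, []byte(container))
}
```

A second container holding a different key pair, or the same key pair presented under another container name, cannot open the blob, and a failed delivery leaves no transfer entry in the audit trail.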