App Registration - Client Secrete Key Rotation

Sravan Kumar Mettu 40 Reputation points
2024-01-23T09:29:43.0633333+00:00

Hi There, We have registered GCP workload identity federation related app under Active Directory -> App registrations. Now as per the recommendations, Client Secrete Key needs to be rotated in every 180 days, which leads to operational overhead like restarting all our servers to reflect new keys in our production servers. What kind of security impact will it have if we set secrete key to never expiry (something like expire after 100 years) Or do we have any other good solution to avoid secrete key rotation? Regards, Sravan

Microsoft Entra
0 comments No comments
{count} votes

Accepted answer
  1. Abrar Adil S 246 Reputation points
    2024-01-23T09:43:12.9933333+00:00

    If the secret is set to expire after 100 years, it increases the risk if the secret is compromised and data will be breached until we have figured it would be too late, can you try to store the secret in a Azure Key Vault and configure the Key Rotation Policy with required Access so that it would not compromised and you might not need to restarting all our servers to reflect new keys in our production environment.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Deepanshu katara 13,840 Reputation points MVP
    2024-01-23T09:39:41.5833333+00:00

    Hi Sravan ,

    Here are some considerations regarding setting a secret key to never expire:

    1. Security Risks: If a key is compromised, the longer it is valid, the more time an attacker has to exploit it. Regularly rotating keys limits the exposure to potential breaches.
    2. Compliance Requirements: Depending on your industry and compliance standards, there may be specific requirements regarding key rotation. Not adhering to these standards could result in compliance violations.
    3. Operational Overhead: While key rotation does introduce operational overhead, it is a necessary security measure. Explore automation options to streamline the process and minimize the impact on production servers. Cloud providers often provide tools and APIs to facilitate key rotation without requiring server restarts.

    To address the operational overhead:

    Rolling Restart Strategy: Plan a rolling restart strategy for your servers so that they can pick up the new keys without causing downtime for the entire system.

    Please find the below link for step by step process to enable Rolling update for VMs/servers https://learn.microsoft.com/en-us/windows-server/failover-clustering/cluster-operating-system-rolling-upgrade

    If you have any other questions, please let me know.

    Thank you for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    0 comments No comments

  2. Sravan Kumar Mettu 40 Reputation points
    2024-01-23T12:37:09.3566667+00:00
    • @Deepanshu katara Thank you so much for the explanation. I too agree that never expiry is a potential risk solution. And we do have automation in place, but operations team takes atleast 80Hrs to spin the servers on rotational basis.
    • @Abrar Adil S - I liked the idea of having Azure Key Vault solution (main it centrally) and configure key rotation policy to access it. In this way we can avoid the storing the key in distributed environments which lead to operational overhead.
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.