Secrets Management Integration

A secret, such as a password, is sensitive data. Fabric uses secrets in interfaces, Environments and the Fabric System Database to enable communication with external systems, so they must be protected and stored securely. Click here for further information about secured storage of secrets in Fabric.

Fabric also supports integration with Secrets Management services, which provide several benefits because the secrets are not stored in Fabric itself.

Secrets Management services are tools that aim to securely store, manage, access and audit sensitive information such as passwords, API keys and other credentials, across the organization. The features included in Secrets Management services are encryption, access controls, auditing and automatic rotation of secrets.

The advantages of Secrets Management are:

  • Reducing the risk of secret leaks when providing a secret for each client application.
  • Having a single source of truth, which can be better controlled, changed or rotated, manually or automatically.
  • Managing access to secrets with fine-grained authorization policies.
  • Detecting security breaches and attempted system access by analyzing audit logs and alerts, which provide a detailed history of client interactions and can also guide security policy enforcement.

Fabric supports integration with various external Secrets Management services, in which case Fabric does not store the secrets but rather their reference IDs.

These are Fabric's currently supported Secrets Management service providers, along with their official webpages:

How Does It Work

  1. The customer's security team administrator creates a set of credentials on either a database or a similarly secured resource server, and then provisions them as secrets in the Secrets Management provider. The latter encrypts and stores the credentials within the secrets.
  2. The administrator has to grant Fabric (the client application) permission to access these secrets.
  3. When Fabric opens a connection in order to access the database/resource server via an interface, it examines whether its credentials are defined as reference IDs in an external Secrets Management service. If they are defined as such, Fabric queries the Secrets Management service to retrieve the relevant secrets.
  4. The Secrets Management service decrypts and returns the secrets to Fabric over a secured channel.
  5. Fabric uses the secrets as the resource server credentials, as defined in the interface.
  6. Fabric caches the credentials in memory. If the connection to a resource server fails due to credentials, Fabric assumes that the credentials were changed, and therefore accesses the Secrets Management service again for the purpose of retrieving them.

Using Secrets Management Services

In order to use a Secrets Management provider, you should:

  1. config.ini: Set the configuration in the config.ini file with the selected Secrets Management provider, along with access and permission details. Read here for more details.
  2. Interface Editor: Provision and mark the required interface connection details as those that should be taken from the Secrets Management provider, as part of the project's implementation settings. Read here for more details.
