With the new contexts API release, developers can save their team valuable time while enhancing security practices. We know maintaining your organization’s security is crucial. There is the need to meet strict compliance guidelines, such as FedRAMP and GDPR, and what seems to be an increasing number of breaches, like the compromise of over 150,000 video security cameras as a result of a targeted Jenkins server. Acknowledging the importance of security is only the first step, though; you must also be actively vigilant about managing your security. On CircleCI, customers can proactively manage security requirements in myriad ways, like managing your organization’s sensitive keys or secrets. This process can be challenging when using CI/CD to create an automated delivery pipeline.
Secrets are likely required to build, test, and deploy across multiple projects. Sharing them among your team while maintaining their security can be difficult. In this article, we will cover how using our new contexts API as part of your team’s security strategy can help automate your secret rotation according to best practices, providing the most protection possible.
Managing secrets with CircleCI contexts
To get the most out of CI/CD workflows on CircleCI, developers need to connect to private datastores and access-restricted services. Teams may even connect directly to their infrastructure to push production artifacts. CircleCI enables you to store credentials and other secrets securely in the form of contexts for use during builds.
Despite the countless hours and brainpower that CircleCI and your organization put into keeping these values safe, no system is perfect. In all information systems, it is possible that an unauthorized party could gain access to private data. However, CircleCI makes a concerted effort to ensure that your secrets stay protected. Implementing good security practices including periodic rotation of secrets limits any possible exposure and can prevent a breach from happening in the first place.
Maintaining good secrets hygiene
A secret is any information that you need to protect from unauthorized access, like keys used for cryptography or access to a resource. Secret rotation is the process of replacing and invalidating old secrets.
Good secrets hygiene includes rotating secrets periodically and when someone’s access has been revoked. If an employee leaves your company, or if someone in your organization is transferred to another department, all secrets they had access to should be rotated.
What about secret exposures you do not know about? Perhaps a raised exception in logs contains a secret value, exposing it to people who should not have access to it. Any system that handles secrets has the potential for accidental exposure due to human or machine error, and that includes code that builds on CircleCI.
Our efforts to protect your secrets include encryption at rest and in transit, masking of secret values in build logs, and logging access to secret data stores by CircleCI employees. We are the first CI/CD tool to meet the rigorous security and privacy NIST-standards of FedRAMP, in addition to being SOC 2 Type II compliant.
Recommendations for secret rotation
CircleCI recommends automating your secret rotation to guard against human error and ensuring that it is done periodically. Here are some guidelines for using secrets with CircleCI:
- Use the Principle of Least Privilege. Give only the exact permissions to the secrets you pass to CircleCI necessary for your builds and deploys
- Automate adding and updating secrets in CircleCI contexts using the CircleCI CLI or the API
- Schedule regular secret rotations that fit the unique needs and risk profile of your team
The guidelines described in this article are especially relevant for large organizations, but even maintainers of small open-source projects may want to improve their secrets hygiene to prevent the breach of a popular library. With some upfront effort in design and automation, you can strengthen your security posture regardless of the size of your organization.
For more information on how to begin automating your secret rotation and creating environment variables using the API or CLI, check out our contexts documentation.