From bdebda7959f2ea175388d7ae9606961a76e6dfe5 Mon Sep 17 00:00:00 2001 From: Chris Cooper Date: Wed, 12 Sep 2018 17:36:27 +0100 Subject: [PATCH] Secure Deploy B Ready for Review --- v2.0/beta/core/implementation/i-secure-deployment.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/v2.0/beta/core/implementation/i-secure-deployment.md b/v2.0/beta/core/implementation/i-secure-deployment.md index 1e427996362..65eca23e872 100644 --- a/v2.0/beta/core/implementation/i-secure-deployment.md +++ b/v2.0/beta/core/implementation/i-secure-deployment.md @@ -96,7 +96,9 @@ Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor i ## Maturity 2 ### Activity -Use encryption or a centralized vault to protect sensitive coniguration information +Before deployment, sensitive credentials and secrets for production systems should be stored with encryption-at-rest and appropriate key management. The organisation should consider using a purpose-built tool/vault for this data. Key management should be handled carefully to ensure that only personnel with responsibility for production deployments are able to access this data (the principle of least privilege). + +Where possible during deployment, secrets should be encrypted-at-rest in configuration files as well. There should be appropriate key management such that the application can access the secrets whilst it is running, but an attacker who obtains the configuration files alone would not be able to decipher them. ### Maturity Questions #### Q 1
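Review bot: The second added paragraph promises that "an attacker who obtains the configuration files alone would not be able to decipher them", but the text never says where the decryption key must live; if the key is deployed beside the configuration (same repository, same artifact, same host directory), that guarantee collapses, so the activity should state that the key is held separately from the encrypted configuration (a vault, KMS or OS-level secret store) and supplied to the application at runtime rather than shipped with it. In the first paragraph, least privilege is scoped only to "personnel with responsibility for production deployments"; in practice deployment pipelines and service accounts also read these secrets, so consider widening that to the identities (human and non-human) that perform production deployments. Minor: the hunk context still shows "Lorem ipsum dolor sit amet, ..." at the top of the Maturity 2 region, so placeholder text remains in this file ahead of the "Ready for Review" state the subject line claims.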