#51 | SECURITY | PROTECT | Elite
Secrets Rotation
Lifecycle and rotation process
Hard
Overview
Automated or semi-automated rotation of secrets on a schedule or after exposure.
Why It Matters
Limits the blast radius of a compromised secret and gives you a documented rotation schedule.
The Risk
Without rotation, compromised secrets work forever. You can't limit damage from breaches or departing employees. Compliance requirements go unmet. Old leaked credentials remain valid.
Implementation Components
A complete implementation of this capability includes:
- Rotation schedule defined (quarterly minimum)
- Automated or scripted rotation process
- Pre-rotation testing to avoid outages
- Coordinated rollout to all environments
- Verification that old secrets are invalidated
- Documentation updated with rotation dates
Implementation Pattern
1. Identify rotation candidates
2. Define rotation schedule
3. Automate generation
4. Test before cutover
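The components and pattern above, worked through as an added example that is not part of this capability card: a constructed in-memory Backend stands in for whatever validates the secret, and a Rotator enforces the 90-day schedule, tests the new value before cutover, revokes the old one and verifies it is rejected, and records the rotation date. All class and method names are this example's own.

```python
import secrets
import string
from datetime import date, timedelta

ALPHABET = string.ascii_letters + string.digits
MAX_AGE = timedelta(days=90)  # quarterly at minimum, per the schedule requirement above


class Backend:
    """Constructed stand-in for whatever checks the secret (database, API gateway, vault)."""
    def __init__(self):
        self.valid = {}  # secret name -> set of values currently accepted

    def authenticate(self, name, value):
        return value in self.valid.get(name, set())

    def add(self, name, value):
        self.valid.setdefault(name, set()).add(value)

    def revoke(self, name, value):
        self.valid.get(name, set()).discard(value)


class Rotator:
    """Holds the value consumers are configured with and the date of each last rotation."""
    def __init__(self, backend):
        self.backend = backend
        self.current = {}     # name -> value consumers use right now
        self.rotated_on = {}  # name -> date of last rotation (the documentation trail)

    def enroll(self, name, value, on):
        self.backend.add(name, value)
        self.current[name] = value
        self.rotated_on[name] = date.fromisoformat(on)

    def due(self, today):  # ISO date string -> names whose secret is older than MAX_AGE
        return sorted(n for n, d in self.rotated_on.items()
                      if date.fromisoformat(today) - d >= MAX_AGE)

    def rotate(self, name, today):
        old = self.current[name]
        new = "".join(secrets.choice(ALPHABET) for _ in range(32))
        self.backend.add(name, new)                   # overlap window: old and new both valid
        if not self.backend.authenticate(name, new):  # pre-cutover test
            self.backend.revoke(name, new)            # roll back; consumers never changed
            raise RuntimeError(f"{name}: new secret rejected, rotation aborted")
        self.current[name] = new                      # cutover for every consumer
        self.backend.revoke(name, old)
        if self.backend.authenticate(name, old):      # verify the old value is really dead
            raise RuntimeError(f"{name}: old secret still accepted after revocation")
        self.rotated_on[name] = date.fromisoformat(today)
        return new
```

The overlap window is what keeps the rollout outage-free: consumers keep working on the old value until the new one has been proven to authenticate.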
Pipeline Coverage
This continuous capability monitors and applies to the following pipeline phases:
RELEASE
Tool Examples
These are examples, not endorsements. Choose what fits your context.
Dependencies
Requires (must have first)
Same Layer
Other capabilities in this continuous layer
- #44 Database Backups
- #45 System/App Backups
- #46 Restore Verification
- #47 Restore Drills
- #48 Host Hardening