Credentials Rotation Policy

Use Apono for periodic credentials rotation and password resets on granted access, for security and compliance purposes.

Intro

As we all know, it is highly unsafe to have stale credentials that are changed seldom, if at all.

In addition, many compliance and regulation standards require periodic credentials rotation, often quarterly (every 90 days) or less.

📘

Common compliance and regulation standards: credentials rotation

PCI DSS (Payment Card Industry Data Security Standard) requires the rotation of user passwords and other security parameters at least every 90 days. This applies to any systems or applications that store, process, or transmit payment card data.

HIPAA (Health Insurance Portability and Accountability Act) doesn't specify a time frame for credential rotation but requires that organizations implement policies and procedures for regular access reviews and modifications to ensure the security of electronic protected health information (ePHI). Some auditors require password changes every 60 or 90 days.

SOC 2 (Service Organization Control 2) requires that passwords are changed every 90 days or less and not reused for at least six months.

With Apono, you can rest assured that credentials are rotated regularly by activating our Credentials Rotation Policy. You can enforce this policy organization-wide, and even per integration. This helps keep the company secure with extra care for extra-sensitive resources.

Please note: Apono can reset credentials only for Apono-generated users and passwords. If you're using Apono with SSO or a cloud native IAM service, you must make sure password reset policies are enforced there.

How to: Enable periodic credentials rotation

When turned on, Apono will reset a user's credentials after the defined time period elapses. To support productivity and offer the best experience, Apono resets the password for a user's next request, and not during active access.

For example: if on January 1st a user requests access to a MySQL database, they will receive a username and password from Apono. If the reset password policy is turned on for a 90-day period, the user will continue to use the same password for all of their requests until March 31st. The next request this user creates after March 31st will be granted with new credentials, and then again on June 30th, September 30th, and so forth.

🚧

If both a global policy and integration policy are turned on, Apono will follow the stricter one.

If the global policy states 90-day credentials rotation and the SSH integration states 30-day credentials rotation, Apono will reset SSH private keys after 30 days.

If the global policy states 30-day credentials rotation and the SSH integration states 90-day credentials rotation, Apono will reset SSH private keys after 90 days.

Global reset credentials policy

To enable a global, organization-wide credentials rotation policy for all your Apono integrations, follow these steps:

  1. Visit the Settings page

  2. Find the "Credentials Rotation Policy" toggle

  3. Turn the toggle on and enter the period after which the reset will take place. The default is 90 days, but it can be changed to any number of days.

Integration-level reset credentials policy

To enable per-integration credentials rotation policy, follow these steps:

  1. Create a new integration or visit any existing integration you'd like to set a credentials rotation policy for.

  2. Find the "Credentials Rotation period" configuration

  3. Insert any number of days. Inserting 0 will trigger password reset for every new request.

  4. Click Submit or Update.

Audit

Admins can follow Apono credentials rotation in the Activity Report.

Pick any request and look at the Request Timeline to see rotation events.

Grantees

Apono alerts users that new credentials have been generated for them. This helps grantees understand that they need to reinsert credentials, even if they've set up and used the Apono access previously.

In Slack

For granted requests that contain new credentials, Apono adds ":key: New credentials" under the Access Details button.

In the Web Portal

For granted requests that contain new credentials, Apono adds a green dot and "New access credentials" to the View access details button.

Troubleshooting