Rotated vs. dynamic secrets: Which should you use?
Secrets are crucial in securing access to applications, sensitive data, and machines. They fall into four categories: unmanaged, static, rotated, and dynamic. Static secrets are the most common type but pose security risks if they are not securely stored and centrally managed. Rotating secrets, or generating them dynamically, improves an organization's security posture by shortening the window in which a secret remains usable if a threat actor obtains it.

Auto-rotated secrets ensure that static secrets are not long-lived. New versions are created on a schedule, and one or more of them are stored as the latest version(s) of the secret. When an instance of the application starts up, it pulls the latest version.

Dynamic secrets shift the focus from managing credentials to managing intent: an issuing service creates them just-in-time when they are requested. Each has a predefined lifespan (TTL), after which it expires and becomes invalid. Every application instance receives a different credential, and each credential can be revoked independently of the other running instances.

Auto-rotated secrets suit longer-lived workloads that need a more stable connection but whose credentials must still be rotated. Dynamic secrets are particularly useful for ephemeral workloads in environments with stringent security requirements, such as cloud environments, distributed systems, and microservice architectures. Incorporating both dynamic secrets and secret auto-rotation into an organization's secrets management practices addresses a broader range of security requirements and operational challenges than either approach alone.
Company: HashiCorp
Date published: Sept. 16, 2024
Author(s): David Mills
Word count: 2176
Hacker News points: None found.
Language: English