The Snyk Perpetual Key Rotation Machine
1 April 2023
At Snyk, we think of developers as citizens of a special community. In that community, your collection of apps is your neighborhood — and your code is your home base; your house. How do you secure a house? With a lock! And how do you make sure no one else can unlock that lock? You keep the key! That’s security ideation at its finest: keys. Just ask Vinz Clortho, Keymaster of Gozer.
But keys are only as secure as the people in charge of them. We've all seen Mission Impossible, so we know keys can be stolen. All you need is some rope, a grappling hook, a team of highly-trained masters of espionage armed with millions of dollars’ worth of spy stuff, and a black v-neck. Or just, like, accidentally leave your keys on your desk when you go on a coffee break.
That was a very direct way of saying that keys are prone to security failure. With that in mind, let’s talk about cryptographic keys. The access keys, tokens and encryption keys you use every day can be stolen, pushed to a public repo, or left sitting in a log file. The standard way to limit the damage when that happens is key rotation. In this very serious post that's being published on April 1st, we're going to take a look at what key rotation is and how Snyk is revolutionizing it in a modern, high-stakes, disruptive, developer-first, agile, digitally-transformed, game-changing, deep-diving, cloud-centric world.
What is key rotation?
Key rotation is the practice of periodically replacing the cryptographic keys used for encryption or authentication with fresh ones. Its purpose is to bound the lifetime of any one key. Rotation does not make a key harder to steal; it limits what a stolen key is worth: a key that has been leaked, copied or brute-forced only protects (or grants access to) what was produced while it was active, and an attacker holding it loses that access once it is retired.
Key rotation matters most where data is stored or transmitted over a long period, such as cloud storage, messaging systems or database encryption. The longer one key stays in service, the more ciphertext it protects, the more systems and people it has been copied to, and the more valuable it becomes to steal; regularly replacing it caps all three. Key rotation is your way of pulling the rug out from under hackers — it keeps them guessing. And it also leaves them without a rug.
Key rotation can be done manually or automatically, depending on the system and its security requirements. In an automated system, new keys are generated on a schedule and old ones are retired. "Retired" is doing a lot of work in that sentence. A key that encrypted data at rest has to stay available for decryption until every record written under it has been re-encrypted with the new key, and an API key or signing key needs a short overlap window in which both old and new are accepted so that clients can switch without an outage. Only after that is the old key safe to destroy. Rotation that skips those steps isn't rotation; it's data loss with extra steps.
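Here is that rotate, re-encrypt, then retire lifecycle in working Go, as an example added to this post (it is not Snyk code or code from the original article): a keyring of versioned AES-256-GCM keys in which every ciphertext carries a 4-byte version header, Rotate adds a key without deleting the previous one, and Retire re-encrypts everything still under an old version before deleting it. The header layout, the Keyring type and its method names are this example's own choices, not any library's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Ciphertext layout: 4-byte big-endian key version | 12-byte GCM nonce | ciphertext+tag.
const headerLen, nonceLen = 4, 12

// Keyring keeps the active key plus older versions that still protect stored data.
type Keyring struct {
	versions map[uint32]cipher.AEAD // AES-256-GCM per key version
	current  uint32
}

// NewKeyring returns a keyring whose first key (version 1) is active.
func NewKeyring() (*Keyring, error) {
	kr := &Keyring{versions: map[uint32]cipher.AEAD{}}
	if err := kr.Rotate(); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate generates a fresh 256-bit key and makes it active. Older versions are
// kept, not deleted: ciphertexts written under them still reference them by id.
func (kr *Keyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	kr.current++
	kr.versions[kr.current] = g
	return nil
}

// Version reports which key version a ciphertext was produced under.
func Version(blob []byte) uint32 { return binary.BigEndian.Uint32(blob[:headerLen]) }

// Encrypt uses the active key and authenticates the version header as associated
// data, so a tampered header is rejected instead of being tried against another key.
func (kr *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	out := make([]byte, headerLen+nonceLen)
	binary.BigEndian.PutUint32(out, kr.current)
	if _, err := rand.Read(out[headerLen:]); err != nil {
		return nil, err
	}
	return kr.versions[kr.current].Seal(out, out[headerLen:], plaintext, out[:headerLen]), nil
}

// Decrypt uses the version named in the header; once that version is retired the
// data is unrecoverable, which is why retirement must come after re-encryption.
func (kr *Keyring) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < headerLen+nonceLen {
		return nil, fmt.Errorf("ciphertext too short")
	}
	g, ok := kr.versions[Version(blob)]
	if !ok {
		return nil, fmt.Errorf("key version %d is retired or unknown", Version(blob))
	}
	hdr, nonce, ct := blob[:headerLen], blob[headerLen:headerLen+nonceLen], blob[headerLen+nonceLen:]
	return g.Open(nil, nonce, ct, hdr)
}

// Retire re-encrypts every stored ciphertext still under version id onto the
// active key, then deletes that version. Rotation is only finished once this runs.
func (kr *Keyring) Retire(id uint32, stored [][]byte) ([][]byte, error) {
	if id == kr.current {
		return nil, fmt.Errorf("refusing to retire the active key version %d", id)
	}
	out := make([][]byte, len(stored))
	for i, blob := range stored {
		if Version(blob) != id {
			out[i] = blob // already under another version, leave it alone
			continue
		}
		pt, err := kr.Decrypt(blob)
		if err != nil {
			return nil, err
		}
		if out[i], err = kr.Encrypt(pt); err != nil {
			return nil, err
		}
	}
	delete(kr.versions, id)
	return out, nil
}
```

Because the header is bound as GCM associated data, rewriting the version bytes on a ciphertext fails authentication rather than quietly decrypting under the wrong key. One rotation-related limit the code does not enforce: with random 96-bit nonces, AES-GCM should not be used for more than about 2^32 messages under a single key, so a busy service may need to rotate on volume as well as on the calendar.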
How often are keys normally rotated?
How often keys are rotated can vary depending on security requirements and the type of system being used. However, a typical key rotation cadence for most systems is between 30 and 90 days, with some systems rotating keys even more frequently — more often than monthly, but less often than autocorrect tricks you into sending a pretty moronic-sounding text message.
The frequency of key rotation depends on a number of factors, including the sensitivity of the data being encrypted, the level of security required by the organization, and any regulatory or compliance requirements that may be applicable.
Standard key rotation isn’t enough
Encryption is a good start, but bad actors can still find, steal, or guess cryptographic keys. Remember the Heartbleed bug of 2014? A buffer over-read in OpenSSL's TLS heartbeat extension (CVE-2014-0160) let anyone who could open a connection to a vulnerable server read chunks of its memory, and that memory could contain the private key for the server's certificate. The encryption itself was fine; the key guarding it leaked. Many websites and services were forced to revoke and reissue their SSL certificates, and the careful ones also rotated the session cookies, passwords and tokens that had passed through those servers. Keys can also simply outlive their strength. RSA was introduced in 1977, and its creators estimated that RSA-129, a 129-decimal-digit (426-bit) modulus, would take 40 quadrillion years to factor. In 1994 a team of researchers and several hundred volunteers factored it in about eight months, revealing the message "The Magic Words are Squeamish Ossifrage". Nobody would use a 426-bit RSA key today (2048 bits is the usual minimum), and a rotation schedule is also the natural moment to move to longer keys or newer algorithms. Squeamish ossifrage has never been so dangerous!
Snyk takes key rotation one step further (and many turns faster)
Many tech businesses still subscribe to the “move fast” philosophy — and Snyk is among them. But we’ve taken the idea of “moving fast” one step further. We built a key rotation tool that moves so fast that no one can catch up with it. We're proud to release: Snyk's Perpetual Key Rotation Machine!
Other key rotation tools replace old keys with new keys, ensuring that all encrypted data is protected with the latest encryption key, and they execute this change at intervals, usually a specified number of days. What sets Snyk’s Perpetual Key Rotation Machine apart from the others is that it automatically and continuously rotates encryption keys, without interruption, ensuring that the keys are always changing.
The machine uses proprietary AI (developed in a super-secret location) to generate new keys at regular intervals: intervals of attoseconds (for you n00bs out there, that’s one-quintillionth of a second). Giving a very fast fist bump to Newton’s first law of motion, this key rotation machine rotates and rotates and — you guessed it — rotates! And it never stops. Your key rotation keeps happening and your keys keep changing. Or as Taylor Swift said: rotators gonna rotate-tate-tate-tate.
Remember: no one key provides true security — unless it’s changing so frequently that it can never actually be identified. A key that’s rotating continuously can’t be used to hack your data, because it can’t be used. At all! By anyone! Ever! Your data will be less visible than Schrödinger's cat.
But seriously...
Happy April Fools' Day! We know that making data totally inaccessible isn’t a real security solution (even though we do enjoy giving a shout-out to one of our favorite performances by the great Rick Moranis). So if you want to stay secure while not completely locking the whole world — yourself included — out of your apps, check out Snyk. Built on industry-leading security intelligence, our platform secures your code, dependencies, containers, and cloud infrastructure in real time, right from the tools and workflows you already use. That may sound too good to be true, but we promise we're not joking!
Sign up for free and start securing your applications with the security platform developers love.