Airlock IAM usually deals with sensitive information such as user records, secret keys, shared secrets and so on. The following list gives hints how to deal with sensitive information.
Securing sensitive information in the IAM configuration
The IAM configuration may contain sensitive information such as:
- Shared secrets
- Database or LDAP service user passwords
- Private keys for client certificates, SAML, etc.
- etc.
The following hints may help securing such information:
Store sensitive configuration properties in external files:
- See Storing sensitive configuration values externally, how to securely config store secrets.
- Make sure to use a long enough secret to encrypt the external secrets file
- Make sure the external secrets file does not get backed up by accident.
- Restrict access to the file as much as possible using file ownership and permission settings.
- If sensitive information has to reside in the IAM configuration (XML), consider using the "obfuscated" function in the ConfigEditor: it "obfuscates" the value with a fixed key stored in the IAM code.
Note that it does not prevent an adversary from restoring the original value (given the IAM code and some basic Java know-how). Therefore, do not rely only on this obfuscation technique!
Keep key store files in well-protected directories:
- Choose file locations sensibly, so they won't get backed by accident.
- Restrict access to key store files as much as possible using file ownership and permission settings.
- Deliver pre-configured IAM instances without key stores.
Do not share sensitive configuration across stages:
- Choose different sensitive configuration values for each stage (test, acceptance, prod, ...)
- The feature described in Configuration environments in combination with externally stored secrets (see Storing sensitive configuration values externally) offer a way to separated secrets from staged configurations.
Sensitive data in test data and log files
Keep in mind that test data sets and log files may contain sensitive information about the end-users authenticating themselves using Airlock IAM.
Although Airlock IAM will never log credential data (such as passwords), information identifying persons may be part of the log files (depending on the configuration).
The following hints may prevent exposure of sensitive data:
- Operate Airlock IAM with the minimum amount of personal data possible (e.g. do not read first and last name of customers from directory, if it is not necessary)
- Do not use productive data in test environments
- Scan log files for sensitive information before sending them to supporting partners (such as the Airlock professional or vendor service team)