Managing shared secrets
We have already touched on security topics, such as isolating legacy systems and external interfaces in their own cloud accounts and having on-premises components pull data from the cloud instead of granting the cloud access to on-premises. These techniques help control the attack surface that exists at the interactions between disparate systems. In this section, we will address shared secrets such as passwords, access keys, and API keys.
Securing secrets
The various egress scenarios require connecting to external resources. These interactions are secured in transit with SSL/TLS, but first they must be authenticated. Legacy systems will most likely require a username and password, while modern systems typically require some sort of long-lived token. For example, a SaaS system may use API keys and a cloud provider may require an access token. In reality, these are all semantically the same; they are all secrets. The syntactical details only really matter to...