Standard: Credentials are short-lived and auditable

Purpose and Strategic Importance

This standard ensures all credentials are short-lived and auditable by default, limiting exposure time and enabling traceability. It reduces the blast radius of potential breaches and supports rapid incident response.

Aligned to our "Zero Trust Architecture" policy, this standard enforces secure-by-design practices for identity and access management. Without it, secrets persist longer than necessary, increasing risk and eroding system trust.

Strategic Impact

  • Improved delivery flow and reduced operational risk
  • Faster and safer response to access breaches
  • Strengthened trust in system-level access and observability
  • Easier adoption of automation and least-privilege design

Risks of Not Having This Standard

  • Secrets remain valid beyond their useful life, increasing the risk of misuse
  • Breaches are harder to detect and investigate
  • Delayed response to compromise events
  • Erosion of system and data trust

CMMI Maturity Model

Level 1 – Initial

  • People & Culture: Teams lack awareness of secret rotation or audit needs. Credentials are created once and reused indefinitely.
  • Process & Governance: No consistent process exists for rotating or reviewing credentials.
  • Technology & Tools: Secrets are managed manually or stored insecurely. No audit logs exist.
  • Measurement & Metrics: No tracking of secret usage, expiry, or leakage events.

Level 2 – Managed

  • People & Culture: Some teams manually rotate secrets on a scheduled basis. Awareness of risks is emerging.
  • Process & Governance: Rotation schedules are defined for critical systems only. Reviews are occasional.
  • Technology & Tools: Basic vaulting tools are used. Auditing is limited to a subset of environments.
  • Measurement & Metrics: Manual audit trails are maintained for high-risk credentials.

Level 3 – Defined

  • People & Culture: Teams follow secure credential lifecycle practices. Training includes access management hygiene.
  • Process & Governance: Expiry and audit policies are enforced organisation-wide. Rotation is documented and repeatable.
  • Technology & Tools: Vaults and automation are used to issue time-bound credentials. Audit logs are centralised.
  • Measurement & Metrics: Coverage of short-lived secrets and audit events is reported regularly.

Level 4 – Quantitatively Managed

  • People & Culture: Engineers monitor credential usage and contribute to policy tuning. Security is part of daily practice.
  • Process & Governance: Credential issuance, rotation, and deprovisioning are integrated into CI/CD pipelines.
  • Technology & Tools: Secret access and expiry are measured in real time. Auto-rotation tools issue credentials per session or build.
  • Measurement & Metrics: Metrics cover age, reuse, and leakage window for all credential types.

Level 5 – Optimising

  • People & Culture: Credential security is a cultural norm. Teams review blast radius scenarios and design for minimal exposure.
  • Process & Governance: Policy-as-code enforces zero-standing credentials. Regular security game days test secret handling.
  • Technology & Tools: All secrets are ephemeral by default. Automated systems issue traceable, short-lived tokens at runtime.
  • Measurement & Metrics: Continuous audit of credential flows. Anomaly detection and automatic expiry tuning are standard.

Key Measures

  • % of credentials with enforced expiry and rotation
  • Number of secrets stored in unmanaged systems
  • Mean and max lifetime of issued credentials
  • % of credentials issued automatically versus manually
  • Audit coverage of all credential types across environments
  • Time to revoke or rotate credentials after exposure
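As an added example (not part of this standard or any tooling it names), the script below computes the key measures above from a credential inventory and applies a simple policy-as-code check for enforced expiry, lifetime caps and vault custody. The inventory records, the field names and the per-type lifetime caps in MAX_LIFETIME are constructed assumptions for illustration; an organisation would replace them with an export from its own vault and its own policy thresholds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Maximum lifetime the policy allows per credential type.
# Assumed thresholds for this example, not values taken from the standard.
MAX_LIFETIME: Dict[str, timedelta] = {
    "api_token": timedelta(hours=12),
    "db_password": timedelta(days=1),
    "cloud_key": timedelta(hours=1),
}


@dataclass
class Credential:
    cred_id: str
    cred_type: str
    issued_at: datetime
    expires_at: Optional[datetime]  # None means no enforced expiry
    managed: bool                   # True if held in the secrets vault
    issued_automatically: bool      # True if issued by automation rather than by hand
    audited: bool                   # True if its use is written to the central audit log

    def lifetime(self) -> Optional[timedelta]:
        """Validity window, or None when the credential never expires."""
        if self.expires_at is None:
            return None
        return self.expires_at - self.issued_at


def key_measures(creds: List[Credential]) -> dict:
    """Compute the standard's key measures over an inventory of credentials."""
    total = len(creds)
    if total == 0:
        return {}
    with_expiry = [c for c in creds if c.expires_at is not None]
    lifetimes = [c.lifetime() for c in with_expiry]
    # Audit coverage is reported per credential type: (count, audited count).
    by_type: Dict[str, Tuple[int, int]] = {}
    for c in creds:
        n, a = by_type.get(c.cred_type, (0, 0))
        by_type[c.cred_type] = (n + 1, a + int(c.audited))
    return {
        "pct_enforced_expiry": 100.0 * len(with_expiry) / total,
        "unmanaged_count": sum(1 for c in creds if not c.managed),
        "mean_lifetime_hours": (mean(lt.total_seconds() for lt in lifetimes) / 3600
                                if lifetimes else None),
        "max_lifetime_hours": (max(lifetimes).total_seconds() / 3600
                               if lifetimes else None),
        "pct_issued_automatically": 100.0 * sum(c.issued_automatically for c in creds) / total,
        "audit_coverage_pct": {t: 100.0 * a / n for t, (n, a) in by_type.items()},
    }


def policy_violations(creds: List[Credential]) -> List[Tuple[str, str]]:
    """Policy-as-code check: no expiry, lifetime over the type's cap, or unmanaged storage."""
    violations: List[Tuple[str, str]] = []
    for c in creds:
        lt = c.lifetime()
        cap = MAX_LIFETIME.get(c.cred_type)
        if lt is None:
            violations.append((c.cred_id, "no enforced expiry"))
        elif cap is not None and lt > cap:
            violations.append((c.cred_id, f"lifetime {lt} exceeds cap {cap}"))
        if not c.managed:
            violations.append((c.cred_id, "stored outside the managed vault"))
    return violations


# Constructed sample inventory for the example; not real credentials or systems.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Credential("tok-1", "api_token", T0, T0 + timedelta(hours=8), True, True, True),
    Credential("tok-2", "api_token", T0, T0 + timedelta(hours=24), True, True, False),
    Credential("db-1", "db_password", T0, None, False, False, False),
    Credential("key-1", "cloud_key", T0, T0 + timedelta(minutes=30), True, True, True),
]

if __name__ == "__main__":
    for name, value in key_measures(SAMPLE_INVENTORY).items():
        print(f"{name}: {value}")
    for cred_id, reason in policy_violations(SAMPLE_INVENTORY):
        print(f"VIOLATION {cred_id}: {reason}")
```

On the sample inventory the long-lived token and the never-expiring, unvaulted database password are the only findings, which is the point of the check: the measures give the organisation-wide trend, while the violation list gives the concrete items to rotate or re-home first.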

Associated Policies

  • Secure by Design

Associated Practices

  • Multi-Factor Authentication (MFA)
  • Static Application Security Testing (SAST)
  • Vulnerability Management
  • Dynamic Application Security Testing (DAST)
  • Secrets Management in Pipelines
  • Software Composition Analysis (SCA)
  • Identity Federation
  • Secret Rotation Automation
  • Just-in-Time Access
  • Infrastructure Threat Detection
  • Policy as Code
  • Zero Trust Architecture
