What if an application could automatically repel attackers by rotating its access credentials every day, thereby making every stolen password useless in a short amount of time? That’s the idea behind CredHub, a new feature introduced for Pivotal Cloud Foundry today.
The feature is designed to automatically rotate an application’s credentials on a regular basis without disrupting its operation. Developers and operations engineers shouldn’t have to worry about the rotation, and the applications running on top of Pivotal Cloud Foundry shouldn’t see any downtime as a result.
Pivotal Cloud Foundry is based on the Cloud Foundry open source project, which is designed to help developers build applications without worrying about the underlying infrastructure. PCF is designed to build on that foundation by providing businesses with additional management features beyond those available through the open source offering in exchange for a fee.
CredHub is an important feature for Pivotal’s enterprise customers, since it will allow them to maintain security while doing continuous code deployment with the applications running on PCF. While customers are interested in developing code in an agile way, they won’t sacrifice security, according to James Watters, Pivotal’s senior vice president of product and business development.
“As important as agility is, those organizations and those industries are still going to tilt towards [sticking] with security,” he said.
CredHub is supposed to be a turn-key feature for engineers to set up that will just run in the background and help keep an application secure. For example, the recent SWIFT banking system hack was the result of attackers being able to exploit old credentials to get access to sensitive systems. Pivotal’s new feature could have helped prevent that by making those credentials useless in a short period of time.
Building CredHub was a lot of work, Watters said. Because the system will automatically change passwords, it needs to handle a period of time when both sets of credentials work, before the change-over is complete.
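The overlap period described above can be sketched as follows. This is an added example, not CredHub's code or API: the `RotatingCredential` class, its method names and the 15-minute overlap are assumptions made for illustration, and only the daily rotation comes from the article.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

DAY = 24 * 3600  # the article describes daily rotation


def _new_secret() -> str:
    return secrets.token_urlsafe(32)


@dataclass
class RotatingCredential:
    """Hypothetical verifier, not CredHub's API: honours the current secret,
    and the previous one only while the overlap window is open."""
    rotation_period: float = DAY
    overlap: float = 15 * 60  # assumed grace period, in seconds
    current: str = field(default_factory=_new_secret)
    previous: Optional[str] = None
    rotated_at: float = 0.0

    def rotate_if_due(self, now: float) -> bool:
        """Issue a new secret once the rotation period has elapsed."""
        if now - self.rotated_at < self.rotation_period:
            return False
        # Only one older generation is retained; anything older is dropped.
        self.previous, self.current = self.current, _new_secret()
        self.rotated_at = now
        return True

    def verify(self, presented: str, now: float) -> Optional[str]:
        """Return which generation matched ("current" / "previous") or None."""
        given = presented.encode()
        is_current = hmac.compare_digest(given, self.current.encode())
        # Compare against the old secret too so timing does not depend on it.
        old = (self.previous or "").encode()
        is_previous = hmac.compare_digest(given, old) and self.previous is not None
        if is_current:
            return "current"
        if is_previous and now - self.rotated_at < self.overlap:
            return "previous"  # worth logging: a client has not switched over yet
        return None
```

A secret copied before a rotation keeps working only until the overlap closes, so the overlap length, not the rotation period alone, bounds how long a stolen credential stays usable after the change-over.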
While the feature is just launching today, Pivotal has been testing it with a number of major banks. Their security teams were able to review CredHub as it was in development, and their feedback helped shape the product. But while CredHub is designed to support high-end capabilities like hardware security modules, Watters said that it should work for smaller businesses without massive security teams, too.