Managing sensitive user data across synthetic scripting
Anyone responsible for maintaining a website or application often has to work with a multitude of synthetic scripts. Many times synthetic scripts contain sensitive data that must be kept secure, only available to select personnel, and in compliance with a company’s security policies. To make things more challenging, this sensitive data may need to be changed on an ongoing basis, and across a large quantity of scripts, which adds user toil.
As a result of feedback from our customers, New Relic Synthetics is addressing these challenges with secure credentials, which is now generally available.
Inputting, updating, and manipulating sensitive data should be easy
Remember those long nights rotating passwords and manually having to update dozens or hundreds of synthetics scripts? Secure credentials gives you that time back. At a glance, it does so by using key/value pairs that are easily created, stored, and automatically updated across Synthetics scripts, but there’s much more to the story.
Synthetics uses key/value pairs so users can update their credentials once, without having to update each individual monitor when passwords, or any other sensitive user data, change. Once the sensitive data is entered and saved within a key/value pair, it is referenceable as an “object” from any script. Users creating scripts then only need to reference the object that corresponds to the specific sensitive value.
If a user has 100 scripts that contain one or more secure credentials, they simply edit those specific credentials and save the changes, and those 100 scripts will use the updated value the next time the monitor runs.
Using secure credentials
Let’s walk through an example of setting up secure credentials in Synthetics.
In Synthetics, select the Secure credentials tab. If this is your first time creating secure credentials, click Create new secure credential.
Input your key and its value, and add a description for easy reference. For example, let’s say I have a secure credential whose value is the password Password123 and whose key is MATS_PASSWORD.
After you create the secure credential, open the script you want to use. Click Secure credentials (on the right-hand side of the page) to see a list of credentials you’ve created.
Insert your secure credential. In the script, highlight the value you want to change, and select the secure credential you want to use. The value in the script will change to $secure._______ with the name of your selected key referenced in the object. In this case, we’ve used $secure.MATS_PASSWORD.
If you want to update pre-existing scripts, the script editor includes “find and replace” functionality. Use CMD + F on your keyboard, and use the “find and replace” input selector. (See the documentation for more information.)
Keeping your sensitive data secure with the highest encryption standard
Customers can rely on Synthetics’ secure credentials to keep their sensitive data safe. We use Amazon Key Management Service (KMS) to encrypt key/value pairs and ensure those keys are frequently rotated. We use KMS to create an individual encryption key for every stored credential, using AES-GCM 256-bit encryption. Data is decrypted only at run time, when a check needs to be executed by a Synthetics minion.
After a script is run, the Synthetics minion scrubs all persistent data from the collected metrics, and the feedback log references the key/value pair object as SECURECREDENTIAL, meaning the object is removed at the end of each run. By identifying the sensitive data point as a referenceable key and inputting it into the script as an object, secure credentials ensures that it never accidentally captures and persistently stores sensitive user data. If customers use secure credentials with Synthetics’ fine-grained permissions, they can ensure that only users allowed to access sensitive data have access to it, and that the data is secure in the creation and running of a script.
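The log scrubbing described above, sketched as an added JavaScript example (not New Relic's code): it replaces known credential values, including their URL-encoded, JSON-escaped and base64 forms, with the SECURECREDENTIAL placeholder. The function names, the set of encodings and the sample log lines are assumptions constructed for illustration; MATS_PASSWORD and Password123 are the example values from this post.

```javascript
// Added illustration; not New Relic's implementation.
const PLACEHOLDER = 'SECURECREDENTIAL'; // placeholder text as quoted on the page

// Escape regex metacharacters so a value like "p+ss(1)" is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Forms a value commonly takes by the time it reaches a log line (assumed set).
function variantsOf(value) {
  return [
    value,
    encodeURIComponent(value),                     // query strings, form bodies
    JSON.stringify(value).slice(1, -1),            // JSON-escaped request bodies
    // base64 of the value alone; base64("user:pass") is a different string
    Buffer.from(value, 'utf8').toString('base64'),
  ];
}

// Returns a function that replaces every known credential value in a line.
function buildScrubber(credentials) {
  const needles = new Set();
  for (const value of Object.values(credentials)) {
    // An empty value would match at every position, so skip it.
    if (typeof value !== 'string' || value.length === 0) continue;
    variantsOf(value).forEach((v) => needles.add(v));
  }
  if (needles.size === 0) return (line) => String(line);
  // Longest first: when one value contains another, the longer one is
  // replaced whole instead of leaving its tail in the log.
  const pattern = [...needles]
    .sort((a, b) => b.length - a.length)
    .map(escapeRegExp)
    .join('|');
  const re = new RegExp(pattern, 'g');
  return (line) => String(line).replace(re, PLACEHOLDER);
}

// Constructed sample data; MATS_PASSWORD / Password123 are the page's example.
const scrub = buildScrubber({
  MATS_PASSWORD: 'Password123',
  ADMIN_PASSWORD: 'Password123-admin',
  API_TOKEN: 'tok+en/with space&sym',
});
[
  'POST /login user=mat&password=Password123',
  'POST /login user=root&password=Password123-admin',
  'GET /api?token=tok%2Ben%2Fwith%20space%26sym',
].forEach((line) => console.log(scrub(line)));
```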
Embrace the ease and security
As of today, secure credentials is available to all New Relic Synthetics users. We’re confident our customers will enjoy a reduction in toil when it comes to managing sensitive data in Synthetics. Rotating passwords and updating scripts doesn’t have to be an hours-long manual process—with secure credentials users simply make one change, and automatically switch credential values across all their scripts. It’s just another way New Relic is continually working to deliver ease of use along with the highest level of trust.