Re: Managing Credentials to Back Office Systems


Jet Basrawi

Jan 4, 2016, 12:36:36 PM
to API Craft
Sorry, I appear to have created a duplicate somehow.

On Monday, January 4, 2016 at 5:26:24 PM UTC, Jet Basrawi wrote:
Hi,

We have an API Proxy Layer that proxies onto enterprise back office systems for our clients. There are a number of IT organisations within this client around the globe and there will be about 1200 proxied connections to back office systems. Each of these systems may be owned by different IT groups or even third parties.

Given this scenario, I am trying to put together what a sensible solution to handling the credentials required to connect to those back office systems might be. Clearly a key management store will be a good place to store these credentials, but I am more interested in what are good processes surrounding the acquisition and update of these credentials.

Imagine a few scenarios:

  1. How do we onboard credentials when an integration is agreed? Clearly sending them via email or on the phone is not good. Ideally we would not touch them at all.
  2. The client system wants to rotate their credentials.
  3. We need our client to rotate their credentials because we have been compromised.

I have been thinking along the lines of a web portal where each system owner can manage the credentials for their systems.

Has anyone had any kind of experience like this?