Standards Group:
YALE-MSS-9: Authentication and Authorization
YALE-MSS-9.7: Secure and/or limit storage of authentication information
Details
Authentication credentials, such as passwords and keys, are highly sensitive and must be stored in a manner commensurate with that sensitivity. Typically, this means appropriate access controls and encryption are used to prevent unauthorized disclosure.
Do not store sensitive credentials in source code or configuration files. Instead, use appropriate secrets management tools offered by cloud providers, found in container environments such as Docker or Kubernetes, and made available through operating systems (e.g., the Linux keyring).
Similarly, use a password manager for proper storage of user account credentials.
Once a solution is determined, it must be documented along with any operational processes.
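One way to check configuration files against the rule above, as an added example that is not part of the standard itself: a small scanner that flags credential-like keys holding a literal value and accepts values that only reference a secret store. The key-name patterns, the accepted reference forms (`${VAR}`, `$VAR`, a Docker-style `/run/secrets/` path) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Key names that usually hold a credential (assumed list, extend as needed).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.I)
# Matches "key = value" or "key: value", with optional matching quotes around the value.
ASSIGNMENT = re.compile(r"""^\s*([\w.\-]+)\s*[:=]\s*(['"]?)(.*?)\2\s*$""")
# Values that point at a secret store instead of containing the secret (assumed forms).
REFERENCE = re.compile(r"^(\$\{[^}]+\}|\$[A-Za-z_]\w*|/run/secrets/\S+)$")


def find_hardcoded_credentials(text):
    """Return (line_number, key) for each sensitive key assigned a literal value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";", "//")):
            continue  # comment line
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        key, _, value = match.groups()
        if not SENSITIVE_KEY.search(key):
            continue
        if value == "" or REFERENCE.match(value):
            continue  # empty, or a reference resolved at runtime
        findings.append((lineno, key))  # the value itself is never reported
    return findings


# Constructed sample configuration, not taken from any real system.
SAMPLE_CONFIG = """\
# database settings
db_host = db.example.internal
db_user = app
db_password = "hunter2-constructed"
api_key: ${PAYMENTS_API_KEY}
session_secret_file = /run/secrets/session_secret
smtp_token =
jwt_secret: 'constructed-literal'
"""

if __name__ == "__main__":
    for lineno, key in find_hardcoded_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: '{key}' holds a literal value; move it to a secrets manager")
```

Findings carry only the line number and key name, so the scanner's own output does not become another place where the credential is stored.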