Machine-to-Machine (M2M) applications are a critical part of enabling secure and automated communication between applications and our SaaS products. To ensure secure and efficient usage, it is essential to follow best practices for creating, storing, and managing M2M application credentials. Below are detailed guidelines to help you get started and maintain robust security.
Creating an M2M application is straightforward and can be done in the account portal under the "Applications" section. Follow these steps:
1. Open the Creation Page: Navigate to the "Applications" section in the account portal and click the "Create Application" button to open the application creation page.
2. Name Your Application: Enter a meaningful and descriptive name for the application. The name should clearly indicate the purpose of the application and where it will be used. This helps in easy identification and management later.
3. Select the Space: Choose the appropriate "Space" to which this application will have access. The space represents the environment or tenant that the application needs to interact with.
4. Define Permissions: Once the space is selected, configure the permissions the application requires. Permissions determine what actions the application can perform. If you're uncertain about which permissions to assign, consult the documentation or contact the support team for guidance.
5. Review the Summary: A summary of your selections will be displayed on the right-hand side. Carefully review all the details to ensure they are accurate.
6. Create the Application: If everything looks correct, click the "Create Application" button. This will finalize the creation process.
7. Copy Credentials: After successfully creating the application, a dialog box will appear displaying the "Application Details." This includes the client ID and client secret. Make sure to securely copy and store these credentials, as they will not be displayed again.
Once the application is created, its details can always be retrieved from the "Applications" section in the cloud portal:
In the applications list, the Client ID is displayed directly in the list view for easy reference.
To retrieve the Client Secret, click the kebab (three-dot) icon on the right side of the application entry and select "Copy Secret". This action copies the secret to your clipboard. Ensure you store it securely, as it will not be shown again for security reasons.
M2M application credentials are sensitive information that must be protected to prevent unauthorized access. Follow these guidelines:
Encrypt at Rest: Always store credentials in an encrypted format when saved to disk.
Restrict Access: Ensure that only the application requiring the credentials can access them. This includes setting file permissions and using secure storage mechanisms.
Avoid Public Exposure: Never store credentials in publicly accessible locations, such as code repositories or public-facing servers.
Use Secure Secrets Management Tools: Consider using tools like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault for managing and accessing credentials.
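The "Restrict Access" and "Avoid Public Exposure" rules above can be enforced at load time rather than left to convention. The following Python example is added here for illustration and is not code from the original page or the product's own SDK. It assumes the credentials are either injected through the environment (M2M_CLIENT_ID / M2M_CLIENT_SECRET, a hypothetical naming) or kept in a JSON file with "client_id" and "client_secret" keys; the file is rejected unless it is a regular file owned by the current user and readable by nobody else, so a credential file accidentally committed with 0644 permissions or copied onto a shared host fails closed instead of being used silently.

```python
"""Load M2M client credentials from the environment or a locked-down file.

Added example (not the product's own code). Assumptions: environment
variables M2M_CLIENT_ID / M2M_CLIENT_SECRET, or a JSON file with
"client_id" and "client_secret" keys, owned by the current user with
mode 0600. POSIX permissions are assumed (os.getuid, stat mode bits).
"""
import json
import os
import stat
import tempfile
from pathlib import Path


class InsecureCredentialFile(Exception):
    """Raised when a credential file is exposed to other users."""


def check_file_permissions(path: Path) -> None:
    """Enforce the 'Restrict Access' rule: regular file, owned by us, mode 0600 or tighter."""
    st = path.stat()
    if not stat.S_ISREG(st.st_mode):
        raise InsecureCredentialFile(f"{path} is not a regular file")
    if st.st_uid != os.getuid():
        raise InsecureCredentialFile(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        raise InsecureCredentialFile(
            f"{path} is readable by group/others (mode {mode:04o}); chmod 600 it"
        )


def load_credentials(path=None, env_prefix="M2M_"):
    """Return {'client_id', 'client_secret'}; environment wins, then the checked file."""
    cid = os.environ.get(env_prefix + "CLIENT_ID")
    secret = os.environ.get(env_prefix + "CLIENT_SECRET")
    if cid and secret:
        return {"client_id": cid, "client_secret": secret}
    if path is None:
        raise LookupError("no credentials in the environment and no file path given")
    path = Path(path)
    check_file_permissions(path)
    data = json.loads(path.read_text())
    missing = {"client_id", "client_secret"} - set(data)
    if missing:
        raise ValueError(f"credential file is missing {sorted(missing)}")
    return {"client_id": data["client_id"], "client_secret": data["client_secret"]}


def demo():
    """Write one locked-down and one world-readable file; report what the loader does.

    The credential values are constructed sample data, not real secrets.
    """
    creds = {"client_id": "example-client-id", "client_secret": "example-secret"}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good.json"
        good.write_text(json.dumps(creds))
        good.chmod(0o600)  # only the owner can read it: accepted
        results["locked_down"] = load_credentials(good, env_prefix="M2M_EXAMPLE_")["client_id"]

        bad = Path(tmp) / "bad.json"
        bad.write_text(json.dumps(creds))
        bad.chmod(0o644)  # world-readable: rejected
        try:
            load_credentials(bad, env_prefix="M2M_EXAMPLE_")
            results["world_readable"] = "loaded"
        except InsecureCredentialFile:
            results["world_readable"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())  # {'locked_down': 'example-client-id', 'world_readable': 'rejected'}
```

When a secrets manager such as those listed above is in use, the file branch disappears and the environment branch is replaced by the manager's client; the permission check is still worth keeping for any local fallback path, since that is where secrets most often end up exposed.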
Credential rotation is a key security practice to minimize risks from compromised or outdated credentials:
Rotate Every 6 Months: Create a new M2M application and replace the old credentials in your application at least every six months.
Delete Old Applications: After replacing credentials, delete the old M2M application to prevent accidental use of outdated credentials.
Respond to Suspected Breaches: If you suspect a credential compromise, immediately create new credentials, update your application, and remove the old application.
M2M applications use tokens for authentication, and efficient token management is crucial for reliability and performance:
Cache Tokens: Applications should cache tokens to reduce the number of API calls to the authorization server.
Monitor Expiry: Tokens are valid for 6 hours. Use the cached token if it has more than 1 hour left before expiry.
Proactive Renewal: If a token has less than 1 hour remaining, the application should attempt to fetch a new token and update the cache.
Fallback Handling: If token renewal fails, the application can continue using the old token until it expires. During this time, the application should periodically retry fetching a new token to ensure uninterrupted service.
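The four rules above (cache, monitor expiry, renew under 1 hour, fall back and retry on failure) together describe one small state machine. The Python example below is added here to show it end to end; it is not code from the original page or the product's own client library. The token fetch is abstracted as a caller-supplied function that returns a token string and its lifetime in seconds, standing in for the real call to the authorization server (a hypothetical placeholder), and the clock is injectable so the renewal and fallback paths can be exercised deterministically. The 6-hour lifetime and 1-hour renewal threshold are the values from the text.

```python
"""Token cache with proactive renewal and fallback, per the rules above.

Added example (not the product's own code). The fetch_token callable is a
hypothetical stand-in for the real request to the authorization server.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

TOKEN_LIFETIME = 6 * 3600   # tokens are valid for 6 hours
RENEW_THRESHOLD = 3600      # renew once less than 1 hour remains


@dataclass
class CachedToken:
    value: str
    expires_at: float  # in the units of the injected clock


class TokenManager:
    def __init__(self, fetch_token: Callable[[], Tuple[str, int]],
                 clock: Callable[[], float] = time.monotonic,
                 retry_interval: float = 60.0):
        self._fetch = fetch_token
        self._clock = clock
        self._cached: Optional[CachedToken] = None
        self._next_retry = 0.0          # earliest time we will try the server again
        self.retry_interval = retry_interval

    def get_token(self) -> str:
        now = self._clock()
        cached = self._cached

        # Cache hit: more than RENEW_THRESHOLD left, no network call.
        if cached is not None and cached.expires_at - now > RENEW_THRESHOLD:
            return cached.value

        # Renewal window (or no token yet): fetch, but throttle retries after a failure.
        if now >= self._next_retry:
            try:
                value, lifetime = self._fetch()
                self._cached = CachedToken(value, now + lifetime)
                self._next_retry = 0.0
                return value
            except Exception:  # network/server failure: fall through to the old token
                self._next_retry = now + self.retry_interval

        # Fallback: keep using the old token while it is still valid.
        if cached is not None and cached.expires_at > now:
            return cached.value
        raise RuntimeError("no valid token and renewal failed")


def demo():
    """Drive the manager through cache hit, failed renewal, throttled retry and recovery."""
    clock = {"now": 0.0}
    state = {"attempts": 0, "fail": False}

    def fake_fetch():  # constructed stand-in for the authorization server
        state["attempts"] += 1
        if state["fail"]:
            raise ConnectionError("authorization server unreachable")
        return f"token-{state['attempts']}", TOKEN_LIFETIME

    mgr = TokenManager(fake_fetch, clock=lambda: clock["now"], retry_interval=60)
    events = []
    events.append(mgr.get_token())          # t=0h: no token, fetch -> token-1
    clock["now"] = 2 * 3600
    events.append(mgr.get_token())          # t=2h: 4h left, cache hit
    clock["now"] = 5 * 3600 + 30 * 60
    state["fail"] = True
    events.append(mgr.get_token())          # t=5.5h: 30 min left, renewal fails, fallback
    clock["now"] += 30
    events.append(mgr.get_token())          # 30 s later: still inside retry interval, no call
    clock["now"] += 60
    state["fail"] = False
    events.append(mgr.get_token())          # retry window open, server back -> token-3
    return events, state["attempts"]


if __name__ == "__main__":
    print(demo())  # (['token-1', 'token-1', 'token-1', 'token-1', 'token-3'], 3)
```

The retry interval is what keeps "periodically retry" from turning into a request storm against the authorization server while it is down; in production it would be tuned (and ideally jittered) for the expected call volume.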
To further enhance security and reliability, consider the following:
Audit Access and Usage: Regularly review who has access to the M2M application credentials and monitor for any unusual activity.
Implement Environment Segmentation: Use separate M2M applications for different environments (e.g., development, staging, production) to isolate potential security issues.
Use Least Privilege: Configure the M2M application to have the minimum permissions required for its purpose.
Enable Alerts: Set up alerts for suspicious activities, such as failed login attempts or unauthorized access attempts.
By following these best practices, you can ensure the secure and efficient use of M2M application credentials while minimizing potential risks. Remember, security is an ongoing process that requires vigilance and regular updates to keep pace with evolving threats.