Best Practices for Access Credential Rotation at VGS

November 20, 2018

Rotating access credentials such as passwords, certificates, or keys is a universally accepted best practice for security. Very Good Security’s new Access Credentials Rotation feature makes it easier for you to switch (or rotate) from one set of credentials to another to keep your cloud assets safe and secure.

We’ve enabled you to leverage VGS Access Credentials to manage/rotate access credentials, create new pairs or deactivate old ones, and send data to third parties faster. This makes it easier to manage multiple access credentials, leaving you with extra time to focus on more valuable business priorities.

You can use VGS Access Credentials to provide credentials for each service or user of the VGS system. Fine-grained access control allows data to be restricted down to the field level. Access credentials are automatically created for the user when a vault is created. To help ensure security, credentials are never stored in plaintext within VGS. When new credentials are generated, you will be prompted to download them. If you ever lose these credentials, you can generate a new pair via the settings page for your vault.

Access credentials can only be generated and read by the organization administrators. On the vault settings page, admins can see a list of all access credentials as well as create new ones. The sensitive part of the credentials, the password, is substituted for a username and securely vaulted by VGS. (Note: the credential password can be downloaded at the time of generation.)

For each credential, the following information is displayed:

  • Username - randomly generated string used to identify the credentials. This value is not sensitive.
  • Created At - date the credentials were generated.
  • Status - signifies whether the credentials are active or inactive.

Once credentials are created, they can be temporarily deactivated and reactivated.

How to rotate access credentials

Rotating credentials is a highly recommended security best practice that limits the time frame in which access credentials can be used. It also reduces any possible negative business impact if credentials are ever compromised.

Very Good Security recommends the following rotation practices:

  • Establish a process to rotate access credentials every 90 days
  • Rotate credentials immediately if there is any risk that they were compromised
  • Build regular key rotation features into applications to make the process painless

The procedure for rotating credentials on VGS Dashboard is:

  1. Generate new credentials on the vault settings page
  2. Update all applications to make sure they’re using the new username and password
  3. Change the status of previous credentials to “Inactive”
  4. Validate that all applications are working as expected
  5. Delete old credentials

Remember: Always check whether the new credentials are active and working before you delete the deactivated credentials. Once you delete your credentials, you will need to restart the process, as you won’t be able to retrieve them.

Here’s how to get started:

  1. Go to your vault on VGS Dashboard, select Vault Settings, and find the Access Credentials section. Each vault has at least one access credential. In order to perform a rotation, you need at least two sets of credentials, so to add one more, click on “Generate Credentials”. This will show a newly generated username/password pair. Make sure to copy or download these because this is the only time the password will be shown in clear text.

  2. You should now have two active credentials for your vault. Be sure to distribute the new username/password pair to all applications that use a VGS vault.

  3. At this point, you need to change the status of old credentials to “Inactive.” This will disable credentials so that they can’t be used for outbound traffic anymore.

  4. Make sure to validate that all applications are working. If the new credentials are working, feel free to go to step 5. If you encounter any issues, for example if you forgot to update one of the applications using VGS vault, you can reactivate the old credentials and go back to step 2.

  5. After you’ve verified that everything is working, it’s safe to delete the old credentials. NOTE: Deleted credentials cannot be restored. (That’s why VGS asks for additional confirmation before they’re deleted.)


To ensure better security of your product, be sure to automate key rotation in your applications to make the process quick and easy. In addition, manual credential rotation using VGS Dashboard on a periodic basis is recommended.
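The five-step procedure above, including the rollback in step 4, sketched as an added example; this is not VGS code and does not call any VGS API. The `Vault` class, `rotate`, `demo`, and the application configs are hypothetical in-memory stand-ins constructed for illustration.

```python
# Added example: in-memory model of the five-step rotation; not the VGS API.
import secrets
from dataclasses import dataclass, field

@dataclass
class Vault:
    """Hypothetical stand-in for a vault's credential list (username -> status)."""
    creds: dict = field(default_factory=dict)

    def generate(self):
        username = secrets.token_hex(6)        # identifier, not sensitive
        password = secrets.token_urlsafe(24)   # returned once, never kept here
        self.creds[username] = "Active"
        return username, password

def rotate(vault, old_user, updaters, validate):
    """Run steps 1-5. `updaters` are callables taking (username, password);
    `validate` takes the vault and returns True when every application works."""
    if vault.creds.get(old_user) != "Active":
        raise ValueError("old credential must exist and be active")
    new_user, new_pass = vault.generate()      # step 1: generate new pair
    for push in updaters:                      # step 2: distribute to applications
        push(new_user, new_pass)
    vault.creds[old_user] = "Inactive"         # step 3: deactivate old pair
    if not validate(vault):                    # step 4: validate applications
        vault.creds[old_user] = "Active"       # reactivate, operator returns to step 2
        return new_user, "rolled_back"
    del vault.creds[old_user]                  # step 5: delete, cannot be undone
    return new_user, "rotated"

def demo(forget_one):
    """Rotate a vault used by two constructed applications; optionally skip one."""
    vault = Vault()
    old_user, _ = vault.generate()
    configs = [{"user": old_user}, {"user": old_user}]
    updaters = [lambda u, p, c=c: c.update(user=u) for c in configs]
    if forget_one:
        updaters = updaters[:1]                # one application never gets the new pair
    def validate(v):
        return all(v.creds.get(c["user"]) == "Active" for c in configs)
    new_user, outcome = rotate(vault, old_user, updaters, validate)
    return outcome, vault.creds.get(old_user), vault.creds[new_user]
```

When one application is skipped, validation fails while the old credential is only inactive, so it is reactivated rather than deleted and both pairs remain usable until the missed application is updated.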

VGS continues to redefine data management and security with the Access Credentials Rotation feature, an improved way to manage access credentials for long-term success. This better and faster option comes with even more functionality and ease of use, eliminating complicated processes so that you can stay focused on your core business objectives.

Want to see for yourself? Sign up for a free demo here, or contact us directly at 1-844-847-0232.

Yuriy Yunikov

Engineering Manager at VGS

