Forms inMotion 23.3.0 Release


KeyMark Labs is excited to release version 23.3.0 of Forms inMotion. The primary focus of our third main release of the year is taking steps to further secure connections to external resources in the solution. To accomplish this goal we’d like to introduce a brand new feature we like to call Vaults.

Introducing Vaults

In previous versions of the software, each instance of a plugin that required some form of connection information had to have that connection information configured as properties. This created two problems:

  1. The connection information was visible every time an administrator went to the relevant plugin instance, increasing the possibility of an accidental leak.
  2. If the same connection was going to be used multiple times, administrators had to find every place those connection properties were used and update them individually.

Vaults solve these problems by providing a secure classification and storage solution for external connection information or general sensitive data. For the sake of simplicity, we call this data “secrets”. Each secret has a type. Examples of secret types include:

  • A SQL Server connection string
  • A token used to connect to a 3rd party API
  • The username and password to log in to a company portal

To further explain, we’ll use our Azure Active Directory authentication provider plugin as an example. Below you’ll find a screenshot of the App Registration secret type:

Here you can see that this secret type houses the “Client Id”, “Tenant Id” and, most importantly, the “Client Secret”. All of this information is bundled together and stored in the database as an encrypted range of bytes. To make doubly sure that the secret stays secure, the encryption keys themselves can be protected by an external key vault like Azure Key Vault or AWS CloudHSM [1]. The secret is decrypted in only two cases: for administrators with the “SecretStorage” permission, and when the system uses it to run a plugin.

Administrators who do not have permission to administer secrets will never have the sensitive data contained in a secret exposed to them.

Pictured below is a configured Azure Active Directory Authentication provider. The administrator configuring this Authentication Provider only has the ability to select a secret that is of the type Azure App Registration.

Vaults also come with the secondary benefit of streamlining management for these 3rd party connections. By providing a single location for these secrets to be configured and stored, an administrator can be sure that when updating one secret, all plugins that are using the secret will be updated with it.

Additional Changes

Password Type Form Builder Component

We have added a password form builder input field that is now generally available for all plugin types as well as the form builder designer.


Thanks For Reading!

If you are an existing Forms inMotion customer and you’re interested in this feature, please reach out to us at support@keymarkinc.com to discuss an upgrade.

If you want to learn more about Forms inMotion, feel free to reach out to sales@keymarkinc.com.

Footnotes

[1] – Plugins to connect to these key storage vaults must be written before these external protection mechanisms can be used.