**Tags:** #Process #OPSEC
> [!info]
> This information is shared as part of Decombine's commitment to [[Open Core]] practices.
## Workload Identities
Decombine uses workload identities wherever possible to manage the authentication and authorization lifecycle of its resources. Rather than creating a service principal with its own long-lived credential for each service or resource, a long-lived identity whose credentials are federated over OpenID Connect (OIDC) is used instead: the workload presents a short-lived token issued by its own platform and exchanges it for access, so there is no stored password or client secret to protect or rotate.

### Rotation
The certificates backing workload identities are rotated automatically by the platform every 30 to 90 days, without any action by Decombine.
## Secrets
Secrets are any values that are used specifically for data access or authorization and are sensitive in nature, such as passwords or tokens.
Decombine centrally maintains and stores secrets in Azure Key Vault using software-protected security modules. Access to and management of the Key Vaults is restricted to a dedicated Microsoft 365 group whose membership is defined in source code and activated through Privileged Identity Management (PIM), so standing access to the vaults is not held by any individual.
### Rotation
The vast majority of Decombine resources that would otherwise require a secret such as a password instead use certificate-based authentication with OIDC federation, so there is no secret to rotate.
For the resources where this is not practical, secrets are rotated programmatically every 180 days.
## Certificates
Certificates are a specific kind of secret used for public key infrastructure and cryptographic protocols such as Transport Layer Security (TLS). Certificates are stored and maintained exclusively in Azure Key Vault.
### Rotation
Certificates used by Decombine services are rotated every 90 or 180 days, and in a small number of cases annually.
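The rotation windows stated under Workload Identities, Secrets and Certificates above can be checked against an inventory rather than taken on trust. The following is an added example, not Decombine's own tooling: it runs a rotation audit over a constructed inventory whose item names, kinds and dates are hypothetical. Each item carries the date its current version was created (in a real Key Vault listing this would come from the `created_on` property of the secret or certificate version), and the check flags anything past its window, anything due soon, anything with an unknown kind, and anything with no rotation date at all, since a missing date is itself a finding rather than a pass.

```python
from datetime import date

# Maximum age in days before an item counts as overdue. The values follow
# the policy on this page: workload identity certificates are platform-rotated
# within 30-90 days, non-federated secrets every 180 days, service certificates
# every 90 or 180 days with a small number of annual exceptions.
ROTATION_MAX_DAYS = {
    "workload-identity-cert": 90,
    "secret": 180,
    "service-cert": 180,
    "service-cert-annual": 365,
}

# Constructed inventory (hypothetical names and dates) shaped like what a
# Key Vault listing would give: name, kind, and when the current version was
# created, which is the date of the last rotation. One item deliberately has
# no date and one has a kind the policy does not cover.
INVENTORY = [
    {"name": "app-tls", "kind": "service-cert", "rotated_on": date(2024, 1, 1)},
    {"name": "api-tls", "kind": "service-cert", "rotated_on": date(2023, 12, 10)},
    {"name": "legacy-db-password", "kind": "secret", "rotated_on": date(2023, 10, 1)},
    {"name": "ci-workload-cert", "kind": "workload-identity-cert", "rotated_on": date(2024, 4, 1)},
    {"name": "root-ca-cert", "kind": "service-cert-annual", "rotated_on": date(2023, 5, 1)},
    {"name": "orphan-token", "kind": "password", "rotated_on": date(2024, 5, 1)},
    {"name": "imported-cert", "kind": "service-cert", "rotated_on": None},
]


def rotation_findings(inventory, today, max_days=ROTATION_MAX_DAYS, warn_within=14):
    """Audit an inventory against the rotation windows.

    Returns a list of (name, status, days) tuples, where status is one of
    'overdue' (days = how far past the window), 'due-soon' (days = days left),
    'unknown-kind' or 'no-rotation-date' (days = None). Items within policy
    produce no finding. `today` is a parameter rather than date.today() so the
    audit is reproducible.
    """
    findings = []
    for item in inventory:
        name, kind = item["name"], item["kind"]
        if kind not in max_days:
            # An item the policy does not classify cannot be judged compliant.
            findings.append((name, "unknown-kind", None))
            continue
        rotated_on = item.get("rotated_on")
        if rotated_on is None:
            # No creation date means no evidence of rotation: flag, do not pass.
            findings.append((name, "no-rotation-date", None))
            continue
        age = (today - rotated_on).days
        limit = max_days[kind]
        if age > limit:
            findings.append((name, "overdue", age - limit))
        elif age > limit - warn_within:
            findings.append((name, "due-soon", limit - age))
    return findings


def findings_by_name(inventory, today, **kwargs):
    """Same audit, keyed by item name for easy lookup."""
    return {name: (status, days) for name, status, days in rotation_findings(inventory, today, **kwargs)}


if __name__ == "__main__":
    # Fixed audit date so the constructed inventory gives stable results.
    for name, status, days in rotation_findings(INVENTORY, date(2024, 6, 1)):
        print(f"{name:20s} {status:17s} {'' if days is None else days}")
```

Run against a real vault, the inventory would be built from the vault's secret and certificate listings and `today` set to `date.today()`; a non-empty result is the signal to investigate, and the `no-rotation-date` and `unknown-kind` statuses exist precisely so that gaps in the inventory surface as findings instead of silently passing.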