
Machines without Secrets

Author: Ehud Amiri

Date: 10/22/2024

Secretless: The New Best Practice

In our first blog we explored the sharp rise of machine identities organizations have to manage and secure and provided recommendations and summarized a few best practices for secrets management. In this blog we discuss how to improve upon secrets management by going… secretless. I’ll explain.

The challenges machines face with secrets closely parallel the issues humans have long encountered with password management. Passwords, once the gold standard of human identity verification, are now widely recognized as a weak link in cybersecurity. This awareness has driven the shift towards mitigation strategies and the adoption of alternative methods, including passwordless authentication, which offers stronger security with an improved user experience.

Similarly, machines can transition away from relying on secrets through a concept known as “secretless” operations. While secretless approaches are available in the major cloud environments, they have yet to achieve widespread adoption, primarily due to the additional configuration steps required and a general lack of awareness.

Secretless in Action with AWS

Secretless is not entirely new and has been used by cloud platforms for a while. A strong example of secretless operations is how AWS manages EC2 instances.


When a new virtual machine (VM) is launched on AWS, it can be given an IAM role through an instance profile. Code on the instance then obtains short-lived credentials for that role from the instance metadata service (IMDS); the AWS SDKs do this automatically, so no long-lived access key has to be stored on the instance or in its configuration. AWS issues, rotates and expires these credentials itself, which eliminates the need to store and handle secrets within the instance. This approach not only simplifies security but also aligns with zero trust principles and security by design. AWS extends this model across its ecosystem (Lambda functions and ECS tasks receive role credentials in the same spirit), enabling streamlined access management through implicit authentication by leveraging the platform's comprehensive control over the environment. One caveat a practitioner should keep in mind: the temporary credentials are still bearer tokens, and anything that can make HTTP requests from the instance can read them from the metadata endpoint. Require IMDSv2 (which demands a session token obtained with a PUT request before any metadata can be read) and keep the role's permissions to the minimum the workload needs.

This approach is highly effective within the AWS ecosystem, and similar models exist for Azure (managed identities), Google Cloud Platform (GCP) (service accounts attached to compute resources), and other single-platform environments. In these scenarios the platform itself, such as AWS, issues the workload's credentials and binds them to the authorization it has been granted, so no shared secret ever has to be provisioned into the workload.
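What "secretless" looks like from inside the instance, as an added example that is not code from the post or from the AWS SDKs: the IMDSv2 exchange an SDK performs to obtain the role's temporary credentials. It assumes the documented instance metadata endpoint and paths; the `fetch` callable is injectable, and the constructed fake at the bottom behaves like an IMDSv2-only instance so the code runs off-instance.

```python
"""Obtain EC2 role credentials the way the AWS SDKs do, via IMDSv2.

Added example (not from the post or from AWS's SDK code). It assumes the
documented instance metadata endpoint and paths; the `fetch` callable is
injectable, so the constructed fake at the bottom lets it run off-instance.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.request import Request, urlopen

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HDR = "X-aws-ec2-metadata-token"


def http_fetch(method, url, headers=None, timeout=2.0):
    """Minimal HTTP helper used on a real instance (link-local endpoint, no auth)."""
    req = Request(url, method=method, headers=headers or {})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_aws_time(s):
    """IMDS timestamps look like 2024-10-22T18:00:00Z (UTC)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def get_role_credentials(fetch=http_fetch):
    """IMDSv2: PUT for a session token, then GET the role name and its credentials."""
    token = fetch("PUT", IMDS + TOKEN_PATH, {TOKEN_TTL_HDR: "21600"})
    auth = {TOKEN_HDR: token}
    role = fetch("GET", IMDS + CREDS_PATH, auth).strip()
    doc = json.loads(fetch("GET", IMDS + CREDS_PATH + role, auth))
    if doc.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned {doc.get('Code')!r} for role {role}")
    # Temporary credentials: key id + secret + session token, with an Expiration.
    return {
        "role": role,
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "expiration": parse_aws_time(doc["Expiration"]),
    }


def needs_refresh(creds, now=None, margin=timedelta(minutes=5)):
    """Callers re-fetch before expiry instead of persisting the credentials anywhere."""
    now = now or datetime.now(timezone.utc)
    return creds["expiration"] - now <= margin


# ---- constructed fake of an IMDSv2-only instance, for offline runs ----------
FAKE_TOKEN = "AQAAA-constructed-session-token"
FAKE_ROLE = "app-server-role"
FAKE_DOC = {  # shape of a real security-credentials document; values are constructed
    "Code": "Success",
    "LastUpdated": "2024-10-22T12:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
    "SecretAccessKey": "constructed/secret/not/real",
    "Token": "constructed-session-token",
    "Expiration": "2024-10-22T18:00:00Z",
}


def fake_imds(method, url, headers=None):
    headers = headers or {}
    if method == "PUT" and url == IMDS + TOKEN_PATH:
        if TOKEN_TTL_HDR not in headers:
            raise ValueError("400: TTL header required")
        return FAKE_TOKEN
    if headers.get(TOKEN_HDR) != FAKE_TOKEN:
        # An IMDSv2-only instance rejects token-less (v1-style) requests.
        raise PermissionError("401: IMDSv2 token required")
    if url == IMDS + CREDS_PATH:
        return FAKE_ROLE + "\n"
    if url == IMDS + CREDS_PATH + FAKE_ROLE:
        return json.dumps(FAKE_DOC)
    raise FileNotFoundError(f"404: {url}")


if __name__ == "__main__":
    creds = get_role_credentials(fake_imds)
    print(creds["role"], creds["access_key_id"], creds["expiration"].isoformat())
```

Nothing in this flow is written to disk or configuration: the credentials live in memory, carry an expiry, and are simply fetched again when `needs_refresh` says so. Swapping `fake_imds` for `http_fetch` on a real instance with a role attached is the only change needed.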

More recently, workload identity federation (typically OpenID Connect based, and sometimes described as federated Single Sign-On (SSO) for machines) has extended this trust model across platforms: a workload presents the identity token its own platform issued, and the target platform exchanges it for short-lived credentials after checking the configured trust relationship. This enables secretless machine access even when machines and resources operate on different platforms.
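The trust relationship that makes cross-platform secretless access work, as an added example that is not from the post: an IAM role trust policy for a GitHub Actions workflow assuming an AWS role via OIDC, plus a check for the usual misconfiguration. It assumes GitHub's OIDC issuer as the external identity provider and a hypothetical account id and repository name; the check flags trust policies that have no `sub` condition, or a wildcard one, since those let workloads from any repository assume the role.

```python
"""Trust policy for cross-platform secretless access via OIDC federation.

Added example, not from the post. Assumes GitHub Actions as the external
workload identity provider (issuer token.actions.githubusercontent.com) and
a hypothetical account id and repository. `trust_policy_findings` flags the
usual mistake: a trust policy without a `sub` condition, or with a wildcard
`sub`, which lets workloads from any repository assume the role.
"""
import json

ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{ISSUER}:aud"
SUB_KEY = f"{ISSUER}:sub"


def github_trust_policy(account_id, repo, ref="refs/heads/main"):
    """Role trust policy that only the given repository and branch can use."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    AUD_KEY: "sts.amazonaws.com",
                    SUB_KEY: f"repo:{repo}:ref:{ref}",
                }
            },
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def trust_policy_findings(policy):
    """Return human-readable problems with an OIDC trust policy ([] if clean)."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition", {})
        # Flatten to (operator, key, values) triples; condition keys are case-insensitive.
        triples = [(op, k.lower(), _as_list(v)) for op, kv in cond.items() for k, v in kv.items()]
        if not any(k == AUD_KEY for _op, k, _vals in triples):
            findings.append(f"statement {i}: no {AUD_KEY} condition")
        subs = [(op, vals) for op, k, vals in triples if k == SUB_KEY]
        if not subs:
            findings.append(f"statement {i}: no {SUB_KEY} condition; any repository could assume this role")
        for op, vals in subs:
            for v in vals:
                # "repo:org/*" scopes to an organization; "*" or "repo:*" scopes to nobody in particular.
                if v == "*" or v.startswith("repo:*") or not v.startswith("repo:"):
                    findings.append(f"statement {i}: over-broad {SUB_KEY} value {v!r} ({op})")
    return findings


if __name__ == "__main__":
    good = github_trust_policy("123456789012", "example-org/example-app")
    print(json.dumps(good, indent=2))
    bad = github_trust_policy("123456789012", "example-org/example-app")
    del bad["Statement"][0]["Condition"]
    print(trust_policy_findings(bad))
```

The `aud` condition ties the token to this consumer and the `sub` condition ties it to one repository and branch; both are what turn "the identity provider is trusted" into "this specific workload is trusted", which is the whole point of the federation step.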

Broader Adoption of Secretless Operations

Despite the clear benefits, secretless operations are not yet widely adopted.

At Saviynt, we believe there are three key reasons for this:

  1. Lack of Awareness: Many development and security teams are unaware that secretless operations are an option, causing them to rely on traditional secrets for machine authentication, even for scenarios where secretless solutions are available, easier to implement, and offer improved machine-to-machine access.
  2. Complexity: Implementing secretless configurations across multiple platforms remains challenging because federated trust relationships (an identity provider registration, a trust policy, and conditions on which workloads may use it) have to be established and maintained between the different systems.
  3. Limited Availability: Secretless capabilities are not yet available across all platforms. While leading cloud providers like AWS offer these options within their ecosystems, the broader adoption of secretless operations across different platforms is still evolving.

We can anticipate that as vendors and organizations become more acutely aware of the vulnerabilities inherent in managing secrets, and as they gain a deeper understanding of secretless principles, we will see a significant shift in the industry.

Vendors are likely to increase their investment in developing and expanding secretless technologies, making them more accessible and integrated across various platforms.

At the same time, security practitioners will emerge as key agents of change within their organizations, driving their teams toward adopting secretless operations. This collective effort will pave the way for secretless methodologies to evolve into a widely adopted best practice, fundamentally transforming how machine identities and access controls are managed across the industry.

This raises a critical question: how can CISOs and IAM leaders start mitigating the risks posed by machine identities? What should they focus on to reduce security gaps, prioritize their efforts, and achieve better overall cybersecurity outcomes when managing machine identities?

To address these challenges, security leaders can take a three-pronged approach:

First, they should enhance machine identity hygiene by identifying and removing dormant or unused machine identities across cloud, SaaS, and other business applications. Ensuring each machine identity has a clear purpose and a defined owner is essential for reducing risk.

Second, they must focus on minimizing the use of shared secrets by adopting secretless authentication methods wherever possible, which helps to lower the attack surface associated with credential misuse.

Lastly, where secrets remain necessary, organizations should implement robust secrets management practices, such as secret vaulting, short credential lifetimes, and regular secret rotation, to mitigate the risks posed by static credentials. By following these steps, organizations can significantly improve their security posture in managing machine identities and reduce their exposure to cyberattacks.
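The first step, machine identity hygiene, is easiest to start where the inventory already exists. As an added example that is not from the post, here is a check over an AWS IAM credential report that flags active access keys that have never been used, have gone unused, or have not been rotated. It assumes the documented column names of the credential report CSV; the rows are constructed and trimmed to the columns the check needs, and the same per-key logic applies to any inventory that records creation and last-use dates.

```python
"""Find dormant or never-rotated access keys in an IAM credential report.

Added example, not from the post. It assumes the column names of the AWS IAM
credential report (CSV from `aws iam get-credential-report`, base64-decoded);
the rows below are constructed and trimmed to the columns the check needs.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 90      # last used longer ago than this -> dormant
ROTATION_DAYS = 365   # older than this without rotation -> stale
MISSING = {"N/A", "no_information", "not_supported", ""}


def parse_report_time(s):
    """Report timestamps are ISO 8601 with offset, e.g. 2024-09-01T08:15:00+00:00."""
    if s in MISSING:
        return None
    return datetime.fromisoformat(s)


def key_findings(report_csv, now):
    """Return one finding dict per active access key that is dormant or stale."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") != "true":
                continue  # inactive or absent key: nothing to use or steal
            rotated = parse_report_time(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_report_time(row[f"access_key_{slot}_last_used_date"])
            reasons = []
            if last_used is None:
                # Never used: only a problem once the key has existed long enough to tell.
                if rotated and now - rotated > timedelta(days=UNUSED_DAYS):
                    reasons.append("never used")
            elif now - last_used > timedelta(days=UNUSED_DAYS):
                reasons.append(f"unused for {(now - last_used).days} days")
            if rotated and now - rotated > timedelta(days=ROTATION_DAYS):
                reasons.append(f"not rotated for {(now - rotated).days} days")
            if reasons:
                findings.append({"user": row["user"], "key": f"access_key_{slot}", "reasons": reasons})
    return findings


# Constructed sample, trimmed to the columns used above (a real report has more).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2024-01-10T09:00:00+00:00,false,true,2024-09-01T08:15:00+00:00,2024-10-20T06:40:00+00:00,false,N/A,N/A
legacy-etl,arn:aws:iam::123456789012:user/legacy-etl,2022-05-03T11:20:00+00:00,false,true,2023-01-15T10:00:00+00:00,2024-03-01T02:10:00+00:00,false,N/A,N/A
reporting-svc,arn:aws:iam::123456789012:user/reporting-svc,2024-06-01T14:00:00+00:00,false,true,2024-06-01T14:00:00+00:00,N/A,true,2024-10-15T09:00:00+00:00,N/A
"""

NOW = datetime(2024, 10, 22, tzinfo=timezone.utc)  # fixed "today" for the sample

if __name__ == "__main__":
    for f in key_findings(SAMPLE_REPORT, NOW):
        print(f["user"], f["key"], "; ".join(f["reasons"]))
```

Each finding names a key with an owner to chase: a never-used key is a candidate for deletion, an unused one for deactivation, and a stale one for rotation or, better, replacement by a role-based or federated identity so it never needs rotating again.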


Conclusion

Non-human identity (NHI) is a relatively new and growing attack surface, and one that is increasingly being exploited. Most organizations are still building their strategy around it. When you do, consider building in secretless authentication capabilities and explore where they can be deployed before defaulting to traditional and reactive methods such as secrets management. Saviynt is here to help you look at human and non-human identity management holistically.
