Connect with us

Hi, what are you looking for?


Security Architecture

Akeyless Launches SaaS-based External Secrets Manager

New SaaS-based secrets manager from Akeyless requires no new infrastructure, and no specialist staff nor secrets management team.

Secrets are fundamental to cybersecurity. They comprise the secret data that allows individual authorization and access to or between systems. But if secrets are not secret, they are threats.

Secrets are also known as credentials. They either provide human access to systems and software, or they provide machine access to other machines. Both categories need to be managed and protected. Although the technology to do this has similarities, human credential protection systems are generally categorized as password managers or privileged access management (PAM) systems, while machine to machine credential protection systems are known as secrets management.

Over time, PAM and secrets management will grow closer, either with single products providing both functions, or single vendors providing both products. This is already happening, but here we will focus on secrets management.

“In cybersecurity, secrets are non-human privileged credentials, most often used to unlock applications, services and IT resources containing highly sensitive information and privileged systems,” explains Craig Lurey, CTO and co-founder at Keeper Security. Attackers see them as keys to the kingdom.

The problem for organizations is these credentials can become distributed and stored in insecure locations. “They may be hard-coded directly into software, stored in plain-text config files, or sitting on a developer’s workstation,” continues Lurey. Since the beginning of cloud migration, the need machine to machine secrets has grown massively. Hybrid and multi-cloud environments can further spread these secrets and lead to duplicated or outdated credentials. 

“The lack of central management not only expands the potential attack surface, it also puts the network in a position where an outdated credential can take down the entire production system,” he warns. Keeper Security provides a Secrets Manager solution for dev teams.

Secrets management is a necessary evil, according to Erik Gaston, VP global executive engagement at Tanium. “Unfortunately, attackers often find their doors and windows into your organization through weak and over-used passwords, or poor management of these.” he explains. “This problem becomes worse with siloed organizations and manual processes and was exacerbated during the pandemic as developers began working remotely and taking weakly authenticated ‘secrets’ out into the public domain where they were easily available to attackers.” This is known as ‘secrets sprawl’.

Advertisement. Scroll to continue reading.

Secrets management therefore implies two separate roles: the protection of secrets’ secrecy, and the management of their distribution (that is, the prevention of secrets sprawl). But there is a third fundamental requirement for a secrets management product. 

“Secret management becomes difficult if something is designed in a manner that assumes a secret can be kept forever which, unfortunately, is quite common,” comments Casey Ellis, founder and CTO at Bugcrowd. It is best to assume a secret will eventually become known: guessed, cracked, found in the wrong place, socially engineered, etcetera. “If security is dependent on that secret, the consequences are disastrous if that assumption fails.” The third fundamental requirement for secrets management is consequently the maintenance of secrecy – something that can be achieved by regularly changing (rotating) the secret – or using dynamic secrets.

It is against this background that Akeyless has launched a new SaaS-based secrets manager. “It is based,” co-founder, chairman and president Shai Onn told SecurityWeek, “on three pillars: economic efficiency, simplicity of use, and high degree of security.”

The first two pillars stem from the system’s SaaS basis. It effectively provides a single cloud-based vault for all secrets, eliminating the need for siloed secrets management dependent on their source. As a SaaS service, it requires no new infrastructure, and no specialist staff nor secrets management team. It also offers a 99.99% availability and supports a configurable caching period in case of short term total internet failure. When a new app is developed, the developer replaces the secret with a link to the SaaS service, eliminating the need for local secret storage altogether. 

While secrets rotation is an available option, the security of the system is primarily based on the Akeyless patented version of dynamic secrets. A dynamic secret is one that is generated at the time of use and discarded at the end of the session.

The secrets are encrypted. This is not new, but the method of encryption is new. “We have developed a patented technology which we call DFC – distributed fragments cryptography,” said Onn. “We have two patents that allow us to do very secure cryptographic operations on data in a zero knowledge manner.”

External Secrets Manager

By zero knowledge, he means nobody other than the customer, neither Akeyless nor the cloud provider, can gain access to the keys – secrets will remain secret. It eliminates the concern some companies still retain over storing highly sensitive data in the cloud. Technically, the mathematics involved resemble multi-party computation (MPC) without the requirement for multiple parties nor the usual associated costs.

“We found a way to do encryption of data, using fragments of encryption keys without ever combining the fragments,” he continued. “Those fragments are placed in different locations. They are never combined. They never leave their location – and they make our solution a zero knowledge solution.” An attacker would need to simultaneously gain access to all the distributed encrypted key fragments, and the secret and make use of the secret during the course of the current session usage.

The product, named External Secrets Manager (ESM), was launched on June 14, 2023. In the announcement it is also called ‘Bring Your Own Vault’.

Tel-Aviv based Akeyless was founded by Shai Onn, Oded Hareven (CEO), and Refael Angel (CTO) in 2018. It raised $65 million in a Series B funding round in November 2022, bringing the total raised so far to $79 million.

Related: Cloudflare Unveils New Secrets Management Solution

Related: Entro Raises $6M to Tackle Secrets Sprawl

Related: Critical Vulnerabilities Found in Passwordstate Enterprise Password Manager

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Artificial Intelligence

Microsoft and Mitre release Arsenal plugin to help cybersecurity professionals emulate attacks on machine learning (ML) systems.

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.