What is Secretless?
Secretless Broker relieves applications of the need to directly handle secrets. When an application requires access to a TCP-based service, such as a database, web service, or SSH connection, it can connect to the local Secretless Brokerwithout credentials rather than connect to the service directly.
You can configure Secretless Broker to retrieve credentials for each connection from any of several credential stores and inject the credentials into the connection request. Once the connection is made, Secretless Broker seamlessly streams the connection between the client and the service. Secretless Broker can coordinate connections to multiple services simultaneously.
The Secretless Broker solves two problems.
First, it prevents the loss or theft of credentials from applications and services, which can occur by:
|Accidental credential leakage||For example, when credentials are written to a log file or checked into source control.|
|An attack on a privileged user||For example, phishing or developer machine compromises.|
|A vulnerability in an application||For example, remote code execution or environment variable dump.|
Second, Secretless Broker manages how applications interact with secrets vaults. The Secretless Broker eliminates the need to modify code to fetch requested credentials and the time spent implementing and maintaining connections to vaults. Time better spent delivering business value.
Prevent credential loss and theft
Keeping secrets in a vault is good practice. However, when a client application requests a secret from the vault, it often is stored in unprotected application memory, adding the application to the threat surface. Even if an organization implements and enforces stringent best practices, such storing secrets in a vault and application hardening, this can guarantee 0-day vulnerabilities in the application, underlying framework, or programming language used.
Focus on adding business value
Instead of focusing resources on mitigating the risks of end users and developers passing secrets to applications, use the Secretless Broker which abstracts away the security to a specialized module that can be audited and expanded with custom plugin. The Secretless Broker supports a variety of vault solutions and secures the secrets consistently across technologies and platforms.
The client does not have to know how to fetch credentials.
Secret rotations are handled seamlessly.
The client/app no longer has to directly interact with a secrets vault and no code must be changed to fetch credentials before opening a connection. If the vault used changes when the environment or platform changes no changes in code are required, thus reducing the probability of human error and bugs.
The client is not part of the threat surface.
The client/app no longer has direct access to the password, and therefore cannot reveal it.
The client doesn’t have to know how to properly manage secrets.
Handling secrets safely involves some complexities, and when every application needs to know how to handle secrets, accidents happen. Secretless Broker centralizes the client-side management of secrets into one code base, making it easier for developers to focus on delivering features.
To find out more about currently-supported Target Services, visit Secretless Service Connectors.