A vault is a protected storage system for secrets that controls who can retrieve them. It does not, by itself, govern where secrets are copied next, how they are used, or whether they remain valid after exposure, so it must be paired with lifecycle monitoring and revocation.
Expanded Definition
A vault is a controlled secret storage boundary for credentials, tokens, API keys, and certificates. In NHI operations, its value is not just encryption at rest, but controlled retrieval, policy enforcement, auditability, and integration with lifecycle processes such as rotation and revocation. The term is sometimes used loosely across vendors, and no single standard governs it yet, so practitioners should distinguish a vault from adjacent controls like secret managers, key management systems, and runtime identity platforms. A vault can reduce exposure by centralising retrieval, yet it does not automatically prevent a secret from being copied into tickets, source control, or chat, which is why NIST Cybersecurity Framework 2.0-style governance still matters for identity and access discipline. NHIMG’s Ultimate Guide to NHIs — Static vs Dynamic Secrets reinforces that storage choice is only one part of secret security. The most common misapplication is treating the vault as a complete control plane, which occurs when teams assume that protecting retrieval alone also governs downstream secret use.
Examples and Use Cases
Implementing a vault rigorously often introduces workflow friction, requiring organisations to weigh stronger control over secrets against added dependency on automation and policy tuning.
- A platform team stores database credentials in a vault and issues short-lived retrieval tokens to application workloads instead of embedding passwords in deployment scripts.
- An identity team uses a vault to centralise certificate retrieval for service accounts while pairing it with rotation jobs and revocation checks after incident response.
- A DevOps pipeline pulls build-time API keys from the vault during release, then invalidates the session token immediately after the job completes.
- A security team reviews duplicate storage paths after reading the Guide to the Secret Sprawl Challenge, then removes copies from wikis and issue trackers.
- An audit team traces vault access logs against the NIST access review model to confirm that only approved agents can retrieve high-value secrets.
Used well, a vault becomes the retrieval layer in a broader secret lifecycle system rather than a hidden repository for static credentials.
Why It Matters in NHI Security
Vaults are central to NHI security because they directly affect how much blast radius a compromised token can create. The risk is not just exposure, but persistence: once a secret escapes, every copied instance becomes a separate remediation problem. NHIMG research shows that 62% of secrets are duplicated and stored in multiple locations, which means a vault can only reduce risk if it is paired with discovery, expiration, and revocation controls. The same research also reports that 50% of organisations are onboarding new vaults without proper security approval, which creates misconfiguration risk from the start. In practice, a vault should support least privilege, short-lived access, and clear ownership for each secret family. It also needs telemetry that helps investigators answer who retrieved what, when, and from which workload. Organisations typically encounter vault limitations only after a token leak, at which point tracing every retrieval and revoking every copy becomes unavoidable operational work.
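The audit review described in the use cases above and the "who retrieved what, when, and from which workload" telemetry requirement can be exercised against vault audit logs. The following is an added example, not code from the original guidance or from any vault product: it assumes a generic line-delimited JSON audit schema (token_issue, secret_read, token_revoke events) and a constructed policy that names the identities approved to read a high-value path, a maximum token TTL, and a deadline for revoking a token after its last read. The sample log lines and identities are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit records. The field names are an assumed generic
# schema; real vault products each ship their own audit format.
SAMPLE_AUDIT_LOG = """
{"ts": "2024-05-01T10:00:00Z", "event": "token_issue", "token_id": "t-100", "identity": "ci-runner-7", "ttl_seconds": 900}
{"ts": "2024-05-01T10:00:05Z", "event": "secret_read", "token_id": "t-100", "identity": "ci-runner-7", "path": "secret/build/api-key"}
{"ts": "2024-05-01T10:04:00Z", "event": "token_revoke", "token_id": "t-100", "identity": "ci-runner-7"}
{"ts": "2024-05-01T10:10:00Z", "event": "token_issue", "token_id": "t-101", "identity": "svc-reporting", "ttl_seconds": 86400}
{"ts": "2024-05-01T10:11:00Z", "event": "secret_read", "token_id": "t-101", "identity": "svc-reporting", "path": "secret/prod/db-admin"}
{"ts": "2024-05-01T10:12:00Z", "event": "token_issue", "token_id": "t-102", "identity": "app-orders", "ttl_seconds": 600}
{"ts": "2024-05-01T10:12:02Z", "event": "secret_read", "token_id": "t-102", "identity": "app-orders", "path": "secret/prod/db-admin"}
{"ts": "2024-05-01T10:13:00Z", "event": "token_revoke", "token_id": "t-102", "identity": "app-orders"}
"""

# Constructed access-review policy: which identities may read each high-value
# path, how long a retrieval token may live, and how soon after its last
# read a token must be revoked (the "invalidate after the job" pattern).
POLICY = {
    "high_value_paths": {"secret/prod/db-admin": {"app-orders", "dba-rotation-job"}},
    "max_ttl_seconds": 3600,
    "revoke_within_seconds": 600,
}


def parse_audit_log(text):
    """Parse line-delimited JSON audit records and convert timestamps to datetimes."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def review(records, policy):
    """Return (finding, token_id, identity, detail) tuples for policy violations."""
    findings = []
    tokens = {}  # token_id -> lifecycle state reconstructed from the log
    for r in records:
        tid = r["token_id"]
        t = tokens.setdefault(tid, {"identity": r["identity"], "last_read": None, "revoked": None})
        if r["event"] == "token_issue":
            # Long-lived retrieval tokens widen the blast radius of a leak.
            if r["ttl_seconds"] > policy["max_ttl_seconds"]:
                findings.append(("ttl_exceeds_policy", tid, r["identity"], r["ttl_seconds"]))
        elif r["event"] == "secret_read":
            t["last_read"] = r["ts"]
            approved = policy["high_value_paths"].get(r["path"])
            # Only paths listed in the policy are treated as high-value.
            if approved is not None and r["identity"] not in approved:
                findings.append(("unapproved_retrieval", tid, r["identity"], r["path"]))
        elif r["event"] == "token_revoke":
            t["revoked"] = r["ts"]

    # Second pass: every token that read a secret must be revoked promptly.
    limit = timedelta(seconds=policy["revoke_within_seconds"])
    for tid, t in tokens.items():
        if t["last_read"] is None:
            continue
        if t["revoked"] is None:
            findings.append(("token_not_revoked", tid, t["identity"], None))
        elif t["revoked"] - t["last_read"] > limit:
            delay = int((t["revoked"] - t["last_read"]).total_seconds())
            findings.append(("late_revocation", tid, t["identity"], delay))
    return findings


def retrieval_trail(records, path):
    """Answer 'who retrieved this secret, when, with which token' for one path."""
    return [
        (r["ts"].isoformat(), r["identity"], r["token_id"])
        for r in records
        if r["event"] == "secret_read" and r["path"] == path
    ]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for finding in review(recs, POLICY):
        print(finding)
    for entry in retrieval_trail(recs, "secret/prod/db-admin"):
        print("db-admin read:", entry)
```

On the constructed sample, the review flags token t-101 three times: it was issued with a 24-hour TTL, it read a high-value path its identity is not approved for, and it was never revoked. The two pipeline-style tokens that were revoked within minutes of their last read produce no findings, which is the behaviour the guidance describes for a well-run retrieval layer.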
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers improper secret management, including vault storage and exposure paths. |
| NIST CSF 2.0 | PR.AC-1 | Vault access is an identity and access control issue tied to authorized access. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero trust requires continuous verification around secret retrieval and usage paths. |
Centralise secrets, restrict retrieval, and verify rotation and revocation are working.