A self-hosted secrets platform is a credential vault that the organisation installs and operates on infrastructure it controls. The tool may manage passwords, tokens, and keys, but the tenant owns hosting, patching, backup, and recovery obligations.
Expanded Definition
A self-hosted secrets platform is not just a vault, it is an operational control plane for passwords, API keys, tokens, certificates, and other OWASP Non-Human Identity Top 10 concerns. The organisation owns the environment where the platform runs, which means responsibility extends beyond access policy into patching, backup integrity, disaster recovery, network segmentation, and auditability. In NHI programs, this distinction matters because hosting location does not automatically create stronger security; control only improves when lifecycle duties are enforced consistently.
Definitions vary across vendors on whether a platform is “self-hosted” if the software is installed on customer infrastructure but managed through an external service layer. For governance purposes, NHI Management Group treats the term as applying only when the tenant holds operational accountability for availability and secret protection. That makes it different from managed secrets services, where the provider absorbs more of the uptime and maintenance burden. The most common misapplication is assuming on-prem deployment equals secure governance, which occurs when teams overlook patch lag, weak backup protection, and overprivileged admin access.
Examples and Use Cases
Implementing a self-hosted secrets platform rigorously often introduces operational overhead, requiring organisations to weigh control and data locality against the cost of running a highly available security service.
- A regulated financial services team hosts its vault inside a private cloud so certificate material never leaves its controlled network boundary, while access is logged and tied to RBAC.
- A software engineering organisation uses the platform to issue short-lived tokens to CI/CD jobs, reducing hardcoded secrets in build pipelines and helping contain exposure like the cases described in the CI/CD pipeline exploitation case study.
- A platform engineering group mirrors the architecture behind Ultimate Guide to NHIs — Static vs Dynamic Secrets by replacing long-lived credentials with time-bound issuance and automated rotation.
- An enterprise security team chooses self-hosting after internal audit requirements prohibit third-party custody of signing keys, but it must also build patching and restore testing into the operating model.
- Security teams studying the Guide to the Secret Sprawl Challenge often use self-hosted platforms to centralise discovery, approval, and revocation workflows across fragmented application estates.
Why It Matters in NHI Security
Self-hosted secrets platforms can reduce dependency on external custody, but they also move failure modes into the organisation’s own change, backup, and incident response processes. That tradeoff becomes critical when secrets are exposed outside code repositories, when revocation is delayed, or when a vault outage interrupts production authentication flows. NHIMG research shows the average time to remediate a leaked secret is 27 days, even though 75% of organisations report strong confidence in their secrets management capabilities, a gap that self-hosting can either improve or worsen depending on operational maturity. If patching slips, the platform itself becomes a high-value target rather than a control.
The NHI security impact is therefore not limited to storage. A self-hosted platform must support governance around lifecycle, encryption, access review, and recovery testing, or it simply relocates secret sprawl into a private datacentre. The risk is especially acute in attack paths documented in the Reviewdog GitHub Action supply chain attack and the Shai Hulud npm malware campaign, where exposed credentials quickly became operational footholds. Organisations typically encounter self-hosted secrets platform weaknesses only after an outage, compromise, or failed rotation event, at which point the platform’s reliability and recovery model become operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Secret storage, rotation, and exposure are core NHI-02 concerns. |
| NIST CSF 2.0 | PR.AA-03 | Credential protection and access enforcement map to identity assurance. |
| NIST Zero Trust (SP 800-207) | Zero trust expects continuous verification for privileged secret access. |
Inventory, protect, and rotate secrets with controls that prevent static credential sprawl.
Related resources from NHI Mgmt Group
- When does a cloud-first identity platform matter more than a self-hosted one?
- What should teams check before replacing a self-hosted identity platform?
- How should security teams respond when an automation platform holds privileged NHI secrets?
- How should security teams protect self-hosted AI runtimes from memory disclosure?