Secrets management tools and platforms: where do controls still fail?


(@entro)

TL;DR: Secrets management platforms do more than store API keys and tokens, but scanning, rotation, alerts, and dark web checks still leave lifecycle, context, and approval gaps that attackers exploit, according to Entro Security. The core issue is not storage alone but governance of exposure, reuse, and revocation across applications and cloud environments.

NHIMG editorial — based on content published by Entro Security: What are secrets management tools and platforms?

By the numbers:

Questions worth separating out

Q: How should security teams govern secrets across code, pipelines, and collaboration tools?

A: Security teams should treat secrets as governed identities, not static strings.

Q: Why do leaked secrets remain dangerous after detection?

A: Detection only proves that a secret is exposed.

Q: What do security teams get wrong about secrets vaults?

A: They often assume the vault is the control.

Practitioner guidance

  • Map every secret to an accountable owner: Require a named system owner, business purpose, and expiry condition for each API key, token, and certificate so review does not stop at storage inventory.
  • Expand scanning beyond source code: Include CI/CD runners, Slack, Jira, Confluence, container images, and cloud configuration files in discovery so leaks outside repositories are not missed.
  • Automate revocation after exposure: Connect detection to disablement or rotation workflows so a leaked credential is withdrawn before attackers can reuse it across services.

What's in the full article

Entro Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Platform-specific descriptions of how its secret scanning and enrichment workflow operates across cloud services and collaboration tools
  • Implementation examples for automated rotation, alerting, and remediation inside real enterprise environments
  • Vendor-specific coverage of Azure Key Vault, AWS Secrets Manager, and Google Cloud Secret Manager integration patterns
  • Dark web scanning workflow details that go beyond the governance framing in this analysis

👉 Read Entro Security’s blog on secrets management tools and platforms →
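
One way to wire the three practitioner guidance points together, as an added example that is not from the original post or from Entro Security: scanner findings from several sources are matched against a secrets inventory by fingerprint, and each exposed secret gets a revocation action, an owner to notify, and a list of governance gaps. The inventory schema, source names and action labels are assumptions, and all sample values are constructed.

```python
import hashlib
from datetime import date

REQUIRED = ("owner", "purpose", "expires")  # governance fields named in the guidance

def fingerprint(secret: str) -> str:
    """Index secrets by SHA-256 so the inventory never stores raw values."""
    return hashlib.sha256(secret.encode()).hexdigest()

def governance_gaps(record: dict, today: date) -> list:
    """Return the governance problems for one inventory record."""
    gaps = [f"missing {f}" for f in REQUIRED if not record.get(f)]
    exp = record.get("expires")
    if exp and date.fromisoformat(exp) < today:
        gaps.append("past expiry")
    return gaps

def triage(findings: list, inventory: dict, today: date) -> list:
    """Turn scanner findings into one action per exposed secret."""
    by_fp = {}
    for f in findings:  # the same secret may leak in several places
        by_fp.setdefault(fingerprint(f["value"]), []).append(f["source"])
    actions = []
    for fp, sources in by_fp.items():
        rec = inventory.get(fp)
        if rec is None:  # exposed but never inventoried: nobody is accountable yet
            action, gaps = "investigate-unknown", ["not in inventory"]
        else:
            gaps = governance_gaps(rec, today)
            # Detection alone does not withdraw the credential; queue the revocation.
            action = "revoke-and-rotate" if rec.get("active") else "confirm-revoked"
        actions.append({"id": rec["id"] if rec else fp[:12], "action": action,
                        "notify": (rec or {}).get("owner") or "security-team",
                        "sources": sorted(set(sources)), "gaps": gaps})
    return actions

# Constructed sample data: fake secret values, hypothetical owners and sources.
INVENTORY = {
    fingerprint("FAKE-key-billing-001"): {"id": "billing-api-key", "owner": "payments-team", "purpose": "invoice export", "expires": "2030-01-01", "active": True},
    fingerprint("FAKE-token-ci-002"): {"id": "ci-deploy-token", "owner": "", "purpose": "deploy", "expires": None, "active": True},
    fingerprint("FAKE-key-old-003"): {"id": "legacy-report-key", "owner": "data-team", "purpose": "reports", "expires": "2023-06-30", "active": False},
}
FINDINGS = [
    {"source": "slack", "value": "FAKE-key-billing-001"},
    {"source": "jira", "value": "FAKE-key-billing-001"},
    {"source": "ci-runner-log", "value": "FAKE-token-ci-002"},
    {"source": "container-image", "value": "FAKE-key-old-003"},
    {"source": "confluence", "value": "FAKE-unknown-004"},
]
```

Calling `triage(FINDINGS, INVENTORY, date(2025, 1, 1))` returns one action per distinct secret; the ownerless CI token falls back to notifying `security-team`, which is the gap the owner-mapping guidance is meant to close.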
