As machine identity grows in cloud environments, enterprises report dramatic productivity gains from eliminating static credentials. Only legacy systems remain the weak link.
For decades, organizations have relied on static secrets such as API keys, passwords, and tokens as unique identifiers for workloads. While this approach provides clear traceability, it creates what security researchers describe as an “operational nightmare” of manual lifecycle management, rotation schedules, and constant credential leakage risks.
This challenge has traditionally driven organizations toward centralized secret management solutions like HashiCorp Vault or CyberArk, which provide universal brokers for secrets across all platforms. However, these approaches perpetuate the fundamental problem: the proliferation of static secrets that require careful management and rotation.
“The need to read data from AWS S3 for workloads in Azure is not ideal from a security perspective,” explains a DevOps engineer who manages a multicloud environment. “Cross-cloud authentication and authorization complexity makes this difficult to set up securely, especially if we choose to configure Azure workloads with AWS access keys.”
The Business Case for Change
Enterprise case studies document that organizations implementing managed identity report a 95% reduction in time spent managing credentials per application component, as well as a 75% reduction in time spent learning platform-specific authentication mechanisms, resulting in hundreds of hours saved annually.
But how should the transition be handled, and what prevents us from completely eliminating static secrets?
Platform-Native Solutions
Managed identities represent a paradigm shift from the traditional “what you have” model to a “who you are” approach. Instead of embedding static credentials into applications, modern platforms now provide identity services that issue short-lived, automatically rotated credentials to authenticated workloads.
The change extends to major cloud providers:
- Amazon Web Services pioneered automated credential provisioning with IAM roles, where applications automatically receive temporary access permissions without storing static keys.
- Microsoft Azure offers managed identity, which allows application developers to authenticate to services like key vaults and storage without having to manage connection strings or passwords.
- Google Cloud Platform provides service accounts with cross-cloud capabilities, enabling applications to seamlessly authenticate across different cloud environments.
- GitHub and GitLab have introduced automatic authentication for development pipelines, eliminating the need to store cloud access credentials in development tools.
The Hybrid Reality
However, the reality is more nuanced. Security experts emphasize that managed identity does not solve every authentication challenge. Third-party APIs still require API keys, legacy systems often can’t integrate with modern identity providers, and cross-organizational authentication may still require shared secrets.
According to identity security researchers, “Using a secret manager dramatically improves the security posture of systems that rely on shared secrets, but heavy usage perpetuates the use of shared secrets rather than using strong identities.” The goal is not to eliminate secret managers entirely, but to dramatically reduce their scope.
Smart organizations are reducing their secrets footprint by 70-80% through strategic use of managed identity, then applying stronger secrets management to the remaining use cases, building flexible architectures that leverage the best of both worlds.
Non-Human Identity Discovery Challenge
Most organizations are not aware of their current credential landscape. IT teams often discover hundreds or thousands of API keys, passwords, and access tokens scattered across their infrastructure with unclear ownership and usage patterns.
“You can’t replace what you can’t see,” explains Gaetan Ferry, a security researcher at GitGuardian. “Before implementing modern identity systems, organizations need to understand what credentials actually exist and how they are being used.”
GitGuardian’s NHI (Non-Human Identity) security platform addresses this discovery challenge by providing comprehensive visibility into existing secrets prior to managed identity implementation.
The platform discovers hidden API keys, passwords, and machine identities across the entire infrastructure, enabling organizations to:
- Map dependencies between services and credentials
- Identify migration candidates ready for managed identity transformation
- Assess the risks associated with current secrets usage
- Plan a strategic migration instead of blind changes
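As an added example of the discovery step described above (not GitGuardian's platform code), the Python script below scans a constructed workload inventory for static credential formats, builds the service-to-credential dependency map, and separates managed-identity migration candidates from secrets that must stay in a secrets manager. The credential patterns, the platform-to-identity mapping and the sample entries are simplified assumptions made for illustration.

```python
# Toy NHI (non-human identity) inventory: find static secrets in workload config,
# map which service each one reaches, and flag entries a platform-native identity
# could replace. Added example; patterns, mapping and sample entries are constructed.
import re
from collections import namedtuple

# Format patterns for common static credentials (illustrative, not exhaustive).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "azure_storage_key": re.compile(r"AccountKey=[A-Za-z0-9+/=]{20,}"),
    "generic_api_key": re.compile(r"\b[A-Z_]*API_KEY=\S+"),
}
# (workload platform, credential kind) -> native identity that removes the secret.
# Assumption: the workload's platform can issue an identity the target trusts.
NATIVE_REPLACEMENT = {
    ("aws", "aws_access_key"): "IAM role",
    ("azure", "azure_storage_key"): "Azure managed identity",
    ("azure", "aws_access_key"): "workload identity federation",
    ("github", "aws_access_key"): "GitHub OIDC to an IAM role",
}
# replacement is None when the secret has no native substitute (e.g. third-party API).
Finding = namedtuple("Finding", "workload platform kind target replacement")

def scan(entries):
    """One Finding per static credential found; entries are (workload, platform, target, config)."""
    findings = []
    for workload, platform, target, config in entries:
        for kind, pat in PATTERNS.items():
            if pat.search(config):
                findings.append(Finding(workload, platform, kind, target,
                                        NATIVE_REPLACEMENT.get((platform, kind))))
    return findings

def dependency_map(findings):
    """target service -> sorted workloads that reach it through a static secret."""
    deps = {}
    for f in findings:
        deps.setdefault(f.target, set()).add(f.workload)
    return {t: sorted(w) for t, w in deps.items()}

def migration_plan(findings):
    """Split findings into managed-identity candidates and residual secrets."""
    return ([f for f in findings if f.replacement], [f for f in findings if not f.replacement])

SAMPLE_CONFIG = [  # constructed inventory; none of these values are real credentials
    ("billing-api", "azure", "aws-s3", "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00"),
    ("report-job", "azure", "azure-blob", "CONN=AccountName=x;AccountKey=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef=="),
    ("deploy-pipeline", "github", "aws-s3", "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00"),
    ("notifier", "aws", "vendor-sms", "SMS_API_KEY=sk_example_not_a_real_key"),
    ("cache-warmer", "aws", "aws-s3", "AWS_ROLE_ARN=arn:aws:iam::000000000000:role/x"),  # already identity-based
]
```

Running `migration_plan(scan(SAMPLE_CONFIG))` yields three candidates for native identity and one residual third-party key, while the role-based entry produces no finding at all.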