Frequently Asked Questions

Features & Capabilities

What is Zero Standing Privileges and how does Akeyless address it?

Zero Standing Privileges refers to eliminating persistent access credentials in production environments. Akeyless addresses this by generating just-in-time credentials (dynamic secrets) for each session, ensuring no static passwords or standing privileges are present. This reduces the risk of credential theft and lateral movement by attackers.

How does Akeyless generate just-in-time credentials?

Akeyless generates just-in-time credentials by authenticating users or applications to its secrets management platform, which then issues ephemeral credentials with a defined time-to-live (TTL). These credentials expire after the session, ensuring no static secrets remain in the environment.

What types of secrets can Akeyless manage?

Akeyless manages a wide range of secrets, including API keys, passwords, certificates, SSH keys, JWT tokens, and database credentials. It centralizes their management and automates rotation to enhance security.

Does Akeyless support dynamic secrets for CI/CD pipelines?

Yes, Akeyless supports dynamic secrets for CI/CD pipelines, enabling secure workflows without static credentials. The platform integrates with tools like GitLab, Docker Hub, and Amazon EKS, providing temporary access tokens for build and deployment processes.

How does Akeyless ensure auditability and compliance?

Akeyless provides detailed audit logs for all secret access and operations. Activities such as authentication, secret retrieval, and credential generation are logged and can be forwarded to SIEM systems for compliance and monitoring.

What is the Vaultless® Platform and how does it differ from traditional vaults?

The Vaultless® Platform by Akeyless eliminates the need for the heavy infrastructure associated with traditional vaults. It uses a cloud-native SaaS model, reducing operational complexity and costs, and supports hybrid and multi-cloud environments.

How does Akeyless integrate with DevOps tools?

Akeyless offers out-of-the-box integrations with popular DevOps tools such as GitLab, Jenkins, Kubernetes, Docker Hub, and Amazon EKS. These integrations enable secure secrets management and dynamic credential provisioning within CI/CD workflows.

Can Akeyless manage secrets for ephemeral applications?

Yes, Akeyless is designed to manage secrets for ephemeral applications running in cloud-native environments. It provides short-lived credentials and integrates with orchestration tools to support auto-scaling and elastic workloads.

How does Akeyless prevent secrets from being hardcoded in code or configuration files?

Akeyless prevents secrets from being hardcoded by providing references to secrets within environment variables and CI/CD pipelines. Secrets are retrieved dynamically at runtime, ensuring they are not stored in code or configuration files.

What is the role of audit logs in Akeyless?

Audit logs in Akeyless track all activities related to secret access, credential generation, and authentication. These logs provide transparency and accountability, and can be integrated with SIEM systems for compliance and security monitoring.

How does Akeyless handle credential rotation?

Akeyless automates credential rotation, ensuring that secrets are regularly updated and reducing the risk of long-lived credentials. This automation is integrated into workflows, minimizing manual intervention and errors.

Does Akeyless support integration with SIEM systems?

Yes, Akeyless supports integration with SIEM systems by forwarding audit logs and activity data, enabling organizations to monitor and analyze security events for compliance and threat detection.

What are dynamic secrets and how are they used in Akeyless?

Dynamic secrets in Akeyless are credentials generated on demand for a specific session or operation. They are short-lived and expire after use, reducing the risk of credential leakage and unauthorized access.

How does Akeyless support Kubernetes environments?

Akeyless integrates with Kubernetes environments, providing dynamic access tokens for clusters such as Amazon EKS. This enables secure authentication and access control for containerized applications.

Can Akeyless be used in multi-cloud and hybrid environments?

Yes, Akeyless is designed for multi-cloud and hybrid environments, supporting integrations with AWS, Azure, and other cloud providers. Its cloud-native SaaS platform enables organizations to manage secrets across diverse infrastructures.

What is the typical workflow for using Akeyless in a CI/CD pipeline?

The typical workflow involves referencing Akeyless secrets in environment variables within the CI/CD pipeline. During build and deployment, Akeyless generates dynamic credentials for each operation, ensuring secure access without static secrets.

How does Akeyless handle access control for secrets?

Akeyless enforces granular access control, requiring authentication and authorization for secret retrieval. Permissions can be set for users and applications, ensuring only authorized entities can access specific secrets.

Use Cases & Benefits

Who can benefit from Akeyless?

Akeyless is ideal for IT security professionals, DevOps engineers, compliance officers, and platform engineers. It serves organizations across industries such as technology, manufacturing, finance, healthcare, retail, and marketing.

What business impact can customers expect from using Akeyless?

Customers can expect enhanced security, operational efficiency, cost savings, scalability, compliance, and improved collaboration. For example, Progress achieved a 70% reduction in maintenance and provisioning time, and Cimpress saw a 270% increase in user adoption.

What problems does Akeyless solve for organizations?

Akeyless solves issues such as the Secret Zero Problem, secrets sprawl, standing privileges, legacy secrets management challenges, cost and maintenance overheads, and integration difficulties.

Are there real-world examples of Akeyless improving security and efficiency?

Yes. Wix adopted Akeyless for centralized secrets management and Zero Trust Access, Constant Contact leveraged Universal Identity to eliminate hardcoded secrets, Cimpress transitioned from Hashi Vault to Akeyless for enhanced security, and Progress saved 70% in maintenance time.

What industries are represented in Akeyless case studies?

Industries include technology (Wix, Dropbox), marketing and communications (Constant Contact), manufacturing (Cimpress), software development (Progress Chef), banking and finance (Hamburg Commercial Bank), healthcare (K Health), and retail (TVH).

How does Akeyless help with secrets sprawl?

Akeyless centralizes secrets management and automates credential rotation, addressing the challenge of secrets scattered across environments and improving operational efficiency.

How does Akeyless minimize standing privileges and access risks?

Akeyless enforces Zero Trust Access with granular permissions and Just-in-Time access, minimizing standing privileges and reducing the risk of unauthorized access.

How does Akeyless reduce cost and maintenance overheads?

The cloud-native SaaS platform reduces operational costs and saves up to 70% of maintenance and provisioning time, as demonstrated in case studies such as Progress and Cimpress.

How does Akeyless simplify integration challenges?

Akeyless offers out-of-the-box integrations with popular tools like Jenkins, Kubernetes, and Terraform, simplifying adoption and enabling seamless operations.

Technical Requirements & Implementation

How long does it take to implement Akeyless?

Akeyless’s cloud-native SaaS platform allows for deployment in just a few days, eliminating the need to manage heavy infrastructure.

How easy is it to start using Akeyless?

Akeyless offers platform demos, self-guided product tours, tutorials, and a free trial, making it easy for teams to get started without extensive technical expertise.

Does Akeyless provide technical documentation and tutorials?

Yes, Akeyless provides comprehensive technical documentation and step-by-step tutorials to assist users in understanding and implementing its solutions.

Does Akeyless offer an API?

Yes, Akeyless provides an API for its platform, with documentation available for its Secrets Store and support for API Keys for authentication.

What integrations does Akeyless support?

Akeyless supports integrations with Redis, Redshift, Snowflake, SAP HANA, TeamCity, Terraform, Steampipe, Splunk, Sumo Logic, Syslog, Venafi, Sectigo, ZeroSSL, ServiceNow, Slack, Ruby, Python, Node.js, OpenShift, and Rancher.

Competition & Comparison

How does Akeyless compare to HashiCorp Vault?

Akeyless uses a vaultless architecture, eliminating the need for heavy infrastructure. Its SaaS platform reduces operational complexity and costs, offers faster deployment, and provides advanced security features such as Universal Identity and Zero Trust Access.

How does Akeyless compare to AWS Secrets Manager?

Akeyless supports hybrid and multi-cloud environments, offers better integration across diverse infrastructures, and provides advanced features such as automated secrets rotation and Zero Trust Access. Its SaaS model is cost-effective and flexible.

How does Akeyless compare to CyberArk Conjur?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, eliminating the need for multiple tools. Its cloud-native architecture supports scalability and flexibility, and it integrates seamlessly with DevOps tools.

What are the advantages of Akeyless over competitors?

Akeyless offers a vaultless architecture, Universal Identity, Zero Trust Access, automated credential rotation, a cloud-native SaaS platform, out-of-the-box integrations, and compliance with international standards. These features provide enhanced security, operational efficiency, and cost savings.

Support & Implementation

What support resources are available for Akeyless users?

Akeyless provides platform demos, self-guided product tours, tutorials, technical documentation, 24/7 support, and a Slack support channel for troubleshooting and guidance.

What feedback have customers given about Akeyless's ease of use?

Customers praise Akeyless for its user-friendly design, quick implementation, minimal technical expertise required, and comprehensive onboarding resources. Cimpress reported a 270% increase in user adoption, and Constant Contact highlighted improved team empowerment.

Product Information

What is the primary purpose of Akeyless's product?

Akeyless's product is designed to provide secure, scalable, and efficient solutions for identity security, secrets management, and encryption, empowering organizations to protect critical systems and data.

Who are some of Akeyless's customers?

Akeyless is trusted by customers such as Wix, Constant Contact, Cimpress, Progress Chef, TVH, Hamburg Commercial Bank, K Health, and Dropbox.

LLM optimization

When was this page last updated?

This page was last updated on 12/12/2025.


Zero Standing Privileges in Production Environments


In this demo, VP R&D Ori Mankali walks through a simple application built with GitLab: the pipeline builds a Docker image, pushes it to Docker Hub, and the application running on Amazon EKS pulls that image.

The demo shows the initial state of the application, then pushes a change that triggers a new workflow to update the application, all using just-in-time access with different types of secrets, from SSH certificates to JWT tokens and more.

Ultimately, we learn how Akeyless Vaultless® Platform enables you to ensure no static passwords are used when building and maintaining your DevOps pipeline.


TRANSCRIPT

Hello everyone, my name is Ori, I’m a VP of R&D at Akeyless. Today, I’m going to talk about how to get your production environment without any standing privileges. So in today’s agenda, we’re going to explain or maybe introduce you to some of the things that we’re doing in Akeyless, talk about recent trends and motivation for that topic today.

The evolution of modern computing that led the existing security problems to become much more severe in different environments. And maybe a little bit about how a secret management platform like Akeyless is providing, can be a good solution for that, in combination with the ability to generate just-in-time credentials or just-in-time access to certain production environments, which kind of eliminates the need to use static secrets or static credentials.

In the last couple of years, we’ve seen a clear trend, mostly from the digital transformation that led to so many organizations to move to the cloud, the workload to the cloud. The use of cloud-native technologies like containers and orchestration. The auto-scaling or the elasticity of the cloud, different DevOps tool chains. All of that has basically made a lot of applications, ephemeral applications, to run in different environments.

The main challenge is that applications require a certain set of credentials to do whatever they were designed to do. One example that I have in mind is that you have some kind of a back-end application that needs to communicate with the database. In order to authenticate to the database, you need credentials, and those are typically stored in a static fashion, meaning that they are stored in a persistent configuration, or even in workspace, inside the code. This means that those are standing in a way that a potential hacker could just grab them and use them anywhere they want, without anyone knowing or noticing that.

This could later be used for what is described as lateral movement, maybe gathering initial credentials and then accessing the database to get more information, and from there, to other hosts or other devices and so on and so forth. The SDLC, the software development lifecycle, is becoming much more advanced than it used to be in the last years. First of all, because the CI/CD pipelines are today de facto standards, you have lots of Git repos, most of them are cloud services, and then this means that your code is not residing on your host in your own on-prem data center, and you have lots of orchestrations that also require access to configuration files, and the actual code execution and so on.

This, again, opens a lot of potential attack vectors for different hackers. In all of those environments, starting from the registry of containers to GitHub or GitLab or whatever Git repo that you have, to different scanning or security tools, to CI/CD platforms, to deployments and so on, all of them require some kind of credentials sprawled across the entire production environment.

So what’s the main problem that we’re talking about? First of all, there are too many types of secrets, and many of them, to make life easier, are privileged users. Meaning that they have permissive access to certain systems, and they’re not often rotated or modified, which means that they can last for weeks, months and maybe even years, without being rotated or changed.

And there is no good auditing around it, so you don’t actually know who uses a certain credential in order to access the specific system, and they could easily leak to different users or maybe malicious users, and from there, the way to a security problem is very short.

The reason that secrets management platforms were developed is mostly to protect the steady state, sensitive information like static secrets, in a way that would make the life of, or maybe accessing them much harder. For one, any type of access would require the user to be authenticated and authorized to access the secret. Secondly, you have a good way of auditing and tracking the activity, like which user or which application was the one trying to get the access to the credential.

Thirdly, the credential at the steady state, at rest, will be encrypted, and only be decrypted by the application that requires it. Which means that there is a very short period of time, in memory, where the credentials are being decrypted and used for whatever they need to be used for. So, what we’re talking about, the ultimate solution, is to use a different kind of credentials, we call them just-in-time access or just-in-time credentials. In some terminology, they’re referred to as dynamic secrets.

The concept behind it means that you don’t have any kind of username or password which are steady or static in that sense. Anytime an application or a user would need to access certain systems, they would authenticate to the secret management platform, which in turn, will generate dedicated credentials for this specific session. Those credentials will be ephemeral, in the sense that they have a TTL or a time to live, so they will expire after a predefined amount of time, and then they could not be used afterwards, after this TTL, at all. Which means that at the steady state, if nobody’s running or executing some kind of operation, there will be no credentials on the target systems, right?

So, let’s switch to a quick demo, what I have here is basically a demonstration of the SDLC lifecycle, right? So, this is kind of a very famous diagram that shows that you start with code, and then you’re building your application, you’re testing it, releasing deploying and so on, this is an infinite loop of development.

So, in our case, we’re going to see an application called ‘sample’, this is something, a very small application just for demonstration, written in Python. Then we’re going to use one of the Git repositories and CI/CD platforms called GitLab. This is just one of the systems that are familiar today. Later on, we’re going to make the CI/CD pipeline to deploy or basically build and deploy a docker image to Docker Hub registry. We’re going to use it in order to pull the application which is actually running on Amazon EKS, right? This is serving a web application which we can test and show.

All of those components will be secured in different manners by the Akeyless platform. So, the coding environment is actually running on a remote host, using short-lived SSH certificates to connect to. In GitLab, essentially, we’re adding dynamic credentials or just-in-time credentials to access different platforms like Docker Hub and Amazon EKS and so on, right? Same things in every place.

So, in Docker Hub, we will generate a temporary short-lived personal access token, in order to build and upload the image. The image obviously is a private image. With Amazon EKS, we would use dynamic credentials to generate an access token to the Kubernetes cluster. So, in order to authenticate to the EKS cluster, we’ll use short-lived tokens.

So, let’s switch to the demo. So, I’ll start with the code environment, maybe I’ll start with the application first of all. So, this is like a demo application that you can see here, it doesn’t do much, right? We just see the logo.

We see some requests that are coming to the application, the timestamp that it happened, and also the IP address, because we’re using a load balancer in our case, so we see basically the IP address of the load balancer itself. It’s meaningless in terms of the application, but just to show you what we’re seeing here. We also have this friend over here, which was supposed to play the guitar, but right now, it’s not moving much, right?

So, this is the sample code that I’m using. Essentially, it’s writing an HTML file. So, what I’m going to do here, I’m just going to copy to modify that to this one. I’m just going to do some random code change, so I’m going to change the color of the Akeyless demo logo and I’m going to modify that, kind of to imitate that this was a bug fix, right? So, I’m saving the file, and I’m going to commit the changes to my source repo, which, as I mentioned, is in GitLab, right? I’m going to push the changes to the repo.

Whenever I do that, automatically I can see that there is a new pipeline job that was triggered, right? If I look at that, we will see that right now the code will be pulled, and there will be a certain set of actions. So, I’m going to look very quickly at the repo, to show you what the pipeline is composed of.

Essentially, it’s using a base image that we provide, it can be any image to your choice, and then there are certain annotations as you can see inside the pipeline. For example, there is this annotation which is an environment variable that currently holds this value, so the Akeyless colon slash is a reference to a secret in Akeyless and there are other variables like the Docker image name and the EKS endpoint and other attributes, right? As you can see, there are no secrets in the code, not in the configuration files and not even stored on GitLab itself, okay.

So, the authentication process is using the JWT that is received by the GitLab infrastructure. This process is essentially validating that this job is authorized to access those secrets. If so, it will use the secrets, use the dynamic secrets, to perform whatever actions required like Docker login, and then building, and then testing and deploying, right?

So, if I go back to the code, I could see what the build process looked like, it’s just simply ‘docker build’ and ‘docker push’, and then running the application and deploying it, right? So, it will be very simple to do that. This is how we do the deployment; it’s essentially using Akeyless to connect to the EKS cluster, and perform a rollout restart for the deployment.

All of that is done using just-in-time credentials, you don’t see any sensitive information in the code, configuration file or anywhere else.

Now, if I look at Docker Hub, when I refresh the page, what I expect to see here is a temporary access token that was generated, like in this case, right? This was generated by the CI/CD platform, right? Just a few seconds ago, right? Then when the job is completed, this personal access token will be deleted.

Let’s look at the job and see what’s the status of it. We see that it passed like 54 seconds ago, and if I go to the application and refresh the page, now I can see the new color of the logo and this guy over here started playing, right?

If I go to the account, to the Akeyless account, to check the audit logs, I’m expecting to see all the activities that I had. So, I’m going to filter by that. I’m going to see that there was an authentication, and a get dynamic secret for the EKS cluster, and there is another get dynamic secret operation. Let me filter by action, it would be easier to show that.

So, we see that there was an authentication from GitLab, to get a dynamic secret for Docker Hub producer, and then there was an access to the EKS cluster by your Kubernetes cluster, and all the activities documented and logged here, right? Those logs by the way can be forwarded to any existing log or SIEM system of your choice.

That’s about it. So essentially, I’m using a full SDLC cycle, without any static or any standing credentials in my code, configuration or any environment that I have. Thank you very much for your time, and looking forward to the next session.
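The audit trail the demo ends on (an authentication from GitLab, a get-dynamic-secret for the Docker Hub producer, another for EKS, and a personal access token deleted when the job finishes) is the data a SIEM would consume, per the FAQ's auditability answers. The following is an added example, not Akeyless code and not its real audit log schema: it models such events with constructed field names and checks one CI session against a zero-standing-privileges policy (GitLab JWT authentication only, no static secret reads, a TTL ceiling, and nothing still valid after the job ends). The event names, the policy values and both sessions are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy assumed for this example: CI jobs authenticate with a GitLab JWT,
# read only dynamic secrets, and no just-in-time credential outlives one hour.
ALLOWED_AUTH = {"gitlab-jwt"}
MAX_TTL = timedelta(hours=1)


@dataclass
class Event:
    """One audit record; the field names are constructed, not a real log schema."""
    ts: datetime
    session: str
    action: str  # auth | get-dynamic-secret | get-static-secret | revoke-dynamic-secret | job-end
    auth_method: str = ""
    producer: str = ""  # dynamic-secret producer, or the name of a static secret
    ttl: timedelta = timedelta(0)  # lifetime granted with a dynamic secret


def check_session(events):
    """Return policy findings for one CI session's events; an empty list means compliant."""
    findings, authed, live = [], False, {}  # live: producer -> expiry of an unrevoked credential
    for e in sorted(events, key=lambda x: x.ts):
        if e.action == "auth":
            authed = True
            if e.auth_method not in ALLOWED_AUTH:
                findings.append(f"auth method {e.auth_method!r} not allowed for CI")
        elif e.action == "get-static-secret":
            # A static secret read by a pipeline is exactly the standing privilege to avoid.
            findings.append(f"static secret {e.producer!r} read by a CI job")
        elif e.action == "get-dynamic-secret":
            if not authed:
                findings.append(f"{e.producer!r} fetched before any authentication")
            if e.ttl > MAX_TTL:
                findings.append(f"{e.producer!r} TTL {e.ttl} exceeds policy {MAX_TTL}")
            live[e.producer] = e.ts + e.ttl
        elif e.action == "revoke-dynamic-secret":
            live.pop(e.producer, None)
        elif e.action == "job-end":
            # Anything still valid once the job has finished is a standing credential.
            for producer, expires in live.items():
                if expires > e.ts:
                    findings.append(f"{producer!r} still valid {expires - e.ts} after job end")
    return findings


def demo_session():
    """Constructed events mirroring the GitLab -> Docker Hub -> EKS flow from the demo."""
    t0, s = datetime(2025, 1, 1, 10, 0, 0), "job-1234"
    return [
        Event(t0, s, "auth", auth_method="gitlab-jwt"),
        Event(t0 + timedelta(seconds=2), s, "get-dynamic-secret", producer="dockerhub-pat", ttl=timedelta(minutes=15)),
        Event(t0 + timedelta(seconds=40), s, "get-dynamic-secret", producer="eks-token", ttl=timedelta(minutes=15)),
        Event(t0 + timedelta(seconds=90), s, "revoke-dynamic-secret", producer="dockerhub-pat"),
        Event(t0 + timedelta(seconds=91), s, "revoke-dynamic-secret", producer="eks-token"),
        Event(t0 + timedelta(seconds=95), s, "job-end"),
    ]


def drifted_session():
    """Constructed events for a job that has reintroduced standing privileges."""
    t0, s = datetime(2025, 1, 1, 11, 0, 0), "job-1235"
    return [
        Event(t0, s, "auth", auth_method="api-key"),
        Event(t0 + timedelta(seconds=1), s, "get-static-secret", producer="prod-db-password"),
        Event(t0 + timedelta(seconds=2), s, "get-dynamic-secret", producer="eks-token", ttl=timedelta(hours=24)),
        Event(t0 + timedelta(seconds=60), s, "job-end"),
    ]
```

`check_session(demo_session())` returns no findings, while `check_session(drifted_session())` reports the non-JWT authentication, the static secret read, the 24-hour TTL and the EKS token still valid after the job ended.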
