Skip to main content
Vermont Solutions

Glossary · Cybersecurity · Credential management

Secrets management: credentials and keys under control

Secrets management governs the storage, rotation and access to the credentials, keys and tokens that systems use. Its core principle is zero secrets in code: credentials are kept in a centralised vault, rotated automatically and every access is logged.

What it controls

  • Centralised storage — credentials, encryption keys and tokens are kept in a vault, not scattered across files, code or environment variables.
  • Automatic rotation — secrets are renewed periodically and automatically, reducing the window of exposure in the event of a leak.
  • Audited access — every request for a secret is authenticated, authorised and logged, leaving a trace of who accessed what and when.
  • Zero secrets in code — the practice of embedding credentials in repositories, one of the most frequent causes of leaks, is eliminated.

Why it matters in regulated banking

Credentials embedded in code or left unrotated are a recurring vector for incidents. DORA requires financial institutions to have robust access controls and to protect sensitive information across the ICT lifecycle, and NIS2 reinforces credential management in essential sectors. Centralised, audited secrets management provides the control and traceability the supervisor expects: it limits exposure, allows access to be revoked immediately and documents the use of each credential.

How Vermont Solutions helps

Credentials out of the code

We help financial institutions centralise and audit secrets management, removing credentials from the code and aligning rotation and access with DORA's requirements.

See governance and compliance →

Fuentes

Last updated: 2026-06-21. Editorial content by Vermont Solutions, citable with attribution.