Posted by Joyce Ling
March 1, 2023
One of the underlying themes of the Akeyless Vaultless Platform is that we put the control of data in your hands. Applications are inherently leaky, especially in the cloud. So how can you trust a SaaS platform with a mission-critical aspect of infrastructure like secrets? We understand this challenge, so here at Akeyless we’ve created a lightweight container that sits on the organizational infrastructure, called the Akeyless Gateway. Easy to deploy, the gateway is an extension of the SaaS into the organization’s infrastructure, and it communicates with Akeyless via an outgoing connection.
An organization exposes its environment without a gateway.
Put simply, a SaaS that manages secrets needs access to internal resources. To accommodate that, an organization would normally need to open inbound ports so the SaaS can reach elements of its internal infrastructure, and those ports are potentially reachable by malicious internet traffic. Instead of exposing such ports unnecessarily, the Akeyless Gateway opens only an outbound connection to our SaaS, eliminating traffic from unknown sources and reducing the attack surface.
It’s difficult to deny the utility of SaaS—with zero deployment & low maintenance, secrets management is undeniably easy for our users. Our goal is to provide that convenience without compromising security.
There are three critical benefits the Akeyless Gateway offers, made possible by its unique placement in the organization’s environment. We’ll discuss these one by one.
- Zero Knowledge encryption
- Advanced secret types like rotated and dynamic secrets
- Caching and performance enhancements
Zero Knowledge Encryption in the Akeyless Gateway
Zero Knowledge encryption means even Akeyless can’t access your data—ultimately, you get full ownership, because neither your decrypted data nor your encryption keys leave your private network. This is possible via the Akeyless Gateway.
Akeyless uses a patented encryption technology that resists compromise by separating the encryption functions. The fragments of the encryption key are kept in different cloud providers and are never combined. The final piece – what we call the customer fragment – resides within the Akeyless Gateway, where only the organization has access to it.
In other words, no one can decrypt your data outside of your environment, and you have full ownership and control over the keys that decrypt your data.
RESOURCE: Learn more about DFC™ and how it keeps your data safe.
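The following is an added illustration of the property described above, not Akeyless's patented DFC implementation and not code from the Akeyless product: the key exists only as fragments, the fragments are never combined, and the customer fragment stays inside the gateway. In this simplified model each holder (two "cloud provider" holders and the gateway's customer fragment) derives its own keystream from its fragment with HMAC-SHA256 and XORs it into the data; the same pass encrypts and decrypts, so no party ever sees another's fragment or an assembled key. The class and function names are assumptions for the example, and the stream construction is illustrative only (unauthenticated).

```python
# Added illustration of key fragmentation (not Akeyless's DFC). Each fragment holder
# contributes a keystream; the data is recoverable only when every holder, including
# the customer fragment in the gateway, participates. Illustrative, unauthenticated.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

FRAGMENT_LEN = 32


def keystream(fragment: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from one fragment and a per-message nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(fragment, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class FragmentHolder:
    """One party holding one fragment; the fragment never leaves this object."""

    def __init__(self, name: str, fragment: Optional[bytes] = None) -> None:
        self.name = name
        self.fragment = fragment or secrets.token_bytes(FRAGMENT_LEN)

    def transform(self, nonce: bytes, data: bytes) -> bytes:
        """XOR this holder's keystream into the data. Self-inverse."""
        ks = keystream(self.fragment, nonce, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))


def encrypt(holders: List[FragmentHolder], plaintext: bytes) -> Tuple[bytes, bytes]:
    nonce = secrets.token_bytes(16)
    data = plaintext
    for holder in holders:  # every fragment contributes; none is revealed
        data = holder.transform(nonce, data)
    return nonce, data


def decrypt(holders: List[FragmentHolder], nonce: bytes, ciphertext: bytes) -> bytes:
    data = ciphertext
    for holder in holders:  # XOR is commutative, so order does not matter
        data = holder.transform(nonce, data)
    return data


def run_demo(plaintext: bytes = b"db-password: s3cr3t-example") -> Dict[str, bytes]:
    """Constructed scenario: two provider fragments plus the customer fragment."""
    cloud_a = FragmentHolder("cloud-provider-A")
    cloud_b = FragmentHolder("cloud-provider-B")
    gateway = FragmentHolder("customer-fragment-in-gateway")
    nonce, ciphertext = encrypt([cloud_a, cloud_b, gateway], plaintext)
    return {
        "with_customer_fragment": decrypt([cloud_a, cloud_b, gateway], nonce, ciphertext),
        # What someone holding every fragment outside the network can recover: noise.
        "without_customer_fragment": decrypt([cloud_a, cloud_b], nonce, ciphertext),
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    result = run_demo()
    print("all fragments :", result["with_customer_fragment"])
    print("provider-only :", result["without_customer_fragment"][:8].hex(), "...")
```

Running the module shows the plaintext coming back only when the gateway's holder takes part; with the two provider fragments alone the output is indistinguishable from random bytes, which is the ownership property the section describes.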
Advanced Secret Types in the Akeyless Gateway
The Akeyless Gateway gives our users the ability to use rotated and dynamic secrets.
Dynamic secrets are temporary, expiring after a set period of time. They are the safest option for securing access to your data, as they never assume long-standing access. Users get access only when they need it—no more, no less.
Akeyless users can request a temporary account with the right level of permissions. Akeyless issues the temporary account to the user. Once the account expires, Akeyless also manages the removal of the temporary account.
Rotated secrets, on the other hand, are secrets you periodically replace. You might use this for longer-standing accounts where security or compliance requires you to rotate credentials every set period of time.
For Akeyless (or any other platform) to provision temporary accounts, it needs access to internal resources. Since the SaaS connects directly to the Gateway, which sits in the organization’s internal environment, the gateway can securely facilitate the creation of temporary and rotated credentials. With direct access to the systems that house sensitive data, the Gateway acts as an internal orchestrator for temporary and rotated credentials.
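To make the two lifecycles concrete, here is an added example (not Akeyless's code) of a minimal gateway-side orchestrator run against a constructed in-memory stand-in for an internal system: a dynamic secret is a short-lived account that is created on request and dropped once its TTL elapses, and a rotated secret is a long-standing account whose password is replaced every interval. `TargetSystem`, `DynamicSecretIssuer` and `RotatedSecret` are names assumed for the illustration; the clock is injected so the lifecycle can be stepped deterministically.

```python
# Added example (not Akeyless's code): dynamic and rotated secret lifecycles against a
# constructed in-memory target. Class names are assumptions for the illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Account:
    username: str
    password: str
    role: str
    expires_at: Optional[float]  # None means a long-standing account


class TargetSystem:
    """Stand-in for a database or service reachable only from inside the network."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create_user(self, username: str, password: str, role: str,
                    expires_at: Optional[float] = None) -> None:
        self.accounts[username] = Account(username, password, role, expires_at)

    def set_password(self, username: str, password: str) -> None:
        self.accounts[username].password = password

    def drop_user(self, username: str) -> None:
        self.accounts.pop(username, None)

    def authenticate(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and secrets.compare_digest(acct.password, password)


class DynamicSecretIssuer:
    """Issues short-lived accounts and removes them once their TTL has passed."""

    def __init__(self, target: TargetSystem, ttl_seconds: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.target, self.ttl, self.clock = target, ttl_seconds, clock
        self.issued: List[str] = []

    def issue(self, role: str) -> Account:
        username = f"tmp-{role}-{secrets.token_hex(4)}"   # unique per request
        password = secrets.token_urlsafe(24)
        expires_at = self.clock() + self.ttl
        self.target.create_user(username, password, role, expires_at)
        self.issued.append(username)
        return self.target.accounts[username]

    def revoke_expired(self) -> List[str]:
        """Drop every issued account whose TTL has elapsed; returns what was removed."""
        now = self.clock()
        removed = []
        for username in list(self.issued):
            acct = self.target.accounts.get(username)
            if acct is None or (acct.expires_at is not None and acct.expires_at <= now):
                self.target.drop_user(username)
                self.issued.remove(username)
                removed.append(username)
        return removed


class RotatedSecret:
    """A long-standing account whose password is replaced every `interval` seconds."""

    def __init__(self, target: TargetSystem, username: str, interval: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.target, self.username, self.interval, self.clock = target, username, interval, clock
        self.last_rotated = self.clock()

    def rotate(self) -> str:
        new_password = secrets.token_urlsafe(24)
        self.target.set_password(self.username, new_password)  # old value stops working
        self.last_rotated = self.clock()
        return new_password

    def current(self) -> str:
        """Return the live password, rotating first if the interval has elapsed."""
        if self.clock() - self.last_rotated >= self.interval:
            self.rotate()
        return self.target.accounts[self.username].password


if __name__ == "__main__":
    target = TargetSystem()
    issuer = DynamicSecretIssuer(target, ttl_seconds=300)
    acct = issuer.issue("readonly")
    print("issued", acct.username, "valid:", target.authenticate(acct.username, acct.password))
    target.create_user("svc-reporting", "initial-example-pw", "reporting")
    rot = RotatedSecret(target, "svc-reporting", interval=86400)
    print("rotated to", rot.rotate()[:6] + "...")
```

The point of the split is that both classes need direct access to the target system, which is exactly what the gateway's placement inside the network provides; the SaaS only has to tell the gateway which role to issue or which account to rotate.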
Caching and Performance Enhancements
Akeyless also enables organizations to have live fallback and continuous service capabilities via caching in the Akeyless Gateway.
Since the Gateway sits on the organization’s local network, it plays an important role in performance. It determines which secrets to store locally, how often, and when to remove them.
For example, the admin can specify whether to cache secrets for a set amount of time, and when to delete secrets from the cache. Like a browser cache, this setting improves performance and lowers lag time. The gateway deletes secrets when they are not being used, downloading local copies during frequent usage.
In addition, the Gateway allows proactive secret fetching, which can store backups of your vault locally. If you ever disconnect from the vault, you can have peace of mind that everything will carry on as if nothing has changed.
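As an added example (not Akeyless's code), the following gateway-side cache shows the three behaviours this section describes: time-based freshness, eviction of secrets that are not being used, and proactive fetching so that local copies keep serving if the vault becomes unreachable. `FakeVault`, `GatewayCache` and the option names are assumptions for the illustration; the clock is injected so the behaviour can be stepped deterministically.

```python
# Added example (not Akeyless's code): a secret cache with TTL freshness, idle eviction,
# prefetching, and serve-stale fallback when the vault is unreachable.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


class VaultUnavailable(Exception):
    """Raised when the remote vault cannot be reached over the outbound connection."""


class FakeVault:
    """Constructed stand-in for the SaaS vault."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self.secrets = dict(secrets)
        self.reachable = True

    def fetch(self, name: str) -> str:
        if not self.reachable:
            raise VaultUnavailable(name)
        return self.secrets[name]


@dataclass
class Entry:
    value: str
    fetched_at: float
    last_used: float


class GatewayCache:
    def __init__(self, vault: FakeVault, ttl_seconds: float, idle_evict_seconds: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.vault, self.ttl, self.idle_evict, self.clock = vault, ttl_seconds, idle_evict_seconds, clock
        self.entries: Dict[str, Entry] = {}

    def _fresh(self, entry: Entry) -> bool:
        return self.clock() - entry.fetched_at < self.ttl

    def get(self, name: str) -> str:
        """Serve locally while fresh; refetch when stale; fall back to stale if offline."""
        now = self.clock()
        entry = self.entries.get(name)
        if entry is not None and self._fresh(entry):
            entry.last_used = now
            return entry.value
        try:
            value = self.vault.fetch(name)
        except VaultUnavailable:
            if entry is None:
                raise  # never cached and no vault: nothing to serve
            entry.last_used = now  # live fallback: last known copy, even though stale
            return entry.value
        self.entries[name] = Entry(value, now, now)
        return value

    def prefetch(self, names: Iterable[str]) -> List[str]:
        """Proactively pull secrets so local copies exist before they are needed."""
        fetched = []
        now = self.clock()
        for name in names:
            try:
                self.entries[name] = Entry(self.vault.fetch(name), now, now)
                fetched.append(name)
            except VaultUnavailable:
                continue  # keep whatever copy we already have
        return fetched

    def evict_idle(self) -> List[str]:
        """Remove secrets that have not been used for idle_evict_seconds."""
        now = self.clock()
        idle = [n for n, e in self.entries.items() if now - e.last_used >= self.idle_evict]
        for name in idle:
            del self.entries[name]
        return idle


if __name__ == "__main__":
    vault = FakeVault({"db/password": "pw-1"})
    cache = GatewayCache(vault, ttl_seconds=60, idle_evict_seconds=600)
    cache.prefetch(["db/password"])
    vault.reachable = False
    print("served while vault offline:", cache.get("db/password"))
```

The serve-stale branch is what gives the "carry on as if nothing has changed" behaviour: a secret that was fetched while the vault was reachable remains available after a disconnect, while a secret that was never cached cannot be invented locally and surfaces the outage instead.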
Conclusion
The Akeyless Gateway makes secure secrets management possible in the cloud.
The Gateway houses the core functionality that makes the Akeyless Vaultless Platform unique. This includes Zero Knowledge encryption, advanced secret types, and caching mechanisms to improve performance and disaster recovery. It helps us achieve the goal of making secrets management both easier and more secure.
To learn more about the Akeyless Vaultless Platform, book a custom tour of the product today.