Delinea Receives United States Patent for Delegated Machine Credentials
December 2023 by Marc Jacob
Delinea announced that it has been awarded a patent for Delegated Machine Credentials (DMC), a capability within Server PAM, its solution that provides privileged access to and authorisation for servers. DMC reduces risk and empowers automation for DevOps and DevSecOps teams building applications that require privileged access to and for workloads on cloud and on-premise infrastructure. By delegating entitlements of a specific machine to the workloads running on it, there is a significant reduction of service accounts needed, thus reducing the attack surface and improving the agility of development teams.
According to GitHub, 1 in 10 software authors exposed a secret in their repository in 2022, and 67% of those were generic secrets such as usernames and passwords. Hard-coding credentials is the easy path for developers under pressure to deliver code quickly, but it presents a significant risk for the organisation. A mechanism that lets developers use fewer service accounts when connecting application layers supports their need for agility and removes the need to hard-code credentials. The patented DMC capability makes this more secure by using the federated authentication and trust already established with the machine and extending that trust to the workloads that need to be connected within the application.
Simplified privileged access in code using machine federation
For organisations looking for an alternative to the vault-centric approach already addressed by Delinea DevOps Secrets Vault, Delegated Machine Credentials in the Server PAM solution streamlines privilege controls on their infrastructure while providing secure and efficient machine access.
When a machine is first enrolled in Server PAM, a client is installed on that machine and, as part of enrollment, the machine is automatically given a unique identity with roles, rights, and entitlements. With DMC, this trust relationship can be assigned to any of the authorised applications, services, containers, or other workloads running on that machine. The machine has binding trust through Server PAM which in turn is delegated to workloads, effectively reducing the number of service accounts needed from one per workload to one automatically managed per machine. When developers use these service accounts to connect components of an application, a federation token is provided rather than a static credential, leaving nothing in the code that can be compromised. Utilising the same privileged access policies for the workloads that are already applied to the machine ensures that manual Privileged Access Management tasks are minimised for DevOps teams.
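The delegation model described above, as an added illustration that is not Delinea's code and does not reflect how Server PAM is implemented: an enrolled machine holds a set of entitlements and a list of authorised workloads, a workload receives a short-lived token carrying a subset of those entitlements instead of a static credential, and the resource side verifies the machine's signature, expiry and entitlement. The machine names, workloads, entitlements and per-machine HMAC key (standing in for the federated identity) are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed "enrollment record" standing in for what the PAM service knows
# about a machine: its identity key, its entitlements, and which workloads
# are authorised to run on it. A per-machine HMAC key is a stand-in here
# for the federated machine identity the article describes.
ENROLLED = {
    "web-01": {
        "key": b"constructed-machine-key-web-01",
        "entitlements": {"db:read", "db:write", "queue:publish"},
        "workloads": {"api", "worker"},
    }
}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_delegated_token(machine, workload, wanted, ttl=300, now=None):
    """Machine-side client mints a short-lived token for a workload on that
    machine. The workload gets a subset of the machine's entitlements and
    never sees the machine key, so nothing static ends up in the code."""
    rec = ENROLLED[machine]
    if workload not in rec["workloads"]:
        raise PermissionError(f"{workload} is not an authorised workload on {machine}")
    if not set(wanted) <= rec["entitlements"]:
        raise PermissionError("workload requested entitlements the machine does not hold")
    now = int(now if now is not None else time.time())
    claims = {"sub": f"{machine}/{workload}", "machine": machine,
              "ent": sorted(wanted), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(rec["key"], body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_delegated_token(token, required, now=None):
    """Resource side: check the machine signature, the expiry and that the
    required entitlement was delegated. Returns the claims, or None on any failure."""
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        key = ENROLLED[claims["machine"]]["key"]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(now if now is not None else time.time())
    if now >= claims["exp"] or required not in claims["ent"]:
        return None
    return claims
```

Revoking or re-keying the machine record invalidates every token it delegated, which is the per-machine lifecycle the article contrasts with one service account per workload.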
Using a client-based approach and leveraging a cloud-first architecture, the Delegated Machine Credentials capability solves a headache for DevOps teams by federating access for machine identities. By streamlining infrastructure operations, drastically reducing the number of service accounts that could be used as a vulnerability, and supporting agility, practically all the privileged access requirements are fulfilled for DevSecOps teams.
By capitalising on machine trust and eliminating the need for extensive service account use, Delegated Machine Credentials gives developers and security teams reliable and efficient AAPM (application-to-application password management) capabilities to secure IT environments while reducing service account privilege sprawl.