Glossary Terms: S

Shadow Credentials

NHI security threats
Shadow credentials are undiscovered, unmanaged authentication secrets associated with workloads, service accounts, or applications that exist outside an organization’s official inventory and governance controls. They commonly accumulate in CI/CD pipelines, legacy scripts, and cloud environments where credentials were created ad hoc and never tracked. Shadow credentials are a significant NHI risk because they cannot be rotated, audited, or revoked, making them attractive targets for attackers looking for persistent access.

Service Mesh

IT concepts
A service mesh is an infrastructure layer that manages and secures communication between microservices and workloads within a distributed application. It handles mutual authentication (mTLS), traffic routing, observability, and policy enforcement at the network level without requiring changes to application code. For workload identity, service meshes provide a control plane where authentication and authorization decisions can be made consistently across all service-to-service interactions in a cluster or multi-cloud environment.

Service Principal

Identity types
A service principal is a non-human identity created for an application, automated workload, or script that needs to authenticate and access resources in a cloud environment. It acts as the machine equivalent of a user account, with its own credentials and permissions. In IAM for workloads, service principals are common vectors for credential sprawl and over-provisioning when not managed with dynamic, policy-driven access controls.

Secret Zero

IAM concepts
Secret Zero refers to the foundational credential a workload needs to access a secrets manager or credential store in the first place. It is the bootstrapping problem at the heart of secrets management: how do you securely deliver the first secret without embedding it somewhere static? In workload identity, solving Secret Zero means replacing that initial static credential with cryptographically verified workload identity.

Secretless

IAM concepts
Secretless architecture eliminates static, long-lived credentials (passwords, API keys, tokens) from workload environments by using cryptographically verifiable identities and just-in-time credential issuance.

Secret Versioning

IAM concepts
Secret versioning maintains multiple immutable versions of credentials rather than overwriting them on rotation. This gives security teams a rollback path after compromise, a staging mechanism for zero-downtime rotation, and the audit trail that compliance frameworks require.

Security Assertion Markup Language (SAML)

IAM concepts
Security Assertion Markup Language (SAML) 2.0 is an XML-based framework standardized by OASIS for exchanging authentication and authorization data between identity providers and service providers. SAML enables federated identity and single sign-on (SSO) by allowing users to access multiple applications across organizational boundaries with a single set of credentials.

Secrets Manager

IAM concepts
A secrets manager is a centralized security system for storing, controlling access to, and managing the lifecycle of sensitive authentication credentials such as API keys, passwords, certificates, and cryptographic keys. These systems encrypt secrets at rest and in transit, enforce policy-based access controls, provide comprehensive audit trails, and automate credential rotation to reduce the risk of unauthorized access and data breaches.

Secret Rotation

IAM concepts
Secret rotation is the systematic process of periodically replacing cryptographic credentials (passwords, API keys, tokens, certificates) to limit the exposure window of any single credential and reduce the risk of compromise. According to NIST SP 800-57, rotation establishes a defined “cryptoperiod” during which a specific credential is authorized for use, after which it must be replaced with a new one.
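As an added example that is not part of the glossary, the following Python sketch ties the Secret Versioning and Secret Rotation entries together: rotation appends an immutable version rather than overwriting, the previous version keeps verifying for a short grace window after rotation so clients mid-rollover are not cut off, any retained version can be rolled back to, and every change lands in an append-only audit record. The class, method names and the grace-window mechanism are assumptions for illustration, not any particular vendor's API.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional
import secrets

class SecretVersion(NamedTuple):  # one immutable version; rotation appends, never overwrites
    version: int
    value: str
    created_at: datetime

class VersionedSecret:
    def __init__(self, cryptoperiod: timedelta, grace: timedelta):
        self.cryptoperiod = cryptoperiod  # how long one version is authorized for use
        self.grace = grace                # overlap after rotation in which the previous version still verifies
        self.versions: List[SecretVersion] = []
        self.current_version: Optional[int] = None
        self.audit: List[str] = []        # append-only record of rotations and rollbacks

    def rotate(self, now: datetime, value: Optional[str] = None) -> SecretVersion:
        """Issue a new version and make it current; earlier versions are retained."""
        v = SecretVersion(len(self.versions) + 1, value or secrets.token_urlsafe(32), now)
        self.versions.append(v)
        self.current_version = v.version
        self.audit.append(f"{now.isoformat()} rotate -> v{v.version}")
        return v

    def current(self) -> SecretVersion:
        return self.versions[self.current_version - 1]

    def needs_rotation(self, now: datetime) -> bool:
        """True once the current version's cryptoperiod has elapsed."""
        return now >= self.current().created_at + self.cryptoperiod

    def rollback(self, version: int, now: datetime) -> SecretVersion:
        """Re-activate an earlier retained version, e.g. after a bad rotation."""
        if not 1 <= version <= len(self.versions):
            raise ValueError(f"unknown version {version}")
        self.audit.append(f"{now.isoformat()} rollback v{self.current_version} -> v{version}")
        self.current_version = version
        return self.current()

    def verify(self, presented: str, now: datetime) -> Optional[int]:
        """Version the presented value matches, or None; the previous version verifies only in the grace window."""
        cur = self.current()
        if secrets.compare_digest(presented, cur.value):
            return cur.version
        if cur.version >= 2 and now < cur.created_at + self.grace:
            prev = self.versions[cur.version - 2]
            if secrets.compare_digest(presented, prev.value):
                return prev.version
        return None
```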

Secret

Security concepts
A secret is sensitive credential material or key data used to authenticate or authorize access to systems, services, or data. In modern infrastructure, secrets encompass API keys, passwords, tokens, certificates, database credentials, SSH keys, and OAuth client secrets that workloads and services use for machine-to-machine authentication.