Join us Thurs, June 24 at 11 AM PT for a live discussion about the growing risks of data exfiltration posed by code repos. Learn more.

Blog 3 min read

Protect credentials and secrets with Nightfall DLP

by Michael Osakwe Published Oct 02, 2020

Sensitive data like credentials and secrets are in constant danger of exposure, and this is especially true in the cloud. Due to the highly collaborative and always-on nature of cloud services, they tend to be environments where security best practices are hard to enforce without either lots of time and effort or automated controls. This is bad news for security teams trying to prevent breaches; nearly every day, there’s a new data breach in the news — and the impacts are getting bigger and more costly. Cybersecurity should be a top priority for IT teams, but business-critical data can slip through, even with strict controls on cloud systems. Organizations need data loss prevention (DLP) to secure essential data from being exposed.

What are credentials and secrets?


Credentials and secrets are sensitive pieces of data like passwords, API keys, encryption keys, tokens, certificates, and other data that should be encrypted or secured within a cloud environment and typically found in code. These credentials and secrets act as a key to unlock protected information or resources, or to identify a privileged end user or role. Thus, they should always be kept private and not shared openly within an organization. But the reality is that credentials and secrets are in danger of being exposed or shared on cloud systems daily. For example, credentials and secrets may be embedded directly in code repositories, or shared via email or chat among developers & end users.

How does Data Loss Prevention apply to protecting credentials and secrets?


Cloud adoption has become mainstream. Since many of the platforms and services we use in our everyday work are connected across the cloud, organizations face the problem of business-critical data being sprayed across multiple systems. In August 2020, 200,000 patient health records were exposed via GitHub due to embedded hard-coded login credentials left in a public repository.

DLP allows security teams to identify, classify, and protect sensitive data like credentials & secrets across cloud silos. A developer could Slack message an API key or commit one to a code repository at a moment’s notice. Addressing such incidents requires a tool like Nightfall which is capable of scanning cloud environments for sensitive data with machine learning based detectors.

By their nature, credentials and secrets are hard to detect because they are highly arbitrary and don’t follow any specific format or rules. An API key for one service can be wildly different in format from a token for a different service. Likewise, credentials & secrets can look like random strings of characters when surrounding context isn’t taken into account. Traditional methods like regular expressions and high entropy string detection often fall short because they either miss too many real findings, or they produce high volumes of false positives. Nightfall’s machine learning based methods allow for context-aware detection that yield much higher detection accuracy on unstructured data types like credentials & secrets.

How does Nightfall help with protecting credentials and secrets?


Nightfall integrates directly with apps like Slack and GitHub, so integration takes seconds. Once integrated, Nightfall scans these services for sensitive data based on detectors you’re interested in. You’ll be alerted about these sensitive findings and have the opportunity to take action on them to remediate. Learn more about Nightfall DLP for Slack here, and Nightfall DLP for GitHub here.

What does Nightfall detect that’s relevant to protecting credentials and secrets?


Nightfall’s detectors are suited to detect 200+ types of credentials & secrets in both structured & unstructured data, like messages and code files. These include things like API keys, tokens, encryption keys, cookies, UUIDs, and other identifiers for platforms like AWS, GCP, Azure, Slack, Stripe, Twilio, Heroku, and many other popular services. Nightfall’s detectors are trained and tuned on vast amounts of data, so they work well out of the box – you don’t need to specify the exact types of credentials & secrets you are looking for.

Calgary Public Library keeps credentials and secrets safe with Nightfall DLP for GitHub


Through Nightfall DLP for GitHub, the Calgary Public Library IT staff can integrate Nightfall’s ability to scan for hundreds of types of secrets and credentials directly into their custom workflows. With Nightfall automatically scanning for data that could leak, Calgary Public Library doesn’t have to worry about exposing data that could compromise their systems. Nightfall’s deep learning based detectors deliver higher accuracy and fewer false positives than traditional approaches. “Our programmers can sleep better at night,” says Anton Chuppin, Manager of Calgary Public Library’s IT Interfaces Group. “Now we can spend our time developing enterprise applications instead of custom solutions to lint our code for secrets.”

How do I learn more about Nightfall and protecting credentials and secrets?


The Nightfall blog contains news and information about cloud security, DLP, and Nightfall products to help infosec leaders level up their orgs’ security posture. Find more information about Nightfall and protecting credentials and secrets in these posts from our blog:  

Subscribe to our newsletter

Receive our latest content and updates

Nightfall logo icon

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack, Google Drive, GitHub, Confluence, Jira, and many more via our Developer Platform. You can schedule a demo with us below to see the Nightfall platform in action.


Schedule a Demo

Select a time that works for you below for 30 minutes. Once confirmed, you’ll receive a calendar invite with a Zoom link. If you don’t see a suitable time, please reach out to us via email at

call to action

Ready to get started?

Schedule a demo