Keeper launches secrets sync for multi-cloud credentials

Keeper Security has launched Universal Secrets Sync for its KeeperPAM platform, designed to keep credentials aligned across AWS, Azure and Google Cloud.

The tool automatically distributes updated secrets to external cloud secret managers when credentials rotate in KeeperPAM. The aim is to reduce cases where stored credentials no longer match those used in production systems.

This problem, often called credential drift, can create operational and security issues in multi-cloud environments. When passwords or other secrets fall out of sync between a privileged access management system and live applications or pipelines, organisations can face access failures, slower incident response and credentials that remain active outside the view of security teams.

Keeper framed the launch around a broader gap in privileged access management across cloud and hybrid estates. It cited research showing that 86% of IT and security leaders say their organisation would benefit from a PAM system, while 46% of organisations with PAM still struggle to manage privileged access consistently across cloud and hybrid environments.

How it works

Universal Secrets Sync monitors one or more shared folders in Keeper Secrets Manager and pushes their contents to configured targets, including AWS Secrets Manager, Azure Key Vault and Google Cloud Secret Manager. Keeper says this happens automatically after a secret is rotated, without manual exports or separate integration scripts.

Administrators can configure several operational controls, including a dry run mode that previews proposed changes before distribution, support for synchronising secrets from multiple shared folders in one configuration, and the use of a dedicated identity such as an IAM role, managed identity or service account for sync operations.

The system also surfaces missing secrets and permission errors automatically, so failed synchronisation attempts do not go unnoticed.

Cloud focus

The launch reflects a common challenge for organisations using several cloud providers at once, particularly where development, infrastructure and security teams rely on different tools to store and retrieve credentials. In these setups, secret rotation can become fragmented, increasing the risk that one environment updates while another continues using an older credential.

The feature is intended to support two retrieval models. Applications already built around native cloud secrets services can continue to read from AWS, Azure or Google Cloud using existing software development kits and identity controls. Pipelines, scripts and services outside those environments can retrieve secrets directly from Keeper Secrets Manager through its SDK or command-line interface.

This approach keeps KeeperPAM as the central management layer while allowing downstream systems to continue using established cloud-native methods for secret access. For companies with workloads spread across different platforms, that may reduce the need to redesign applications simply to maintain consistent credentials after rotation.

Craig Lurey, Chief Technology Officer and Co-founder of Keeper Security, described credential drift as a persistent but often overlooked security issue.

"Secrets drift is one of the most underappreciated risks in enterprise security programs. Organisations unknowingly leave stale credentials active in downstream cloud environments when distribution is manual. Universal Secrets Sync makes distribution automatic and auditable. Every secret rotation updates to all connected targets simultaneously, with Dry Run mode giving teams full visibility into what will change before anything is written," said Craig Lurey, Chief Technology Officer and Co-founder of Keeper Security.

Included in licences

Universal Secrets Sync is available as part of KeeperPAM and is included in existing KeeperPAM licences. Current users can add the feature without buying a separate product, though it must be enabled.

The launch adds to competition in the privileged access management and secrets management market, where suppliers are trying to address not only credential storage but also the operational challenge of keeping credentials consistent across cloud services, automation pipelines and internal tools.

For companies with multi-cloud operations in Asia-Pacific and other regions, the issue has become more pressing as application estates grow more distributed and machine identities multiply. The challenge is often less about creating new credentials than ensuring every dependent system receives the updated version at the right time.

Universal Secrets Sync is intended to address that point of failure by tying one rotation event to updates across all connected cloud targets.