Delegated Machine Credential (DMC)
What is a Delegated Machine Credential?
In a DevOps world, workloads (applications and services) running on a virtual machine (VM) need a service account to authenticate to the vault and check out passwords in an Application-to-Application Password Management (AAPM) context.
With potentially many hundreds or thousands of applications and services, this proliferation of service accounts carries significant risk: every additional account widens the attack surface for privilege abuse. To combat this, the Delinea vault can grant a machine its own identity, which is then delegated to trusted local workloads on that machine.
When a machine first enrolls in the Delinea Platform, the two establish mutual trust. The Delinea Platform creates a unique Delegated Machine Credential, machine identity, and service account for that machine. Trusted local workloads then piggyback on that machine identity: they present the Delegated Machine Credential to the vault and exchange it for an OAuth2 bearer token, which they use for subsequent API calls.
Thus, the only service account required is that of the machine itself, versus the hundreds or thousands if each workload were to require its own.
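The flow above, as an added illustration (not Delinea's code or API): a host is enrolled once and receives a machine credential; a local workload exchanges that credential for a short-lived bearer token, caches the token until just before it expires, and re-exchanges when needed, so no per-application service account exists. The token endpoint path (`/oauth2/token`), the `grant_type` value, the response fields and the in-memory vault stand-in are all assumptions made for this example; the real Platform's request and response shapes may differ.

```python
"""Added example: a workload borrowing the host's Delegated Machine Credential.

Endpoint path, grant type and response shape are hypothetical; the vault
below is a constructed test double so the example runs offline.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical transport: POST(url, form) -> (http_status, json_body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]


@dataclass
class DmcClient:
    """Exchanges the machine credential for a bearer token and caches it."""

    vault_url: str
    machine_credential: str            # the DMC issued to this host at enrollment
    transport: Transport
    clock: Callable[[], float] = time.time
    skew: float = 30.0                 # refresh this many seconds before expiry
    _token: Optional[str] = None
    _expires_at: float = 0.0

    def bearer_token(self) -> str:
        # Reuse the cached token while it is still comfortably valid.
        if self._token and self.clock() < self._expires_at - self.skew:
            return self._token
        status, body = self.transport(
            f"{self.vault_url}/oauth2/token",          # assumed path
            {"grant_type": "machine_credential",       # assumed grant type
             "credential": self.machine_credential},
        )
        if status != 200 or "access_token" not in body:
            # Fail closed: never fall back to a stale or empty token.
            raise RuntimeError(f"token exchange failed: HTTP {status}")
        self._token = body["access_token"]
        self._expires_at = self.clock() + float(body.get("expires_in", 300))
        return self._token

    def auth_headers(self) -> Dict[str, str]:
        """Headers a workload attaches to each subsequent vault API call."""
        return {"Authorization": f"Bearer {self.bearer_token()}"}


class FakeVault:
    """Constructed stand-in for the vault's token endpoint (not a real service)."""

    def __init__(self, enrolled: Dict[str, str], ttl: int = 300):
        self.enrolled = enrolled       # machine identity -> machine credential
        self.ttl = ttl
        self.exchanges = 0             # every exchange attempt, accepted or not
        self.issued = 0                # tokens actually issued

    def __call__(self, url: str, form: Dict[str, str]) -> Tuple[int, dict]:
        self.exchanges += 1
        if not url.endswith("/oauth2/token"):
            return 404, {}
        if (form.get("grant_type") != "machine_credential"
                or form.get("credential") not in self.enrolled.values()):
            return 401, {"error": "invalid_client"}   # not an enrolled machine
        self.issued += 1
        return 200, {"access_token": f"tok-{self.issued}",
                     "token_type": "Bearer", "expires_in": self.ttl}


def run_demo() -> dict:
    """One enrolled host (constructed data); a workload makes repeated calls."""
    vault = FakeVault({"vm-01": "dmc-for-vm-01"}, ttl=300)
    now = [1_000_000.0]                # controllable clock for the example
    app = DmcClient("https://vault.example", "dmc-for-vm-01", vault,
                    clock=lambda: now[0])
    first = app.auth_headers()["Authorization"]    # exchange #1, token 1
    second = app.auth_headers()["Authorization"]   # served from cache
    now[0] += 400                                  # past the 300 s lifetime
    third = app.auth_headers()["Authorization"]    # exchange #2, token 2
    # A process holding a credential the Platform never enrolled gets nothing.
    rogue = DmcClient("https://vault.example", "not-enrolled", vault,
                      clock=lambda: now[0])
    try:
        rogue.auth_headers()
        rogue_rejected = False
    except RuntimeError:
        rogue_rejected = True
    return {"first": first, "second": second, "third": third,
            "exchanges": vault.exchanges, "issued": vault.issued,
            "rogue_rejected": rogue_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The point the example makes concrete is that the machine credential, not a per-workload secret, is the only thing the vault recognises, so protecting it on the host (restricting which local processes can read it) is what keeps the delegation limited to the "trusted local workloads" the text describes.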