[ · · ]cosmicchimps
FILE 06-1023-11 · MODERN SECRETS · V1.0
BRIEF·CYBERSECURITY·INFRASTRUCTURE

Taming the
modern secrets
chaos.

Bella Baxter is a single control plane for non-human identities. It sits as a gateway over the vaults you already run — without storing a single secret itself — and replaces static credentials with short-lived, auditable access.

Identities · per employee: 144 peak
Vaults · per stack: 4+ average
Secret TTL · with BB: ≤ 15 min default
01
The Crisis

Credentials grew faster than the controls
designed to manage them.

Three forces compound: non-human identity sprawl, vault fragmentation, and a regulatory clock already running.

01 · Identity sprawl
144
Non-human identities per employee (peak).

For every developer, between 45 and 144 service accounts, tokens and keys exist in production. Credential growth has rapidly outpaced the controls designed to manage them.

Source: industry NHI benchmarks, 2025
02 · Fragmentation
4+ Vaults
Disconnected vaults per stack.

Most modern stacks juggle four or more vaults — AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, OpenBao — without a common management plane.

No single source of truth, no shared audit
03 · Regulation
17 January 2025
DORA is live for insurers.

DORA applies directly to financial entities — insurers included — since 17 January 2025, with no grace period. NIS 2 is a directive still in transposition; in Spain, not yet national law. The window to prepare is still open.

DORA enforced · NIS 2 in transposition
02
The Shift

From tangle to throughline.

In both states the number of moving parts stays the same; what changes is the topology.

System diagram · 4 sources × 3 consumers
[Diagram: four vault sources (01 AWS Secrets Manager, 02 Azure Key Vault, 03 GCP Secret Manager, 04 OpenBao / Vault) feed the Bella Baxter Gateway (control plane, stores no secrets), which serves three consumers (01 Developer, 02 Application, 03 AI Agent).]
03
The Solution

Three principles.
Less, but better.

Bella Baxter does not add another vault. It removes the work between the ones you already have.

01 · Plane
A single control plane,
not a new vault.

Acts as a gateway over your existing vaults. Bella Baxter never stores a secret itself — it brokers access and writes the audit trail.

02 · Identity
Keyless and ephemeral
by design.

Uses OIDC and TrustDomains to replace static credentials with short-lived, auto-expiring access. The blast radius of a leak shrinks to minutes.

03 · Agents
Native support
for AI agents.

Integrates Model Context Protocol (MCP) so agents request secrets through a policy-checked, signed, and fully auditable interface.

04
Side by side

Traditional management
vs Bella Baxter.

Same surface area. Different posture.

Dimension · Traditional management · With Bella Baxter

01 · Visibility
Traditional management: Fragmented & manual. Each vault has its own console, exports and access logs. Engineers reconstruct the picture by hand.
With Bella Baxter: Unified, real-time. One inventory of identities, one policy view, one stream of access events — across every vault.

02 · Audit trail
Traditional management: Reactive & reconstructed. Audits assembled post-hoc from disjoint logs. Hard to attest to integrity or completeness.
With Bella Baxter: End-to-end HMAC-signed. Every secret request is signed at the source. Continuous, tamper-evident chain of custody.

03 · Secret life
Traditional management: Infinite TTL · manual rotation. Long-lived keys rotated on calendars (or forgotten). Each one a standing risk on the balance sheet.
With Bella Baxter: Ephemeral & automatic. Credentials issued on demand, expire by default. Rotation becomes an attribute, not a project.
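The tamper-evident chain of custody described under "Audit trail", as an added illustration rather than Bella Baxter's own code: each secret-access event is HMAC-signed by the gateway and carries its predecessor's MAC, so verification pinpoints the first record that was edited, deleted or reordered after the fact. The signing key, the event fields and the three sample requests are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: only the gateway holds this key; consumers never see it (constructed value).
GATEWAY_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # link value carried by the first record

def _mac(key: bytes, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so signer and verifier MAC identical bytes.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_event(chain: list, key: bytes, **fields) -> dict:
    """Append one secret-access event, linked to the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, **fields}
    record["mac"] = _mac(key, record)  # MAC covers seq, prev and every event field
    chain.append(record)
    return record

def verify_chain(chain: list, key: bytes) -> tuple:
    """Return (ok, index of first bad record); the index is -1 when the chain is intact."""
    prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # deleted, reordered or re-linked record
        if not hmac.compare_digest(_mac(key, body), record.get("mac", "")):
            return False, i  # field edited after signing, or wrong key
        prev = record["mac"]
    return True, -1

# Constructed sample: one developer, one application and one MCP agent each request a secret.
SAMPLE_EVENTS = [
    dict(identity="dev:alice", vault="aws-secrets-manager", secret="db/prod", ttl_s=900),
    dict(identity="app:billing", vault="azure-key-vault", secret="stripe/api", ttl_s=300),
    dict(identity="agent:mcp-helper", vault="openbao", secret="gh/readonly", ttl_s=600),
]

def build_sample_chain() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_event(chain, GATEWAY_KEY, **event)
    return chain
```

Extending a TTL in record 1 after signing, dropping record 1, or verifying with a different key all return `(False, <index>)`, which is what makes post-hoc reconstruction unnecessary: the log attests to its own completeness.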

Bella Baxter is the control plane cosmicchimps uses for itself — and the one we deploy with our clients. Let's build IT together!

+0011-0211 · cosmicchimps.com