Enterprise Secrets Management
Securing Critical National Energy Infrastructure with CyberArk
Case Study
About Our Client
Overview
Our client is a national critical infrastructure operator responsible for managing electricity and gas systems across Australia’s largest energy markets. The organisation serves as the operational backbone of the nation’s energy networks – coordinating generation, transmission, and distribution to ensure citizens have access to affordable, secure, and reliable energy.
As a critical national infrastructure (CNI) operator, our client’s systems and data are subject to the highest standards of security, availability, and regulatory compliance. Any compromise of their infrastructure has the potential to cascade across Australia’s energy supply – making robust cybersecurity not just an IT priority, but a national imperative.
The Challenge
Our client faced a critical security gap: there was no approved, enterprise-wide solution in place for managing secrets across its on-premises infrastructure. This left the organisation exposed in three key areas:
- Credentials embedded in application servers, scripts, and configuration files. This was a direct violation of security best practice and an open door for attackers.
- No centralised visibility over where secrets existed, who had access to them, or whether they had been rotated or revoked.
- An inability to use cloud-based secrets management tools, given operational requirements that mandate system availability even when cloud connectivity is disrupted or unavailable.
This challenge was compounded by the complexity of our client’s hybrid technology estate – a mix of legacy information and operational technology (IT/OT), traditional enterprise applications, and modern containerised workloads. No single off-the-shelf solution addressed the full spectrum of their needs.
The organisation engaged Avocado Consulting to design and deliver an end-to-end Enterprise Secrets Management solution – from initial discovery through to implementation, governance, and operationalisation readiness. The engagement demanded deep expertise across CyberArk’s secrets management product suite, enterprise security architecture, and DevSecOps integration.
Client
A National Critical Infrastructure Energy Operator
Sector
Energy & Critical National Infrastructure
The Approach
Avocado brought a structured, Zero Trust-aligned methodology anchored in least privilege and lifecycle-based secrets governance. Our approach was pragmatic and discovery-led – designed to address real application constraints rather than apply a generic framework.
Methodology & guiding principles
- Zero Trust Architecture: No implicit trust for any application, service, or user – all secrets access must be authenticated, authorised, and audited.
- Least Privilege: Secrets are issued on a need-to-know, time-limited basis with automated rotation to reduce exposure windows.
- Lifecycle Management: Every workload and secret has an owner, a defined lifecycle, and an automated rotation or expiry policy.
- Discovery-First: Before recommending solutions, we conducted thorough discovery to understand the true scope of secrets sprawl across our client’s environment.
Tool selection: CyberArk
CyberArk’s Secrets Management suite was selected as the platform of choice based on the client’s specific requirements. Two core components formed the solution:
Phased delivery model
The engagement followed a rigorous five-phase delivery model, enabling iterative discovery, early risk mitigation, and a controlled path to enterprise-wide rollout:
Collaboration & stakeholder engagement
Avocado operated as a trusted extension of our client’s security and platform engineering teams throughout the engagement. Regular stakeholder workshops at both technical and leadership levels ensured alignment, managed resistance to change, and built organisational confidence in the new capability. Mixed Avocado-client teams facilitated knowledge transfer, ensuring the client’s teams were fully equipped to operate and expand the platform post-implementation.
The Solution
The solution established a centralised, on-premises Enterprise Secrets Management capability built on CyberArk – purpose-built for the client’s hybrid environment and operational constraints.
Core capabilities delivered
- Centralised secrets vault: a single authoritative store for all application credentials, service account passwords, API keys, and certificates.
- Application identity services: enabling workloads to authenticate and retrieve secrets without embedded credentials.
- Support for credential rotation: eliminating long-lived, static credentials across the estate.
- Standardised consumption patterns: approved, documented methods for application and platform teams to integrate secrets management into their workflows.
- CI/CD integration: native secrets injection for DevSecOps pipelines, removing the need for secrets in source control or build artefacts.
- Full audit logging and SOC visibility: every access event is logged, alertable, and available to the client’s security operations centre.
Overcoming key challenges
Outcomes & business impact
The engagement delivered a successful, enterprise-ready secrets management capability that has been formally endorsed by both technical architects and executive leadership. The outcomes extend beyond immediate security improvements, they establish the foundation for our client’s ongoing Zero Trust journey, and satisfy the stringent compliance obligations of SOCI
Security posture
- Elimination of insecure credentials across in-scope applications and infrastructure – closing a critical attack vector.
- Centralised secrets governance with full audit trail – every access event is logged and reportable.
- Automated credential rotation reducing the risk window associated with long-lived, static secrets.
- Formally approved secrets management architecture aligned to Zero Trust principles.
Operational Efficiency
- Standardised, repeatable onboarding patterns enabling development and platform teams to self-serve secrets integration.
- Reduced operational risk through support for automated rotation, eliminating manual credential management processes.
- SOC integration providing real-time visibility of secrets access anomalies and potential misuse.
Strategic & Compliance Value
- Enterprise readiness – a scalable architecture positioned for organisation-wide rollout across legacy and modern platforms.
- Supports obligations under the SOCI Act and related frameworks.
- Positioned the organisation for sustainable growth aligned with Zero Trust principles and evolving regulatory requirements.
