KeyConf NYC Interviews – DevSecOps and Secrets Management

David Spark: Gui, you were just on stage.

Gui Martins: That’s right.

DS: And.. give us just a quick summary 30 second summary of what you’re talking about on stage.

GM: Awesome. So, during my presentation, I try to bring to the forefront something that most companies overlook when they’re talking about how their security outline looks like, which it is how they manage their secrets. And rather not what tool that you’re going to choose for that but rather what’s your mindset? How do you get there and how do you get everybody on board and thinking about those things beforehand? So, this is what I spoke about and this is what I’m trying to evangelize. I don’t know if that word is, I think we’re more used to that word nowadays.

DS: Evangelize, I think it’s appropriate here.

GM: Yeah.

DS: This gets to my first question.

GM: Sure.

DS: I don’t think in all the discussions I’ve had with security leaders. I don’t think secrets management is something that’s done the first time around the creating your security program.

GM: It is not.

DS: So, here’s my question.

GM: Yeah.

DS: How many black eyes do you need to get before you start considering secrets management?

GM: As many as you can imagine. Yeah.

DS: So, first of all, have you ever seen someone start a secrets management program that never had a black eye? And when I’m saying black eye, there’s something got compromised. Yeah.

GM: No, I got to be honest. I don’t think so. It’s something that everybody knows we need. Everybody knows we’re we have to get there. But in all honesty the friction that everybody imagines that happens. It’s so big in their heads and endure mindset.

DS: So, you think fear is what holds people back on secrets management?

GM: Not fear off the tool itself but fear of how that is going to impact your speed of delivery.

DS: And work agility.

GM: And workflow, yes.

DS: So, alright. I want to talk about where you think that fear is. Now, how do you work backwards to pull back from that fear or show example. So, where does that fear exist? Is it just here’s another level of something you got to deal with? Oh, crap. Like, is it just that?

GM: Yeah. It is part of that. So, when you look into DevOps and DevSecOps, I know it’s buzzworthy but it makes sense, right. It’s all about process and when you get to a company that has all those tools, you’re talking about silos of teams for networking, operations, development, all those guys that are introducing new tools that someone has to comply and it is not part of their workflow. It’s not part of the process. So, whenever you hear something about secret management, oh nice. Now, I have to figure out how to put my secrets in some other place that I don’t know how I’m going to be able to access that my application is not going to be able find later on. And that fear of how that’s going to plug in, it’s massive, and it’s complicated on how to break debris barrier. Yeah.

DS: Okay. So, what do you do like, okay, let me just think of a client that you’ve dealt with this before.

GM: Sure.

DS: That started in that space and they finally came around. Walk me through the steps of how you got them to that point.

GM: Right. So, what I do and that definitely works. I just take a step back and ask them, what are your applications? How many products do you have? What is your architectural diagram? What does it look like? And in those conversations, more often than not, they’re going to have a simplistic diagram as you saw in my presentation. I have a simplistic diagram that it is not realistic, but it is what everybody has in their head. And when I start asking those questions and adding the complexities and everything that they need, I start to show them that whatever the mindset they have is much more complicated than it needs to be.

If you start to put in forefront how you manage your secrets first, where they are, who needs to access to them, how they’re going to access them. It makes it so much simpler to actually.

DS: So, you’re saying the is true here in that they think it’s going to make things more complex. And you’re saying Secrets Management quite the opposite you’re going to simplify solution which by the way we talk about endlessly on our shows about the need to simplify security, because all we’re doing is making it more complex now.

GM: Well, yeah it is the opposite right? We’re trying to make it simple enough and that’s the whole part of the process itself. That everything that we need should be streamlined in such a way that it makes it simpler for everybody to use it not harder.

DS: Could you me down to bare bones as to what is happening in these steps and makes it look simpler.

GM: Perfect. Alright. So, let’s picture in this fictional company that they have being moving to the cloud and they have hundreds of products and all those products that you’re going to run into Azure, EWS, GCP. And now they have to figure out because they didn’t think about it that where their secrets are going to be. So, those are key certificates, passwords, whatever that their secrets might be. And then they’re going to have to figure out where would they put those secrets. They have to figure out later on and whatever they’re running on. So, let’s say Azure they’re going to use key vault or AWS they’re going to use AWS Secret Management Tool.

Now those secrets are all far apart from each other. Each product is going to have their own KNS system. Each product, each team is going to have their own and now you’d have to sprawl of how everything spread it apart, right. And that’s how complicated that is. Whereas, if had something centralized beforehand, if you had something outlined beforehand, and you specify a process on how people should get their infrastructure, doesn’t matter where it runs. But if they know where to get to, if they know how to get to it, that streamlines the whole thing.

DS: I like that. Alright, thank you so much for your time, Gui.

GM: My pleasure.

DS: I appreciate it.