KeyConf NYC Interviews – Secrets Management Opportunities
David Spark: You’re on a panel right here at KeyConf. What was that panel about?
Maria Schwenger: We had an interesting panel of practitioners. Concentrating on practical experience about secrets management. We touched a little bit on the history, why today the secrets management, the key management, it’s so important. What differences, what new technologies we are implementing and how to introduce this new concept, how to build the culture within our organizations.
DS: Alright, perfect. So, MS, Secrets management was not a hot topic a few years ago, but it is seem to be spoken about a lot more today. I think mostly because of the problems that we’re seeing around secrets and how they’re not being kept secret. Why do you believe we’re talking more about it today than say 2, 3 years ago?
MS: So, David, you’re right. It was not a hot topic but it’s always been a hot problem.
DS: Okay, that’s a good way to put it.
MS: Joke on the side.
DS: It’s not a new problem. It’s what you’re saying.
MS: No, it’s not a new problem. It’s the way, the news will be in the way we think about secrets management today.
DS: There you go.
MS: And the reason we have to think in a new way is because of the complexity of our environments today. We talk about Zero Trust. The perimeter-less way of us accessing and using technology from anywhere from everywhere. It’s all the new technologies, containers, Kubernetes. Now we talk about secrets management for containers, secrets management for Kubernetes, for serverless. We talk about a lot of new things, DevSecOps, agile, different ways of working. Our companies are putting pressure on our development teams to develop, to get products faster to production.
DS: So, I’m going to summarize for you quickly. Secrets management is in more places than we realize or secrets, let me say that. Secrets is in more places than we realize.
MS: Secrets is everywhere.
DS: Yes. So, if it’s everywhere, we’d like to know where it is, right?
MS: Well, that’s a good question and actually this was one of the questions at the panel. Do we have an inventory of our secrets?
DS: I’m going to go so far as to jump in and say most don’t.
MS: That’s correct. But this is something that we need to start considering. Obviously, this is not going to be like accounting inventory. But in many cases, for example, let’s say we have an incident. Well, first of all, I need to know what was exposed and immediately stop the access at this point. And second of all, I probably want to go and once I have some type of penetration, I want to go and change all of the passwords. Well, if I don’t know which they are or that might not just be a password. Password is just one simple thing part of the Secrets management, right.
The one traditional thing that we call it the secret management. There’s so many other means of secret management from encryption tokens and tokens etc. So, having the inventory is turning out to be pretty important. Also, the way we implement things today, how many companies are still creating their secrets manually. I mean we know that manually created password, 80% is going to be easy to guess, right. We do need to start relying on our systems to have system generated keys, secrets.
We need to start also to have a pretty good belief, trust that it’s going to be stored in a proper way. We need to make sure that we have the right policies and that when our policy says rotate keys every 90 days, we will have a reliable system to do that.
DS: So, let me pause you for a second. And this may sound like a dumb question but someone who just hears you saying we need to do this. We need to do this. We need to do that. Just ask why I need to do this? What’s your answer to that?
MS: Probably, my answer would be silly too. I don’t think we have a choice.
DS: We don’t have a choice because why?
MS: Because everybody from the bad guys is after our data, right. Protecting our data, protecting our applications, protecting our enterprise worldwide. Especially for the last couple of years has become a foremost task. And because we have new technologies for example, APIs and microservice management architectures we are creating, there’s not enough expertise. What does it mean to create a properly secure authentication, authorization of the APIs in the microservices? So, there is a lack of talent there is not really too many best practices that we can put in place. So, these are all factors that put a little bit more pressure on us really to come to the right holistic implementation of Secrets Management.
DS: What do you think Secrets Management is not doing today that you would like to see happen?
MS: There’s definitely a lot of opportunities for key management.
DS: And that would be?
MS: That will be probably the way the key management, we think about the key management, the culture in our companies that we create around key management. This collaboration, because think about it. I am the identity and access management, development, security teams, networking teams. There are so many database people, right. There are so many teams that are stakeholders and engaging in this process. The other thing is, imagine that I have certain keys for application than the database people are doing completely different thing, right.
This organizational awareness and proper implementation, architecture throughout, holistic architecture throughout the company in terms of key management. That’s on my wish list.
MS: And I’m trying as a practitioner to build a program so the key management will never be after talk. It will be something that we plan in advance and we implement in the best possible way.
DS: Excellent. Maria, thank you so much for your time.MS: Thank you for having me.