The Future of Work Trust’s Zero

Richard Barretto, Director of Information Security, Progress Software

Innovative, intrapreneurial, security thought leader with 15+ years of providing vision, strategic planning, and solutions for cybersecurity programs that integrate the voice of the customer, strengthen the enterprise, and improve productivity. Hands-on leader with an exceptional ability to mentor and coach teams to deliver results that exceed expectations. Relationship builder creating bridges across organizations. Highly respected subject matter expert and trusted advisor for cybersecurity, privacy, and professional consulting services.

Hey, everybody, this is great. After COVID, seeing people, having conversations in person, priceless. It’s just absolutely priceless. Anyway. Hi, I’m Richard Barretto, Director of Information Security at Progress Software. I’m going to be talking about the future of work and how it trusts zero. And it’s a little bit of a play on the Zero Trust.

So, just a little bit about myself. I’ve been at Progress for just about a year. I have 20 plus years in the industry. I’ve worked in healthcare, finance, technology, and startups. Previously, before Progress, I was at Cimpress. So, Conor, we used to work together, and it was a good, good time.

So, just a little bit about Progress Software, if you guys are not familiar, Progress Software’s actually been around for 30 plus years. They started off in database technology, but we’ve been growing through mergers and acquisitions. Our 2 recent acquisitions were chef.io, a pioneer in the DevOps space. And then just a few weeks ago, we announced our acquisition of Kemp Technologies, if you’re familiar. They play in the application experience and digital experience space.

Some other products is MOVEit and Sitefinity. I’ll talk about that a little bit. But as you can see from the PowerPoint, we’ve been doing business. And we’re a publicly traded company, and we can continue to grow, which is kind of falls into the strategy of future work.

These are just some of the logos for some of our customers. We’re not shy to any vertical. Because we’re mainly developing development tools, DevSecOps solutions and stuff. We provide solutions for technology, technology companies, healthcare, finance. One of our recent, we’ll call it wins, was Sitefinity is one of our products to help the World Health Organization during COVID to update their web service and manage their content. So, yeah, these are some of our customers, and I’m very proud.

So, some of you guys may already know this model. How do we run security? It is definitely a shared responsibility. I am not the person who’s pushing the buttons. I’m not the one who’s going to come in with the architectures. I can only influence and provide advisory. But at the end of the day, it’s really a lot of groups in our organization. Well, it’s the developers and product engineering, legal from a privacy perspective. But it’s, throughout the organization, if we don’t have a shared responsibility model, security could never really be as good as we’d like it to be. I have a small team. So, I have team members here. There’s a team and me right now here in North America, South America. I got 2 interns working out of Dominican Republic. And in Europe, we have a team of 2 out in Bulgaria. And hopefully, the team will grow. Like I said, without security advocates within the organization, we couldn’t run security.

Very simple, I try to keep it simple. When I came on to Progress, the thing that we needed the most is to provide scalable self-service solutions that provided, enabled our teams to be more secure. Self-service, pretty straightforward. Some of the services that we provide is log management, secrets management, which we’ll talk a little about, of course. We’re also monitoring the attack surface, continuous cloud monitoring and things like that. Scale, because we’re also going through tons of mergers and acquisitions, I need to be able to assure that our organization scales and has a solution that can scale with the organization. It’s very tough when you have, and I’ll talk more about in a few slides, is when you have secrets distributed everywhere.

And then, the last but the most probably important is take security engineering away from the teams. Let them focus on their core business, their core service to the organization value. If I can take that away from them, that means they don’t have the overhead of managing a secret system or integrations or things like that. If I can provide it simple solution that allows them to do that, I’ve definitely made some progress.

And so, the future of work, especially in a COVID environment, my risk now has changed. It’s no longer behind the 4 walls, because if we’re behind the corporate network, I have different threats. Right? My threats are now more focused on individuals versus networks, more phishing attacks, more brute force attacks. And secrets management, I’ll talk more about it is, how does that fit in the future of work?

Well, some of the things is Zero Trust model. Chase talked about that. And great talk. We got to be a Cloud First Technology. Right? Reduce the overhead. Easy, simple solutions to integrate. Right? Very, very short cycles for integration and getting people up and running. Providing Central Security Services is also part of our strategy, because we’re mergers and acquisitions. If they can adopt best-in-class solutions, best-in-class products, it’s a big one for us. Tech consolidation, and modernizing security tooling, I think that’s pretty straightforward.

So, secrets really matter for us in 2 ways. There’s the machine-to-machine. So, if you’re in a CI/CD, if you’re working with APIs, that’s what machine scenario did for us. And then there’s always the human-to-machine scenario, which I think Ori just showed, especially during those secure remote access, is how do you provide a secure service, a secure capability, so that especially people working from home, you have some comfort that… and from a CISO’s perspective or a security perspective, how do you get comfortability around that?

So, this is a very tough problem in DevOps world. And the reason why, I just want to show secrets management is just one part. So, making it simple, making it easy to consume. But if you look at it, secures the CI/CD pipeline. That’s reliant on secrets management. Same thing with automated security testing. So, I just wanted to bring this that you got to make secrets management as part of like your normal hygiene. And if you don’t, and like most attackers will do, the first thing they’ll go for is look for escalation privilege. And what they’re going to look for, passwords, tokens, things like that to attack.

So, this is the before. And this is still prevalent in a lot of organizations. We have secrets in source code repos. They’re hard coded. You also have in the cloud, whether if it’s on AWS, Google, Azure. Then you also have open-source key systems, which a lot of our organizations, because we’re also integrating startups and even, we call it legacy organizations, they had their systems and their secrets everywhere. And then as well, it still happened today, it’s still on a sticky somewhere, not necessarily on their wall, but digitally, within their computer. Right?

So, this is a problem. Because now especially when you’re working from home, I’m an attacker, I could potentially have access to these keys. I don’t have visibility because it’s all distributed. And not only that, now I can set a minimum standard across the organization, which now gives me more comfort as a security leader to assure that I’m minimizing the risks around authentication attacks.

Right, I talked about this. Right? Secrets are just scattered everywhere. It scares me. It scares me because there’s also the not knowing what you don’t know. And it’s a good exercise to start challenging our engineers and developers where those secrets live. Now, there’s good open-source solutions out there that can actually go and sniff for those secrets in source code and files and things like that. But you have to have… you have to understand kind of like asset management, like any risk management program, you have to understand your inventory. And that’s why it’s good to understand where your secrets live.

Then, because secrets is also a very vital part of how things operate, if a system or a secrets management solution goes offline, that’s an impact to the business. Right? Business doesn’t really care so much about, “Hey, the secrets system is down.” They do, don’t get me wrong, but they’re more concerned about, “What’s the impact to the business and to our customers?” And so, having a highly available service provides us this capability, in which Akeyless does. And you’ll see in a bit.

And then also, when I came on board, again, we were using open-source solutions. Everyone knows that it’s not constantly maintained. It’s not always invested. But if you enable it, if you enable a self-service and takeaway security rate from teams, it helps reduce the dependency on teams that do that. But again, you can’t scale. So, no multi-tenancy. It’s not a self-service. There’s an integration portion to it. Just long cycles. And it’s, again, just trying to make it easier for our engineers.

So, the future. We centralized with Akeyless. Great thing is I don’t have to deal with like 2 or 3 clusters of vaults systems. Right? It’s a SaaS solution. Right? I think they’re one of the very first put this out there. Now I have coverage from a global organization, especially at Progress. We have… we’re a SaaS service and some of our products. And so, now the secrets have to be able to be resilient as well as a service. And so, this completely aligned with our strategy as an organization to provide these things.

So, it provides… let me go back. Yeah, it provides self-service. It’s an edge key service, so I don’t have infrastructure that I have to maintain. That means I don’t have to hire engineers to maintain this or have my current engineers and take them away from stuff that’s adding value to the organization. Nice thing about Akeyless is that like, like a lot of organizations that’s growing through mergers and acquisitions, you’re going to have different CI/CD pipelines. You can have different repos. And so, now we have a solution that can actually glue all that together.

And because it scales out of the box, it just all adds up. Right? So, then when you look at the total cost of ownership, kid you not, Akeyless was significantly lower than the solutions that we looked at. And just when you look at the… even just the hard costs were like, “Yeah, this just makes sense.”

It also fits in line when I talked about working remotely with our Zero Trust initiative. Because now everyone’s working remotely, we’re now looking at every individual, every system as a hostile attacker or a hostile system. So, having a secrets management solution fits into that. So, with ephemeral just in time access, if someone did pop that token or that password, I have some level of comfort that I know that the access is only going to live so long.

And so, just quick summary. So, this was basically our journey into Akeyless, but I would say if you’re looking at embarking this journey of secrets management, just enable teams. Show them the value how you’re taking security away from them, making it easy. Find the team to be the raving fans in your organization, and I kid you not, adoption will skyrocket.

Start very small. Right? Don’t try to boil the ocean. If you start small, take iterative steps, you’ll definitely see the benefits. And if you get to know the new KISS, Keep It Simple and Scalable. Right. Thank you very much. And hope you enjoyed the talk.
