#fastsecure: Where Secrets, Devs, & Security Meet In Machine Identity
Kevin Bocek, VP Ecosystem + Threat Intelligence, VENAFI
Kevin Bocek is responsible for security strategy and threat intelligence at Venafi. He brings more than 17 years of experience in IT security with leading security and privacy leaders. His research identified how Secretary Clinton’s email server did not use encryption for her first three months in office and how Edward Snowden used cryptographic keys and digital certificates to breach the NSA.
Great to see everyone. So, we’re going to have a little bit of fun. There’s a mark here. I don’t know if I should stay in here. That’s probably going to be a problem. We’re going to have a little bit of fun talking about how our jobs have changed, especially those of us on security teams, and how we actually can take what we’ve learned here this morning about secrets management and machine identity and put that to action, as we’ve gone through this tremendous change over the last year and actually our businesses have changed. And all that’s going to come in this new idea that you’re actually going to be able to take away right now: fast secure. It’s not fast and secure, not secure and fast, but fast secure. Are you ready? Let’s get started.
Alright. So, go figure, something’s changed in business over the last 2 years, okay? You’d be like, “Duh, yeah, it has.” But what I’ll tell you though, actually, is that fundamentally, business has changed. Business has changed so that now, whether you’re a retailer, or whether you’re a bank, whether you’re in logistics, whether you’re in telco, you’re now a software company. Now go figure, go tell your CEO or a managing director about that. We’ll come back to that just a little bit later. But you’re now a software company. Which means then the competitive advantage that you had has changed too.
I don’t know if you read in The Wall Street Journal this last weekend, with the whole, some might say, downfall of GE, that it’s proven that the competitive advantage of business has changed. It’s not people, gray-haired people like me, that are the advantage, aka management, but it’s actually these people, the developers. These are the competitive advantage now that we have in business. Those of us in security, we’ve seen some of them, yes. You’re probably then, as you’re probably already thinking, “Hey, you know what? If this is now the competitive advantage in business, and we’ve now changed, then we probably have to change too,” don’t you think? So, our role in what we do has fundamentally changed. And the way that we need to think about helping those that are creating the competitive advantage has to drive what we do each and every day.
And that’s why I like to bring this idea to you, which is that we need to think much like a Formula One engineer, like the race engineer, like the team back at the factory, like those actually on the pit lane. Yeah, you know what? Drivers are an advantage. But it’s that whole team behind them. And at the same time that a driver is trying to win the race, they have to go both fast safe at the same time. You can’t just go fast because you will wreck, and you can’t just go safe because then you will lose. And that’s now our job: to go fast secure. It’s all at the same time, all at the same time.
And when you take a look at a modern Formula One car, actually, much of the car is as much about going safe as it is fast. Yeah, there is the power plant that is superfast, that performs. But actually, it’s the brakes, it’s the aero, it’s the chassis, all there to help us win safely, so that we can get to the optimal levels of performance. And so, this is fast secure.
Now, I’m going to get to, in just a minute, how this all relates back to secrets. And we’re going to dig into machine identity too. But this is a big, big change in the way that we have to think as security professionals. We’re not just the security team. We’re the fast secure team.
Alright, so let’s get into it right now. So, as we’ve been talking about, our business now is out there. It’s somewhere out in the cloud. It’s maybe at the edge. Yes, you do still have some data centers, yes. But what makes the difference, though, between your cloud, my cloud, the bad guy’s cloud? Well, we’ve been talking about it this morning. And this idea, of course, isn’t new, that identity is the perimeter. But so much, though, of a business, since we’re all ‘software companies’, that actually means then, you know what? Most of what makes us today as a business is machines. It’s all those workloads. It’s all those Kubernetes clusters. It’s all those Amazon EC2 instances, they’re spinning up and down. That’s what makes our business. And therefore, the perimeter then actually is the machine identity perimeter.
We’re pretty boring as humans, when you think about it. There are like 8 billion of us, there’s only so many customers that you can have. But there is an infinite amount of Kubernetes workloads or serverless functions that you can scale up and down. And so, machine identity is this new perimeter.
Now, good news is, good news is we know these machines already. I mentioned some of them. And almost all of them actually in cyberspace. Yes, some of them are physical. Some of them might fly or swim. Maybe they’re IoT devices. But most of them, though, are out there in cyberspace. They are the application servers. They are the cloud instances. They’re our Kubernetes clusters. Even the blockchain and a smart contract, those are all machines. And of course, they all have identities.
Now, if you’re a security engineer, well, you already know where I’m headed, because we’ve met some of these machine identities, and we’ve been talking about them before. But machine identities form a whole spectrum. It could be everything from a TLS certificate that we know very well. Might be a code signing certificate. Might be an SSH key or an SSH certificate these days. Loads of API keys. JWT tokens, SPIFFE IDs, you name it, Macaroons, you put them all in there. There’s a whole new set of machine identities; all of these are machines and machine identities. Okay?
And go figure Gartner said, “You know what? Read into it again. We’ve all become software companies.” And machine identities actually establish what is good or bad, friend or foe. We can’t actually operate in a digitally transformed world, the world that we fast forward to now. And again, we’re all software companies. This is why machine identity, which you work on as security teams, CISOs, security engineers is so important.
Alright. Now, you might be wondering, “Hey, as we get to the clouds, this solves itself. You know what? Isn’t machine identity supposed to be built in? Isn’t it supposed to be easy?” And even the coolest kids like LinkedIn still are finding challenges. Because if you’re a LinkedIn user, you felt the failure of machine identity management multiple times. Over the last few years, you’ve seen LinkedIn just go off, out, just simply because a machine identity, in this case, a TLS certificate, expires. So, this is obviously not easy. And it’s obviously not going to get solved out in the cloud. So, we’re not going to go fast secure if we assume the engineers have this sorted. Now we’re going to have to help them in our role as fast secure. Okay?
Now, this has also become, with machine identity, and again, you can tell this to your CEO, a life and death issue. Yes, we think about things like, “Oh, yeah, but we’re not available. Customers can’t get access to us.” But this is now a life and death issue with machine identity.
HHS Secretary Ghaly (video): Good afternoon. It’s nice to be with you again. On July 25th, a server outage created a delay in lab records coming into our lab reporting system. Simultaneously, we discovered that we were not receiving data from one of our largest commercial labs for a period of 5 days, between July 31st and August 4th. This was due to a certificate that the State neglected to renew in time, which resulted in data not being able to transmit to the State. I became aware of the magnitude of the data backlog in the late afternoon on Monday, and alerted the Governor and his senior staff shortly thereafter.
Kevin Bocek: So, this is now a real life and death issue. You had hundreds of thousands of COVID results not being reported. That’s tens of thousands of positive COVID cases at the height of the pandemic not being reported to local health authorities. This is serious. So, what we do now as fast secure engineers, it’s really critical to the business. Again, Gartner has said that. And you know what? You can’t get to a future world where you can run in the cloud, where you can be as agile, without machine identity.
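An added example, not part of the talk and not Venafi or Akeyless code: a small Go program that reads a PEM bundle of certificates and reports which ones are already expired or sit inside a renewal window. This is the basic observability check that would have surfaced the unrenewed certificate in the outage above before the data stopped flowing. The three sample certificates are self-signed and constructed inside the program; the hostnames, the 30-day renewal window and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math"
	"math/big"
	"time"
)

// CertStatus is one row of the expiry report.
type CertStatus struct {
	Subject   string
	DaysLeft  int  // rounded up; negative once expired
	Expired   bool
	RenewSoon bool // still valid but inside the renewal window
}

// CheckExpiry walks every CERTIFICATE block in a PEM bundle and flags the ones
// that are already expired or will expire within renewBefore of now.
func CheckExpiry(pemData []byte, now time.Time, renewBefore time.Duration) ([]CertStatus, error) {
	var report []CertStatus
	for rest := pemData; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break // no more PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other material mixed into the bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		remaining := cert.NotAfter.Sub(now)
		report = append(report, CertStatus{
			Subject:   cert.Subject.CommonName,
			DaysLeft:  int(math.Ceil(remaining.Hours() / 24)),
			Expired:   remaining <= 0,
			RenewSoon: remaining > 0 && remaining <= renewBefore,
		})
	}
	return report, nil
}

// selfSignedPEM builds a throwaway self-signed certificate with the given
// validity window; it exists only to construct sample input for this example.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle returns a constructed bundle of three certificates: one healthy,
// one inside a 30-day renewal window, one already expired. The names are made up.
func SampleBundle(now time.Time) ([]byte, error) {
	var bundle []byte
	for _, c := range []struct {
		cn   string
		days int
	}{{"healthy.example.test", 90}, {"renew-soon.example.test", 10}, {"expired.example.test", -1}} {
		p, err := selfSignedPEM(c.cn, now.Add(-48*time.Hour), now.Add(time.Duration(c.days)*24*time.Hour))
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	now := time.Now()
	bundle, err := SampleBundle(now)
	if err != nil {
		panic(err)
	}
	report, err := CheckExpiry(bundle, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, c := range report {
		fmt.Printf("%-26s days_left=%3d expired=%-5t renew_soon=%t\n", c.Subject, c.DaysLeft, c.Expired, c.RenewSoon)
	}
}
```

Run against a real bundle by replacing SampleBundle with the contents of your trust store or an export from your certificate inventory; the counts of expired and renew-soon rows are the numbers worth trending week over week, and anything in the renew-soon column is a ticket, not a calendar reminder.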
Alright, so what do we need to then think about building, which is a lot of the common themes we’ve heard here today already at KeyConf? Well, developers, they need something that’s consistent. They need high performance, low latency, works everywhere. Obviously, you’re already starting to fill in the blanks. Those are things that, wow, obviously, Akeyless is great at.
Now, what do we then as security professionals, the fast secure engineers, also need? Well, we need the observability. We need to know actually what is going on. We heard Admiral Rogers talk this morning: you can’t have a foundation of advanced security if you don’t actually know what’s there. You need to have confidence that policy is being followed. It needs to work with what you’re already using. You’re not just going to throw away, even as we’re going fast, we’re not just going to throw away what we built up in security over the last 5, 10 or more years. And of course, last time I checked, you know what? The fast secure engineers, we’re not growing on trees. So, it has to have a really, really low impact on what we do. Obviously, it has to be automated. So, these are things that, in that intersection of fast secure, we need to build for.
Now, next, what we’re going to dig into is how, right now, you can go and actually achieve these types of outcomes, like, for example, stopping outages, driving faster automation, right now after this session, and go and sign up and start using what Akeyless, for example, and what Venafi are offering to help you right now. You actually can go and do this right now.
Now, before we get there, though, Gartner said, and again, this is to bring back to your teams, you know what? You cannot actually go and run in the cloud, across clouds without machine identity management. You’re just not going to be successful. You’re going to have all those types of failures and more that we saw.
Alright, so this is our role of fast secure. Let’s see where we’re headed. Now, next, as we dig into actual use cases, what can you do right now? Okay, so there are some common design patterns in which secrets management actually allows us to take and deliver this fast secure experience for our teams. Okay? Because it’s consistent. There’s one way to access. It’s observable, we’re going to know, high-throughput, okay, low-latency, it’s going to work everywhere, and it’s available. It’s available, as we heard. That’s the one difference. Now, when you can meet engineers at this one place, at the secrets manager, that’s where we can now, as the fast secure engineers, meet them.
Now, 2 use cases then we’re going to talk about. So, giving easy, anywhere access to machine identities, whether that’s from a public trust, maybe you need to deliver that to an application server, so it can be trusted in a browser, or maybe it needs to be from your private source, it’s going to be an internal app, just 1 API, you’re going to deliver, okay, 1 service. And that’s how Akeyless and Venafi, right now you can go and sign up both at Akeyless and also Venafi right now and experience this today.
The second thing I’m going to demonstrate to you, show you, is how you can do this right there in Kubernetes. Actually, the ingredients are probably already being used by your Kubernetes engineering team. And you can connect it like that back to Akeyless and on then to Venafi. And that’s the power of Akeyless, Jetstack and Venafi. I guarantee you, go talk to one of your Kubernetes engineers, you can already go and connect that to Akeyless right now.
Alright, so first use case: developers, polyglots, they’re using any language. This is now the power that you can give them, which is 1 simple method to get machine identities, things like TLS certificates, whether it needs to be from a public certificate authority, like DigiCert, Entrust, GlobalSign, or whether it’s from your own source of certificates. Maybe you’re still using Windows PKI.
So, how do you do that? Well, Akeyless is that secret store where, as fast secure engineers, we meet developers. Okay? And they can either be delivered instantly, locally from Akeyless and then reported back, or you can actually go back and get them issued by Venafi, which then, the power of Venafi too, is giving you access to over 40 different sources of certificates.
You might be operating in Germany, might be operating in France, you may be operating in Singapore, and you have different sources of machine identity that you need to use. You get those instantly issued from Akeyless via Venafi, delivered out there to your developers, consistently fast. And you know what? You get single machine identity policy, single machine identity policy. So, now you as the fast secure engineers aren’t running around and you’re not having, again, those life and death issues that are very real right now.
Alright, second use case. And again, you can do this right now. Again, I won’t be offended if those of you at home are starting to go to Akeyless, going to Venafi and signing up right now to test these.
Now the other great thing is with Kubernetes. So, you might be using Kubernetes. It might be bare metal Kubernetes. You might be using Amazon, Google, Azure’s flavor. You might be using Service Mesh. You might be using Ingress Controllers; you have to deliver machine identities for all of them. Well, the great thing is, with the power that Jetstack has built with cert-manager, you can immediately connect that right now with Akeyless. Your Kubernetes engineers are already using cert-manager. It’s built into Amazon’s version of Kubernetes. It’s built into Tanzu from VMware. It’s already there. Your Kubernetes engineers already use it. All you have to do is, just now, use the Akeyless provider. And then you’ll start getting machine identities, not from wherever in Kubernetes, but from Akeyless, which of course, then, if you’re connected to Venafi, connects you onto your 40 plus different sources of machine identities. So, that’s easy, fast machine identity management in Kubernetes right now with Akeyless and Jetstack.
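As an added example, not a manifest from the talk, Jetstack, Akeyless or Venafi: the request side of what Kevin describes, a cert-manager Certificate resource that a Kubernetes team applies to get a TLS identity issued through whatever issuer the cluster has been wired to. The issuerRef is a placeholder for that issuer; the talk names an Akeyless provider but gives no resource names, so the name, kind and group here are assumptions to be replaced with your cluster’s own (an external issuer carries its own API group). The duration and renewBefore fields are standard cert-manager settings and are the part that matters for the expiry outages discussed earlier: cert-manager re-issues into the Secret before expiry instead of leaving renewal to a calendar reminder. All names and hostnames below are constructed.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api-tls            # constructed name
  namespace: payments               # constructed namespace
spec:
  secretName: payments-api-tls      # Secret the Ingress or mesh sidecar mounts
  dnsNames:
    - payments-api.internal.example.test   # constructed hostname
  duration: 2160h                   # 90-day certificate
  renewBefore: 720h                 # renew 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always          # fresh key on every renewal
  usages:
    - server auth
  issuerRef:
    # Placeholder: point this at the issuer your cluster team configured,
    # e.g. the Akeyless provider the talk mentions. Name, kind and group
    # are assumptions for this example, not real resource names.
    name: external-issuer-placeholder
    kind: ClusterIssuer
    group: cert-manager.io
```

After applying it, `kubectl describe certificate payments-api-tls -n payments` shows the Ready condition and the scheduled renewal time, which is the observability hook to alert on if a renewal fails rather than waiting for the expiry itself.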
Alright, that, I would say, is fast secure. Now, a good thing to know here, which is, as we’re working, how are we measuring success? We need to know, are we actually making a difference in the business? Well, with just those 2 use cases, we now know all the machine identities that are being issued, okay, whether that’s in the modern app development world of Kubernetes, or whether that’s in our existing infrastructure out in the cloud. We’ve reduced the time now to issue, to renew. Actually, it’s instantaneous. And the things like the outages that we saw, that even the cool kid cloud engineers are still letting happen, we’ve eliminated those. We can measure the applications, the teams that are consuming the service, and I’m sure there are more that you can think of in your business.
Well, that is fast secure. At the same time, going fast, allowing our teams to go faster and go safer, just like a Formula One engineer. Now, remember, I mentioned that something had changed in your business. So, the last thing I want to suggest to you is maybe the third use case, which is, you know what? Take this opportunity right now as well to write an email. And I’d say write an email from you to your CEO, which is, you know what? You’ve got some exciting news: “Hey, guess what? Dear CEO, we’re now a software company. And that’s pretty exciting.” I imagine, just imagine your CEO going and telling Wall Street, for example, investors, “Hey, we’re now a software company.” Can you imagine the growth in your share price?
But the reason I say that, though, is: imagine what happens to the thinking across the business? “Wow, we’re now a software company.” That will change, I think, and it’ll certainly change the way in security that we think about helping our developers go fast and safe, fast secure. That is a big change. And I really, those of you out there, I’m looking forward to getting replies from your CEO on that.
Alright, so fast secure. What are we now able to do? Okay? We’re actually able to… this is the thing, we’re actually able to build something that developers love. When was the last time…? And we’ve heard this morning that, actually, we’re building something that engineers love. This is the difference now with fast secure thinking. We can do this immediately. Machine identity management, secrets management, this is a big win where we can start to change the way that engineers think about security, think about us as security engineers. And it’s, it’s easy. It’s everywhere. It’s from the cloud. Again, go to Akeyless, go to venafi.com, you can sign up right now and start using this right now, this second. This is really fast secure. This is how we can make a difference. And it’s super fun to be here with you guys. And I look forward to hearing more about your fast secure journey, machine identity management, secrets management, in the future. Great. Thank you very much. See you guys.