KeyConf NYC Interviews – Progress’ Journey to Secrets Management
David Spark: Richard, just to start, give us a quick synopsis of what you were talking about today.
Richard Barretto: Yeah, so today’s talk is about the future of work and how part of our overall security strategy is to provide a zero trust model, right. So, the elimination of the dependency on VPN, things like that. But now with the future of work, and especially in a COVID model, everyone’s working from home. So, the traditional security that would normally be in a corporate environment is now bleeding into individuals’ homes, which we don’t have any visibility around. So, how does secrets management fit into that whole overall strategy?
DS: Alright, let’s begin with that right there. As people, you know, at the beginning of COVID, we’re dealing with work-from-home security, I don’t think secrets management was on the top of their list.
RB: No.
DS: Not at all. So, where does secrets management come in a work-from-home security strategy and why is it critical?
RB: Well, yeah. One, the risk is now not aimed at the corporate environment. It’s aimed at the individual user, and because they’re working on these secrets, they might have them in a file, on a sticky, or somewhere in their computer virtually, right. And we needed a good way to ensure that we had visibility around the secrets. But with something like Akeyless, they have ephemeral secrets, which for me from an information security and risk management perspective gave me much more comfort. Because right now, developers probably have their secrets in different places where they could have them hard coded, but I don’t have visibility or control around their environment.
DS: So, how does the dynamic change? How does your security program change when you move from secrets that, who the hell knows where they are, to a more managed structure? Just, like, step back and go, once you’re in this position, what now changes in your security environment?
RB: Yeah, I mean, work from home is still just one reason. The other reason is because secrets live everywhere. I don’t know how the teams are protecting those secrets, whether they’re encrypted or not encrypted, and things like that. But providing and adopting a solution like Akeyless that collates all those secrets and allows me to get that visibility and control over those secrets, that’s a win for us.
DS: So, like give me a before and after environment, because I’m trying to understand like how things are changing because of it. Like before secrets management, I dealt with this. I dealt with this. I dealt with this. Now, with the Secrets Management program, I don’t deal with this and here’s a security mechanism that’s now in place that makes things more reasonable.
RB: Yeah, I mean, the nice part about something like Akeyless is you can do a lot of automation, right. So, there are no more static passwords. It can be dynamic. Those things helped. Because the risk that I’m really more concerned about, especially working from home, is say an attacker attacks a developer, they get on their system. And now they have access to an API key. Well, with Secrets Management that key only has a time to live for X amount of hours, or whatever policy they have, so having that solution is going to reduce my risk. Like before, it would be in a text file or somewhere cached in memory. It gets scraped and now they have full access to whatever service or system.
DS: Which, by the way, seems to be the most traditional way attackers get into systems: seeing plain text passwords, plain text secrets, hard coded wherever, living for God knows how long and indefinitely. And by the way, so low cost for them to attack when it’s in that environment. So, while again nothing is 100% secure, you’re just creating a more difficult experience for the attacker.
RB: Yeah, the point is to drive cost, right?
DS: Right.
RB: So, drive the cost up so that it becomes, you know, not attractive enough to even try and attack. Yeah, I mean, that’s really it, it’s just to try to drive the cost up, and we’re trying to be pragmatic in a sense, to try to secure and treat every end user, or even every system eventually, with the Zero Trust model as hostile. And if you follow that model, you’ll reap benefits.
DS: So, give me an idea of an environment that you are, let me say it this way. What’s a problem you’re no longer dealing with now that you’re dealing with it? Let me say it one more time. What is a problem you’re no longer dealing with? It’s no longer HD for you because you’re doing Secrets Management.
RB: Well, before Akeyless, and I’ve talked about this, it was open source. So, we were using HashiCorp Open Source. And it was not scalable to get the same service or resiliency that Akeyless would give me. I would have to have a team, and I only have a very small team, which means overhead, hardware, whatever virtual licenses. It’s just overhead that I could truly, you know, give up. If I can outsource that, like with the Akeyless services, now I get 24-by-seven uptime. I get premium support and I get resiliency across the globe. Now, why does that matter to us at Progress Software? We’re building SaaS services. Any services have to be up all the time.
DS: Excellent. Well, thank you so much. I was speaking to Richard Barretto, who’s the Director of Infosec over at Progress.
RB: Thanks.
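The risk reduction Barretto describes (a scraped API key that is only valid for a policy-defined time to live) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Akeyless, HashiCorp or Progress code, and the broker, its methods (`issue`, `validate`, `revoke`) and the `FakeClock` helper are hypothetical names chosen for illustration. The broker stores only a hash of each credential, so a dump of its own state does not yield usable tokens, and the test clock lets the expiry behaviour be checked deterministically.

```python
"""Minimal model of ephemeral, time-limited secrets (added example).

A broker issues a dynamic credential with a TTL. A resource asks the broker
to validate a presented credential; it is accepted only while it is known,
unexpired and not revoked. A credential scraped from a developer's machine
therefore stops working once the TTL lapses, which is the risk reduction the
interview describes. All names here are hypothetical.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Lease:
    principal: str      # who the credential was issued to
    expires_at: float   # absolute epoch seconds
    revoked: bool = False


class FakeClock:
    """Deterministic clock for tests; production code uses time.time."""

    def __init__(self, now: float) -> None:
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def _fingerprint(token: str) -> str:
    # Store only a digest so a leak of the broker's state is not a leak of
    # live credentials.
    return hashlib.sha256(token.encode()).hexdigest()


class SecretBroker:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._leases: Dict[str, Lease] = {}

    def issue(self, principal: str, ttl_seconds: int) -> str:
        """Mint a fresh random credential bound to a TTL policy."""
        if ttl_seconds <= 0:
            raise ValueError("TTL must be positive")
        token = secrets.token_urlsafe(32)
        self._leases[_fingerprint(token)] = Lease(
            principal, self._clock() + ttl_seconds
        )
        return token

    def revoke(self, token: str) -> None:
        """Early revocation, e.g. after an incident on the holder's machine."""
        lease = self._leases.get(_fingerprint(token))
        if lease is not None:
            lease.revoked = True

    def validate(self, token: str) -> Optional[str]:
        """Return the principal if the credential is live, else None."""
        lease = self._leases.get(_fingerprint(token))
        if lease is None or lease.revoked:
            return None
        if self._clock() >= lease.expires_at:
            return None
        return lease.principal

    def purge_expired(self) -> int:
        """Drop dead leases; returns how many were removed."""
        now = self._clock()
        dead = [k for k, l in self._leases.items()
                if l.revoked or now >= l.expires_at]
        for k in dead:
            del self._leases[k]
        return len(dead)


def scraped_key_still_works(ttl_seconds: int, attacker_delay: int) -> bool:
    """Does a key copied from a dev box at issue time still work after
    attacker_delay seconds? With a static key this is always True; with a
    TTL it is True only while attacker_delay < ttl_seconds."""
    clock = FakeClock(1_000_000.0)
    broker = SecretBroker(clock=clock)
    token = broker.issue("dev-laptop", ttl_seconds)   # "scraped" copy
    clock.advance(attacker_delay)
    return broker.validate(token) is not None


if __name__ == "__main__":
    print("1h TTL, used after 30 min:", scraped_key_still_works(3600, 1800))
    print("1h TTL, used after 2 h:  ", scraped_key_still_works(3600, 7200))
```

The `scraped_key_still_works` helper is the interview's scenario in code: the same stolen credential is live inside the TTL window and dead outside it, so the attacker's window is bounded by policy rather than by how long a text file sits on disk.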