I’ve just returned from this year’s Cloud & Cyber Security Expo and, finally, recovering enough to start putting together some thoughts about what I saw at the show.
The most obvious first thoughts were about the scale of the event. It’s co-located with five other events ranging from Blockchain to Data Centres. More than once I got lost in the labyrinth of the exhibition hall to suddenly find myself surrounded by UPS power systems or fuel filtration devices. It all appealed to my inner-geek but wasn’t quite what I was expecting. I certainly exceeded my step count each day!
Cyber-security and DevOps
The Osirium stand was right on the boundary of the Cybersecurity and DevOps areas. A very meaningful and suitable position as it turns out. A lot of the discussion in the DevOps Expo conference program was about building security into the development & release pipeline. Security was also a hot topic in the Cloud conference program.
It’s no surprise. While the initial flurry around GDPR may be settling down now, it helped all organisations focus their minds on what they’re doing to protect their customers, staff, partners, and corporations.
There’s certainly some good work going on in the DevOps arena from the likes of Docker, GitLab and GitHub to build security into their toolchains and processes. They all put “Identity Management” or “Secrets Management” in their slides. However, it seemed to me like none of them address the challenges of separating developers and code from the services they need to be able to do their work.
For example, there are still real risks around building weak security into the code in the early stages of development. That might get a prototype running or push an “MVP” release to early adopters. Unfortunately, the time never seems right to re-architect the connections to ensure those dev/test accounts don’t end up in Production systems.
I discussed some of these issues in a recent blog post: Privileged Access Management and the secret to CI and DevOps Success.
The solution for secure DevOps – Privileged Access Management (PAM)
There is a solution though: Privileged Access Management. Some vendors that offer “password vaults” which have some limited isolation of users and passwords but they’re only a partial solution. Osirium’s CTO, Andy Harris, talked about these issues in a session added to the agenda at the last minute.
We’ll be talking about the solution a lot in the coming weeks. The key solution is to make Privileged Access Management a trivial service to add to your apps and pipelines. He showed how Osirium are using this technology to build a new, unique IT Operations automation solution (you can get a sneak peek here).
You can see more about moving beyond PAM to Privileged Robotic Process Automation in Andy’s blog post: The Journey Through PAM, PTM and onto RPA.
PAM is still under-understood and under-valued
Osirium Co-Founder and Services Director, Kev Pearce, presented twice about ensuring the right people have the right level of access to the right systems at the right time. Both sessions were well attended and the questions asked showed that there’s still a lack of understanding about PAM (this might help: Why SysAdmins Would Choose Osirium).
Conversations at the Osirium stand reinforced this and showed there is a huge interest in learning more on the topic.
In summary, I found it a fascinating show. It was a great chance to catch up with old friends and, most importantly, get insights into the security challenges facing developers and cloud service providers. The good news is that Osirium is well placed to help.