I try not to write about ongoing work—if it is important enough to blog about then it is important enough to write about in the work product, and blog about something else. But every once in a great while, the need overrides my simple rule. After all, zealous adherence to rules is not really a thing we do well in IT.
I hit a couple of those while doing work on password management for a client. I mentioned a couple of important issues in the work product, but one was mentioned with the caveat that it was not something profound while the other was evident and necessary but with solutions other than password managers that could handle it. I didn’t belabor either point.
The wider market, though—those who either haven’t yet addressed password management or those that are just now starting to delve into it as a corporate solution—probably don’t realize that these are two issues that an enterprise requires and that DevOps needs.
The less obvious is the enterprise requirement. There is a lot of buzz out there about changes in the perimeter driving changes in perimeter security (if perimeter security is going to have any meaning, anyway). But the underlying change factor is not so much our perimeter going out to embrace items on the larger internet, but the growth of that internet. Yes, our perimeter extended to cloud or service providers (or multi-clouds or more than one service provider), but the enabling technologies making the internet and the web also extend our perimeter in less visible ways.
Right now, in your organization, there are hundreds of unacknowledged accounts at your business partners. These accounts should be known, but they’re hiding in plain sight. Accounts exist for places that provide small things—the type of stuff that used to be paid for with petty cash. The store where marketing buys the one-off items, or the emergency backup account for when office supplies run out in accounting—accounts like that. Password management protects these accounts automatically (assuming it’s being used, anyway). There’s not much your organization can do to protect those accounts from being attacked on the server side—those are not your servers, after all—but password management would protect them from the user side by enforcing things like strength policies and change frequency rules.
The more obvious but underrated one is secrets management. Most password management vendors do secrets management today, sharing in the password protection technology already implemented in the core product. And if you are a DevOps shop that is even a little bit automated, you need secrets management. Secrets management could be done elsewhere (and often is), but most organizations are using things like hardcoded credentials and API keys instead.
My rare forceful statement: “If you are hardcoding credentials, API keys, SSL certs or other secrets, stop it. Stop it now. You’re DevOps, not ‘Here are the keys to the kingdom’-Ops.” Password management can do this for you without hardcoding. So can other products, but you get two solutions in one if you use your password manager for secrets management, too. A password management product that offers secrets management with both API and command line access is huge for DevOps. To use the product in any given DevOps scenario, one of those two will address the scenario.
As always, keep kicking it. You are running the face of the company. Whether sales, marketing, PR or whatever, when people go to interact with the company (be they employees, partners or customers), it is almost always the systems you run that they’re working with. Also, remember to protect your baby. Password management is not a product-centric thing, but push for central implementation with secrets management. Drive faster with password management, deploy more with secrets management and worry less with both. I don’t generally plug myself, but I’ll come close because it might be relevant to you—if you’re interested, there is more about password management out there under my name, including my take on who you should consider.