
Thank you for that brief but wonderful introduction. Let me start my stopwatch here and we'll begin. If you want the slides, that's the tiny URL. It's not that tiny, but I love TinyURL, shout out to them for always giving me free, eternally living short URLs, because this is a Google Slides deck and I'm not giving you that entire thing. You can have it, but I'm not putting it on the screen. All right. Oh, sorry, I'll give you a one, two, three, four. That's it.

All right, so who in this room considers himself working in the world of DevOps? Awesome, thank you for all of your work. Who in this room works in security? I originally had "security team" here, but I think we should all be on the security team, and we all technically work in security, so everybody's hand should go up. That was a trick question. All right, who's on call right now? Really? When I asked this at the same talk at BSides SF in San Francisco, like five hands shot up. I am so sorry for you being on call right now. But if you've ever been on call, if you've ever had an incident to respond to: who has ever rotated multiple secrets because of an incident, like at the same time? Was that fun? No.

Here's an example of somebody that had a really, really bad day rotating secrets, and the thing to pay attention to is this number. Because of the Okta breach, which I think, for this crowd, I'm going to skim over: attacker gets into Okta, they steal HAR files, HAR files contain credentials for customers (again, super oversimplifying), used those credentials to get into Cloudflare's stuff. Cloudflare said, "hey, we got this settled, don't worry," but they still got into Jira, which then got into Confluence, which then got into Bitbucket, and they're like, "oh no, oh no, we missed one key, maybe two." We'll still never know. Anybody from Cloudflare here that knows the exact story and chain of events, let me know. But 5,000 keys, one day. That sucks.

Oh yeah, I should introduce myself. I'm Dwayne, I live in Chicago. I've been doing developer advocacy stuff since 2016, been in the DevOps space since 2014, in security for just about two years now, and I love the security space, there's so much to learn. I love you all. I co-host a podcast called The Security Repo Podcast. We have everyone from Jason Haddix to Jason E. Street and a lot of other people not named Jason on as guests. You should check it out, the link's there, but just Google it, we're the only thing called that. Oh yeah, very briefly, I work for a company called GitGuardian. We have stickers up here if you want stickers.
That's it, we'll come up later. Very, very sorry, this is not your fault, because you didn't ask for this, but your esteemed track chairs both made outrageous speaker requests, okay, and I need just two minutes of your time, if you don't mind, to deliver that to them. So, Sicily, here. Okay, so I know first you just said "no chicken" in your speaker request. This is not chicken, so technically I'm fulfilling that request, but I received an unofficial request verbally afterwards that you could change that to be a cat named after you. So I have here a kitty, a cat-themed Wi-Fi wardriving device that you can assemble, and I have named this one Seek Lean, after Sicily. Hold it up, could you hold it up for her? I could hold it up for her. So some assembly required, but there are instructions online, I can help you find them if you need. Thank you very much.

Okay, and then you, sir. I want to read specifically from the text, because you wrote, and I quote, "surprise me, I know how this works, you cannot offend me." Okay, so I think I'm absolved of whatever comes after this, is that... do you agree? All right, still friends no matter what? No matter what. Okay, your speaker request. [Laughter] Run! [Laughter] [ __ ] I won't make you put it on. [Laughter] Anyway, did I succeed? Yeah? Okay, undefeated. All right, I'm very sorry, thank you for the time. Yeah, sound, I'm sorry. Okay, I mean you all can literally just go watch this on the BSides San Francisco recording if you'd prefer that, and go do whatever you're doing now. Sorry.

All right, "I love how I didn't get anything but another speaker did." Just pointing that out, just pointing that out for next year. Feedback, it's critical.

All right, the good news. Oh yeah, yeah, so this happened, just to remind you if you haven't been paying attention: 5,000 keys need to be rotated in about a day. Oh yeah, GitGuardian, we do secret stuff that I'll come up later, I'll explain it then. We also do SCA, source composition analysis, but again that doesn't really come up here.

All right, we know how attackers behave. In fact, we know how they behave so much that we wrote it down, and we wrote it down in such a way that attackers read this and they know how to behave, which is kind of a weird paradox we live in. It's like when the Lapsus$ group... when somebody said, "hey, this is the Lapsus$ playbook," guess what, we just made a bunch of copycats that now know the Lapsus$ playbook, so vishing is only going to go through the roof. Thanks, everybody doing security research and being very public about it. But also the security research out there... I'm sorry, dude.

"So this one's on you. So you put in a request, an outrageous request: 'please accept this talk.' So we have, for the very first time in Security BSides history, accepted a talk purely because the speaker asked us to accept the talk. It was pretty outrageous. Now, this is the first and only presenter ever invited because of his outrageous speaker request. Hopefully the talk is decent, because we didn't read the abstract or anything. Actually, that's all BS, it's a great talk. There you go, there's your certificate."

Oh, thank you very much. I do actually appreciate that, that does make me feel better. Good, that loophole has been closed now, by the way, so you're all right. I'm going to leave that there for pictures later, I'll pose with it, $5 a picture, I'll go on the Strip and do it there.

Okay, point being, thank you, security researchers, who do tell us this stuff. I love Sophos so much. I don't use any of their products, but I read their reports every time they publish anything. Last year there was an interesting fact that popped up across all these reports that said the number one root cause of all of our
breaches are credentials: exposed, leaked, stolen. That's the first time ever that it's the majority, and that wasn't just Sophos that said that. IBM says this. Verizon DBIR said that; actually Verizon said 49%, but close enough. CISA said it's 54. Interestingly enough, Sophos said 17% are because of vulnerabilities. Theoretically we're getting better at patching, or we're getting a lot worse at the credential thing. So attackers depend on multiple things in the MITRE ATT&CK framework: on your credentials working when they find them. If they find a bunch of garbage they can do a lot of things with that, but they're expecting them to work when they use them, otherwise why would they try?

So, like I said I'd come back to: I work for this company called GitGuardian, and for the first prize of the day (you didn't know there'd be prizes, but for the first prize of the day, which is a surprise): who knows how many secrets we discovered on GitHub public last year? And if you've ever read this report, please let other people guess. This is Price Is Right rules, closest without going over wins. We can look up the exact number if we get down to that. Who knows how many secrets we found on GitHub public last year that were added just in the year 2023, just to GitHub public? By secret I mean an API key, something that grants access to some other system. 10,000? What? 10,000. 10,000. Another: 2 million? 2 million. A million. 100 million. Other: 10 million. One. $1, Bob. 50,000? 50,000. What? A million, one million, one. 475k? 475k. 42? 42, I love that answer, that's a perfect answer for a lot of things, but that wasn't it. I think 10 was the... I'm just going to cut it off there. 10 was the closest, because it was 12.778 million. So you win a... please pass that to her. You win an octopus that I crocheted on the plane out here. I like octopuses. Yeah, this is a shockingly disturbing number to me, anyway.

But the biggest problem is this keeps going up, not down. 2020 when they first published this report, which is a long story, another story I'll share with you over a drink, that's how I ended up working here, is because of that report. We found 3 million, and then they found 6 million the next year, and then 10 million. That's not cumulative, that's just added per year. How we write this report is: we're one of the companies that looks at every single new commit and every new public event that hits the API. It's roughly one point... one billion things, actions, last year that we ingested, and we look for secrets. We sent out pro bono alerts to all the committers, if it's a working email, if they're not on a ban list, to say, "hey, you did this, you should fix this," and we're trying to be good about it. We found, in the research last year, that we started looking for validation repeatedly, so the ones we could validate, out of the ones we did find that were valid, were still valid five days after they had been leaked: 90% of those, and we're talking millions. You can go read the full report to figure out the whole breakdown. It's free, no sign-up required, you can do it through an anonymous window and Tor or whatever.

So how did we get here? I ask myself this a lot whenever I'm looking at a problem, like why did we do this? Because I believe behind every good problem there's an engineer who had really good intentions. All you need to do is look at the UI on your phone and know that a developer spent a lot of time thinking about how their life could be better if they didn't have to program it, and then that got handed to a designer who messed it all up. But how did we get to the situation today? I think it started here. We had these things called UNIVAC and these giant machines that spread across rooms, and literal bugs were literal bugs. And how did we
guard this? Well, the Navy was involved (thanks, Grace Hopper), and we locked the door, we put a guard out front to shoot anybody that's trying to steal our secrets, and then they can't steal our paper punch cards that have all our data, and they can't mess with the hardware to sabotage it. It's literally the beginning of the warfare that we're still experiencing today. This is why there's no difference between the civilian and national security sector, in my opinion: it's the same game, we've been playing it the whole time.

Let's move forward in time a little bit to a more modern era. I just discovered this the other day, that Stephen Bourne, who wrote sh, his password was "bourne." That blows my mind, that the father of my favorite interactive thing used his own last name for a password. Anyway, but okay, we need to lock the door still. Can't mess with the hardware, because these are all dumb terminals that are connected to a mainframe somewhere, a big Unix box. But the main use case we're trying to solve is stop users from playing Zork on company time, because that's expensive, and sending emails from other accounts, I don't know, that was a big problem at Stanford in the early days, like you could just guess someone's super simple password and then hack your friends and have fun. And then The Cuckoo's Egg happened and it kind of got very serious very fast. Raise your hand if you've never read The Cuckoo's Egg. That is your homework assignment from me; I have several, but that is your homework. Go read it, it's a fun read. Clifford's a great weirdo, but he's a great writer.

And then jump forward to the modern era, quote unquote, and we got this thing where any server in the world can be any machine in the world, and it runs these things called websites, and we have applications now that run on the web that anyone can access. All you need is an address and a browser. So hey, TLS, SSL, great idea, stops the person-in-the-middle attack, or the attacker-in-the-middle attack. And passwords still work, right? Yeah, that's how I get in, that's how admin still works. And then we get to this madness. Thanks, ClickIT, I met these guys and told them I used them in the slide and they'd never heard of me before, so I was very happy that I got to use their stuff. We get to this world of very complex interconnected systems, and what did we do? We threw passwords at it, but in the form of API keys and SSH keys and certificate authorities at best. Who works at a company that has a dedicated PKI team? Good, I'm guessing it's a Fortune 100, that's what the numbers say, so to speak. So this prevents unauthorized access to your machine resources, and this is good. This is what the goal is: to stop people from getting through your admin.

All right, next prize. Guess, according to current research, how outnumbered we are, humans to machine identities. Very quickly: a human identity is a human who has to do something to interact with the system. A machine identity is not a human, who needs to interact with another system to do something. That's the definition I'm using. All right, any guesses? How... what? What do you get? I can't understand what you're saying, sorry, the mask. Never heard of. No. All right, so I'm looking for a number, because for a prize: a million? One million to one. 100 to one. How much? 10 to... 10 to one. 10 to one. 10,000 to... 10,000 to one. 50 to... 50 to one. Who said 10 to one? Oh, go there, okay, who said 10 to one first? You said it first, yes. You won the other octopus, that's much smaller because I ran out of yarn. Pass that back to her, please. And the correct answer, if we believe my good friends at CyberArk, and I love CyberArk for a number of reasons, they'll come up later too: it's 45 to 1. I think it's actually 46 to 1 according to the
next update, which means for every thousand people that you need to identify within your system there's 46,000 machine identities running around. And these are Kubernetes workloads, this is anything requesting a thing from another thing that's not a human. That's what that looks like, just to put it in blunt terms. This is the problem we're dealing with today. We have heard a lot at this PasswordsCon, and I love that we're talking about it, like how do we secure this person over here; I think there's some good paths there, I do, cracking aside and all the ways you can mean that. This is the problem set, and I think what got us to where we are today isn't the way forward. We can't just keep doing this over and over again, otherwise there's no future to look forward to, it's just pure hell we're walking into slowly.

So what do we do? First, I think there's these two things. Eliminate all credentials where possible. For some things that's entirely possible; there's a way to do that through IAM roles, depending on your system, depending on how you're set up. I'm not telling you what they are, but there are ways to accomplish that. You can march down that path, but you'll always have the problem that eventually you need two systems to talk to each other that you can't just give a role to. Think Salesforce versus Google Cloud. Yes, you have to interact with those things sometimes. When humans are involved, there's these things called phishing-resistant MFA paths: YubiKey, biometrics, YubiKey plus biometrics, the most expensive of the YubiKeys, but they work awesome. I love my computer because it's an M2 that I can have a fingerprint on and it opens things, and with 1Password I can do all sorts of crazy things with just my fingerprint. And then the last one: if you do have to use credentials, let's rotate them very, very, very, very fast. I got quoted in CSO Online a few weeks ago on an off-handed comment I made to the reporter. It's like, humans hate changing their passwords, but machines don't care, so we should be changing them a lot faster. He left off the last part, so it's just "machines don't care," and I'm like, okay.

That's what I think, and this is my opinion from here on out on this point of view, and you're welcome to argue with me out in the hall. But I think we have a clear path for humans overall, and it's called MFA, it's called ID verification; the first talk of yesterday talked about that deeply. For machines, it's a big old question mark sitting out there right now. So instead of going down and talking about all the question marks and the ways we can solve this (I'll get to that later, I promise), I'm going to talk about what we do in the meantime, and that's the auto-rotation, because that's something achievable, that's something people grasp, that's something other people in this room have given talks about. Thank goodness other people are talking about this out loud. And I think it boils down to just do these two things: you just gather all your secrets into one secrets manager, and then you set an auto-rotation policy. And I realize that's like telling you how to fly: just don't fall down. Thanks to ChatGPT for making this really stupid, weird image; the longer you look at it, the weirder it gets. Like what are those, birds? Are those... what is that? What is that? Anyway.

So a word of caution before we go any further, because I've had somebody at another talk say, "hey, I want to go do this, and that's like my full-time job now," and I'm like, no, no, it shouldn't be. Don't boil the ocean with this. You're going to have to go a step at a time. In fact, I think you should go bird by bird. Again, if you've never read this book, read it. Nothing to do with our field, but oh, it's such a great book. If you're going to write a book about birds, how do you do it? You go bird by bird. It's that
simple. So you go secret by secret. So you've got to make a plan, and that plan is going to involve multiple things, and this is what I think you should be asking. The first is: who owns this approach? For the third prize, which is not hand-crocheted, I promise, it's something cool: who knows at what revenue level your average company has a full-time IAM person? Like, that is their job: we handle IAM for the corporation. I'll use the word enterprise, not corporation: for the enterprise I have a dedicated full-time person, I report straight to the CISO, and this is what I do, we make IAM happen. What's the revenue line? A mil? What, 100 mil? 100 mil. Other guesses? Double Down Saloon. Double Down Saloon, that's not a number, but okay. 50 mil. 50 mil. 40? What? 1 million? A billion? One billion. What's that, the last one back there? 250 mil. 250 million. I'm going to give it to closest without going over. I don't have it on the slide, but this is research from RSA: it's $5 billion before a company's big enough. So I'm going to not throw this, because... I will come up and give this later. This is a frisbee, I'm going to hurt somebody, this is hard plastic, this will hurt somebody, so come up later and get that, it's yours.

So you've got to have somebody that owns the approach, and we can't wait till $5 billion. We have to get this now, we have to get a jump on it right now, but someone has to own this and spearhead this and be like, "this is the thing," and be the voice in the desert saying this has got to get done, this is what we've got to do, we're going to shepherd this through, this is the vision, we're selling it, we're doing it, we're loving it. Could be your CISO, could be your CEO. I hope it's your CEO; I would love to meet that CEO, though.

Second, you need to ask if your company, your organization, is mature enough to do this. If you were two people that just started on Pro sa last week, maybe not. If you are a team of 50 that have had a product out to market for two years, you're late to the game, that's what I think. But I think there's a map for this. That's what I get at in the talk I gave last year, and that's what that link goes to, is that talk. Not that talk, the research it's based on: the secrets management maturity model, something we came up with at GitGuardian to try to evaluate how people are going from "all my secrets are just everywhere, willy-nilly" to "oh, this is how professional enterprises with 20 to 30,000 developers deal with this day to day," and we help people figure out their place in that map.

Will your devs go along with it? This is a question you have to ask, and if the answer is no, maybe you need another company, because that's a culture thing I don't know how to fix. This is DORA metrics 101 stuff. This is, like, I don't know, I don't know that one. But there has to be a path for them, and I'll talk about the path I think is appropriate. And then you've got to ask, where are our secrets? The first rule of API security is knowing you have APIs. That's it, that's the first rule. If you don't know how many APIs you have and how many endpoints you have, you'll never be able to secure it.

All right, so let's make a plan. The only actionable one on this list I'm going to talk about is the last one, because let's assume you got all the buy-in, let's assume you figured out the path (we'll talk about three a little bit), but let's just figure that we've got answers to that, we've got a path, we've got a vision. First is, we're going to gather all our secrets into one manager. This is an oversimplification and the full extent of my artistic ability explaining what a secrets manager is. Developers, instead of writing their secrets
to the specific thing they're writing, write to a secrets manager and then call that secrets manager programmatically from the thing they're writing. That's it. Whether it's to get data, whether it's, you know, whatever they're doing, but that's how it authenticates, that's how it does authn and authz with it. Oh, sorry, the wrong way. So the basic needs for a secrets manager, in my opinion and in the research right now, are: it encrypts data. Encrypt your secrets at rest and in transit, very important. If you can't do it over mTLS, don't do it. Well, I guess you could do whatever you want to, but as long as it's encrypted in transit. It's available across all environments; this is hard, this is one of the hardest things on this list. Three, centralized reporting; might be the most important one on this list. If you can't keep track of it, you don't really have a vault on your hands, you have a list that you lost track of. And it's got to be easy enough, again, for developers to say, "oh, I can do that, that's pretty straightforward, in fact that's easier than what I've been doing."

Good news: if you're all in on a cloud provider, like you are 100% AWS, there's a great solution for you, it's called AWS Secrets Manager. If you are 100% on Azure, it's called Key Vault, which has great documentation; I'm going to give them credit where it's due. Secret Manager from Google Cloud you're going to have your own experiences with, but it's still there, it's still good. If you're 100% in it to win it, this is all you do, this is your answer. If you're in multi-cloud, that's where HashiCorp Vault comes in. This is where CyberArk comes in; they make a thing called Conjur, among other things they make. I love those people. Doppler from Down Under, they're from Australia, they are a wonderful company to work with. If you see them, go up to their booth, they're great people. If you've ever had an event with them, they're there.

So that's the secrets manager I'm talking about. So how do you use these, if you've never used a vault before? Has anybody in this room never touched a vault before? Okay, I can skip this part. You basically give a path to programmatically call something out of the vault. You put it in the vault programmatically, there's keys, I'm not going to explain all the encryption here, I don't have that much time, but you basically put a secret in it, you call it out programmatically. So instead of writing the hard-coded secret, you write this and you pull the secret out, it loads it in the environment at runtime, and you're good to go.

So which secrets do you put in? Again, we're going to go bird by bird. Which do you focus on? New secrets are an obvious win. Hey, we got a brand new project, great, greenfield is the best place to do anything. But in all reality we don't work in greenfields most of the time. So what's your crown jewels? What are you guarding the hardest? If it goes down, where do you lose the most money? That's how I think of crown jewels. walmart.com's support portal for customer service can go down for several days and they'll be fine, but if their actual payment gateway goes down, then that's bad. That was a joke on Walmart's part, anyway. Legacy secrets should go next, and then zombie secrets are last. What are zombie secrets, you ask? How many people know all the secrets that you have, all the passwords for your entire company, and for every system you've ever turned on? How many know how many systems are even running in your environment? Yeah, those are zombie secrets.

So how do you find your secrets? You write an email to your whole company and you say, list all your passwords in plaintext in an email. Obviously don't do that, that's stupid. So how do you actually do this? Well, there are tools for this. I work at one of the companies that founded this industry and built this stuff, GitGuardian. But TruffleHog is open source, they're awesome, they also have an enterprise product. Gitleaks: the person who invented Gitleaks now works for TruffleHog, so is it still maintained? That's a question. But awesome products. Again, I'm never going to say anything bad about open source, because they're doing awesome stuff in the open source world. There's other companies like PingSafe, and there's other people that do this, but PingSafe is just the first one that came up on "who competes with these two." All right, so we scan and we find all the secrets, put them in one place. I'm not
going to sell you on the virtues of one approach or the other, but eventually they're in one place, a platform, a list somewhere. Okay, we got them all, we found them all. Now we set an auto-rotation policy. The script logic needs to work simply like this: you need to create a new secret for the one that's in play; test that that new secret will actually work, through some kind of method (that's optional, but highly recommended); swap it in for the new secret; make sure that nothing broke; and then clean up the internals from the step. Basically blue-green deployment: hey, there's the blue one, the green one's right here in case you've got to roll back. HashiCorp Vault has this as a built-in button: we've got to roll back, bam, we're done. In fact, yesterday there was a whole talk about this exact thing that you can go find online right now that will talk way more about the details and the specifics of how to do this properly than I can possibly get into from this higher-level talk. So, perfect, thank you so much for giving this talk yesterday, Ken, and go ask him if you have specific questions about implementing HashiCorp Vault, not me.

Set up for success. All right, so if you're all on a cloud provider this is actually really easy to do. In fact, where I got this list from was reading all the scripts from AWS and how they do it. This is their formula, but all the formulas are the same. It's the same cake you're baking; order of operations, where the testing goes, A, B, C, like whatever you're labeling them, that's going to vary. But again, if you're all in 100%, there's a path for you, it's pretty straightforward. In fact, they wrote it for you, you don't have to do anything, you just go pull this, throw it in the right field, and you're done. You've got to name some things, but obviously you're not 100% done, you're 80% done. Hooray. If you just want to see how this works, again, all open source, you can just go look at this all day and study how they did it.

Multi-cloud is going to be a little bit rougher, because now you have to figure out if there's a way to update or request a new secret, or even interact with the secrets, from the APIs. For most systems, for most modern systems, there'd better be, and if there's not, you call them and say, "you give me this or I'm going to your competitor that has it," because this is mandatory for the future. And then you have your vault system interact with that system. This is why I like CyberArk, because Conjur does this; they have a way, a path, to call external APIs to trigger this. CircleCI looks like that, Slack looks like that, doesn't matter how you call it, these are just trial examples. The idea is the more important thing here.

And then I think there's a world where we can tie all of this stuff together really well, and that is we use the secret detection tools we already have, and that's how we found them in the first place, to further automate the process. So upon discovery (because you should be constantly scanning for secrets; it's not a one-and-done thing, it's not SAST, where "I'm scanning for vulnerabilities right now in this version and we're good because we won't add any more problems," right? No), this is every new time you touch the code, we
have got to make sure again that no one put a plaintext secret here or did something that will expose a secret. So let's find any secrets, and then let's go check in the vault: might be, hopefully they are. If they're not in the vault, let's put it in the vault. And here's the part that's a little bit tricky, but why I think it will work with the developer: let's go ahead and change the code. Let's go ahead with scripting logic to say, if we're calling a password to this system, here's the exact call that would look like if we were calling it in Vault, and this is it: go ahead and make the PR. That's a lot of logic, that's a lot of steps, I oversimplified there, and I'm realizing now that should be three slides, but again, when you write your talk three minutes before you get on stage you forget things. And then eventually you rotate the secret. But this is possible. There's a great language called bash, based on this thing called sh, which a guy used his own last name as a password in, which is weird, but it still works. Bash is universal, it's true. Python works too, I guess, if you like Python. But if it's true that you found the secret and it's already in the vault, well, you still need to make the PR to replace that line of code, but now all you've got to do is update the secret. You don't need to put it in the vault, you just, like, "oh, this is probably already accounted for somewhere, let's just call it," hooray, we rotate, we win.

And if you're thinking right now, who on Earth would do this? We did this, minus the auto-PR step, but again that's scripting lines you need to modify based on your specific setup and needs, write it yourself. But we've got the rest of the scripting and logic for you. It's called Brimstone, is the thing we ended up calling it. The actual GitHub repo, which is linked if you click that, is a really long name that CyberArk came up with, but ultimately Brimstone was the name we all settled on. Brimstone, and I forget the name of the thing it's built on, but basically Brimstone's the last thing. Yeah, it does this auto-find with us, communicates with CyberArk, lots of steps in here, and right now you probably are thinking like I was thinking when I saw this: oh. And there's a full demo of this. This, again, isn't vaporware, you can go do this right now, but you can also watch the videos of how we did this, and it's all open source, like Brimstone itself is open source. You can dig through and see exactly how the calls are made and how we're accounting for the fact that we can't communicate, or shouldn't communicate, a plaintext secret over the wire between two systems. We've already thought of that, don't worry. This involves hashing and fingerprints and a lot of backflips. But if you're like me and you think, "this is a whole new level of middleware I've got to run, wow, that's brittle, who's going to maintain that?" I don't disagree with you. This is possible, though. This is the current, where we go next, but it's not where we're going eventually. It's how SBOMs are a step in the right direction, but they're not the final point. This is our next logical... I can't possibly do the thing you're about to
talk about next but I can do this and we can get here and we can get here we can get there I think because I think instead of all this and hear me out password KH um we just accept that credentials the way we've been doing them are a terrible way to approach machine identities just fundamentally we made a mistake 40 years ago 30 years ago when we start having two servers talk to each other and need to identify that adding a password in the mix was especially a Long Live password that never rotates was a terrible idea so what do we do instead welcome to the world of spiffy I love the cloud native security com Cloud
native security Foundation I love op ssf I just spoke at Cloud native security con like three weeks ago or very end of June so wow we're already in August the very end of of June and back in Seattle and there's so much excitement and wonderful motion happen around in this world I'm going to dumb oversimplify it because again I'm almost out of time but imagine a world where everything just gets a name space that can be checked by a Federated certificate Authority system universally that says yeah you're you here is a CT that lasts just as long as your request oh you can't do it a 509 sht here's a jot not as good but here it
works hey you can have the request as soon as the request is finished bam it's vanishes it never existed anybody finds it it's useless all you know is what search look like and what a jot looks like and when it expired I guess spiffy is secure prote uh production identity framework for everyone invented for kubernetes by people that built kubernetes and expand it out to the whole rest of the world Spire is the implementation so if we think of o off as the set of ideals that we should be chasing and why it's not in a proper framework you can think of um open connect ID as the thing that you implemented Spire is the thing you
implement they're both open source ideas uh I didn't put them on the slides but uh there's companies doing this now as a service ISO is the one the tons that jumps to mind there's others they're just the first one I'm going to name take a time let's move on oh yeah so this is what it basically does uh yeah again I'm just reading a website to you at this point um but the important thing is that you can have one Central Cate Authority that might go down might be unreachable or you Federate this across everything and you side car this in the world and this just becomes how we think about this from a developer standpoint this is one extra
line of code they need to throw in and never have to think about a password ever again it just magically works that's a promise that I've seen fulfilled on stage I watched someone Implement mtls by hand on a talk that's online from cloud native security con uh imp Implement mtls by hand over the course of about 10 minutes painfully and account for it on all the clients and then she did this and three lines of code later magically mtls for every communication there is a much much much better talk than what I just gave about it from cloud native security con this year that's the link to it highly recommend you watch it this is the most
entertaining talk I've seen in years about the story of crush and how he identified and how we talked to to the postris squid and like all they they used under the sea whole thing it's beautiful but it explains the concept brilliantly in the future the problem I think with it and this isn't really a criticism is that they live three years to 5 years in the future the people building this they kind of do I love them and they're going the right direction and they're telling us where we can go next but I don't know a lot of companies that can jump to this right now small companies new projects absolutely this instead of building the other thing I
talked about you're an Enterprise this is where you're eventually going to be headed search for everything pki everywhere I am run by a team that's not security because it's I so in conclusion this is where I want to be at 3: in the morning I want to sleep there I want to be not worried about someone breaking into my stuff or that a password got stolen or that someone got in because of a password all we got to do is gather all your secrets into one place let Set an auto rotation policy it's all we got to do I know that's that's all we got do that's all we got to do I know it's like
saying just don't fall down just don't fall down but we can do this if we don't try to boil an ocean we can just do it Bird by bird and think how am I going to deal with this secret and make sure this one doesn't leak and if you only do one secret a week that's 52 secrets you do in a whole year maybe 50 with vacations that is so much better better than where we're are going right now it doesn't keep up with it so hopefully you'll go a lot faster once you figure out how to automate things but start small and it leads to very large things eventually this is where I think we're
going but we can't jump here I think for the most part because the way Enterprises work today and the fact that not all services agree on this and not all services not all Cloud providers agree on this but conjure and cyber Vault uh and hash Corps Vault both do you can use that as a springboard to get here I left that part out earlier sorry I got a little out of order anyway I'm a Dwayne I love Chicago check out the security repo podcast we have all sorts of great guests and uh if you weren't I Loved karaoke I did karaoke last night if anybody wants to do karaoke tonight we'll make it happen and with that uh
yeah I'll open up for any questions and that's where you can get the slides questions
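The detect, fingerprint, check-the-vault, rotate, open-a-PR loop the talk sketches for Brimstone, as an added worked example written by the editor; it is not Brimstone's own code, and it does not use CyberArk's or HashiCorp's real APIs. It assumes an in-memory vault that can be queried only by fingerprint, a shared fingerprint key, a `vault("path")` reference syntax for the PR edit, and a toy `name = "value"` detector; the sample config is constructed. The point it shows is the one the talk alludes to: the scanner never sends the plaintext across the wire to ask "do you already manage this?", it sends a keyed fingerprint, and whether the answer is yes or no the leaked value is retired.

```python
"""Added example (editor's illustration, not the Brimstone code from the talk):
scanner finds a hard-coded secret, asks the vault "do you already know this?" by
sending a keyed fingerprint rather than the plaintext, then onboards or just
rotates, and emits the line a PR would substitute. All names are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Assumption: scanner and vault share this key (in practice it lives in the vault).
# HMAC rather than bare SHA-256 stops a stolen fingerprint list from being used to
# brute-force short or low-entropy secrets offline.
FINGERPRINT_KEY = b"example-shared-fingerprint-key"

# Constructed sample config: one credential the vault already knows, one it doesn't.
SAMPLE_CONFIG = """\
db_host = "db.internal"
db_password = "hunter2-prod-password"
api_token = "tok_live_0123456789abcdef"
"""

# Toy detector: `name = "value"` where the name smells like a credential.
SECRET_PATTERN = re.compile(
    r'^(?P<name>\w*(?:password|token|secret)\w*)\s*=\s*"(?P<value>[^"]+)"',
    re.IGNORECASE | re.MULTILINE,
)

def fingerprint(secret: str) -> str:
    """Keyed fingerprint: this is what crosses the wire instead of the secret."""
    return hmac.new(FINGERPRINT_KEY, secret.encode(), hashlib.sha256).hexdigest()

@dataclass
class VaultEntry:
    path: str
    version: int

class FakeVault:
    """In-memory stand-in for Conjur / HashiCorp Vault, indexed by fingerprint."""

    def __init__(self) -> None:
        self._by_fp: dict[str, VaultEntry] = {}
        self._fp_of: dict[str, str] = {}  # path -> current fingerprint

    def _store(self, path: str, secret: str, version: int) -> None:
        old = self._fp_of.get(path)
        if old is not None:
            del self._by_fp[old]  # the superseded value must stop matching
        self._by_fp[fingerprint(secret)] = VaultEntry(path, version)
        self._fp_of[path] = fingerprint(secret)

    def lookup(self, fp: str) -> VaultEntry | None:
        return self._by_fp.get(fp)

    def onboard(self, path: str, secret: str) -> None:
        self._store(path, secret, 1)

    def rotate(self, path: str) -> str:
        """Mint a fresh value and return it; the leaked value is never kept in service."""
        new = secrets.token_urlsafe(32)
        self._store(path, new, self.version(path) + 1)
        return new

    def version(self, path: str) -> int:
        return self._by_fp[self._fp_of[path]].version

@dataclass
class Action:
    name: str
    path: str
    kind: str         # "update_reference" or "onboard_and_rotate"
    replacement: str  # line the PR substitutes for the literal

def triage(source: str, vault: FakeVault, app: str) -> list[Action]:
    """Find literals, consult the vault by fingerprint, rotate, and plan the PR edit."""
    actions = []
    for m in SECRET_PATTERN.finditer(source):
        name, value = m.group("name"), m.group("value")
        entry = vault.lookup(fingerprint(value))
        if entry is None:
            path, kind = f"{app}/{name}", "onboard_and_rotate"
            vault.onboard(path, value)
        else:
            path, kind = entry.path, "update_reference"  # already managed
        vault.rotate(path)  # either way the value that sat in the repo is retired
        actions.append(Action(name, path, kind, f'{name} = vault("{path}")'))
    return actions

def patch_source(source: str, actions: list[Action]) -> str:
    """Produce the PR body: each detected literal becomes a vault reference."""
    by_name = {a.name: a.replacement for a in actions}
    return SECRET_PATTERN.sub(lambda m: by_name.get(m.group("name"), m.group(0)), source)

if __name__ == "__main__":
    vault = FakeVault()
    vault.onboard("legacy/db_password", "hunter2-prod-password")  # vaulted earlier
    for a in triage(SAMPLE_CONFIG, vault, app="billing"):
        print(f"{a.kind:18} {a.path:20} -> {a.replacement}")
    print(patch_source(SAMPLE_CONFIG, triage(SAMPLE_CONFIG, vault, app="billing")))
```

Two design points worth noticing. The fingerprint is an HMAC under a key both sides hold, not a plain hash, because a plain SHA-256 of a weak password is trivially brute-forced by anyone who obtains the vault's fingerprint index. And the example drops the old fingerprint the moment a path is rotated, so a later scan that finds the same leaked value in another file will report it as unknown and onboard it afresh; a production version would keep a "retired" index so it can recognise an already-rotated leak and skip straight to the PR.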
[Audience] I'm sitting here going back over 20 years of domain administration and going, okay, that's nice in the sense of getting to one, but realistically, when you're talking about passwords for everything from routers to switches to laptops to LAPS, all the domain admin crap that you need to deal with and the legacy crap that's still in all of our environments, how do you handle that? To one, or do you go to two or three? What's the theory on that?

[Dwayne] One, two, three, meaning?

[Audience] Like, if I stand up... okay, here's my experience. New organizations start up born into the cloud, ops from the beginning, totally perfect, 100%. An organization that's been around for more than 20 years has a legacy AD architecture that maybe halfway split into Azure, but you've still got... think of what happened with CrowdStrike. The local password was the issue for people being able to get into that machine, and you use something like LAPS to constantly rotate that, but that's not centralized into Azure AD or the secrets manager within the cloud. It's actually still a one-off credential that is out there. So I can use one for my cloud environment, but for the rest of this, how do we handle that?

[Dwayne] Well, that's where enterprise vaults really come in, and something that somebody at CyberArk, I forget his name, Evan, I can't remember his last name, said in an interview I did with him once: "I'm not telling everybody to put everything in CyberArk and we are the be-all and end-all, but you can coordinate through us to have a view into everything." And if you can get to there, where you know about everything and everything is centrally accounted for, that should be where we're marching to next. That's why that's first: let's figure out what we have. So it's hard. One of the problems with SPIFFE right now, and SPIRE the way it exists right now, is Postgres can't account for it. You can give it a JWT, but that's janky at best, but it's Postgres we're talking about; like, how much of the internet is Postgres right now? So this isn't a solvable problem like "I have a simple pat solution for you," unfortunately, but those are the conversations that are driving right now and that we're trying to solve. I'm not trying to solve them, but the people that are building the stuff are trying to solve it. There's not a great answer for that other than: if your vault systems can't account for on-prem, cloud and all your endpoint devices, you need to have a conversation with somebody that builds vaults like that, that makes those. Like, HashiCorp would love to have that conversation with you. I'm on the other end of it: I'll help you find your secrets wherever they are. You got a log? I can find it.

[Host] Any more questions for Dwayne?

[Audience] So I'm going to ask you a question that we had to deal with on our side, as evangelists of this, and I have a solution that I don't know how well I like, so I'm curious what yours is. No matter what, once you collect all of your secrets, you're going to find some stuff that is just for crap applications that never thought anyone would ever want to rotate it using an API. So the only way for you to get in and change it is to log in as a human, do a two-factor push, click through five shiny UIs, and eventually you press a button that regenerates something and you've got to copy that out. How do you deal with that, or with credentials of that type that are just not suited to automation, when collecting them in a vault and trying to rotate them?

[Dwayne] I wish there was a good answer to that other than business case. If it's a crappy service that's not being used, or being used in one place, that's a bad business case for using a tool. If there's a clear cloud provider solution that is modern, that you can hit with an API endpoint and do everything you need to do, that is comparable in price, what's the refactor cost? At some point, and this is the truth, every business needs to roll the dice and say, "if somebody took this over we would lose $5; I'm okay with that. If someone breaks in and steals our crown jewels, our company goes away and we all lose our jobs." Those are the very end extremes. The other example I like to use on the low end is a folder full of cat photos: sure, I want everyone on the internet to see that; I don't care what the password is, I don't care if I can rotate the credential, I don't care. And that's it: you have to care, and I don't know what your business cares about, so that's why it's a hard question to answer. But you're describing a world with ClickOps, and we've got to get away from ClickOps, but that's a whole other discussion. In DevOps, ClickOps is dead; it died years ago, it just keeps lingering, and the Microsoft community keeps it alive.

[Host] Okay, questions? No questions? One last one, one last one, out of time.

[Audience] Yeah, and I'm sorry, it's not a question, it's more of a Jeopardy answer. Clifford Stoll, the author of The Cuckoo's Egg, yeah, now runs this topological business out of San Francisco: Klein bottles.

[Dwayne] I didn't even get to do... I'm sorry, I broke it for you. Yeah, Clifford Stoll, out-of-work astronomer who got a job and tried to track down a 75-cent discrepancy at a time when it was $300 an hour to rent the machines. It's an amazing book; don't reveal the secret; amazing book. His current business is selling Klein bottles; he has the largest collection of Klein bottles in the world. They're one-sided objects, they're amazing; it's like a three-dimensional Möbius strip.

[Audience] Yeah, I was buying one just to get the jokes that come with it.

[Dwayne] I've never bought one; I'm going to buy one today. I'm buying one today. Oh my god, I want to see this. I can probably find it online, but I'm going to support Clifford Stoll other than by just reading his book; it's freaking amazing. And also, if you're like, "I do not want to read a whole book": one, read the book, but two, there is a Nova special from 1990 starring Clifford Stoll called The KGB, the Computer and Me. It's free on YouTube, and it's all the people, the actors, like every actor is actually the real person they could get from the real world that experienced this, that's in the book, they got to be in the Nova documentary. So you're getting to watch real history unfold. It's amazing.

[Audience] And do you also know that in Germany they made a movie about that thing, seen from the hacker's perspective? They make movies outside of the US; that does exist.

[Dwayne] Yep. Ever heard the phrase "torrent"? You might be able to find it. Pirate Bay shut down, man. Did I say that on YouTube? Oh [ __ ]. Okay, yeah, well, okay, so anyway, thank you. Yep, enjoy the rest of your BSides. [Applause]