FAQ

How should Dev, Ops, and Security collaborate on secrets management?

Learn some pro tips for how to divide the work of secrets management among the three main roles in IT: Dev, Sec, and Ops.

Transcript

When you're implementing a secrets management solution there are many stakeholders involved; many different personas that are interacting with the secrets management solution. It's no longer just something that you store a bunch of secrets in and people build their own secrets management solutions for their own application, because it's too difficult to interact with whatever was rolled out. What we want to do in this modern era of infrastructure automation technology is ensure that all the different stakeholders are agreeable with the secrets management solution that's rolled out.

If you look at the three common personas...

The developer: This is the consumer of those secrets. I'm a developer writing a Node.js app and I need Postgres credentials. I want to make it as easy as possible for that person to retrieve those secrets.

The operator: We have the operations team, which is actually standing up the secrets management solution and the underlying infrastructure for those applications to run on.

The security expert: We have the security team, which is managing access to those secrets. They're managing the governance around who can do what, ensuring that we're adhering to our auditors.

Now, the most important part is that these teams are collaborating. These teams are talking together so that no one is being left out. If we go too heavy on the governance and security side, and we're not solving for the ease of use for the application developers, they're just not going to use the tool, or there's going to be a blocker in the way of them actually rolling out their application.

We want to create efficiencies for the application developer, so that they can fix bugs and roll out new features as quickly as possible. By working together across the dev teams, the operations teams, and the security teams, you're able to agree on a solution that has the right amount of security, but also allows people to be innovative, and allows you to scale in the way that you need to as a company.
