
A

So.

B

Good morning, we've got folks coming on in. Alena, are you ready to go?

B

Yes, I am. Okay, that was my check. That's fine. Should I...

C

Share the slides? I got it.

B

I have all of it all this product.

B

Awesome.

B

I'm going to give it a couple more minutes, because I don't have anyone that came by my desk and said regrets this morning. So we'll.

B

See.

B

Oh yeah, hello.

B

Liz, I will pass to you when we start; just kind of waiting on a few more folks to be able to come on in.

D

All right, yeah, just... let's see who's...

D

Only a couple of minutes past. Give them another

D

Minute.

B

It is also that delightful week of "what is time anyways". I so nearly got this wrong.

D

This week, that was.

E

Yeah yeah.

B

It's that wonderful week, it's my favorite

B

week.

D

All right, looks like we have stabilized on 28 people at the moment. So hello everyone, welcome, let's get started. Normal introductions apply. Hello, you made it, welcome. Okay, and we have the tech radar. This will be very exciting. I can't remember, who do we have to present the tech radar? Do we have... I have.

B

Alena, on there.

F

Hello.

C

Hello to you, Alena, thank you. All right, hello everyone, my name is Alena. I'm a software engineer at Apple and one of the CNCF TOC members, and today I'm going to be presenting the CNCF End User Technology Radar on Secrets Management that got published last week. Secrets management involves tools and techniques to manage secret data like tokens, passwords and certificates, and it becomes more essential and complicated as the cloud native ecosystem grows, because the microservices need to talk to each other, and they need to talk to each other in a secure manner.

C

Next, please. Now, what is a technology radar? A technology radar is an initiative from the CNCF End User Community, a group with over 140 companies that meet regularly and discuss challenges involved with cloud native tools adoption. The goal of the CNCF Technology Radar is to share the tools that are actually being used by the community and the tools that end user companies recommend using. It is community driven.

C

The data is contributed by CNCF end user companies and the radar is created by community representatives, and the initiative focuses on future adoption. That's why we went with three rings: Adopt, Trial and Assess. Adopt is when the technology is clearly recommended by the end user community. Trial is when companies use it with success and recommend looking at it. Assess is when companies try it out, find it promising and recommend keeping an eye on it.

C

Next, please. 79 companies participated in the Secrets Management technology radar, and the results were somewhat interesting and surprising. The variety of tools used for secrets management by different companies was wide, yet we were able to identify some exciting themes of how people use secrets management tools.

C

Next, please. Much of the radar team was initially surprised. Oh, next please, just so we can see the first theme: that Vault was the clear winner, as it got the broadest adoption across many companies. Vault is a very mature solution by HashiCorp, yet it's not the easiest one to use, and it is a rather complex tool with a high operational burden. But the adoption was high, and the more we looked at it, the more we realized that it makes sense.

C

If you're a small company, you would most likely offload your secrets management to a company who knows how to do that. Also, it is a very good tool because it's a cloud agnostic tool, and if you're unsure of what cloud you're going to operate on, or if you are operating across multiple clouds, public and private, Vault is a great solution for that.

C

That was our first theme. Next, please. The second theme was that we've noticed that companies tend to choose the secrets management solution that is native to the cloud where they run their workloads, and it's very natural, because you tend to look at the solutions that are available out there. The tools that we got listed in the technology radar were AWS Secrets Manager, GCP Secret Manager and Azure Key Vault.

C

And although it's a very natural move to use the secrets management solution from the cloud where you're operating, we recommend taking a broader look and considering using a cloud agnostic tool, especially if you're considering extending your footprint across multiple clouds.

C

Next, please. The third, a very interesting thing that we found, is that cert-manager got very high adoption in a very short time in the Kubernetes ecosystem.

C

cert-manager is the Kubernetes native tool that is used for managing certificates, rotating them on a regular basis and ensuring that they are up to date. It offers high integration with the rest of the Kubernetes ecosystem, and we believe that secrets management is top of mind for everybody who uses Kubernetes.

C

That's why secrets management is such a widespread solution. Next, please. Other solutions.

C

Besides Vault, the public cloud solutions and cert-manager, the results were very fragmented in the technology radar. We usually offer a list of tools to go by, but then, as a user, before voting, you can put in your own solution that you use in-house. Something we didn't think of initially was that, for example, people were using encrypted data bags with DevOps tools like Chef, Puppet and Ansible, and these solutions were some of the solutions offered by people and put on the list by people, but they did not get wide adoption across companies.

C

That's why you don't see them on the radar. One result that we were surprised by is that some solutions like SPIRE, for example, which is an incubating CNCF project, didn't get enough adoption yet to be put on the radar, and I think we know the reason why: it's a rather complex tool that covers many

C

areas, and people are experimenting with it, and it might take time for them to get to full adoption and put it in one of the technology radar categories.

C

So these are the four themes that we've noticed in the Secrets Management radar process, and we are curious to hear your feedback and hear about the secrets management solutions that you use in-house. That's it! Thank you.

B

One question in chat. Actually, there's quite a few questions in chat, take that back. So where do you want to start? Because the first one is: how does this particular tech radar response compare to other subjects done previously? And then there's a question from Liz as well. So, Jim, Liz, do you want to raise your questions by voice?

G

Yeah, I, Jim St Leger, was just looking for some comparison. I don't know if... I think Cheryl chimed in, you know: 29 companies, 79 votes. You know, is that a good, is that a better or worse response than past tech radars we've done?

H

It's a similar number of companies who've responded.

H

The number of votes in this case was lower for the ones that actually went into the final radar, because there was a very long tail of projects and products that only had a handful of votes each, and it was thought that, with only a few votes, it wasn't fair to make a judgment on them.

G

Right, okay, thank you.

G

Welcome.

D

Liz, I'll pass to you next. Yeah, I mean, Alena mentioned SPIRE not making it onto this assessment, and I just wondered whether, because it's not really a general purpose secrets... As I understand it, I think it's more around identity.

C

That's right, that's one of the reasons.

D

Yeah, so not necessarily.

C

Comparing.

D

Apples with apples.

C

That's right. It was mentioned on the list, though, it just didn't make it to the radar.

D

Yeah, okay, yeah! I don't think we need to... I guess what I'm saying is, I don't think we need to read anything negative in there about SPIRE, because it's, no, no.

C

They wouldn't have been central.

D

To this, isn't it? Not

C

at all, yeah.

D

Were there any other tools missing that we might have expected to see there?

C

Good question. I guess it's a good question for the audience as well. Are there any tools that you think should have been there and you don't see?

D

Yes, Conjur does come to mind.

F

Cheryl, I didn't remember if we had it on the list. Yeah, Conjur was on the list.

H

SPIRE was as well, as you said.

H

Secretless, I don't think so. It came down to the companies that were contributing to it, so they could add extra suggestions to the list of products and projects. I guess in this case they didn't. Keywords was on there as well.

C

Yeah, cert-manager, cert-manager is here, it is... cert-manager is on the radar.

I

It's really not a secret store or a secrets management solution per se. It's more a certificate distribution mechanism, right?

C

That's right, yet it ensures that your certificates are secure, in a way that they're rotated on a regular basis and maintained in a reliable and secure way.

I

Yeah, there seems to be contention between what we traditionally call a secret, like certificates, which are more identities than secret material, and perhaps the scope should be brought into authentication technologies, which encompasses both: it touches both on proof of possession as well as on identities and recognition technologies. That's where SPIRE and cert-manager would be.

C

A good point, yeah.

J

So hi, I'm from HashiCorp, so it's good to see Vault up here, but the way we think about this often is, in order to worry about identity,

J

there's a sort of dividing line between human and machine: human to machine authentication and identity is very different from machine to machine identity, recognition and differentiation. And so sometimes we wind up in a situation where people are talking about their identity or secrets management, and you have to kind of chop down to the next level about what they mean by that. So authentication and authorization

J

for, you know, individuals to access machine services or capabilities, service endpoints,

J

is traditionally handled very well by lots of single sign-on providers, Okta and Microsoft solutions, but the machine to machine market is where secrets management winds up becoming the most natural thing to do. People have gotten by with certificate rotation, but once they actually realize they've got to do some real secrets management, that's where Vault points are becoming super popular. And so we noticed that a lot, well, this chart on the radar looks very much like what we see when we're talking to customers.

J

The only obvious one that is missing is CyberArk, which is usually the incumbent solution, if someone's got something like this, that we're displacing when we're talking to them. So.

J

Yeah, that's true. It's a fair point. Vault support for both secrets and PKI, maybe that's the root cause for this.

D

What were people thinking of, or what's included under the encrypted repositories item? I guess one question I have when I see that is, well, where is the secret store that decrypts whatever's being held in the repository?

H

Hmm, my impression was that the secret was actually in the repository, and that was the bit that was encrypted, but I don't know in enough detail to confirm. I don't know, because it, yeah.

D

Because I guess you can have encrypted images. I guess you can have encryption in the repository itself, whether we're talking about images or some other entity, but you need to get hold of a secret somehow to unlock that. That's quite intriguing.

K

Yeah, I think that's the master key, right? I think that's what you're talking about, right?

D

Yeah yeah.

K

Yeah, I think in Vault, I don't know if it has changed over the years, but I looked at it a few years ago, and they were keeping that in memory. So essentially you had a cluster, so they recommended redundancy, where you had several nodes, like, you know, maybe three nodes, and that key was actually stored in all of the nodes.

K

So if one of the nodes actually went down, then you still had the master key lying somewhere. But then the question came up: what if all the nodes went down? Where would that master key be, right? But I don't know if they've actually changed some of that implementation over the years; they might have.

K

They also have some capabilities for HSM, which is a hardware encryption appliance, I guess, where you can store maybe master keys and some credentials.

D

I think HashiCorp, or Vault, has some really nice technologies around secrets that can only be used a limited number of times or for a limited time frame, which is really good for that bootstrap problem.

D

You know, if you've got a one-time use key, you're either the legitimate user of it when you use it or you're not, but then you know, when you try to use it, that somebody illegitimate already used it.

I

Yeah.

H

I hear a couple of things from

I

what Lewis and Ricardo just said, to Liz's initial point there: there are a number of databases or repositories that can be encrypted that will act as your secret storage.

I

In addition to that, what Ricardo said is, if you're placing any secret in there, you're going to need a decryption key to take it out, and in order to secure that decryption key, or like storing that decryption key somewhere,

I

you need yet another secret, and it's turtles all the way down. That's often what's referred to as secret zero, and then there's an overlap there with identity systems as well, as you can break that turtles-all-the-way-down by, say, using cert-manager, using SPIRE, to use that identity as the decryption key and not have to worry, well, at runtime

I

you can attest the provenance of this, or the shape and size of this, or the code fingerprint, and based on that you no longer need decryption keys, because you can use that as the master key.

I

So, with everything that is discussed, it would be really good to extend the report, or do a write-up in addition to it, because there's plenty of nuance that's not getting covered, and I'm afraid that people who are seeing this for the first time would walk away with the wrong ideas or the wrong perception, and actually not know of a bunch of other ecosystem components that can be elevated, or can be discovered and put in use, to have better security in place.

D

Yeah, I wonder whether it makes sense to have, you know, security... is that the obvious contact point here, to maybe add a bit of color around this?

D

Cheryl, is this... so this is already published?

H

Published, right, it is published. I mean, we can do whatever we want, right? We can make changes to it. So the radar team that created this, I don't want to speak on their behalf, I don't want to change the judgments that they made with this. I think if security wanted to take this as a starting point and then publish a more nuanced discussion or suggestions on it, that would be fantastic.

H

I think that would be great.

D

It might be very interesting. Actually, Ricardo's just suggested this idea of breaking down the different solutions by categories.

D

I wonder if it would be possible to go back to the end users and say, here are, I don't know, 20 different tools, but broken down more into those categories, like: what's PKI? What's certificates? What's application secrets? However we want to break it up.

H

And this is actually really interesting. We had quite a lot of discussion when forming this report about whether this truly was secrets management, or whether this covered various categories, and which ones, so I agree. Actually, the range of products and projects listed here doesn't quite match just secrets management.

H

We're unlikely to revisit this exact topic again, because every quarter we pick a different topic and do something differently, but I mean, Ricardo, if you wanted to shoot me an email afterwards, then maybe we can figure out something you could do.

I

Cheryl, and I am Andreas, one of the TLs for SIG Security, happy to work with Ricardo as well.

H

Great, yeah, that would be fantastic. I'll drop my email into the chat, and I think this has always been just a starting point. I mean, it's always opinionated, always biased, and the more we can use it to expand on this and give experts like yourself the opportunity to respond to it and add more nuance, I think the better for everybody.

D

And it's a point in time, right? Things are always gonna move on, but I do think this is very interesting.

C

It's also very similar feedback to the previous technology radars, like on observability and databases. Everywhere we can benefit from nuances and follow-up reports and conversations, to be more detailed and in categorizing the items from the radar.

D

Ah, Cornelius pointed out that key management is a separate category in the landscape compared to security and compliance.

D

I seem to remember there's all sorts of areas of the landscape that are perhaps not quite, you know... Those categories were drawn up some years ago. Maybe it's time to revisit those.

L

There is security landscape work going on, trying to improve that area as well. I'm not sure actually where it's at exactly, but there's been some work on that.

A

I think there.

L

was a definite unhappiness about how the thing was classified and what was in it.

I

Yeah, for the security landscape, we're treating secrets and identities as distinct, as separate solutions, and have made very different considerations for the problems they solve.

I

In some cases you can use both in combination, and in some other scenarios you may solely use one over the other, but yeah, they have very different properties, very different behaviors as systems.

H

So I have a little side project that I'm currently working on, a little side group, which will provide feedback to things like the CNCF landscape to improve it. I wasn't going to announce it for a couple of months, because I'm still trying to get it together and get something useful out of it.

H

But feedback like this would be fantastic, because then we can just go and change it and update it. So there is a mechanism; I'm trying to figure out exactly how this mechanism is going to work to improve the CNCF landscape and other assets owned by CNCF, other content assets.

H

That's great, Cheryl! Thank you.

D

Do you know, when the end user technology radars are done, I know that the members of the committee for each radar can suggest whatever solutions they feel are appropriate, do they actually look at the landscape as well?

D

They do, right.

D

So if we do have some lack of clarity in the landscape, that's going to be, you know, feeding into a vicious cycle there, isn't it?

H

A little bit, yeah. I think this was again one of the ones where we looked at the landscape, and I was like, some of this makes sense, some of it not so much. Fair enough, yeah.

D

That's great news that you're

H

revisiting that. That's really good. Yeah, just a teaser: the name of this group is Cartografos, the Greek for mapping technology. I think the idea is that it maps out assets which will help people map out how to use cloud native technologies.

D

All right, any other questions from anyone about the technology radar?

D

Or comments.

I

One last comment. I think, ultimately, under the umbrella of everything security,

I

it's all predicated on these building blocks, so any way that we can energize the space for people not just to reassemble existing components and expect different configurations, but actually introduce breakthrough technologies and breakthrough ideas... And perhaps this will precipitate, well, if secrets, cert-manager here, maybe there's a world where there's just enough secrets and just enough identities

I

so we can reduce the blast radius of things. So I think we might be on to something innovative, and breakthrough ideas. Like, I see the mention of compliance; well, better governance, better compliance is predicated on strong identities and very few secrets, or only as many secrets as necessary. So I think a stride in that direction. So there's perhaps a framing that is all-encompassing of different security dimensions, and a broader narrative.

D

Are you thinking of this reframing as part of what Cheryl's just starting to work on with Cartografos? Or is that something that's happening in security?

I

I'm thinking in combination. It will be good to work with Cheryl; sounds like she's also working in other areas around, well, how do people do modern interpretations of landscapes, like perhaps this is not a topographic map, that's more a subway map: what station you get on and your destination dictates your journey. And we can take, well, the report that's been done and the data from it, and either perhaps change the language so it's not as disparaging of certain projects, or like shed light on why do...

I

How would these projects come into the equation, not being a secrets solution or secrets management? We can add a ton of color, like, how can you leverage both in combination? We can also do the next set of things, like, well, what's the intersection of the two, and do a write-up about it, use the cloud native security landscape

I

that's in the works for that purpose as well, and, like, Cheryl's renewal of the landscape. So yeah, thinking a little bit scatter-minded and in every single direction, but starting to hear the semblance of something that we can perhaps form more thoughts around.

H

I would love to brainstorm with you on how to do those things together. Definitely I'm open to new formats, new ways that we can produce helpful content for people, yeah, just to help guide them. I think it's very hard for people who are not in this day-to-day, looking at it, to really understand the kind of reality. There's a lot of hype. There is a lot of hype, right?

H

I love cloud native, but there's a lot of hype, so anything that can help people cut through that and figure out what is really, truly coming down the pipeline would be great.

D

100% agree with that, and I think we have some very good articulations of, like, kind of 101, you know, how to adopt cloud native 101, but actually you don't have to go very far down the road before you realize, oh, there's a ton of security, observability, all kinds of other bits that maybe are a bit more confusing. Yeah, but I remain... I think these technology radars are a fantastic initiative. I think we're learning a lot about what's actually being used, and that's really useful.

F

Yeah, thank you, Alena, for presenting the technology radar. Thank you, Cheryl and the team, for working on it. It's very useful information.

B

I have one more agenda item. It's really like, these are the votes that are currently open. Please get in there. That is all. Okay, I see there's nothing, so yeah. Indeed, yeah.

D

Just trying.

B

to keep track, I wasn't... voted for

D

those, please go ahead. Yeah! Okay, does anybody have any questions about those topics that are holding them back from voting?

D

All right, short and sweet, unless somebody has additional items they would like to bring up today.

F

Going... what would be the next technology radar, Cheryl? Oh.

H

Good question. Oh yeah! I should have put a link into this. So if you go to cncf.io/tech-radar, this links to a GitHub issue where you can put in, you can make a suggestion for what a future radar should be, or you can plus, like, thumbs up things that you're interested in hearing about, and then it will be up to the next tech radar team to decide which one they find interesting and they think is worth having a radar on.

H

So you will find out, just like I will, in about two

H

months.

K

Question: how long does it take to go through each one of the tech radars?

H

About 10 weeks end to end. We pull together a team, they decide a topic, we survey the end user community, then the team decides on the final radar, and then we write it up and publish it.

H

Like 10 weeks.

K

They do about four a year?

H

Yeah, we're doing quarterly, so the next one's probably June, probably just after KubeCon.

D

Are you seeing good take-up from end users? I mean, it sounds like it in terms of the number of participants, but, you know, are you getting good participation? Are end users kind of getting value out of taking part?

H

People love it. So one of the things that is really interesting about the way this is set up is that if you're an end user, you can see exactly which company uses what technology and what they think about it. So you have a lot of private access to this data, of which externally you can only see the aggregated version. So internally, people really have found a lot of value out of it. They go present it to their own teams when they're deciding on what technologies they should be using, yeah.

H

It's a lot of fun. People love it.

D

Fantastic. Right, anyone with anything else they would like to bring up today, whether about the tech radar or anything else?

D

And if not, you will get 25 minutes back for your leisure.

D

Sounds good to me. Thank you so much, Liz. All right, thanks everyone.

E

Have a great rest of your day. Thank you, Liz, bye! Thank you, bye bye. Thank you. Bye.
From YouTube: CNCF TOC Meeting 2021-03-16
