Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Graham Williamson. He is a Fellow Analyst with KuppingerCole Analysts. Hi, Graham. Good to see you.
Hi Matthias, it's great to be here.
Great to have you. And we are covering a topic that KuppingerCole is covering for the first time, at least with that focus. And the title for today is Controlling the Accelerator for Secrets Management. What does that mean and what is Secrets Management?
Okay, I've got to confess that when I commenced the research into secrets management, my understanding was, well, obviously it's person identifiers. How do we look after person IDs? It's also device IDs. We've got increasingly, as more IoT devices are deployed, we've got a device management issue as well. I thought that was basically it. But as I undertook the research, the sort of scales fell off my eyes and I saw how wide this is. And it is moving so fast that we need to make sure, and I see this is sort of an advice to CIOs, saying, look, this is accelerating extremely fast, you need to make sure that you put some governance on it. Because if you don't control it, what's going to happen is your enterprise is going to go their own route, they're going to embody it. And without the governor, if you like, you're going to... there's tears ahead if we don't properly control it.
Right. And when you say the field is so large and that the spectrum is so wide, what are the identities where you're managing the secrets? So keeping the secrets secret as long as they are required and having them at hand when they are required. So what are the identities that you're looking at?
Yes. Okay, as I said, it’s obviously people, we've done that well in the past, we just need to get better at it. Devices, as we put more devices on the network, we need to make sure that we protect the communication from those devices, probably encrypted. We need to make sure that we identify the communications from those devices, probably digitally sign it. So we need secrets to manage that. But then there's other areas like for instance, the service accounts from your various devices that are automating activities. You know, in the past, well, hopefully we never, ever do it again, but embodying a password, a username and password in that connector is just, don't do it, right? So when it becomes looking after service accounts, we need to make sure that's there. I guess the biggest area that surprised me was in machine identifiers. Now, what we’ve got in the machine space is the deployment of software packages to a wide variety of different areas. And we need to make sure that as those software packages are deployed, that again, if we need encryption, that we encrypt them, we definitely need to sign them so that before we deploy that piece of code, we are sure of its provenance where it's come from. So that whole machine identity basically managed by DevOps, is another area that we've got to put the brakes on and say, Okay, Mr. DevOp, what do we need to do to give you the tools to allow you to do this job securely and what is going to be the enterprise control over that, what do we as an enterprise want you as a DevOps person to do? So, that machine and we've got to make sure that we get control on that aspect of the secrets management space.
Right. And when you say, okay, the DevOps need to understand and embrace that and the organization needs to enforce that, that means also, again, a change in policies and processes and really also having the responsibility of the people who are acting with these secrets really in place so that they enforce that, that the policies are defined, understood and enforced using a tool like secrets management tools as they are. You researched that area of secrets management tools and it ended with a Leadership Compass. So our document of comparing these different services and products. Can you explain how organizations actually can leverage this Leadership Compass, how to use it to get the best out of it for them?
Absolutely. Thank you for that. Yeah. So I should just explain, when I say machine identity, that's sometimes misunderstood. In the United States, North America, when you say machine identity, they're talking this code that you're now deploying into typically a cloud environment. So you need to make sure that as you do that and cloud native has just made this a whole lot bigger. So in a cloud native environment, you've got containers. Those containers actually might be across multiple cloud environments and you got to make sure that that machine component as you deploy it is properly protected. Just as you mentioned. And we explain that in the Leadership Compass. So I think that an organization that wants to understand secrets management would learn a lot by going through the document and understanding these various components of it. And to a degree, I'll confess we are comparing apples with oranges, with bananas in this Leadership Compass. So the vendors that are featured cover a very wide range of secrets management. So the benefit then to the reader is you can decide or you can go through that and say, well, which of those vendors are important to me. So for instance, we provide a matrix that shows each vendor and what their strong points are across the secret management environment. So you as a prospective customer of this vendor can go through that and say, Yeah, yeah, that matches. And in the Leadership Compass we give a page description of the vendor and by absorbing that information you'll be able to, as a prospective customer, build up which of these vendors best suits my use case? And in fact we talk about four major use cases in the document. You can then, the customer can then contact those vendors, explain their specifics of their requirement and see how that vendor is going to respond to that. 
With the whole intention of making sure that, you know, you follow a proper procurement process where you put together a short list with the vendors in the document. The descriptions there should enable you to put a good shortlist together, and then as you proceed through the procurement, you'll find out which ones best match your requirement with hopefully, by the end of it, short circuiting all the time you might otherwise have to spend in properly deploying secrets management.
Right. And this is also a process where we as analysts and / or as advisors then can support in the process. On the one hand, we have your great research, which really covers the full range of these products, the customers or the people interested in such a product can use your Leadership Compass themselves for selecting the right service, the right vendor, the right product. On the other hand, we as advisors can support them in identifying their requirements and mapping that to the individual vendors and their services and products. You've mentioned the Leadership Compass is prepared by you. Is it already published? I assume so, right?
It’s being published as we speak.
Okay, that's great. So we really, I really recommend the audience to go to our website kuppingercole.com, have a look at the Leadership Compass Secrets Management provided by Graham. If they have any questions, I'm quite sure that they can reach out to you and contact you by email. If you have any other questions regarding this podcast or comments, please leave them below this video or just reach out to Graham or me and we are really looking forward to your feedback and if there's anything else we should cover in our podcast episodes, just let us know. Maybe we will do that as well. Thank you, Graham, for your time, for creating that great piece of research covering this, for KuppingerCole new, specific focus of research and looking forward to seeing you in another episode very soon.
Thank you very much. Bye bye.