How BT Tackled 180 Years of Legacy to Build a Passwordless Future


How do you modernize security in a 180-year-old company that operates critical national infrastructure? What does it look like when you discover tens or even hundreds of thousands of credentials hidden across your estate? In this episode, we sit down with Christian Schwarz, Security Director for Network Services at BT Group, recorded at HashiDays London. Christian shares the immense challenge and strategic approach to standardizing secret management across one of the world's oldest telecommunication companies. He details BT's journey away from the "moat and a castle" security model towards a future with no passwords for developers, reducing friction and enhancing security by design.

Questions asked:
00:00 - Why Standardizing Secrets is a Challenge
02:24 - Introducing Christian Schwarz & His Role at BT
05:50 - Beyond the "Castle & Moat": A New Approach to Security
07:59 - The Challenge of Securing a 180-Year-Old Company
10:04 - The Power of Storytelling and Discovering Hidden Credentials
11:59 - The Starting Point: Threat Modeling Your Critical Infrastructure
13:48 - The Upside of Standardization: Reducing Cognitive Load for Teams
16:08 - Fun Questions: Cycling, Innovation, and Favorite Cuisines

Christian Schwarz

Ashish Rajan: [00:00:00] We were talking about secret management at scale and almost your approach to security. What was your approach in thinking there, and why go on that path?

Christian Schwarz: I work for a British telco. The company itself is 180 years old. And 180 years also means that it's a hundred years of legacy, to some degree.

Previously we had this thinking about there is a perimeter, a moat and a castle, and when you're in the castle, you're all good. So this implicit trust is an issue.

Ashish Rajan: But in a 180-year-old world of technology, I would imagine it's quite a challenging task when you start.

Christian Schwarz: It's very scary because you suddenly see tens of thousands, maybe hundreds of thousands of credentials.

Yeah. In your estate. So the thinking here is really to take all of this away from the beginning. It reduces their cognitive load. My objective and the company's objective is really to get to this intrinsic motivation where everybody wants to do the right thing. Yeah. Automatically.

Ashish Rajan: If you work in a telecom company with over 180 years of history, there's a lot of complexity you carry in the organization in terms of the kind of compute you have, the kind of environment you have; you probably [00:01:00] even also have actual devices that are physical towers that you care about.

In this fascinating conversation with Christian Schwarz from BT, or British Telecom, he shared the experience he had deploying standardized secret management across his entire organization, and also shared why his approach of having no passwords for developers to log into a server was crucial for his vision of what security should look like.

While we are working on enabling developers, the interview with Christian was recorded at HashiDays London 2025, and it's a great conversation for anyone who's starting to build that standard secret management, which may be cloud agnostic, across their entire complex ecosystem of historical as well as modern infrastructure.

Overall, I enjoyed this conversation. If you know someone who is going through this process and perhaps is already in a telecom themselves, or in a really large organization with complexity and history, I would definitely check out this episode and share it with someone who you know is going through a similar journey or is [00:02:00] interested in this topic.

As always, if you have been listening to Cloud Security Podcast for some time and have been really enjoying the episodes, I would really appreciate it if you can take a moment to hit the subscribe button if you are watching this on YouTube or LinkedIn, or hit the subscribe or follow button if you are listening to this on Apple iTunes or Spotify.

I look forward to hearing your feedback on what you think of the episode with Christian. For now, let's get into the episode. Hello. Welcome to another episode of Cloud Security Podcast. We are at HashiDays London and I've got Christian with me. Hey, man. Thanks for coming in. Hey, thanks for having me. Maybe a good place to start: could you give a bit of background about yourself and the company you work for?

Christian Schwarz: Yes. Yeah. So I work for a British telco called British Telecom. Yeah. BT Group for short. And so in there I look after security engineering in an area that is called network services, which essentially provides our private cloud estate, but also fixed and mobile connectivity.

Yeah. And as part of BT we operate quite a bit of what is called critical national infrastructure as well. Yeah. Yeah. For example, the 999 [00:03:00] platform, which is the UK equivalent of the 911 call. Yeah. As people know in the US and beyond. Yeah. So we operate this. We have also the merchant service platform.

Yeah. Network. We have air control towers, stuff like this. And there's quite a bit of underpinning of key infrastructure within the UK, quite a bit of history as well, but exactly. Yeah. And then the company itself is 180 years old. Yeah. And this means there are a lot of claims to fame around having invented this and that, because innovation happens.

Yeah. Obviously it's really known for its research campus in Ipswich. But 180 years also means that it's a hundred years of legacy, to some degree. And this obviously impacts the work I do. Yeah. From a security engineering point of view. This also means that we have a long history of preferred suppliers.

Yeah. And ways of operating. And this has rapidly been evolving, as has the threat landscape.

Ashish Rajan: Fair. And I think for the American counterparts, like AT&T, that's kind of what BT is for the UK. Is it just UK or is it in Europe as well?

Christian Schwarz: A couple of years [00:04:00] back we were still a really international business.

We had a big center in Malaysia as well. Yeah. Okay. And we had ambitions to, there was BT International at the time already, which is a little bit of a fun story, in the sense that we created a new entity called BT International last week. Oh okay. Which we now separate out from the more UK-centric main part of BT.

So we want to really focus ourselves now on UK.

Ashish Rajan: Yep.

Christian Schwarz: There are some interesting tidbits. First of all, the UK is an island. Yeah. But this also means that we still have connections to Europe and other countries. And Northern Ireland largely operates on the EU laws as well. Many of the products and services that we need to provide need to follow and comply with EU regulation as well.

Ah, so people often forget this because there's this famous Brexit bonus. Yeah. But actually the complexity shows that in Ireland, yeah, in Northern Ireland. In particular for our products like home hubs and stuff like this, we absolutely need to abide by EU laws as well.

Ashish Rajan: Interesting. And maybe to talk about some of the other security things as well. We were talking [00:05:00] about secret management at scale and almost your approach to security. I think the two common themes we wanted to focus on are secret management, as well as not having secrets with people who want to access services. What was your approach in thinking there, and why go down that path?

Christian Schwarz: Yeah. Let me step a little bit into the threat landscape first. There has been a big evolution. Previously we had this thinking about there is a perimeter, a moat and a castle, and when you're in the castle, you're all good.

If you're outside of the castle, it's very problematic. Yeah. The Wild West, if you want. This evolved over time. So there is no longer this firewall that you can set up that protects everything inside, where you can just trust anybody and any service and stuff like this. So this implicit trust is an issue, and today it's no longer really a principle that you can follow.

Ashish Rajan: Yeah.

Christian Schwarz: Hasn't been for a long time, but the telcos ignored this for a while, let's put it like this. To come to your point a bit more about secret management, this also means that if you look at how threat actors are [00:06:00] actually compromising and then going from there, they go after high-value targets.

So there are teams that go do ransomware. So they try to encrypt your estate and then extort money from you, essentially. Yeah. But most of the others, they try to compromise some of your platforms and from there, go further. Yeah. And the game is essentially to find either a very privileged account,

take this over, or even go after the holy grail of password storage, credential management, yeah, or stuff like this. A central one, so if you use something like Active Directory, you would have an Active Directory store, which has encrypted passkeys and usernames and all of that stuff.

So often attackers will go after this. Yeah. So what you really want to do is reduce the amount of credentials that are there in the first place.

Also make it much easier for teams to live in a world that doesn't have friction. And anytime you need to enter a password or think about a passphrase or generate one or something like this, it introduces friction.

It introduces friction [00:07:00] when you create something, a new service. Yeah. And it introduces friction when you operate the service. Yeah. So the thinking here is really to take all of this away. From the beginning, make sure that you've got design patterns and templates that actually reduce the amount of credentials that you have in the first place.

Yeah. And put this somewhere else, potentially decentralized, but very securely stored.

Ashish Rajan: Interesting. And to your point, it reduces the risk exposure as well, based on the new threat landscape we called out. Yep. But in a 180-year world of technology, I would imagine it's quite a challenging task.

When you start. It is. So what were some of the challenges you came across? And for people who are thinking about doing this in their part of the world, what were some of the things you learned that people can take as, okay, these are some of the challenges you face as you go through this in an already established company?

Christian Schwarz: Yeah. So the telco world is maybe a bit specific. If people think about big companies like Google and others, they are very software-everything. Yeah. Software from the beginning [00:08:00] to the end. Mostly in the telco world, until a couple of years back, most services were provided by appliances.

Yeah. So essentially every tenth building in London, for example, would have been a BT building. You had all this real estate where you put in one box after the next. Okay. For voice connectivity, IP connectivity, all of these services. And it would all be specific appliances from Cisco, from Ericsson, from Nokia, from Huawei and so forth.

So you would have all of this real estate and it's all dedicated machines. A lot of black boxes essentially, because they're all managed by third parties. Yeah.

Ashish Rajan: Yeah.

Christian Schwarz: So over the last couple of years, this has changed quite dramatically. So we moved to a world where most of our services are now software defined.

Yeah. Software first, or software only as well. This also means that we can virtualize the underlying platform more. Okay.

Ashish Rajan: Yeah.

Christian Schwarz: And then transition over there. So to answer your question about credentials and passwords: really, in the beginning, we didn't know anything about those because they're [00:09:00] managed by third parties.

So essentially they were hidden in the appliances. Oh. And some people were given a password or passphrase or a credential, something like this, to connect. Yeah. Yeah. The other problem, and this is really a lesson learned, is that at the time, because it's operationally much easier or simpler, they would only give you a single password that operates on all of these appliances.

Yeah. Yes, you need to keep it secret, but if you have it, you can connect to all of those. That's all. Okay. And this is obviously problematic. This means if this gets leaked or shared or something like this, then it's game over, essentially. Yeah. So this evolved. So we moved from a world where you had all of these master passwords,

if you want, to a world where you have a dedicated password for a dedicated host or service or something like that, which is much more fine-grained.

Ashish Rajan: Yeah. Yeah.

Christian Schwarz: And then there are two aspects that I really want to mention. The first one is about storytelling, and most people forget that you need to take your teams with you.

Not everybody wants to [00:10:00] think about security all the time. Yeah. But they need to understand that security is important and that it's really for everybody to action security. Yeah. Okay. So we have, for example, a very good red team. So the red team is performing internal attacks. Yeah. Yeah. In a benign way, uh-huh, but they use the best technologies that are available.

Really modern techniques, like a big threat actor or even a nation state potentially would do. Different scenarios, sometimes assumed compromise and stuff like this, in order to really show you what happened. And they're really good at storytelling, and these frontline stories are really important.

Interesting. And the second part is, since you've got all of this legacy, once you start getting into more software-defined services, you can use tools that give you visibility on all of the secrets and credentials that are being used. Yeah. And it's again a very powerful element of storytelling.

It's very scary because you suddenly see tens of thousands, maybe hundreds of thousands of credentials. Yeah. In your estate, all of these GitHub and GitLab repos, software left and right, containers [00:11:00] provided by third parties and so on and so forth. And it's a really scary moment. Yeah. But then you think about, hey, okay, how can we improve this?

And this is where you come back to security engineering. We look into, okay, how can we rotate those secrets? How can we make sure that we replace the supplier-provided secrets with our own? How can you move this into a state that you run? Yes. There are also HSMs and hardware security that you want to leverage in some areas in order to just take away all of the angles where it could leak.

No, you don't want to have a password that you actually need to enter. You want to operate on a cryptographic secret, but you don't ever want to expose it. Yeah. Secure enclaves, HSMs, stuff like this are key for us as well.

Ashish Rajan: Yeah. And to your point, as you mentioned that, I'm already thinking that you have IoT devices as well.

So those have passwords. Then you have the actual users, the machine users; the complexity is too intense. What's a good starting point? Because it may come across as quite an overwhelming task to just start something like that.

What [00:12:00] was your thinking in terms of, hey, this is a good place to start for most people? Now that you've done this for some time, what's a good place to start this standardization process for secret management?

Christian Schwarz: There's no surprise here. So the answer here needs to be threat modeling. So you need to understand what is your attack surface.

What is your threat landscape? And then from there you look into different services, and you start maybe at the macro level: hey, this is the mobile network. Yeah. Okay. Or the broadband, fixed broadband, something like this. Yeah. Then you look into, okay, let's break this down into components. So this is the mobile antenna,

yeah, or mobile tower, if you want. What is the attack surface of this, and the threat vectors, and what are the threats and what can I do about those? And they are very different from, for example, our mobile core, which is the brain, if you want, of the mobile network. Yes. Which is completely virtualized and sits somewhere that BT really owns.

The real estate is owned by BT, so we have the capacity to protect this as well. The mobile antennas are out there. Everybody can walk up to them. Yeah. Rip open a [00:13:00] casing and try to plug in a device. Yes. So the threat model is very different. So it's really starting with threat modeling, understanding what are the real-world threats.

And then the other part is what we have, and most bigger companies have, independent of the industry: regulation.

So we have regulatory requirements where we need to protect certain parts of the business in specific ways. We need to be able to show, upon an audit or inspection or something like this, that we have applied best practices, that we have put in place

modern technology, modern ways of working potentially as well. And yeah, we are being regulated by a number of different regulators. Ofcom is the biggest one in the UK. Yeah. And they also talk about the Telecom Security Act, which is impactful for telcos, yeah, in the UK. Yeah. And where we need to closely collaborate with our suppliers as well.

Ashish Rajan: How has this changed now that you've standardized this? What's the upside of this? Obviously this is basically selling the dream, for lack of a better word. Where are you today and how does it work for secret management and sharing [00:14:00] secrets and stuff?

Christian Schwarz: Yeah, I would say we haven't won the war yet.

Okay. Certainly it's still a series of battles there, but the teams all across the business start understanding, or really understand now, that this model, where you outline the story and the threats and you have design patterns, templates, architectural guardrails and stuff like this that can be easily applied,

and where the existing solutions and best practices are readily available, is a game changer for them. It reduces their cognitive load. They don't have to think about security all the time. Yeah. They know that, hey, I've got these risks. I can map those to existing solutions that we have already implemented in other parts, so I reuse something that we have.

Yeah. Okay. And being part of a big company means that we also have lots of areas where we can really plug in. I do not need to care about secure enclaves anymore. We have solved this. Yeah. There is an API, you can hook up to this API. Might be rolled. Yeah. HSMs, a combination thereof, so we've got all of these repeatable patterns, and so this is getting easier and people start [00:15:00] appreciating moving towards a simpler world, a reduction of cognitive load.

And if you know Dan Pink,

Ashish Rajan: Yeah.

Christian Schwarz: TED Talks and YouTube personality, he talks in his book Drive about intrinsic motivation. Yeah. Motivation 3.0: you don't have to hunt for the food anymore, which is your previous motivation. It's really about you want to do something because it's the right thing.

You understand that it's right. And so my objective and the company's objective is really to get to this intrinsic motivation where everybody wants to do the right thing. Yeah. Automatically. And on their own motivation.

Ashish Rajan: That's a great way to look at security. I wish more people were talking about this, so I'm glad we are having this conversation.

That's kind of like most of the technical things that I had. Three fun questions for you as well. First one being, when you're not trying to solve secret management or removing secrets as a challenge, what's your favorite activity to do?

Christian Schwarz: At work or outside of work?

Ashish Rajan: Yeah, at work or outside as well.

Christian Schwarz: I'm a keen cyclist. Alright. So I like going out in the countryside quite a bit. Or too fast? No, not at all. I've got a gravel bike. Oh. Which allows me to do the right thing, the right mix between road and [00:16:00] off-road.

Oh. Basically, I find this really nice, and I like to spend time out thinking in nature, stuff like this. I also cycle to work. Oh. Which through London can sometimes be a bit of a challenge, but it's getting better. And so this is really something that I enjoy quite a bit, but also family, obviously.

Yeah. That I look after there. So we are quite active.

Ashish Rajan: And maybe related as well, what is something that you're proud of that is not on your social media?

Christian Schwarz: I'm fairly proud of the fact that I have always created innovation where I was. So I have a good amount of patents from previous companies as well.

And I have been driving innovation and been part of innovation cycles in all of the companies that I participated in. And it's tricky for me to express this really in a way, on LinkedIn, very easily. But yeah, it's something that I really like. I like to learn new stuff. Yeah. And really think about creative, novel ways of addressing a problem. And yeah, so I'm fairly proud of this.

Ashish Rajan: Have you figured that out for AI yet?

Christian Schwarz: So we use AI across the business. [00:17:00] Increasingly. We have internally built up infrastructure to use it safely as well. Yeah. And mostly around inference, starting to refine models and retrain some of them as well.

So certainly, we sprinkle in AI where it makes sense. Yeah. And for us, for example, it also helps: for me as a security person, I have a certain jargon, I use acronyms and stuff like this, which, for my sins, I shouldn't do too much. But so the AI helps the layperson to interact with security and

talk English, French, German. Yeah. Italian and all. Whatever. No, exactly. Not being overwhelmed. And it also helps with accelerating some of the tasks where we previously had to go through a register of what are the available services, what are the patterns that exist, stuff like this. We can look into matching those with AI as well.

Then get proposals and say, yeah, this looks good. And it's all driven on, you need to trust it to some degree, and so you also need to validate it. So you need to find the right loop in there. But yes, it's certainly something that can [00:18:00] accelerate workflows quite a bit in the security lifecycle.

Ashish Rajan: Well, I look forward to hearing the innovation there as well, that you guys make. Final question. What is your favorite cuisine or restaurant that you can share?

Christian Schwarz: So my wife's French. Okay. So I'm a big fan of French cuisine in general. I'm not sure if I've got a particular favorite food or something like this, but I like cooking as well and we do quite some sophisticated foods from time to time.

Wow. Wow. And, somewhat as an outlier, I'm also a big fan of Ethiopian cuisine. Oh yeah.

Ashish Rajan: Injera bread

Christian Schwarz: and all of that as well. Yeah, exactly. And especially the vegetarian options are really good. Yeah. Yeah. So we love doing this and regularly go to Ethiopian restaurants to have a really good meal, shared with friends and stuff like this, and amazing coffee afterwards. They have a nice coffee ceremony and all of this stuff, and it's the best coffee there is.

Ashish Rajan: Wow. Okay. Awesome. I'll need to check that out. But where can people find you to connect with you? Maybe talk more about what you do with secrets management and other things in BT, or where can people find you on the internet?

Christian Schwarz: Yeah, so on LinkedIn. Yeah. It's probably my most social. Also on [00:19:00] Strava for the fitness guys, because I live there. Exactly, it's LinkedIn.

So CH Schwarz, or just search me up as Security Director for Network Services at BT Group.

Ashish Rajan: I will put that in. But thanks so much for coming in. Thanks so much for having me. Thank you. Thanks everyone for tuning in again. We'll see you next time. Thank you so much for listening and watching this episode of Cloud Security Podcast.

If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well, so you can definitely find these episodes there. Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in the description for you to check them out, and also for our weekly newsletter where we do an in-depth analysis of different topics within cloud security, ranging from identity and endpoint all the way up to what is CNAPP or whatever new acronym comes out tomorrow.

Thank you so much for supporting, listening and watching. I'll see you next time.
