Sarah Polan: [00:00:00] I asked my employer if I could attempt to hack it and they said, yeah, feel free, but you're never going to get in. And I think within 24 hours I had owned the entire database and realized that probably security was an awesome life choice. DevSecOps is something that as an industry, whether you're small, medium, large, it's something that we have to adapt to.

The question is, how do you start scaling that? I'm tired of zero trust and also platform engineering being buzzwords that people just throw around. Without a clear idea of what they're actually trying to achieve.

Ashish Rajan: DevSecOps and Kubernetes may not be the most important topic in your mind right now, but ever since we've come to KubeCon, DevSecOps, Zero Trust, some of these conversations have sprung up, especially in the platform engineering context.

We had Sarah Polan from HashiCorp, she's a field CTO, and we spoke about what does DevSecOps in the world of Kubernetes look like? Why is it important right now, Zero Trust and machine identity the role they play at? And the platform engineering parts to DevSecOps aswell, all that, and a lot more in this episode of Cloud Security Podcast, this [00:01:00] is your Kubernetes special coming in live from KubeCon Paris, 2024. If you enjoy this episode, like many others, I would really appreciate if you drop us a like and review. If you're listening to this on iTunes. Apple, Spotify, but if you are watching this on YouTube and LinkedIn, definitely drop us a like and subscribe.

I'll see you in the next video. Enjoy the video. Welcome to the show, Sarah. To start the conversation. If you can tell us a bit about yourself, your background, where you are these days.

Sarah Polan: My name is Sarah. I'm field CTO for HashiCorp. I cover Europe, Middle East and Africa, typically.

My background in the tech world is software development. So I started my career Typical software developer, Ruby on Rails, all that good stuff. Oh wow.

Ashish Rajan: Yeah. Yeah, Ruby on Rails. It's still relevant, yes. Yeah, I like to think so

Sarah Polan: and then realized at that point in time that there were probably some pretty major security holes in terms of development practices and what we were trying to push out. So one of the applications I was working on at the time, I asked my employer if I could attempt to hack it. And they said, yeah, feel free, but you're never going to get in. And I think within 24 hours I had owned the entire [00:02:00] database and realized that probably security was an awesome life choice cause there was probably a lot of work to be done.

Ashish Rajan: And you walked into that one though,

Sarah Polan: yeah. So then obviously went down that rabbit hole quickly and started studying it a little bit more formally and then pivoted into the more DevSecOps space to help some financial institutions build out some programs.

Ashish Rajan: Since we're in KubeCon, probably worthwhile asking, how do you define DevSecOps in the whole Kubernetes cloud native context?

Sarah Polan: So I think what we're seeing right now is really an iteration of DevOps. I'd say when we're looking at DevSecOps, it's really about how do you build, run, and own security for an entire application life cycle. So looking at that from the moment you start the deployment, how do you make sure that you're using golden images, golden pathways to make sure that you can track all of these things and have full control over your application? SAST, DAST worked in secrets management all the way through deployment into production. And then making sure that also that you can [00:03:00] understand, yes, the protective controls that are in place for that entire life cycle, as well as being sure that you can detect and more importantly, remediate. I think as security people, we're very keen on how do I protect my application and how do I make sure people can't get in?

And the reality is as these ecosystems become a lot more complex, we move towards the service oriented architecture. The reality is we're just not going to catch everything. And we can't because that creates such a cognitive load for all developers and requires such expertise from all developers.

We need to look at, how do we centralize this within the team and be able to really remediate these things. And so to that extent, I think something like Kubernetes is hugely important for the ecosystem. Because that gives us the opportunity to work with less and less state, or at least with state that's consolidated and create these immutable applications.

And that gives us the opportunity then to say, Yeah, you know what I have somebody on the inside. Somebody's attacking my application I'm just going [00:04:00] to shoot it all down and build it up from scratch and then I know I can at least get them out of my application So that I still have that mean time to recovery that I need to and I can keep things running and with a certain amount of resiliency and then I can build around either some fixes or patches or make sure that I'm running, the correct baseline.

So you have a lot more opportunity to be able to do some of those things in tandem.

Ashish Rajan: Is this only for large organizations? Because I feel like KubeCon obviously is a mix of people who've come from smaller companies, larger companies, SMBs and all of that. Yeah. A lot of times the DevSecOps conversation sounds a lot more like it's only for larger organizations.

Is that, is there any truth in it?

Sarah Polan: No, I think DevSecOps is something that as an industry, whether you're small, medium, large. It's something that we have to adapt to. The question is how do you start scaling that? So if you're a larger organization, you're probably going to look at something like platform engineering, because that's going to allow you to take those practices that we would consider traditional DevOps.

And really move those into the [00:05:00] space of scalability, making sure that you have control over your entire ecosystem within these massive organizations, and that you're not recreating the wheel every step of the way. Because what we're realizing, and I think what kind of Netflix and Google brought to the forefront, is that there's only a limited number of developers, who are these unicorns and you really just can't scale unicorns.

So how can we do this in a manner that's scalable with the skillsets that we need and knowing that there's a certain amount of attrition on the market and we're going to have to manage that. So for these larger organizations, I really do believe that platform engineering is an iteration of DevOps and a way to bring that forward

For smaller organizations, the traditional DevSecOps, DevOps, how we've always conceived of it, where you have an application you build and you run, that may need to be how you manage that because you don't have the people or it's not worth building that scalability in place just yet. [00:06:00] So maybe that actually becomes your MVP and you start moving into a more scalable model as you grow.

But baking that security in, making it part of that entire process where people consume it based off of APIs with the proper observability and making sure that you have that recovery built in. I think it's absolutely critical.

Ashish Rajan: Maybe a few examples on what does it look like at scale, because you said a few things like DAST, SAST, Secret Management. Where do you see normally, maybe even within HashiCorp customers as well, where do you see people start that journey, which is probably easier path to travel, or, and maybe if you can add some challenges onto it, as well as you go that journey.

Sarah Polan: I think we start it with culture.

That's one of the huge pillars of DevSecOps is making sure that security is built in and part of the culture and everyone is accountable for that.

Where you want to move that depends on your needs. Coming from secrets management being a secrets management expert previously, I'm always keen to start there, because I think it adds a lot of value.

Yeah. If you do secrets [00:07:00] management correctly and holistically, it's really becomes about identity and how do you manage identity within these ecosystems? And that's such a huge part of being able to either pivot later to a more zero trust approach. Or really being able to do something like identity brokerage so that you have flexibility and you aren't building in these pieces that are brittle within your ecosystem The other thing is one of the most prominent attacks that i've seen with secrets is crypto mining.

Okay, so if you're a small business or you're a medium sized business You can't really afford to have half a million in cloud spend because somebody got your credentials that were in your Git repo and started doing some crypto mining. And those are things that I've absolutely seen. I saw an article circulating the other day that most of the cloud companies, they'll give you a little bit of forgiveness if you were hacked or breached in any sort of way. So usually they'll give you about 50 percent back, but this medium sized company was still hooked with 240 K of a cloud bill that they were didn't add value to [00:08:00] what they were doing and didn't help them advance their organization in any way You know, if you look at the return on investment of that potential, there's a pretty good business case for secrets management

Ashish Rajan: Yeah, I also find the secret management is a good place to start So I implemented the DevSecOps program when I was a CISO And I found that the SAST and DAST is a really harder thing to, for lack of a better word, sell to developers but then you also need resources at your end but a secret manager is more like, hey, I just don't want you to have your secrets out in public.

I think even those simple words, people are like, oh yeah, I get it. Everyone gets it. But somehow you go into SAST and DAST people are like, okay, what am I doing here? What do I see? Is that what you find as well?

Sarah Polan: No, I would agree. I think there's also something that feels a little big brothery about SAST and DAST.

So to have something that's combing through your code or checking your code. Yeah. If you're somebody who's also privacy oriented, it doesn't make you feel good, Whereas if you're saying, okay, I'm just gonna make sure that my secrets are properly bolted and have and identity attached to them. That's very clear.

I still have full control over that. And then I think that's [00:09:00] a great place also to put your foot in for a cultural shift so that you're saying, okay, look, you have control over this. What's the next thing we can move you forward to?

Ashish Rajan: Yeah. Yeah. And would you say we were talking about identity as well?

Another conversation that keeps circling around these days, even still is the whole zero trust conversation. And even the identity management conversation as well. Is there a relationship between DevSecOps and Zero Trust and where do you see that kind of whole machine identity play a role in this as well?

Sarah Polan: To build out Zero Trust. In general, you have to have machine identity because one of the fundamental principles of this zero trust idea is making sure that your data is encrypted at rest, but also in transit. So for that, you need MTLS. In order to have MTLS, you have to have identity on both sides because then you can have your certificates and you can use those certificates then to encrypt bilaterally. The other thing, if you go through some of the information about Zero Trust from NIST, it's really about making sure that you have time [00:10:00] and context bound identity. I don't know how you do that if you haven't put in place a certain amount of identity because, yeah, certificates you need to be able to know where things are coming from and how they're coming from.

If I then take this to a really high like flyover level. What I'm looking at is Zero Trust is really about identity and contract brokering. So how can I set up my systems to do identity and contract brokering? That takes time and it's a strategy. And maybe that is not a strategy that you want to use, but it also then means you're designing security from day one because this is the strategy that you're moving to.

And you need to be able to do that also with the DevSecOps, because that's also going to inform how do you do all of these things. And conversely, security may also become more and more important, because when you're dealing with something like a policy engine, that's not something that can be breached.

So you need to make sure that is heavily fortified. And you have all of the break glass [00:11:00] procedures in place, adequate scanning, whether that's code quality, whether that's SAST, maybe DAST. Making sure that all of these things are very dynamic and continuously evolving. So I think DevSecOps probably plays an even more important role when you start looking at things like Zero Trust.

Ashish Rajan: And would you say from a DevSecOps perspective, Zero Trust, we spoke about Secret Management as well you've been in this space for a while. Are you seeing any maturity in this as well? Or from when you started working in this space to where we are today, And obviously because you work across multiple geographies as well. So I'm keen to know your geographical perspective on this as well.

Sarah Polan: I think theoretically we're getting more mature. Okay. And we're starting to see pockets of this happening in places where either we'll see MTLS or we'll see encryption on the database specifically. There are very few places, aside from some government agencies, where they've really successfully fully put in zero trust part of that's the cost, not necessarily the tangible financial cost but it does put load on [00:12:00] your systems and you have to be very sure about why you're doing what you're doing in order to move this forward. There's been some new articles put out in terms of like maturity from the NHS National Homeland Security in us.

Sorry,

Ashish Rajan: not the National Health . Oh my, that's very interesting. National Health Services giving like National Services to Zero Trust. I'm like, oh wow.

Sarah Polan: I would love to see that because obviously, I would love to data

Ashish Rajan: associated with the National Hub a hundred percent. My data's not being shared by everyone and like all of that, but Fair.

So the NHS back in the US

Sarah Polan: has back in the us Yeah. So they've put out some more prescriptive recommendations for how do you go about Zero Trust and why. So I really enjoyed that document more recently. But then things like CISA talking about the maturity model. How do you move through the various layers of zero trust and how do you go about some of that implementation and what are the assets that you're trying to do?

Because ultimately it's about protecting your assets. We're all agreed that the perimeter is dead and everything's attached to the internet. So how do we then pivot to the protection of assets instead?

Ashish Rajan: Do you see the role of platform engineers evolve? You know [00:13:00] how initially we've started the conversation by talking about platform engineerings are basically building the framework of whatever, but I guess, but in terms of which is quite a crucial role in setting up the foundation for it, what do you see their role in the whole zero trust world and machine identity, is it similar?

Sarah Polan: I think so. I would really love to see the industry really get a hold on Zero Trust. What it means. I'm tired of Zero Trust and also Platform Engineering being buzzwords that people just throw around without a clear idea of what they're actually trying to achieve.

So if I could wave my magic wand and give anything to the industry, it would be a clear picture of what is Platform Engineering? What does it entail? Why do you want to do it? And then the same for zero trust, because I think the two have a very powerful overlap. But if you don't understand why you're doing it, or in what context you would want to use it, because you may not want to use Zero Trust for everything, because it is heavy.

But you still want to have good security practices across the board, and you still want to be able to scale those security practices across the [00:14:00] board. So I think it's really important that we start focusing on the why and what are the benefits. These things actually trying to achieve as opposed to what vendor has a specific solution, for instance.

Ashish Rajan: Interesting. Maybe this may be a good final question then I guess as well then. Do you want to define what should be a platform engineering? What should their role be? And maybe 'cause you can actually put a stick on the ground and just maybe let's just define that so people at least have a starting point.

Yeah. 'cause to your point, there is so many opinions on, I'm personally biased to that as well. I have an opinion of what I've seen them do, so I'm like, oh, I guess that's what they do. Yeah. Keen to know what you feel is a platform engineer, what their role should be in an organization?

Sarah Polan: So I think we have to take this back to what is a platform at the base.

And a platform is an economic construct before it ever moved into the engineering space or before we ever started adopting it. And it's really about having a producer, a consumer, and then something in the middle that's an intermediary that's able to broker things like governance, policing [00:15:00] cost. And what we're trying to achieve with that is either a search cost reduction.

So making it easier in terms of cognitive load to find specific assets or how you would do something or how you would put something together or a transaction cost. So making it less costly to an organization to really, you know, string some of these things together and the engineering effort that would go in between these things.

Then the idea is to leverage both sides to create something that we call network effects and network effects are really about how do you get the most value off of both sides. So how do you get the most engineers in an organization using predefined architectures that you would on the other side? What we sometimes do in engineering is that we conflate A platform with a marketplace.

Yeah. And then we try to create some sort of hybrid between the two of them. And what ends up happening is you end up with this Frankenstein, where it doesn't really adhere to one or the other, and it starts breaking down a little bit. As you're looking [00:16:00] at what you want to do with your organization, you need to be very clear about, do I want a marketplace?

Do I want a platform? And then how do I contribute to either one of these things to make sure that it's the most consumable by the most amount of people possible. So it's about creating golden workflows that serve, 80 percent of your organization. You're never going to serve 100 percent of your organization.

There's always something that's going to be a little bit off, but if something's not serving 80 percent of your organization, it's probably time to look at that and say, okay, How do we reduce this a little bit to make it more consumable for more people? Do we need to break it off and look at our work streams?

Do we need to, trash it and start over? That's also, completely valid. You're never going to get it right on the first time, but it's really about how do I bring control, scalability, security, to the broadest audience possible so that they can continue to really be effective and do what they need to do, which is [00:17:00] deliver that business logic and innovation for the organization.

Ashish Rajan: Awesome. And very well defined. Cause I was also thinking, as you were saying this, I don't know how many people actually walked through and understand it. Like you hear things like, Oh, I made a secret management platform. Oh, I made a platform for vending cloud accounts, but, No one talks about the networking effects that come from it.

Like, how many people actually using it? Yeah. Is a whole another metrics that people have not even considered. Oh, it sounds like a great idea. We should make a secret management platform. I feel like that's where that comes from rather than the fact that, Oh, how many people will end up using it?

What will be the networking effect? So I'm glad you clarified it and put that statement down. So that's pretty awesome.

Sarah Polan: It's taken a lot of, personal growth and education to really come up with a lot of therapy sessions

Ashish Rajan: as well, I

Sarah Polan: imagine. My kids say they have a therapy jar. They tell me to contribute anytime I start talking to them about platform engineering.

Ashish Rajan: Fair, a lot of therapy later, now we finally understand what platform engineering does. Fair. I

Sarah Polan: hope that someday it will serve them well.

Ashish Rajan: Yeah, I think they still know what [00:18:00] platform engineering is. What are you looking forward to having more conversations about at KubeCon?

I think what's on the top of mind for you?

Sarah Polan: I'm really excited. I think we're finally to a place in the industry where we can start looking at how do you actually scale these? We've hit a little bit of a wall, I think. When I was designing distributed systems and Kubernetes, we were already struggling a little bit and it feels like we've gotten to a point that goes, okay, no, this hasn't been working.

So how do we pull this back and look at the broader adoption for some of these larger organizations as well? So I'm really excited to see the adoption uptick and the successful adoption.

Ashish Rajan: That's pretty awesome. I wish you all the best for it. Also, I've got three more questions as well, by the way.

Fun questions. Okay, hit me. First one being what do you spend most of your time on when you're not trying to solve distributed system problems or secret management?

Sarah Polan: That takes a while. I have a lot of time, actually. So rock climbing or music would be the other one. What kind of music?

Ashish Rajan: Opera. Op?

You sing?

Sarah Polan: Before I was in technology. Wow. I was an opera singer.

Ashish Rajan: [00:19:00] I'll book my tickets after this. I'm out of practice. The second one being, what is something that you're proud of, but that is not on your social media?

Sarah Polan: I don't have any social media. Oh, even better. Aside from LinkedIn. My kids, it goes without saying.

I think they're absolutely brilliant and love the people that they're becoming from the

Ashish Rajan: Send the recording to them as well so they have a , Mom said

Sarah Polan: this

I think they'd like to hear that.

Ashish Rajan: Yeah, basically just can take out the money from the jar of the therapy jar

The last question what's your favorite cuisine or restaurant that you can share?

Sarah Polan: So I grew up in the southwest and Amsterdam is not known for its Mexican cuisine So that might probably one of my favorite foods is Yeah, Mexican food and growing up. We had this little hole in the wall. Kind of greasy spoon drive through Mexican place called Los Gilbertos.

If I could eat anything right now, even though we're sitting in Paris that would be it.

Ashish Rajan: Wow. Thank you for sharing that. And where can people find you on the internet to connect with you on talking about how to implement these scale or just to continue the [00:20:00] conversation on the space.

Sarah Polan: So either via HashiCorp or via LinkedIn.

Ashish Rajan: I'll put the link in the show notes as well, but thank you so much for coming on the show. Thank you so much for having us. Thank you.

Thank you for listening or watching this episode of Cloud Security Podcast. We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet.

And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info at cloudsecuritypodcast. tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister podcast called AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity.

How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT, and everything else continues. If you have any other suggestions, definitely drop them on info at CloudSecurityPodcast. tv. I'll drop that in the description and the show notes as well so you can reach out to us easily.[00:21:00]

Otherwise, I will see you in the next episode. Peace.

‍