Smallstep aims to help developers and operators with zero trust as they work to secure their infrastructure. In this episode of TFiR: T3M, Swapnil Bhartiya sits down with Linda Brown, Director of Risk and Compliance at Smallstep, to dive into this month’s topic, Security and Compliance. They discuss how security is changing to adapt to the cloud-native world and common mistakes companies are making as they embrace cloud. She talks about how Smallstep is trying to tackle these problems with its solutions and shares some advice for how people can get started.
Evolution of security from traditional IT to the cloud-native world
- The idea that security is about the perimeter has ended, with people realizing that a perimeter alone is no longer enough to secure an organization.
- Companies that have been resistant to cloud are now moving to it and having to rethink how they do security.
- If your human controls fail, for instance because of a phishing attack, you still need to make sure your data is secure, which has pushed security further down the stack.
- There has been a move to short-lived certificates because of the nature of Kubernetes, but organizations need to consider how they can meet that demand with a centralized platform that is scalable and has auditing and logging capabilities.
Major security concerns if companies do not make it a priority
- People moving to the cloud are still predisposed to approach security by securing the perimeter of each cloud. A shift in mindset is needed, toward an approach where you protect everything, everywhere, across the full stack.
- Organizations need to shift culturally too, so that everyone is aware of security; it is now everybody’s concern. There needs to be a top-down drive to make security a priority and to free up the budget to make it happen.
- Smallstep can help people take a single use case, secure it, and build the security from the ground up.
What are the roadblocks for companies adopting some of the best practices?
- Products around zero trust need to mature. Many businesses are still at the stage of a single zero-trust use case, or partial zero trust, and are moving toward a total change in perspective and methodology.
- Smallstep is also looking at how to provide an umbrella solution that secures all the other pieces of the puzzle, not just people.
- Having centralized reporting is key, and that is something that is still developing in the zero-trust market.
How is Smallstep helping companies lower the barrier of entry?
- Smallstep takes its inspiration from its name, helping companies get started by taking on one use case and making it practical and approachable. It can also assist with the PKI infrastructure, delivering certificates reliably with short lifespans and high availability.
Advice for organizations
- Many companies have become good at distributing containerized solutions. Brown suggests taking the things organizations are already good at, which have set processes and procedures, and applying certificates to them.
- Smallstep’s SSH solution is a foundational level of access, which makes authenticating identities much easier, from DevOps all the way down to users.
This summary was written by Emily Nicholls.