Good morning. We've got folks coming in. And Elena, are you ready to go? Yes, I am. Okay, that was my check. Should I share the slides or will you? I have all of it. Awesome. I'm going to give it a couple more minutes, because I don't have anyone that came by my desk and said regrets this morning, so we'll see. Liz, I will pass to you about when we start; just kind of waiting on a few more folks to be able to come in. Right. Yeah, let's see, we're only a couple of minutes past. Give them another minute. It is also that delightful week of "what is time, anyway?" I so nearly got this wrong this week. That was, yeah. It's that wonderful week. It's my favorite week. Looks like we have stabilized on 28 people at the moment. So hello everyone. Welcome. Let's get started. Normal introductions apply. Hello. You made it. Welcome. Okay. And we have the tech radar. This will be very exciting. I can't remember, who do we have to present the tech radar? We have Elena on the line. You're on, Elena. Thank you.

All right. Hello everyone. My name is Elena. I'm a software engineer at Apple and one of the CNCF TOC members. And today I'm going to be presenting the CNCF End User Technology Radar on secrets management that got published last week. Secrets management involves tools and techniques to manage secret data like tokens, passwords and certificates, and it becomes more essential and complicated as the cloud native ecosystem grows, because the microservices need to talk to each other, and they need to talk to each other in a secure manner. Next, please. What is a technology radar? The technology radar is an initiative from the CNCF End User Community. That's a group with over 140 companies that meet regularly and discuss the challenges that are involved with cloud native tools adoption. And the goal of the CNCF technology radar is to share the tools that are actively being used by the community and the tools that end user companies recommend using.
And it's actually data driven: the data is contributed by CNCF end user companies and curated by the community representatives. And the initiative focuses on future adoption. That's why we went with three rings: adopt, trial and assess. Adopt is when the technology is clearly recommended by the end user community; trial is that companies use it with success and recommend it; assess is that companies tried it out, find it promising and recommend you keep an eye on it. Next, please. 79 companies participated in the secrets management technology radar, and the results were somewhat interesting and surprising. The variety of tools that are used for secrets management by different companies was wide, yet we were able to identify some exciting themes in how people use secrets management tools. Next, please. Much of the radar team was initially surprised. Please, next, just so we can see. The first thing was that Vault was the clear winner, as it got the broadest adoption across many companies. This is a very mature solution by HashiCorp. Yet it's not the easiest one to use, and it is a rather complex tool with a high operational burden, but the adoption was high, and the more we looked at it the more we realized that it makes sense. If you're a small company, you would most likely offload your secrets management to the company who knows how to do that. So it is a very good tool because it's a cloud agnostic tool, and if you're unsure of what cloud you're going to operate on, or if you're operating across multiple clouds, public and private, Vault is a great solution for that. That was our first theme. Next, please. And the second thing was that we've noticed that companies tend to choose the secrets management solution that is native to the cloud where they run their workloads. And it's very natural, because you tend to look at the solutions that are available out there.
And the tools that got listed in the technology radar were AWS Secrets Manager, GCP Secret Manager and Azure Key Vault. And although it's a very natural move to use the secrets management solution from the cloud where you're operating, we recommend you take a broader look and consider using a cloud agnostic tool, especially if you're considering extending your footprint across multiple clouds. Next, please. The third, very interesting thing that we found is that cert-manager got a very high adoption in a very short time in the Kubernetes ecosystem. cert-manager is a Kubernetes native tool that is used for managing certificates. You can rotate them on a regular basis and ensure that they're up to date. It offers high integration with the rest of the Kubernetes ecosystem. And we believe that secrets management is top of mind for everybody who uses Kubernetes. That's why secrets management is such a widespread solution. Next, please. Other solutions besides Vault, the public cloud solutions and cert-manager were very fragmented in the technology radar. We usually offer a list of the tools to go by, but then as a user, before voting, you can put in your own solution that you're using in house. And something we didn't think of initially was that, for example, people were using encrypted data bags with DevOps tools like Chef, Puppet and Ansible. These solutions were offered by people and put on the list by people, but they did not get a wide adoption across companies; that's why you don't see them on the radar. And one result that was surprising is that some solutions like SPIRE, for example, which is an incubating CNCF project, didn't get enough adoption yet to be put on the radar.
And I think we know the reason why: it's a rather complex tool that covers many, many areas, and people are experimenting with it, and it might take time for them to get to full adoption and put it in one of the technology radar categories. So these are the four things that we've noticed in the secrets management radar process, and we are curious to hear your feedback and hear about the secrets management solutions that you use in house. That's it. Thank you.

One question in chat. Actually, there's quite a few questions in chat. Take it back. So where do you want to start? Because the first one is how does this particular tech radar response compare to other subjects done previously. And then there's a question from Liz as well. So Jim, Liz, do you want to raise your questions by voice?

Yeah, Jim St. Ledger, just looking for some comparison. I don't know if... I think Cheryl chimed in, you know, 29 companies, 79 votes. You know, is that a better or worse response than past tech radars we've done?

We've had a number of companies who responded, and the number of votes in this case was lower for the ones that actually went into the final radar, because there was a very long tail of projects and products that only had a handful of votes each. Okay, and it was thought that with only a few votes it wasn't fair to make a judgment on them. Right. Okay. Thank you. Liz, I'll pass to you next.

Yeah, I mean, Elena mentioned SPIRE not making it onto this assessment, and I just wondered whether, because it's not really general purpose secrets, as I understand it, I think it's more around identity. That's right. That's one of the reasons. Yeah. So not necessarily comparing apples with apples. That's right. It was mentioned on the list, though; it just didn't make it to the radar. Yeah, okay. Yeah, I don't think we need to...
I guess what I'm saying is I don't think we need to read anything negative into that about SPIRE, because it wouldn't have been central to this. Not at all. Yeah. Yeah. Were there any other tools missing that we might have expected to see there? I guess it's a good question to the audience as well. Are there any tools that you think should have been there and you don't see? Yes, Conjur does come to mind. Cheryl, do you remember if we had it on the list? Yeah, Conjur was on the list. As far as he said, yeah, secret list. I don't think so. It came down to the companies that were contributing to it, so they could add extra suggestions to the list of products and projects. I guess in this case they didn't. Keywhiz was on there as well.

So it's not a secrets store manager, cert-manager here. It is what? cert-manager is on the radar. It's really not a secret store or a secrets management solution per se; it's more a certificate distribution mechanism, right? And yet it ensures that your certificates are secure in a way that they're rotated on a regular basis and maintained in a reliable and secure way. Yeah, there seems to be a contention between what we traditionally call a secret, like certificates, which are more identities than secret material. And perhaps the scope should be brought into authentication technologies, which encompasses both: proof of possession as well as identities and recognition technologies, like SPIRE and cert-manager would be. Good point. Yeah.

So, hi. It's good to see Vault up here. The way we think about this often is, in order to worry about identity, there's a sort of dividing line between human and machine, and human to machine authentication and identity is very different from machine to machine identity recognition and differentiation.
And so sometimes we wind up in a situation where people are talking about their identity or secrets management, and you have to kind of chop down to the next level about what they mean by that. So authentication and authorization for, you know, individuals to access machine services or capabilities, service endpoints, is traditionally handled very well by lots of single sign on providers. So there's a lot of, you know, Okta and Microsoft solutions, but the machine to machine market is where secrets management winds up becoming the most sort of natural thing to do. And people have gotten by with certificate rotation, but once they actually realize it, they go to some real secrets management, and that's where Vault ends up becoming super popular. Notice that a lot of this chart on the radar looks very much like what we see when we're talking to customers. The only obvious one that is missing is CyberArk, which is usually the incumbent solution that someone's got, something like this that we're displacing when we're talking to them. So, yes, that's true. It's a fair point. Vault's support for both secrets and PKI may be the root cause for this.

What are people thinking of, or what's included under the encrypted repositories item? I guess one question I have when I see that is, well, where is the secret store that decrypts whatever's being held in the repository? My impression was that the secret was actually in the repository, and that was the bit that was encrypted, but I don't know in enough detail to confirm. Because I guess you can have encrypted images. I guess you can have encryption in the repository itself, whether we're talking about images or some other entity, but you need to get hold of a secret somehow to unlock that. That's quite intriguing. I think that's the master key, right? I think that's what you're talking about. Yeah, yeah. Yeah, I think Vault is...
I don't know if it has changed over the years, but I looked at it a few years ago and they were keeping that in memory. So essentially you had a cluster, so they recommended redundancy, where you have several nodes, like, you know, maybe three nodes, and that key was actually stored in all of the nodes. So if one of the nodes went down, then you still had the master key lying somewhere. But then the question came up: what if all the nodes went down, where would that master key be, right? But I don't know if they've actually changed some of that implementation over the years; they might have. They also have some capabilities for HSM, which is the hardware encryption appliance, I guess, that you can store maybe master keys and some credentials in.

I think HashiCorp Vault has some really nice technologies around secrets that can only be used a limited number of times or for a limited time frame, which is really good for that bootstrap problem. If you've got a one time use key, you're either the legitimate user of it when you use it or you're not, but then you know when you try to use it that somebody illegitimate already used it.

I hear a couple of things from what Ricardo just said. To Liz's initial point, there are a number of databases or repositories that can be encrypted that will act as your secret storage. In addition to that, what Ricardo said is, if you're placing any secret in there, you're going to need a decryption key to take it out. And in order to secure that decryption key, or store that decryption key somewhere, you need yet another secret, and it's turtles all the way down. And that's often what's referred to as secret zero.
And then there's an overlap there with identity systems as well, as you can break that turtles all the way down by, say, using cert-manager or using SPIRE to use that identity as the decryption key, and you don't have to worry, while at runtime you can attest the provenance of this, or the shape and size of this, or the code fingerprint. And based on that, you no longer need decryption keys, because you can use that as the master key. So with everything that's been discussed, it would be really good to extend the report, or do a write up in addition to it, because there's plenty of nuance that's not getting covered. So I think that people who are seeing this work for the first time would walk away with the wrong ideas or the wrong perception and actually not know of a bunch of other ecosystem components that can be elevated or discovered and put in use to have better security in place. So it makes sense to have, you know, SIG Security as the obvious contact point here, to maybe add a bit of color around this.

Cheryl, this is already published, right? It is published. I mean, we can do whatever we want, right? We can make changes to it. So the radar team that created this, I don't want to speak on their behalf, I don't want to change the judgments that they made with this. I think if Security wanted to take this as a starting point and then publish a more nuanced discussion or suggestions on it, that would be fantastic. I think that would be great.

It might be very interesting, actually. Ricardo just suggested this idea of breaking down the different solutions by categories. I wonder if it'd be possible to go back to the end users and say, here are, I don't know, 20 different tools, but broken down more into those categories, like what's PKI, what's certificates, what's application secrets, however we want to break it up. So this is actually really interesting.
We had quite a lot of discussion when forming this report about whether this truly was secrets management or whether this covered various categories, and which ones. So I agree, actually, the range of products and projects listed here doesn't quite match just secrets management. So it's a great opportunity to revisit this exact topic again, because every quarter we pick a different topic, do something differently. But I mean, Ricardo, if you wanted to shoot me an email afterwards, then maybe we can figure out something you could do.

Cheryl, I am one of the TLs for SIG Security, happy to work with Ricardo on that as well. Okay. Yeah, that would be fantastic. Just drop my email into the chat.

And I think this has always been just a starting point. I mean, it's always opinionated, always biased, and the more we can use to expand on this and give experts like yourself the opportunity to respond to it and add more nuance, the better for everybody. And at the same time, right, things are always going to move on, but I do think this is very interesting.

It's also very similar if you go back to the previous technology radars, like on observability and databases; everywhere we can benefit from nuances and follow up reports and conversations, and from being more detailed in categorizing the items from the radar.

So I'm going to note that key management is a separate category in the landscape compared to security and compliance. I seem to remember there's all sorts of areas of the landscape that are perhaps not quite... You know, those categories were drawn up some years ago; maybe it's time to revisit those. So there's security landscape work going on, trying to improve that area as well. I'm not sure actually where it's at exactly, but there's been some work on that. I think there was a definite unhappiness about how the thing was classified and what was in it.
So in the security landscape we're treating secrets and identities as distinct, as separate solutions that have very different considerations for the problems they solve. In some cases you can use both in combination, and in some other scenarios you may solely use one over the other. But yeah, they have very different properties, very different behaviors as systems.

I have a little side project that I'm currently working on, a little side group, which will provide feedback to things like the CNCF landscape to improve it. I wasn't going to announce it for a couple of months, because I'm still trying to get it together and get something useful out of it. But feedback like this would be fantastic, because then we can just go and change it and update it. There is a mechanism. I'm trying to figure out exactly how this mechanism is going to work to improve the CNCF landscape and other assets owned by CNCF, other content assets.

That's great, Cheryl. Thank you. When the end user technology radars are done, I know that the members of the committee for each radar can suggest whatever solutions they feel are appropriate. Do they actually look at the landscape as well? They do. Right. So if we do have some lack of clarity in the landscape, that's going to be, you know, feeding into a vicious cycle there, isn't it? Yeah, I think this was again one of the ones where we looked at the landscape and some of this makes sense, some of it not so much. Fair enough. That's great news that you're revisiting it. That's really good.

Yeah, just a teaser, right: the name of this group is Cartografos, the Greek for mapping technology, I think. The idea is that it maps out assets which will help people map out how to use cloud native technologies. Awesome. All right, any other questions from anyone about the technology radar, or comments?

Last comment. I think, ultimately, under the umbrella of everything security, it's all predicated on these building blocks.
So any way that we can energize the space for people, not just to reassemble existing components and expect different configurations, but to actually introduce breakthrough technologies and breakthrough ideas. And lastly, this will precipitate, well, if secrets, cert-manager here, maybe there's a world where there's just enough secrets and just enough identities, so we can reduce the blast radius of things. So I think we might be on to something innovative, breakthrough ideas. Like, I see the mention of compliance; well, better governance, better compliance is predicated on strong identities and very few secrets, only as many secrets as necessary. So I think a stride in that direction, so there's perhaps a framing that is all encompassing of different security dimensions and a broader narrative.

Are you thinking of this reframing as part of what Cheryl's just starting to work on with Cartografos, or is that something that's happening in Security?

I'm thinking in combination. It will be good to work with Cheryl; it sounds like she's also working in other areas around, well, how do people do modern interpretations of landscapes, like perhaps this is not a topographic map, it's more a subway map of what station you get on, and your life dictates your journey. And we can take, well, the report that's been done and the data from it, and either perhaps change the language so it's not as disparaging of certain projects, or shed light on why, how would this come into the equation, not being a secrets solution but secrets management. We can add a ton of color, like how can you leverage both in combination; we can also do the next set of things, like, what's the intersection of the two, and do a write up about it. Use the cloud native security landscape that's in the works for that purpose as well, and align with Cheryl's redo of the landscape.
So yeah, thinking a little bit scatter-minded and in every single direction, but starting to hear the semblance of something that we can perhaps form more thoughts around. I'd love to brainstorm with you on how to do those things together. Definitely, I'm open to new formats, new ways that we can produce helpful content for people. Yeah, just to help guide them. I think it's very hard for people who are not in this day to day, looking at it, to really understand the kind of reality; there's a lot of hype. I love cloud native, but there's a lot of hype. So anything that can help people cut through that and figure out what is really, truly coming down the pipeline would be great.

100% agree with that, and I think we have some very good articulations of, like, kind of 101, you know, how to adopt cloud native 101, but actually you don't have to go very far down the road before you realize, oh, there's a ton of security, observability, all kinds of other bits that maybe are a bit more confusing. But I do, I remain, I think these technology radars are a fantastic initiative. I think we're learning a lot about what's actually being used, and that's really useful. Thank you, Elena, for presenting the technology radar. Thank you, Cheryl and the team, for working on it. It's very useful information.

I have one more agenda item. It's really just, these are the votes that are currently open. Please get in there. That is all. There's nodding, so okay. Indeed, yeah. Please go ahead. Does anybody have any questions about those topics that are holding them back from voting? All right, short and sweet, unless somebody has additional items they would like to bring up today. Going...

What would be the next technology radar, Cheryl? Question. Oh yeah, I should have put a link into this. So if you go to cncf.io/tech-radar,
this links to a GitHub issue where you can make a suggestion for what a future radar should be, or you can thumbs up things that you're interested in hearing about. And then it will be up to the next tech radar team to decide which one they find interesting and think is worth having a radar on. So you will find out just like I will, in about two months.

Question: how long does it take to go through each one of the tech radars? About 10 weeks end to end. We pull together a team, they decide a topic, we survey the end user community, then the team decides on the final radar, and then we write it up and publish it. That's 10 weeks. They do about four a year. Yeah, we're doing quarterly. So the next one's probably June, probably just after KubeCon.

Are you seeing good take up from, and I mean, it sounds like it in terms of the number of participants, but, you know, are you getting good participation, are end users kind of getting value out of taking part? People love it. So one of the things that is really interesting about the way this is set up is that if you're an end user, you can see exactly which company uses what technology and what they think about it. There's a lot of private access to this data; externally you can only see the kind of aggregated version. So internally people really, really have found a lot of value in it; they go present it to their own teams when they're deciding on what technologies they should be using. Yeah, it's a lot of fun. People love it. Fantastic.

So, anyone with anything else they would like to bring up today, whether about the tech radar or anything else? And if not, you will get 25 minutes back for your leisure. Sounds good to me. Thank you so much, Liz. All right, thanks everyone. Have a great rest of your day. Thank you, Liz. Thank you. Thank you. Bye bye.