Disclosure: I was an invited speaker for Teleport Connect and they paid my expenses. However, they have not seen or approved this blog post in advance. I live-blogged the conference here.
I attended Teleport Connect 2022 conference in San Francisco earlier this month. It was Teleport’s inaugural conference, and they brought together their tech team and customers to talk about the future of a platform that never uses passwords or secrets. It was fascinating to be along for the ride!
What is Teleport?
Teleport is an Identity-Native platform that does not use any passwords or secrets. They believe that if you eliminate secrets and adopt passwordless access, you won’t have to worry about them being leaked or stolen. You can remove the main cause of infrastructure attacks. This video explains how it works.
I love how the scenario involves an SRE getting ready to start his day. It reinforces how devops teams just want to log in and get to work. It’s the job of operations to provide the platform that makes that possible.
Security needs to be the Department of Yes
The keynote was given by Kevin Hanaford, Head Of Security Engineering @ Discord. Almost every talk returned to his theme during the day. He started out reminding us that the security teams have always been seen as the Department of No. This was done for good reason, to protect people from themselves. But when you think about it, people are at work to get their jobs done. If your rules make it hard to get their job done then they are just going to circumvent your controls to make it easier to get things done.
Kevin made a really good point, if they have to circumvent controls to get things done, then the controls have failed them. People will always go around policies that don’t make sense, and the only perfect security would be to shut the company down completely.
Security also makes the workplace more stressful to employees. For example, if developers have to switch context to log in to another platform/server/database, it creates friction and can be super frustrating. This is actually where human performance comes in! This is my favorite human performance book – I really should write about how platforms like Teleport are changing the landscape of performance interventions.
Kevin said that security orgs must become the Department of Yes. It can only be built by becoming approachable, helpful, and business-aware. Understand what security needs to do, and include your internal customers. Know what you’re protecting, understand the culture, understand your obligations (i.e. regulations), and listen. People WILL tell you what’s wrong if you listen to them.
Teleport Connect from the CEO’s vantage point
Ev Kontsevoy, Teleport CEO gave the second keynote. It as about scaling infrastructure access. I liked the definitions he gave. You have to admit that as we start to scale platforms to run multi-cloud workloads, our definitions are going to have to change.
- Access: connectivity, authentication, authorization, and audit. Can one solution do all of these things?
- Infrastructure: hardware, software, peopleware.
- Scaling infrastructure: scaling access (pain and risk) for infrastructure access.
Scaling software introduces complexity because there are so many layers, and the layers have their own log in, RBAC, etc. Scaling hardware is hard right now because all of it changing. And scaling people is hard because they come and go, use their own devices, work from home (or a coffee shop or on vacation..).
This is a lot to manage by itself, and then you have to figure out how to secure it all. You have to secure it without getting in the way of productivity. That’s hard, because security and productivity are in opposition to each other.
Most successful attacks follow a pattern: humans do something they shouldn’t, and attackers exploit human error. Attackers get in via the exploit, but then pivot to go after more critical systems. So try to design access systems so they doesn’t rely on human error. Secrets are leaked because of human error, so move from secrets to true identity. Teleport considers secrets vulnerabilities.
Continuous Same Day Teleport Delivery
This presentation was given by Sako M, Sr. DevOps at Gladly. I really enjoyed it because he discussed his automation journey. He reminded us that toil increases with every tool you add. Of course, toil impacts developer performance and makes everyone slower.
He developed a five level hierarchy for automation.
- L1 = manual, but this is where you build a playbook
- L2 = semi-automation, team comes together and decides what can be automated
- L3 = conditional automation,
- L4 = high automation, find more interesting work to do! Your job is safe, there is so much work to do1
- L5 = full automation, end to end, no intervention
Your Golden Path will be reusable, well-architected reference model. You can use a git repository to get started. And no matter where you are in this process, select the software that is appropriated to the level. He chose Teleport because it helped him scale his team.
I liked this talk a lot, it was very pragmatic. If you believe everything that is being marketed about multi-cloud workloads, you would think everyone has everything figured out. When in reality, only a few companies are at L4, let alone L5. Start where you are, and at every level improve your vocabulary and understanding of what it takes to become even more automated. This is how you end up with deploy metrics your org needs. As operations you are building the platform that helps devs deploy fast and frequently, without availability impacts of introducing new bugs.
Empowering the next generation
I was on a panel moderated by Mary D’Onofrio (Partner at Bessemer Venture Partners). The other panelist was Ada Lin, a security engineer at Teleport who has just made the jump to the platform team from the IT team. We talked about what it was like to move from ops to dev. But we also talked about how important the role of ops is. Some of us have been in ops for 20 years. It is amazing to see the tools and software improve to make an operator’s job so easy!
I don’t think 20 years ago a security department could have ever thought about being a department of yes, we just didn’t have the tools. And using a platform that thought passwords were a vulnerability? I can’t imagine that even being a consideration. But now it’s almost a necessity. If we are going to scale workloads, we’ll need the knowledge we’ve accumulated over the years as well as the tools that can actually get us to L5 automation.
What’s next?
If you’re an operations veteran, this is a great time to be in tech. So much is changing that it feels pretty chaotic. So listen, read, and learn as much as you can. It is critical that we learn why the new methods to do things like security are being introduced. It’s important to bring your experience to these new tools, but make sure you don’t dismiss them out of hand. Let’s evolve and help the next generation so they don’t have to go through all the toil that we did.
I’ll be at AWS Re:Invent next week. I’d love to get your thoughts on evolving into the multi-cloud world.