If you've filled out lengthy security questionnaires before, you'll know that any organization operating a software service will be asked for its security guidelines: usually some combination of SOC 2, ISO 27001, or IEC 62443 (for you industrial folks). Certificate, password and key rotation are required by all of these guidelines, but are usually left as an afterthought. Lucky for you, the best (and easiest) strategy to start with uses the systems and processes already in your automated workflows (you ARE using automated workflows, right?), leveraging the security services offered by your cloud provider. Then you can gather feedback on what works and what doesn't to inform a later purchasing decision for a dedicated security product.
In this talk, we'll dive deep into the benefits and challenges of implementing all the requirements of a basic secrets management and rotation strategy in Azure (one that could be extended to AWS as well), leveraging your existing automation pipelines (like GitHub Actions). We'll also bring in the real-life experience (and fun stories) of trying to run this in a constrained corporate Azure environment. By the end of this session, you'll have a strong understanding of how an effective secrets management strategy should work, so you can decide what to implement for your own team and how (avoiding the inevitable late-night manual key rotation that you put off until next quarter in order to launch on time).