Przemek Sempruch
1 min read · Nov 9, 2019


It is nice to see an article covering that quite obvious principle saying “secrets must be secret”, which is very often not followed end-2-end by implementors. Thanks for that.

Referring to access control and practicality vs security (they always seem to be at opposite ends), very soon Azure KeyVault will be the tool to store and manage access to secrets. Although currently it is not possible in KeyVault to set an ACL per secret, Microsoft announced it should be possible at the beginning of 2020. Then, we will be able to give READ access to Azure DevOps as well as to the privileged ones such as Live Operators. It seems you cannot lock everything down and retain the ability to react when something goes down.

Cheers
