Posted by Akeyless
May 4, 2021
Enjoy this very informative and interesting interview where Oded Hareven, Akeyless CEO & co-founder, chats with Mitch Ashley of TechStrong TV about his journey in cloud security and how Akeyless provides a secure SaaS secrets management platform for the enterprise.
Below is the transcript of the interview:
Mitch Ashley: Well, it’s a pleasure being joined today by Oded Hareven, who is CEO and co-founder of Akeyless. Welcome. It’s good to be talking with you today.
Oded Hareven: Well thank you very much. It’s a pleasure to be here.
Mitch: Well, would you tell us a little bit about yourself, Oded, and tell us a little bit about Akeyless and what your company does?
Oded: Sure. So a bit about myself. I’ve been in the cybersecurity business plus or minus around 20 years, minus a small stop, but basically with the Israeli Defense Forces in the cybersecurity realm. I’ve been an officer in reserve for several years, later on in CA, Computer Associates back then, as an architect and later on as a senior project manager, specifically for cybersecurity projects in that realm. Then I took a short break for some B2C things with a great company named Moovit that was recently acquired by Intel, and this is where I am. Three years ago we started Akeyless. And this is where everything started, in a nutshell.
Now, for your question: Akeyless in a nutshell is a secrets orchestration platform. We call it the Akeyless Vault Platform, and it basically manages different types of secrets, which can be API keys, passwords, certificates, encryption keys and so on, unifying all of those use cases, both for machine-to-machine and human-to-machine.
And there are three major modules on top of that platform. One is that classic secrets management for the CI/CD pipeline, provisioning or injecting all of those secrets that are required in the CI/CD orchestration platforms and so on.
The second module is the realm of secure remote access, which is kind of a PAM 2.0 solution together with zero trust application access, where we are providing a whole solution to secure the access to any workloads within the internal or external world while we are creating credentials on the fly, short-lived certificates, short-lived credentials (just-in-time access).
And the third module is around data protection, by providing our own technology as a virtual HSM to act as encryption-as-a-service, full key lifecycle management, and in that realm of encryption and cryptography.
Mitch: Okay, good. I was just going to ask you about key lifecycle management, which is a whole other challenge. Oftentimes it’s easy to get started, but then, you know, when does this expire and what happened, where is it at, how did we get it updated everywhere, all that?
Oded: Yeah yeah. Totally.
Mitch: So, interestingly enough, I ran an organization that did managed services for keys for the entire cable industry for all the support boxes and wi-fi and for a number of energy devices, so I get that problem very much – fun challenges of it.
Well, that’s actually a really cool mix of technologies or solutions around secrets and PAM and key management. Are you cloud-based, or are you a combination of on-prem and cloud? How do you work?
Oded: SaaS first. Well, we are providing a SaaS platform, and for on-prem environments we basically provide a hybrid offering, where we have some kind of extension of the SaaS to the internal environment. It requires some kind of connectivity – we never approach from the SaaS directly to any legacy on-prem network, so we have some kind of a connector for that sense. It’s an API Gateway that connects between the internal world and the external world and the public network.
So, by that we’re able to provide a solution for legacy, on-prem private clouds, hybrid environments, and of course, multi-cloud, which is one of our great advantages.
Mitch: Well, interesting. So, the PAM, the secret management, key management – that’s not a new market. Why did you decide to go after this?
Oded: Well, first of all, everything started back then, back in 2018, when we started with the technology. The technology that we started with is called Akeyless DFC, Distributed Fragments Cryptography, specifically for cryptography and encryption key management. The problem was that we thought about, you know, our CTO came with the problem of how to run a root of trust in a non-trusted, distributed environment such as the cloud.
Because hardware obviously can no longer be the solution – it doesn’t scale well, you don’t manage your own hardware, there’s the CLOUD Act thing for federal governments that can grab your keys. And basically, there must be some kind of a revolution in the way that we look at root of trust.
So this is where Distributed Fragments Cryptography came to the world, where this is our core IP, our core technology, where we’re able to perform cryptographic operations using fragments of encryption keys without ever combining them.
So we’re basically creating fragments of encryption keys on different regions of cloud providers so there is no one cloud provider that can grab your encryption key somehow, and those fragments are never combined – not when they are created, not where they are being used – because the encryption takes place on the customer end.
By that and by having a customer key fragment on their own facility, we’re getting to a model where we’re providing zero knowledge. So it means that even Akeyless cannot somehow access the customer’s keys.
And then we understood that we can go into the secrets management world, because you asked about– you know, “PAM is not new. What made you go that way?” So we did not start with PAM at all. We started with the cryptography and the problems in that realm. After that, we understood that the best thing in order to leverage that technology is there in the realm of secrets management, which is specifically for workloads. This is definitely a new world. There are several competitors there, not a lot. The cloud service providers are running their own, and there is definitely a place for innovation in terms of how to provide that.
Just to cut things short, eventually we understood that we are in a very good position to provide a beautiful combination, a very innovative one, between the HSM to KMS to secrets management to privileged access management, and to SSH management, and all of those in one platform, and to provide all of those goodies from one SaaS platform for all of that.
Mitch: Cool. I’m curious, are you doing your own kind of root offline storage generation to use third parties to do that, or are you offering that as a service as well?
Oded: In terms of the virtual HSM?
Mitch: Yeah. Setting up the whole key hierarchy and starting with the offline storage and things like that. Or do you work with other third-party certificate providers?
Oded: So everything is proprietary by Akeyless. Basically, we are FIPS validated by the US NIST, so we are on our own. We’re basically running on top of several regions. We’re a multi-region and a multi-cloud operation where those fragments, which are never combined, are acting as the root of trust, and they are constantly refreshed. Malicious attackers that would like to gain access to your root of trust will need to attack several places at the same time, so it’s a highly secured environment. And this acts as those master keys and private keys that are being protected in a distributed way, and this is basically where everything starts – and it all runs on our proprietary technology that we have invented.
Mitch: Okay, good. Well, interesting approach. I can see where you’re differentiating and my experience is more kind of the offline HSM, but also online services.
Oded: That’s, you know, that’s exactly what you just said, by the way, Mitch. That’s exactly the thing. The on-prem world, where I came from also. I guess that you’re mostly familiar also with, basically, we are used to the HSMs that are offline somewhere on whatever rack that we put them on. But today, in a highly connected world, in a highly distributed world, where everything is multi-region and hybrid and so on, you can no longer go that path, and you need to have trust in an untrusted environment. And this is exactly why we brought Akeyless to life.
Mitch: Yeah, I can particularly see because I’m from– from my own personal experience, we were managing, especially like in manufacturing globally, things like that, partner ecosystems, you know, where are those things being stored. Is it some laptop on some manufacturing line, maybe?
Oded: All right, yes. Oh yeah.
Mitch: That whole thing gets down in the laptop, you know, whatever. Sort of managing that part of it is pretty challenging, so I can see where the cloud-based management of that and distribution of keys et cetera would be extremely useful. So, cool, I appreciate what you’re doing.
Oded: Thank you.
Mitch: Because people don’t realize how big of a challenge that really is. It would be great if everything was stable and not changing, but you know, once those keys are out there they’re out there.
Oded: You’re right. And it’s always about where is the emphasis? People are asking us, where’s the emphasis, where are we attacking the market, where are we going?
So, first of all, to begin with, the primary objective that we’re currently chasing is the realm of workload security, the realm of making your Kubernetes free of secrets – that secrets will be injected automatically at runtime. Your Jenkins jobs would be empty of secrets. Your source code would be empty of secrets, by just fetching those secrets at runtime from Akeyless to provide dynamic access and credentials for any container that spins up.
This is the realm that we’re focusing on right now, but definitely, because we have brought with us such a great cryptography world that lies right at the base of our platform, and because we understood that we can provide not just the machine-to-machine use cases but also the human-to-machine and the privileged access and so on, and add more offerings, we were able to successfully have all of those offerings in the same place.
Mitch: And I can see you tackling the sort of software tool chain, dev tool chain. As an interesting approach too, one of the things that usually typically happens, I’m sure, it’s not news to you, is those environments because tool chains get set up, right? And we don’t necessarily do good secrets management best practices all the time when that starts out.
You know, good intentions, but there’s a lot of things to do and so we might, you know, put clear text passwords or store keys and codes and secrets on servers and things like that. Oh, you have to rotate those? Yeah, I didn’t know that… exactly. And so, usually there’s a “okay, now let’s go and do this properly and kind of get that cleaned up. Help make that happen.”
What are the kinds of things that you can do to help people go from, let’s say, loosely managed, not best practice in secrets management, to distributed cloud storage where we’re not storing anything in scripts et cetera, and in tools? How do folks go from where they are to where they should be using your product?
Oded: Sure. So there are two things that we find over and over. One is to tackle the Greenfields. Obviously this is a known deployment strategy that we tend to find a lot, where, you know, always there’s a new environment that it’s easier to start new processes, especially in large enterprises, medium-sized enterprises, and so on. But the enterprise world, go for the Greenfield and then let’s talk about the new processes.
And actually, you’ll be amazed how DevOps and IT guys, not necessarily related to security, are all into secrets; they are all into understanding why this is so risky. And we’re very thankful for that, because it seems like this is not one of the realms where we need to explain why it is that important. Everyone understands that. So Greenfield, that’s number one.
Number two, we actually offer an automatic fetching and migration process where we are able to just fetch secrets automatically from known repositories of secrets. For instance, if you’re using Kubernetes secrets, right, most obviously you’re going to have a lot of secrets there, and if you would like to start managing them centrally within a platform, then instead of taking them one by one, or even writing some scripts, we’re doing that for you.
So, with time, we’re going to expand more and more those automatic migration tools to have it as seamless as a single click of a button.
Mitch: Okay. Excellent. Well, you had a recent funding announcement that just came out around Series A.
Oded: Yeah, I admit it. It was happening quite recently, we’ve announced it, I think today or yesterday, right? Very exciting. We’re very happy to have Team8 joining us and JVP all together as one big family. Both, by the way, are two of the most respected cybersecurity venture capital firms. Both of them have great successes, both of them have a great reputation, and both of them offer great added value. In that sense, we’re very excited to have them, and we welcome them and Team8 into our team and the management.
Mitch: Excellent. And just so folks know, they’ll watch this next week, so the announcement went out on the 29th of April.
Oded: Yes. We’ve announced the total funding of $14 million.
Mitch: Yeah. Great. So tell us, you know, usually folks that are Series A are investing a lot in product, maybe building up the sales team, how that’s going to happen. Are you doing direct sales, or with your partners? How do you work?
Oded: Yeah, so we’re doing both, obviously. You know, at the beginning direct is happening more, but we understand that we need to do both, and we are very into working with channels. It seems like a very successful way to do business, so we welcome those, and obviously, you know, I thought about what we are going to do with that money, what we’re going to do with our funding.
And some of it is cliche – we’re going to expand the development, expand the sales team, expand our marketing team – and so on. But you know, most of it, as you can imagine, is not just about expanding the team, it’s about the acceleration of the business, acceleration of the products, the growth, the understanding of how to go deeper in places where we have some plans. But we think that it would do good to go deeper with that, to be able to expand our understanding of what is actually needed. So it’s not just about, you know, recruiting more people, it’s actually doing better and accelerating the business as is.
Mitch: Yep. Accelerating, growing the business, exactly. Well, congratulations on the funding announcement. That’s always exciting, and bringing on your Series A folks and hopefully leading to more events like that in the future as well as success.