The State of Cybersecurity
Admiral Mike Rogers discusses the current state of cybersecurity and how we can better secure our enterprises from malicious attackers.
Oded, a veteran of the IDF Cybersecurity elite unit, specializes in Identity and Access Management technologies and has held various senior product and project management positions in both enterprise organizations and startups. Among his previous roles were Director of Product Management at Moovit (acquired by Intel) and Senior Project Manager at CA Technologies. Oded holds a BA in Management & Economics from the Open University of Israel.
Thank you so much, Dr. Cunningham. And thank you, Admiral Rogers, for your words. Definitely important things to remember. So, yeah, we’ll have that running. This one. So, this year has been phenomenal for Akeyless. I’m not sharing that with you to brag. I’m sharing that with you, and we’re here to share that with you, because we’re very much excited about the traction that we’ve seen, and the number of customers that we’ve been able to establish connections and relationships with across segments and industries, in different sizes. As you can see here, 77% of our customers are mid and extra-large enterprises, while 78% of our revenue is coming from publicly traded companies.
Now, during this year, we’ve also been able to get certification and recognition from various parties, such as SOC 2 and FIPS, as well as the analyst community, Gartner specifically, which has mentioned us at least 5 times in the last 5 months. It seems that we have rightfully earned the right to be called today a leading solution for Secrets Management. Thank you.
Now, this brings us to find the time and think about what the product values were that we chose to focus on when we started out. So, the first one was enterprise scale. The second one, product efficiency. And the third is innovative security. That was what we chose to focus on. Today, we actually have great examples in action of the path we’ve taken, and of what made those values actually exist and come to life.
So, in terms of enterprise scaling and availability, we have established a multi-region, multi-cloud operation. We’ve received certifications, as I’ve mentioned. And we’ve taken some measures to provide as many logs, audits, and monitoring as we can. In terms of product efficiency, our self-service, quick onboarding, integration center, and other elements that we’ve added allowed us to go from around 45 days of POC-ing the technology at the beginning of this year, or the end of last year, to an actual 2 weeks of being able to demonstrate what we do, and that is extremely fast in our industry.
Now, in terms of innovative security, some of you may know our Akeyless DFC, Distributed Fragments Cryptography (and I’ll talk about it in a minute), which is basically an innovative Key Management System. But besides that, Universal Identity is also a technology that we have invented during the last few years that allows us to solve the secret zero problem.
Now, besides those, we have other features that we have added during the last 2 years that have brought us to the place where we’re actually innovating in our own space. Now, those are examples of features that we’ve added, some of them actually quite recently. The fast onboarding and the integration center that we meant to basically make it very easy for developers, for DevOps people, engineers, security, architects, for everyone, to be able to quickly connect their internal devices, their internal cloud forms. Insights and usage reports, of course, to be able to understand exactly, “What’s happening within my network? How many machines are asking for whatever secrets? How many dynamic secrets do I have? How many encryption keys are being used?”
And last, the SaaS extender monitoring. We have a SaaS extender that allows us to extend our service to on-prem legacy environments. And some also prefer to work with it, even with their cloud environments, because it has caching mechanisms and other goodies.
Now, in terms of our technology named Distributed Fragments Cryptography: when we started, that was the initial one. That was the root, the core technology that we have built everything on top of. The reason that this was invented is in order to provide a Root of Trust in a distributed, non-trusted environment in which, today, we are not managing our own hardware, we are not managing our own servers, because they’re on the cloud. So, suddenly, there’s a problem where we cannot trust anyone that actually saves or protects our secrets and our keys. It’s not us any longer. Right? You’re putting it somewhere in the cloud. So, we had to come up with a system that would allow us, everyone in this room, to trust some service provider, in this case, Akeyless, to be able to protect their encryption keys and their secrets.
In a nutshell, Akeyless has the ability to perform cryptographic operations using fragments of encryption keys that are being stored in different regions and on different cloud providers. And the actual encryption takes place on the customer side without ever combining the fragments. By the way, this is why we’re called Akeyless: keyless encryption. We’re able to do that without combining those fragments. So, there is no point in time or any physical location where those fragments are being connected, not when they are being created, and not when they’re being used.
Eventually, enhancing this model also with the ability to create fragments on the customer side (which means 4 fragments in that example), this kind of model assures that neither Akeyless nor any other party besides the customer itself has the ability to decrypt the secrets, because we have zero knowledge of your encryption keys, and eventually, we have zero knowledge of your secrets and we cannot decrypt them. This is why you can trust the SaaS.
DFC also allowed us to natively evolve into data encryption use cases, such as managing the full lifecycle of encryption keys, Encryption as-a-Service, the KMIP protocol, and of course, to be able to manage other Cloud KMSs, to be able to provision to those, and basically to unify your entire encryption key management within the organization.
But moving back, the most common use case that we’re solving within secrets management is machine secrets. Basically, the secrets that we’re protecting are being saved on our SaaS environment, on our core environment. And whenever a certain customer application, and that can be a homegrown application, that can be your CI/CD pipeline, it can be any one of your DevOps platforms, orchestration, production, Kubernetes clusters, whatever, we communicate with those via plugins, SDKs, RESTful API, whatever is needed. And the application itself is basically able to fetch those secrets at runtime, so that, eventually, no one would be able to grab those secrets. Later on, those applications use those secrets that were provided and decrypted at runtime, and they use them in order to authenticate to other resources.
Now, fetching secrets, that’s a very, very basic capability. We also have the ability to create just in time secrets, which are temporary credentials or short-lived certificates, whenever they’re being asked for. The third very important capability is to be able to rotate those secrets. Remember, just in time is about having a temporary credential, but what about those administrator and root accounts which cannot be provided just in time? They need to be rotated, their passwords, right? So, we also provided an ability to rotate those passwords and credentials for those local operating systems and local SQL admins, root accounts, and so on.
So, as you’ve heard from Dr. Cunningham a few minutes ago, this is just part of the problem. What’s happening with humans? Okay, so we’re solving the problem with machines, providing them secrets and being able to protect those, but eventually, there are also humans. What happened at the beginning is that we asked, well, basically, customers asked us to try and provide some solution for that, given that we had provided them with a very good solution for machines, which is highly scalable and able to act in many different environments, including also on-prem and so on. But customers said, “Listen, something is going on here. With human access, we’re using a lot of different tools. And it takes us a lot of effort to provide remote access to our internal services.”
By the way, 10 years ago, speaking about remote access, that was a completely different requirement. Today, when we have workloads on the cloud, everything is remote access. Everything. Once, we had our own network, sitting in the data center, within the same segment, and doing whatever we had to do. But today, again, on the cloud, everything is remote.
So, those are the tools that we found after we investigated, looked around, and tried to understand, “What is it that customers are currently being asked to deploy in order to get that remote access?” VPN, which begins with fixed credentials that you need to provide to a VPN infrastructure. After the VPN, you need to have some kind of password vault solution. So, you’re logging in once you’re inside the network, and now you need to log into another tool. And then either break glass, copy/paste that password, and then go manually to that server that you need. Or, in a better case, there is some kind of seamless login to that, but then you’re not using just in time. And then there’s another agent that you need to deploy in order to record the session, in order to monitor the activity, and so on and so forth. That was a hassle. And we said, “We can do better.”
So, today, I’m very proud to announce our secure remote access product, which is ready for everyone to use, try, test, and sign up for within our service at console.akeyless.io. Thank you.
So, replacing all of that household basically with one Akeyless Bastion that would allow, and already allows, seamless connectivity end to end from the minute you want to work, whether you’re in your home office or wherever, regardless of where you are, you’re able to log in seamlessly, and the Bastion would be the one to create your sessions, to basically understand and justify the access, to provide just in time access later on, and to make sure that you’re getting this access just once.
So, first of all, just to give you a better clue about what this looks like: number 1, we’re providing a seamless experience using identity provider interfaces, which also allows you to take the passwords off and to configure multi-factor authentication via those identity providers, and then to get a portal of applications that you’re actually eligible to open.
Now, this portal is being built dynamically according to the permissions that you have within the Akeyless vault platform. So, I’ll speak about it in a few minutes, but just for you to know already from now: everything that I’m about to show you sits on… is basically implemented on top of the same platform that we’ve created. Although it is another offering that we’re providing, it is integrated with the same screens and administrative screens that you’re already aware of. And the RESTful API is the same, and the tools are the same. And the Akeyless CLI is the same. Everything is in the same platform, including also the policy. I’ll go into that within a few more minutes.
So, I’ve mentioned earlier what happens whenever you’re creating a login. Let’s say that you’re clicking on one of those, you wish to go to an SSH server and start a session with it. Then what happens is that Akeyless, in the background, via the Bastion, would create a short-lived certificate, would inject that automatically into the session, and from then on, you can just go ahead and do whatever you want. Think of this. This is a seamless end-to-end experience where I’ve just logged in with my Okta, Ping, Azure AD, whatever, and from that moment, I’m getting access directly to that server without providing anything, without opening up any other tool, whatever. And what’s even more important, it has agentless session recording. I’ll get to that also.
Now, in terms of more capabilities, within that portal, there is an in-browser command interface, RDP, and also SQL that you can have with it. Basically, any type of protocol that they wish to work with, we’re enabling. And also, we are providing web isolation for any type of use case that involves not necessarily privileged access. So, basically, you would be able to go into an environment with, again, a seamless experience, but the browser that you’re actually running is not running on your laptop; rather, it is a video stream that is being streamed to you. And the actual browser is running in a Docker container on the Bastion.
Third, we are thinking about those engineers, DevOps people, architects, the techy guys who really want to work natively with a command line interface. They need to run automation from their laptop. They need to do all kinds of very important stuff. And they don’t want to mess with anything about reopening all kinds of windows, reopening other tools and copy-pasting stuff, and so on. They need to work fast.
So, Akeyless Connect, which is, again, part of the same CLI that we are providing, enables that. You can run any type of command line interface, any type of protocol, basically. We support SSH and kubectl and SCP. And we support MySQL and many others. I’ve mentioned earlier the agentless session recording; this is actually within the Bastion itself.
So, the Bastion is composed of 3 layers of protection. The first layer is actually the operating system isolation layer that isolates the user, actually creates another just in time identity on the Linux machine itself, and makes sure that this session is hardened. So, there will not be any chance of 2 people going through that Bastion being able to jump between those sessions and maybe do some harmful things.
The second layer is actually the application itself that you’re running, either web isolation or a command line interface for whatever protocol you wish. And that is also hardened specifically for that session. And the third level is the session recording capabilities. That session recording, by the way, has some extensions in terms of HTTP connections. If you wish to better understand and investigate what’s going on in this HTTP connection, if there are any concerns about a potential leak, DLP processes, you would be able to connect to that Bastion and better understand what’s happening in this session.
With the secure remote access that we have just announced, we are providing today a unified engine that allows you to actually control what happens with both machines and humans. Everything is built on top of the justify, just in time, and just once principles.
Now, I’ve mentioned earlier that we’ve done it on top of the same platform. Let me be more specific. The role-based access management, the roles basically that you’re creating within Akeyless, that you have once done with a secrets management solution, having a secret, having a machine identity, and connecting them basically with the inclusion of an access role, you would be able to do the same within the same tools and the same objects, rather, having the identity be completely agnostic to whether that identity is machine or human. So, the language is the same, and you don’t need to invest more knowledge in order to actually start running this service.
We’re very proud of this connectivity, because the hassle of having a lot of different tools, this is something that we can definitely help with, having an all-in-one approach. Now, if you remember what Dr. Cunningham just mentioned, in the world of Zero Trust, there are solutions, no doubt. There are 2 distinct worlds. One is machine-to-machine, which has traditionally been provided solutions by micro-segmentation products. There is the world of human-to-machine, which has traditionally gotten a solution from the world of Zero Trust network access.
But one layer needed a solution in the realm of IAM, the world of applications, the world of credentials, what happens if someone is grabbing credentials. So, our solution today, the unified solution of secrets management and secure remote access together, provides a solution for that missing layer that we’ve been missing.
Eventually, this is what it looks like. The secrets management on the side, on the right here, to manage workloads, the CI/CD processes, the DevOps, the pipelines, the orchestration layers, and so on, your Kubernetes clusters, everything that requires short-lived certificates and short-lived credentials and so on. And on the other side, the humans, for whatever needs they have, for whatever protocol, whether this is a privileged user or not.
Eventually, they’re all going through a trust broker authorization engine, which is the combination. This is the role-based access management, as I’ve mentioned. This is the unified platform. So that eventually, when they need to log in to wherever they need, or if they need that secret in order to operate, they will do that via this mechanism, and you will be able to understand exactly, using our monitoring and log management, what was happening.
So, I think that this is it. But before I leave the stage, I would definitely invite you all to join us at our next KeyConf in San Francisco next February. Thank you so much for your time, and I hope you’re enjoying this day. Thank you.
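The talk describes the fragment model only at the level of the property it gives (cryptographic operations performed with key fragments held in different places, a customer-held fragment among them, and the fragments never combined). The following is an added illustration of that property, not part of the original talk and not Akeyless's Distributed Fragments Cryptography, whose internals the talk does not describe. It uses textbook RSA with the private exponent split additively into four fragments (an assumed layout: three service-side, one customer-side); each holder applies only its own fragment and only the partial results are multiplied together, so the private exponent never exists anywhere after key generation. The two Mersenne primes and the sample message are constructed values for the example.

```python
"""Added illustration: decrypting with additive key fragments that are never
combined. This is generic textbook-RSA arithmetic, not Akeyless's DFC.
"""
from __future__ import annotations

import secrets

# Constructed sample modulus from two Mersenne primes (2^61-1 and 2^89-1):
# large enough that the arithmetic is not a two-digit toy, small enough to read.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # private exponent; only needed once, at key generation


def split_exponent(d: int, parties: int) -> list[int]:
    """Split d into `parties` additive fragments modulo PHI.

    sum(fragments) == d (mod PHI). All but the last fragment are uniformly
    random, so any proper subset of fragments is independent of d.
    """
    fragments = [secrets.randbelow(PHI) for _ in range(parties - 1)]
    fragments.append((d - sum(fragments)) % PHI)
    return fragments


def partial_decrypt(ciphertext: int, fragment: int) -> int:
    """One holder's contribution: c^fragment mod N. The holder never sees d."""
    return pow(ciphertext, fragment, N)


def combine_partials(partials: list[int]) -> int:
    """Multiply partial results: prod(c^d_i) == c^(sum d_i) == c^d (mod N).

    Only the partial results meet; the fragments themselves never do.
    """
    out = 1
    for value in partials:
        out = (out * value) % N
    return out


def refresh(fragments: list[int]) -> list[int]:
    """Re-randomise fragments without reconstructing d.

    Adds zero-sum random deltas, so the sum (and therefore d) is unchanged but
    every fragment value is fresh. Useful when a single fragment may have leaked.
    """
    deltas = [secrets.randbelow(PHI) for _ in range(len(fragments) - 1)]
    deltas.append((-sum(deltas)) % PHI)
    return [(f + r) % PHI for f, r in zip(fragments, deltas)]


def encrypt(message: int) -> int:
    """Public-key operation; needs only (N, E)."""
    return pow(message, E, N)


def demo(message: int = 0x2A2A2A) -> dict:
    """Run the full flow and return the observable results for checking."""
    # Assumed layout for the illustration: 4 fragments, one held by the customer.
    fragments = split_exponent(D, 4)
    ciphertext = encrypt(message)

    partials = [partial_decrypt(ciphertext, f) for f in fragments]
    recovered = combine_partials(partials)

    # A party holding three of the four fragments still recovers nothing useful.
    without_customer_fragment = combine_partials(partials[:3])

    # Rotate the fragments in place; decryption keeps working, d is never rebuilt.
    refreshed = refresh(fragments)
    recovered_after_refresh = combine_partials(
        [partial_decrypt(ciphertext, f) for f in refreshed]
    )
    return {
        "message": message,
        "recovered": recovered,
        "without_customer_fragment": without_customer_fragment,
        "recovered_after_refresh": recovered_after_refresh,
        "fragments_changed": refreshed != fragments,
    }


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

The property that carries the design is the homomorphism c^(d1) * c^(d2) ... == c^(d1 + d2 + ...) mod N: each holder computes with only its fragment, and a holder missing even one fragment gets an unrelated residue rather than a partially decrypted message. The refresh step shows why additive fragments are convenient operationally: fragments can be rotated without the key ever existing in one place. For a real deployment the partial results still have to travel over authenticated channels and the customer-side step should run where the customer controls it; none of that is modelled here.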