Admiral Mike Rogers discusses the current state of cybersecurity and how we can better secure our enterprises from malicious attackers.
Zero Trust Access with Akeyless and Red Hat
Kelly Switt, Global Sr. Director, Red Hat
At Red Hat, Kelly has responsibility for the Financial Services industry strategy and the growth of industry partnership model. Over 17 years of experience in Financial Services at some of the largest global banks across all major core banking competencies. Her focused approach has led these organizations to achieve goals from securing market share through new product entrance, M&A integration management and end to end value chain digitization.
Preston Davis, Principal Software Engineer, Red Hat
Experienced Principal Software Engineer with a demonstrated history of working in the computer software industry. Strong consulting professional skilled in Domain Name System (DNS), BMC Remedy, Servers, Data Center, and Networking.
Kelly Switt: Well, thank you very much for the Akeyless team for having us. And we are excited to be here and talk to you a little bit about our partnership. I have my esteemed colleague, Preston, who will definitely get into a lot of the technical details. So, just by way of background, prior to coming here at Red Hat, I spent 20 years working in financial services, very much in the delivery management business. And the last couple of years, I ran one of the digital transformation programs. And that was my first experience on everything that has to change about the way that people work, from the pipeline in the IT organization, all the way through how the business interacts and understands security requirements of the future.
So, when I came to Red Hat, and when I look at what we do within financial services, if we’re really honest with ourselves, so much of what happens in this industry, it’s not new. It’s not it’s not super cool in financial services, though we try to make it seem cool. And a lot of it is really a big transformation that’s happening right now from brownfields into something that is rather new. So, when you think about really trying to do that transformation of the legacy, it’s very different than building new. And so, that’s a big reason why a lot of them turn to Red Hat and some of the offerings that we have, because it allows for that hybrid cloud experience, move into the public cloud, as well as create the private cloud.
And so, when you think about the security changes that really come with those changes in the movement that we’re seeing in the application space, it really requires a very different philosophy around security. And so, when we started the conversations with Akeyless, it became very clear that they were a missing piece. So, we have a lot of partnerships with a lot of different security partners in the industry. But there was a key kind of factor that was really missing when we looked at our ecosystem. And Akeyless is really providing that missing piece. And so, when we look at what some of our customers are doing, and as they move into the public cloud, the idea of really what we talk about all the time with, “Don’t get locked in, don’t lock yourself into a public cloud,” without having the right type of security architecture, and key structure, in particular, most of what’s out in the market, you’re going to get locked in, at least from a key management perspective. And that, to me, is part of what I saw is the missing piece that we had, and a key differentiator that Akeyless is really bringing into many of our architectures.
So, with that, I’m going to turn it over to my friend, Preston. And he’s going to walk through some of more of the technical value that we see coming from the partnership we’ve built together with Akeyless and even giving you a little bit of a show, a demo, if you will.
Preston Davis: Just a little bit of one. So, let’s go ahead and progress this here. So, one thing I’d like to mention before hopping deeper into the slide deck is an item that Kelly brought up just a moment ago. One of the things that we’re seeing a lot in Red Hat is not necessarily greenfield deployments for security, and that security pattern, what we’re seeing is migration or movement of the currently existing ecosystem that many of our clients have. And we see that going towards a modernization pattern. Alright? Slightly different than pretty much a lot of the items that was discussed today.
And the reason why I’m bringing that up is because, over the last 30 or so clients that I’ve actually dealt with directly, not one was greenfield. Doesn’t mean that that’s the case all over the place. Right? I’m not saying that represents all of the work that we’re doing at Red Hat or all the work that we’re seeing with our clients. But what I am saving is, what we’re seeing holistically throughout the ecosystem, the ecosystem that we deal with, which is everything from Fortune top 10, all the way down to mom-and-pop shops, what we’re actually seeing is more of a modernization of patterns. And it’s taking a lot more effort to provide the education that’s needed in order to help clients on that journey. Alright?
Well, with that said, let’s go ahead and hop into this slide deck. One of the things that we’ve heard quite a bit about today is Zero Trust. And you heard some very good speakers give a lot of great information about Zero Trust, its definition, what it’s there to do, the problem that it’s solving. One of the things I would like to add to this is, not only the problem that it’s solving, but again, the education that’s required in order to meet this standard. Right?
Zero Trust isn’t just something that we can turn around and say, “Hey, if you do X, Y, and Z, the you meet the pattern.” It’s not that simple. If it was that simple, then this magic bullet would have been shot about 20 years ago. Right? So, when we’re talking about the Zero Trust model, we’re talking about these patterns, these processes, the way that we can ensure that we have security end to end, what we’re talking about is definitely the applications, the components, the ability to ensure that we have separation between the administrators of the platform and the actual value that they’re trying to administer.
But we’re also talking about the ability to educate the team, the environment, the organization to this pattern. Because just running Zero Trust model on one particular component of your environment, it’s not end-to-end Zero Trust. It’s just an anti-pattern in one segment of your environment. Right? So, we want to go ahead and hit that target end-to-end. If you’re dealing with an ITIL shop, then we want to make sure that we’re adding into your ticketing system, your CMDB, all of these different components that help to build your ecosystem, all of that needs to match this pattern. Alright? We want a holistic approach.
So, to that end, we see Akeyless really helping out in this field. Several of the things that they offer help to provide that additional piece that has been missing, as Kelly had mentioned previously. So, things such as the integration with the larger ecosystem of your authorization patterns, the ability to separate the raw user tokens, credentials, those API calls from the actual application itself, those are critical pieces. Akeyless definitely helps to drive that their secrets management is a fantastic tool. Their total vault platform really covers the need that I think a lot of clients are missing. So, let’s dig a little bit more into this. And let’s dig into it from a Red Hat perspective.
So, from a Red Hat perspective, OpenShift is one of our flagship products. Alright? It’s one, if anyone in here is using Kubernetes patterns, they’re doing it on large scale, then you pretty much have heard of us. The OpenShift platform is currently industry leading. It is a platform that is designed to be completely your choice, as far as how you choose to deploy it. If you want this to run on bare metal on-prem, or if you want it to run in the cloud, your environment, your deployment environment, your application environment, the actual platform itself, is going to be the same. The only difference is where you deploy. Right?
So, from that perspective, when we’re looking at our baseline, again, choose your architecture. We’re not going to lock you into that. You choose your architecture. What we’ll add on top of that is going to be our immutable operating system, which is CoreOS. It’s designed to be something that you can have run that will not change unless you choose to change it. And if you choose to change it, there’s documentation that’s associated with it. There’s custom resource definitions that drive that change. That change does not happen in place. If you change your CoreOS system, then we replaced the entire base. Right? So, that VM, that instance, that deployment that you have, gets replaced with the design that you just created. If I update my kernel on a CoreOS note, I take down the old note, I replace it with the new. Okay? Just trying to level set the playing field here, make sure that pattern was understood.
On top of our base, we have the Kubernetes environment. And again, we’re not changing that. It’s standard. It’s the same Kubernetes you’re already used to, same Kubernetes you’re familiar with. Right? I’m spending a lot of time on this lower stack, because when we get further into the slide deck, we’ll see the demonstration of the Akeyless integration into the OpenShift platform. But again, the Kubernetes stack, it’s pretty much standard. The modifications that we make happen above Kubernetes.
And it’s not modifications of the Kubernetes’ core. That core is still the same. So, when Kelly mentioned previously that you don’t want to be locked into a cloud provider, we also think the same about vendors, even us. Right? So, Kubernetes, cluster services, your application stack, your runtime, all of these components are part of the OpenShift cluster. And, again, when you deploy that cluster, when it runs, that cluster will run the same on-prem, in the cloud, wherever you choose to deploy it.
Now, the portions that we’ve been missing previously, and Kelly, I’m asking you a question here in the second, the portions that we’ve been missing previously from a usability perspective has been the components in regards to control of secrets management. You’ve heard a lot of people talk about this today, secrets management is one of those pieces where you hear a lot of talk about what needs to take place, how it should look, but you don’t hear a lot of talk about the education of the client. Right? And this is a component that I believe is missing. So, my question to you, Kelly, in our FSI ecosystem with the clients that we’re dealing with, how frequently have an issue is this question in regards to secret management?
Kelly Switt: It’s one of the first things that always comes up, whether we’re doing a technical due diligence on a new FinTech or startup, it’s looking at security procedures, or we’re looking at how does this actually… how do we create, 1, the platform for our customers? But then 2, how do we actually run the applications, the deployment of the applications? The first thing that is always talked about is security. The CISOs of the world have done a fantastic job to make every developer think about security first. It’s just whether they know what the security standards are for their particular organization.
Preston Davis: Exactly, exactly. And so, one of the things we particularly love about this Akeyless Vault platform, is the fact that, number 1, when we’re talking about secrets management, secrets are created as first-class citizens. It’s not an afterthought. It’s not something that you have to build into. Right? It’s something that’s built into the system. So, you get that day 1. Right? Pretty critical. Right?
Along with the secrets management is the secure remote, which helps to alleviate some of the issues that we used to run into previously, where we would need tools like Snoopy, for example, in order to record key logging, alright, to identify what changes are being implemented on the system, or to be able to have remote playback. Right? So, it’s, it’s good to have all of these components, all of these sub pieces built together in one platform. That one platform is the Akeyless Vault platform, and it provides us with the services that we believe are beneficial in this ecosystem. Alright?
So, moving on. I wanted to briefly touch on this slide simply, because, again, you’ve heard a lot of conversation about most of these components today. These components, again, are included within the Akeyless Vault platform. And these components are things that, again, in my opinion, are not getting enough recognition as far as a need within the industry and the education that needs to go along with it. Right?
So, when we’re talking about granular machine identities, I wouldn’t stop at just machines, but granular identity management of the machine and the user. We need to be able to trace both ends of this piece and tie those pieces together. That’s something that’s not new. You’ve heard that discuss many times before. I like that, again, within this Akeyless Vault platform, it’s included as another first-class citizen.
Taking that down to least privileges. Inside of the OpenShift platform, inside of Kubernetes. In general, alright, you’ll see that the environment itself has a component called an SCC, security context constraint. That context constraint basically states that, when you’re executing a product or program, the run of that program will not use additional privileges, unless you specifically tell it to do so. So, things such as SCC for privileged or SCC for any UID.
These are security context constraints built to help to provide security as a first-class citizen, to remove that elevated privilege, so that you don’t have the higher likelihood of something executing as a root user and taking control of your ecosystem. Right? Log usage and admin tasks, analytics and insights, integrations with your SIEM. Again, in and of themselves individually. They’re fantastic tools. But when you include all of these together in one package, that’s a pretty awesome tool. And I like to add that into the OpenShift platform.
So, in order to do that, I decided to go ahead and create a simple little script to test out the deployment of the Akeyless platform to technically, technically to go through, create my access ID and my keys, to go ahead and create my roles, set my permissions for the roles, go ahead and do a test deployment, and to validate that I’m actually able to pull keys from a container inside of the OpenShift platform, just as a validation component. Right? So, that’s pretty much what you’re seeing on screen.
Now, I do have to call out one piece here, which is the SCC that has to be modified for the Akeyless integration component to work. The mutating webhook that’s used with the Akeyless integration engine (I’ll call it that) requires privileged access. So, it’s a level of trust that we have to give to the platform in order for it to do its job. Alright? If you’re comfortable with that, if you understand the implications of that, fantastic. That’s one less conversation between us. If you do not understand what that means, this is a question you need to ask, especially if you’re dealing with containers in a PaaS, or specifically, in Kubernetes. What does it mean to provide privileged level access? More on that in a second.
So, after providing that system account, I go through and create an application, create a new namespace called validation, create an application that runs through and tests the pool of secrets that are stored inside of the Akeyless secrets management tool set to validate that, in OpenShift, I can actually pull those secrets. This entire setup took less than 2 and a half minutes. I’m going to say that again. The entire setup, the deployment of the Akeyless injection engine, the integration into the OpenShift platform, the Kubernetes-based ecosystem, tying into our security standards, modifying our SCC, creating an application and being able to use that application to source secrets from my trusted upstream provider took less than 2 and a half minutes.
Kelly Switt: Oooooh!
Kelly Switt: I think that’s what you were waiting for.
Preston Davis: That’s what I was waiting for. Thank you. So, I’m focusing on that because there’s not many providers in the market today that I’m currently aware of that can provide that level of integration that quickly to that extent and with that much depth. Right? It’s a pretty nice thing to have.
Kelly Switt: I was going to say, like actually, like when I think about some of the work that we do with some of our customers, and even some of our partners, when we go to set up their security architecture, when you get to the place of actually like, “Let’s go and execute,” we end up spending usually a matter of 6 to 8 weeks. That’s probably the least amount of time that I’ve seen…
Preston Davis: Yep.
Kelly Switt: Really doing the full setup of the security architecture and getting things reviewed by the CISOs and whatnot in order to be able to move from a Dev environment into like, “Let’s go ahead and be able to build the next set of environments.”
Preston Davis: Exactly.
Kelly Switt: So, I would agree this is significant.
Preston Davis: Yeah, it’s very impressive. And as Kelly just mentioned, on average, when we’re going into let’s take a new-to-Red-Hat client, and we’re providing them with education on the current lay of the market, not only what’s available from Red Hat, but what is actual industry trends, and we’re talking about those capabilities and we’re identifying what they would like to do as a POC and identify what components they want to have, what’s a must have, what’s a good to have, and what can we do in between, when we’re doing all of these things and we’re setting up that first ecosystem for them, on average, it’s about 6, 8 weeks.
So, to be able to jumpstart this with security as a first-class citizen is critical. It is something that helps to drive the conversation to make sure that the client is aware of, not only what they’re getting from Red Hat, but what they need to pay attention to for their infrastructure, for their tools, for their people, for their machines, for everything that is part of who and what they are. Secrets management, identity management, people management, all of this is a part of the larger security ecosystem. Right?
We don’t want to just focus on one piece. But the portion that we do want to identify today is a piece that Akeyless plays within it. And it’s a pretty significant piece. Very happy with the work that we’re seeing there. So, with that, we thank you for your time. And we’ll talk to you next time.