
Akeyless Executive Conversations

Ross Young, Former Cat Financial CISO, and Oded Hareven, Akeyless CEO & Co-founder

Oded Hareven: Hey, I’m Oded Hareven, the CEO and co-founder of Akeyless. Join me for my fireside chat with Ross Young, the former CISO of Caterpillar Financial, to talk about the current challenges of security, identity, securing machine identities, and protecting secrets. Ross, how are you?

Ross Young: I’m doing well. Thank you.

Oded: All right. Awesome. Thanks for coming over.

Ross: Of course.

Oded: All right, so tell us a little bit about yourself.

Ross: Yeah. So I’m one of those few people who always knew they wanted to do cybersecurity, right. So I did an MBA with a focus in cybersecurity, had a chance to work at a number of three letter agencies, did my internship at NSA, worked at CIA for over a decade, then spent time on the commercial side. So I went to Capital One, spent the last four years as the CISO of Caterpillar Financial, and now I’m the CISO in residence at Team8.

Oded: All right. Awesome. So what can you share with us? I’m sure that along those years you’ve been dealing with many different types of cybersecurity issues and challenges, right? Generally speaking, things that you’ve seen, that you remember the most, that have impacted you and maybe even made you wonder what’s happening, right? Like, what are the recent trends or the trends that you’ve seen?

Ross: I’ve seen these kinds of shifts. First it was, hey, we’re going to trick the users. We’re going to phish them and get on their laptops. Then it was, well, we want to steal the data. So let’s go after the developers, and now everything’s in the cloud. So it’s how do we go after these cloud resources and steal the data in the cloud. So different shifts at different points in time. Some things never go away. Certainly phishing is still around, but bad actors are always going to go for the easiest way to break in.

Oded: Yeah. Well, do you believe that there’s any way to mitigate phishing or is it going to stay?

Ross: So I think we’re doing really, really good things, like the ability to stop 99 point whatever percent of email attacks through email security gateways is much better than it used to be. That being said, the bad actors also get better. Right now they have the ability to use ChatGPT to write amazing emails that are carefully worded, instead of that broken English that we might have seen from the Nigerian prince scam ten years ago.

Oded: Yeah, so you’re seeing like there is hope because we’re doing better, but at the same time, the adversaries are working better and they’re becoming more and more sophisticated.

Ross: Absolutely. Yeah.

Oded: And so we need to be sharper than ever, I guess.

Ross: Yeah. Of course.

Oded: So let’s talk about the notion of identity, right. In the last few years, we’re seeing more and more focus on identity within the cybersecurity perception, or how to secure an organization. Right. Back then, I remember 20 years back in the IDF, identity has always been an important pillar. But it was always, you know, let’s first protect the network, like the entrance to the network, and let’s protect the infrastructure and let’s patch and things like that. And it looks like with time, identity became more and more central. What are the things that you were exposed to? What were the things that you’ve dealt with in terms of the challenges around identity?

Ross: Yeah. So the first thing is the idea of a perimeter has completely changed. I think about during Covid, everybody started working from home. So you didn’t just have one work facility that you had to protect with one central VPN. You had, you know, 10,000 employees working from home, 10,000 work centers. So that changes things significantly and how you’re going to centralize things.

The next thing about identity is what is identity, right. Is it just humans or is it computers? And this was something huge that I really saw when I was at Capital One. You know, we had a big tool called Jenkins that we used to deploy our infrastructure everywhere. So it was the admin of admins, and across all the networks. So, you know, the fear was, hey, if somebody can get into that, they could laterally move through the entire organization as admins. So understanding how identity has shifted from just targeting humans with MFA to, you know, system resources that are global are really important things to think about.

Oded: Now, it was always a concern where you have like a manager of managers, of all kinds of configuration managers. Jenkins obviously is a tool within the newer DevOps world. But think of other tools that were made in order to control other machines, right, or other computers for that sense, like Ansible, for instance, and even beforehand. Others like Microsoft Management. Right. There was all kind of either device management, machine management, patch management to make sure, you know, that you’re first of all knowing what you have in your network, and then patching it, right, and making sure everything is okay. That was the initial thing.

But with time, the concern about the identities of those machines has become more and more evident. So you’ve mentioned the remote work during Covid. What are the things that you think have influenced the importance of machines now? What really changed? Like, why is it now becoming a buzz?

Ross: So I think the DevOps movement has been largely, amazingly successful. And just think about if I have to manage a thousand machines, I’m probably not going to log into every single one with SSH manually one by one and go update all of those things and change the configurations. It’s too burdensome. So I’m going to write a script, whether in Ansible or something else, that says log into any of these machines, make these updates, and apply the same thing to a thousand machines.

And that ability to do that makes one developer a thousand times more effective than they used to be. So everybody is shifting towards that maximum productivity route by using these infrastructure as code principles and other things. Which means, hey, if you can get into the secrets in the code, then you can now use that to go after a thousand machines. So it’s a new way to kind of target companies from a bad actor’s perspective.

Oded: You’ve mentioned automation for DevOps, right. Provisioning capability for infrastructure as code, the ability to automate a lot of tasks that we used to know from the data centers. Right. And so all of the pizza box servers installation, etcetera, this is now happening on cloud and DevOps are running their scripts and tools. So maybe it’s a good point for us to differentiate. There is the process of creating applications, right, within source code, the CI/CD process, right, of compiling the application, of integrating the application, of testing. Right. That’s within the initial phase of DevOps, which is creating the binaries. Okay. And without the secrets within the code.

Then there is the provisioning part. Yeah. Provisioning of infrastructure as code tools like Ansible, Terraform and others that are used in order to take that code that has been compiled into a binary and then to send it into the actual resources. And then there are other tools that are made in order to actually provision the resources. Okay. So there are so many of them within what we call, you know, you and I can look at it and say, oh, DevOps is one title, but actually it says so much.

And that means that there are many of those different places where secrets can happen, or secrets can be at risk. The risk of secret sprawl is much bigger than what most people think because, you know, it’s wider in terms of the process.

Ross: Yeah. When I used to run a DevOps organization, we had like 20 tools, right. You had GitHub because you need a source code repository. Jenkins because you needed a CI/CD tool to deploy. Then you’re going to have every one of your scanning tools. Maybe you run SonarQube for code quality. Every one of those tools you can put secrets into so that they can connect to things, they can scan things. They have the permissions to do what they need to do. Yeah. Which means every one of those things is something you need to secure.

Oded: All right. So the trend of using more automation. Let’s touch a little bit on trends like containerization. Right. Trends like the breakup of the monolith of software. Because when you think of it, in a way, although we didn’t do a lot of automation 15 years back or ten years back, and we’re now doing it, it’s more than just that, right?

There’s also a major shift in the last ten years, in that the way software is being built is actually built out of more components. Micro functions and microservices. Have you seen that also, within Capital One and other places?

Ross: Yeah. So if you were to go back and look at what servers looked like, you’d update a server to a good state and then you could save that snapshot as like an AMI or something else, and then what happened is people said, wow, that’s a big image. And we don’t even remember all the steps of how we got to that good image now. So they said, let’s write everything as code. And not only that, but we want to get to a smaller image.

And so you see containers, where people started shifting to very small operating systems like Alpine and others, where instead of any imaging system, it’s an 8 MB system. Anyways, you take that, you combine it with, well, hey, we want to make something highly distributed, highly immutable, highly ephemeral, this DIE triad that’s so popular. And now you say, well, let me, you know, cloudify everything and put everything in AWS.

And before you know it, you don’t just have an EC2 server, you have Lambda jobs and S3 buckets and load balancers and 20 other services on AWS. It is this giant thing you’re trying to like, memorize and understand and everything else to talk to all these things. And now you’re like, well, how do I make sure this has the right permission? Because I used to just have one server and one database, and now I got, you know, 30 different components.

Oded: I think this is exactly right. You know, you’ve articulated and put into words the rise of the machines. This is what we’re seeing, right? This is the rise of the machines, where recent research is talking about, you know, a 240% rise just in 2023 in the number of identities in the world. Machines compared to humans, it’s a ratio of 1 to 45. So if back then you could have entered a data center and actually counted the servers, right, and gotten to thousands of those servers, today you can’t count those. You can’t even count the number of components, small components.

And the breakup of the monolith brought with it a lot more identities. So for a 10,000 employee organization, you used to have fewer servers. Today you have 50 times more servers, or machines, or automated processes. And that means like half a million of those machines.

Ross: Yeah. And it’s a huge speed play as well. Right? If I wanted to change just the one major server, I’d have to have everybody agree to it. And we do quarterly changes. But now when everything is a microservice, I only change one microservice. I can do that five, ten times a day because it doesn’t always affect everybody else using that same server. So that change in speed I think is why we’ve gone down this architecture. And I don’t think it’s going anywhere.

Oded: Yeah, it’s so fast. It improves productivity. Well, now let’s get to the next place, which is, now that we understand that there are far more secrets, there are far more machines, we’re getting into the actual reality of today, which is, you know, attacks that we see, you know, Uber or Bank of America and other examples of those API keys and SEC keys and certificates and credentials that are out there that are being revealed, or are being found within source code repositories and other places. What do you see in that trend?

Ross: So I think there’s a couple of things. The first is bad actors and criminals are going to do bad activities to gain money. It’s never going away. There’s always going to be that. And they figured out that I don’t just have to sell credit cards to make money. If I can sell the way to break into a company, that has value to another criminal group who wants to steal from that company, and guess what? It’s a lot easier to get away with that, because they don’t even know that they’ve been breached at that point in time. It’s only once you start to steal the data and post it that it becomes highly known.

So that focus and that shift of bad actors breaking into places only to steal credentials, I don’t think is something we’ve really thought about. And it’s happening more and more from Eastern European criminal organizations. And the second thing that we’re also seeing with all of those things shifting is, hey, identity attacks are on the rise. Look at all the major data breach reports like Verizon. If you look at their attacks, identity attacks are the number one thing that’s happening. And it’s not just small companies. It’s big name companies like you just mentioned, Bank of America, that spend millions, if not $1 billion, on their cyber security program. So these are big companies who check all the boxes, but still they’re having issues with identity based attacks, which means we have to focus on this area.

Oded: Now that we understand that we need to focus on that, the question is, what can we use? You know, when I’m looking at the different toolset that is out there, traditionally in that realm of protecting those secrets and machine identities, right, there’s the machine identity and there’s the secret that authenticates that particular identity. Right? Sometimes we refer to an API key as an identity, but actually the identity is the account on that end, right? The account on the database, the account within a certain cloud IAM. And then there’s the API key or the certificate that validates it. Right. Both of them need to be managed, obviously. And this is the secret to be protected.

But when I look at the different tools out there, it seems like there are so many of them, and they’re so different, to address this whole challenge and to overcome it. What do you see when you look at it?

Ross: So you’re right. There are so many things we have keys to, and we have to secure them. And then maybe simplify that into a couple of things. If I’m a bad actor and I’m going to target a company today, I’m going to find a developer that looks interesting to me. Right. Maybe they’re working on a SWIFT account because they’re the guy who oversees that for a bank. Or maybe they’re the database admin at a health company. When I find those individuals and I phish them and I land on their box successfully, now I want to find creds to impersonate them, to get into the databases, get into the places of access.

So if I just look at the history of everything they’ve done in the command line, in the terminal, do I see things like, here’s their credentials to log in? And if I do and I can steal those things, then I have valid access for a period of time. Now the problem is, how long is that period of time? If I only rotate my keys every 90 days or every year, that’s a lot of dwell time for a bad actor.

Versus if we get to a place where those keys become ephemeral, hey, we rotate them once a day. We allow people to use it for eight hours because that’s a normal average workday. Then now if the bad actor gets in, they have to come in every eight hours if they want to have persistence on those machines. So I think that mind shift of how do we make our keys more temporal, more ephemeral, or even, let’s call it the holy grail, a place where you don’t even have that. Yeah, I think that’s the direction of where we have to go as an industry.

Oded: Ross, you know, when I think of it, what you’ve just described should have been resolved by privileged access management tools. Isn’t it?

Ross: Kind of. But it never was configured to work well for us. Let me just give you an example. Today a developer may go to CyberArk. They may use a multifactor to prove who they are. And then they get the credential. But like I said, if those credentials are valid for 90 days or for a year, that’s the problem. The problem is the bad actor gets the credential after it’s already authenticated from the developer, and now they have legitimate access. So it’s not about can we MFA the developer, it’s about how fast can we rotate the credential. That’s the way we minimize the dwell time of the attackers.

Oded: All right. So when it comes to getting into Jenkins, right, or what you’ve mentioned, or the CI/CD process, or to get into the infrastructure as code, right, from that point on, and also in configuration files within the containers. Right. When machines speak with machines, they require those secrets, right? A container spins up, it requires some kind of a secret in order to authenticate to the database in that space. The traditional privileged access management tools are not even in the game. Right. They’re not there.

Ross: Yeah. And I was surprised to see how many applications never change those things. Like, hey, you could get an API key that never changed. Right. And so if it gets stolen once, you basically have to burn it down to the ground and start from scratch.

Oded: Okay. So we’ve touched a lot around API keys and database credentials. But, you know, back to my previous statement that there are a lot of different tools out there today that a certain organization would need to implement in order to actually mitigate the problem. And we’ve just started with talking about privileged access management. When you think of it, SSH certificates, or SSH management and certificate lifecycle management, is also another tool that is required, and not just privileged access.

I would also claim that KMS is also required. Right? Like private keys and encryption keys, you need to manage them. There are still secrets within your environment that need to be managed. So the claim is basically that you would find yourself needing so many different tools in order to create this identity fabric that Gartner is talking about.

Ross: Yeah, it’s really interesting. So, you know, I think most CISOs are trying to do something where they’re blocking secrets from entering their source code repositories. And maybe you start with a couple of things, like SSH keys or AWS keys. But what you find is developers come up with so many tools that you never even thought about. So it’s, hey, I have to do the Kubernetes keys, I have to do this one unique Terraform key, or every other thing. And before you know it, your patterns are only matching ten keys. But the developers are using 200 keys, so you’re not able to effectively block all keys going into the source code repository.

So it’s really about an education of how do we get them to think differently and remove keys entirely or make them very temporal.

Oded: So we understand that there is a problem, a major problem that we all need to look at, with the number of secrets that are being used, with, you know, the proliferation of secrets, a secret sprawl across the whole process, with lots more identities. And there are now a lot of tools that you need to look at. And it sounds like it’s almost impossible to pick and choose all of those different tools. Obviously, the Akeyless approach would be, yeah, we want to. We are unifying the whole different process, and we’re unifying all of those different functionalities into a whole unified platform that allows us to basically mitigate that from one place.

So we talked about many different tools that a certain enterprise would need to select, right. The process of selection is cumbersome, obviously, when you need to choose so many different vendors and work with them. What’s your take and experience with the fact that we have 5000 different vendors in cybersecurity? I’m sure it provides a lot more hassle. What do you think of, you know, making yourself protected? How do you choose, once you process the hassle?

Ross: Whenever I pick any tool, I always look at the total cost of ownership, which comes from three things. One, what is the cost to license X software? Maybe I buy Oracle. I’ve got to pay the Oracle licensing fee. The second thing is the hosting costs. Do I host it on prem, or in the cloud and pay an AWS fee, for example? And then the last thing is the developer maintenance costs. Do I have to have two different administrators to host and maintain an app? Keep it patched, keep it up to date, add new features. So those three things of licensing, hosting and, let’s call it, the human costs are the three things that make the total cost of an app.

And when I look at those things, I have to say, is this solution going to give me the best price, as well as give me all the technical requirements to satisfy why I’m picking the solution?

Oded: Yeah, and I guess that you need to invest a lot of time picking those solutions, right? Like the pricing, process, etc., which is a lot of burden around it.

Ross: It all depends on the consequence of the tool. For example, if I pick a tool where every developer has to make ten hours of code change to adopt that tool, that’s a very expensive tool from the organizational perspective. However, if the friction is very low, where I can just deploy the tool in ten minutes and I don’t need anybody else’s, you know, work to get done, yeah, that’s a much lower friction asset to implement in an organization.

Oded: Which is a great thing with the DevOps movement, in which plugins are out there, and DevOps are so used to, you know, getting a plugin into a certain tool or a platform in order to inject secrets, for instance, like the Kubernetes secrets injector that basically protects those secrets and injects them on demand.

So those are definitely things that have changed recently, in the last few years, making it easier to deploy software into infrastructure. Right? So selecting those tools, obviously, you know, the process of that, you know, you’ve mentioned resources, costs and the time that it takes to deploy. Also, you know, the self deployed solutions. Let’s talk about using SaaS for security solutions. For a long time it has been a taboo. But it looks like in the last four years there has been a tremendous change in how the security industry is looking at SaaS solutions to secure their environments. Let’s talk about this trend, because it looks like SaaS is being more and more accepted.

Ross: Yeah. So historically, CISOs were very fearful of using SaaS. Putting my data in somebody else’s cloud makes it easier for it to be stolen. But right now, if we go back to this total cost of ownership model, hey, lower infrastructure costs, because they probably can do it more effectively at scale in AWS than I can in my own data center. And the second thing is the maintenance. Hey, if I don’t have to host and configure and install and patch and update, that’s a lot of time saved. So maybe I don’t need the 2 or 3 headcount to maintain an app, I might only need one.

And so those lower costs of ownership have really driven organizations to pursue SaaS. We see it today, for example, in the SIEM space. Yeah. I don’t think anybody is really hosting their own SIEM anymore. Everybody is putting it into data lakes or cloud providers, and we’re going to see that on all the other security tools. So definitely identity is one of them. And data protection, of all kinds, is going to be there. Like SaaS is definitely king now with security as well.

Oded: And that’s perfectly understood. Today, do you find it troubling when, you know, when you think of SaaS and using external solutions to secure, do you think sometimes of, you know, government access and the fact that there’s a capability under subpoena that, you know, your cloud provider would be subpoenaed and would be obliged to provide your data without your knowledge, maybe to a limited extent?

Ross: I think most U.S. companies are going to get a U.S. hosting provider, and that’s not a big deal. Now, if you’re talking about, hey, your services hosted in China or Russia, that’s a completely different discussion. But I don’t feel like that’s a big ask, for companies these days.

Oded: Speaking about SaaS solutions, right, and I’m speaking about machine identity, the secrets. Do you find it concerning that a SaaS provider would secure your secrets, whatever they are? They know the identities themselves. Do you find it troubling? And what are the things, you know, that you think about when you think about a SaaS solution?

Ross: Yeah. So there definitely is a worry that a hosting provider has all of my secrets. And you can just think of like LastPass for human secrets, right, for logging into a website. Well, if LastPass gets breached and they lose all of my passwords, do I now have to log into 100 different sites and change 100 different passwords that they stored for me? Yeah, that’s a big pain, and most people are probably too lazy to actually go ahead and do that. And now they have, you know, all of these passwords stolen for years.

Right. So I think that’s a big concern for companies. And so, you know, looking for mature solutions where it’s, hey, they didn’t just steal your password, because now you have a passkey, now you have an MFA or something else in addition to that, where that provider, even if they’re breached, can’t cause material harm to your system.

Oded: Yeah. Well, we call that the promise of zero knowledge, right? The Akeyless distributed fragments cryptography that is within the core of our platform ensures that we don’t have access to the secrets of our customers. Although we’re providing SaaS, it’s a zero knowledge SaaS, and straight to the point, the encryption key that protects those secrets, right, is basically fragmented. It’s created as fragments. And one of the fragments is kept on the customer’s side.

So we don’t have all the fragments of the key that is being used in order to encrypt those secrets in the first place. So the root of trust in that end is not even within our hands, but rather within the customer’s hands. And we do that although we’re a SaaS solution, so very low footprint on the customer infrastructure.

Ross: That’s nice. It reminds me of like Apple, when the FBI was trying to come after them to, you know, break into somebody’s iPhone. Yeah. If they don’t have the keys, then there’s nothing to subpoena and request from a company like that.

Oded: Yeah, exactly. And the beauty of it is that no one actually has all the fragments, not even the customer. So even if they attack your network, right, it’s not enough. They need to attack your network and our network at the same time, because all of those fragments refresh, their mathematical value is being refreshed all the time. So think of it like the rotation of the root of trust that is constantly happening.

Ross: Yeah. It’s like a bank vault with two keys. It’s like, yeah, it’s like Die Hard 4.0, where everything is like, you know, you need to use multiple keys at the same time in order to open it.

Oded: Ross, thank you so much for coming over and spending this time with me and talking about machine identity, secrets and the evolution of, you know, compute and DevOps.

Ross: Yeah. Of course, like I mentioned before, I think identity based attacks are here to stay. They’re the number one attacks right now, according to the Verizon data breach report. We’re creating more of these every day. You mentioned 45 times more than human identities. Well, guess what? If we’re not inventorying them, if we’re not securing them, if we’re not rotating them, if we’re not making them ephemeral, we’re going to have an issue.

So that’s why I think it’s so important that CISOs pay attention, because this is an area we have to do better.

Oded: What are the things that you’re currently busy with that excite you the most?

Ross: So right now I’m at Team8 and I have the wonderful opportunity of creating a CISO network, which means I get to talk to a lot of CISOs, understand what’s going well, what’s going wrong and where we need to improve, and then looking at the industry to say, what are the new technologies that can help us? So that’s probably the coolest part of my role right now.

Oded: All right. And how can people find you?

Ross: Yeah. So I’m on LinkedIn. That’s a super easy way. You can just search Ross Young on LinkedIn, and you can schedule a meeting directly from my profile. Or you can look at our Team8 events. There’s a lot of things that are upcoming. So just follow Ross Young at Team8 to find more.