Akeyless Wants You to Throw Away the Encryption Key
Digital transformation, automation, and cloud technologies are supposed to make things more efficient, right? Then why are they causing security teams so many problems?
The culprit is secrets management.
In the grand scheme of things, this is a relatively recent problem. “It’s only about five years ago that awareness and understanding of this problem was beginning,” reflected Oded Hareven, co-founder and CEO of Akeyless, with whom I spoke to get to the crux of the problem.
Long story short, it’s because we’re living in a world full of non-human identities.
Living Amongst the Machines
No, it’s not the robots taking over. But there are now 45 times more machine (i.e., non-human) identities than human identities, a 2022 CyberArk report revealed.
This is due in large part to the collective shift towards digital transformation, automation tools, and cloud environments — particularly multicloud environments, which 71% of surveyed organizations told Expel and the Cloud Security Alliance (CSA) they now use. No matter which way you look at it, the cloud is where the action is happening; 71% of organizations also say they’re now building applications in the cloud, per the Enterprise Strategy Group’s (ESG) 2023 Technology Spending Intentions Survey.
Is the future a world where machines and non-humans (i.e., pods, containers, etc.) continue to grossly outnumber employees? It looks like it.
The HashiCorp 2023 State of Cloud Strategy Survey reports:
- 53% of high-maturity organizations are using multicloud to save money
- 74% of high-maturity organizations say multicloud helps them attract, motivate, and retain talent
- 92% of multicloud users say multicloud is helping them reach their business goals (or they expect it to within a year)
- 56% of companies actually boosted their cloud spending the last year
Bottom line? The cloud is helping businesses make and save money — secrets management woes be damned.
The Many Skeletons Hiding in the Cloud’s Closet
As productive as it may be, the cloud nonetheless comes with some serious baggage: lots of non-human identities with lots of secrets.
“Every workload uses secrets, e.g., credentials, certifications, keys,” explained Hareven. “They’re all over the environment — within the source code, within DevOps platforms, etc. So now you get into a position where an average large organization of five to 10,000 employees has around 100,000 secrets.”
And those secrets are sprawled, meaning they are scattered so widely across an organization that there is little oversight or control over where they live.
A GitGuardian report found a 67% year-over-year increase in new secrets detected. This is not good news. As Hareven reminded us, “Each secret is a potential vulnerability since attackers can use compromised secrets to access critical systems and resources.”
In other words, the more sprawled secrets there are, the more entryways there are for bad actors, as this is one of their main means of infiltration and attack. In fact, Verizon’s 2022 Data Breach Investigations Report revealed that almost half of data breaches are a result of credential theft.
Learning to Protect the Machines that Surround Us
But Hareven said the real secrets management problem isn’t just about having more secrets to manage. It’s about a mindset shift.
“All of this necessitates a huge change of thinking for security teams who now have to transition from managing people and their permissions to also considering the droves of new non-human identities — all without slowing down DevOps teams or delaying deployments.”
Rightly so, a lot of security teams are struggling. Hareven affirmed, “This becomes a real headache for security teams to manage as organizations continue down the path of cloud migration and other transformation efforts.” A particular thorn in their side, he added, is moving applications from one environment to another, which becomes a laborious hassle for development and security teams.
Worse still, as difficult a challenge as this already is, security teams are often ill-equipped to handle it.
First, it’s no secret that security teams are exceedingly busy and short on resources. But internal friction between security teams is causing problems, too, divulged Hareven: “In some cases, if you have multiple DevOps teams, then you end up hearing that some are leveraging different cloud secrets management solutions, some open source solutions, and others access management vendors. And disjoined DevOps security policies can slow down development.”
This Is No Ordinary Security Challenge
The thing is, secrets management isn’t like tackling any other security problem, as Hareven explained. “Of course, things like firewalls are important, but they’re not in line with the production. Most of the security infrastructure, if it’s off — the business continues to work.” But with secrets management, it’s a whole different ball game. “Secrets are needed by the workloads themselves, so if there’s a problem, then it means your production is compromised. And that means you’re losing money.”
Thus, Hareven argued that organizations need to approach secrets management differently than they do other security issues — and not the way they’ve been trying so far:
“When organizations decide to start taking secrets seriously, they usually jump in with cloud management solutions, open source solutions, or access management solutions. In the end, they find themselves creating clusters and clusters of those secrets management services in their environment to be replicated between regions and cloud environments. It’s a mess — and to actually take care of it requires a lot of effort.”
The Secret to Secrets Management?
This is where Hareven claimed Akeyless is filling a gap in the market.
About five years ago, he, Shai Onn (Akeyless Co-Founder and President), and Refael Angel (Akeyless Co-Founder and CTO) came together to try to solve the secrets management dilemma, each bringing a background from business, tech, and product. They’ve since been in business for three years and have expanded to 100 employees.
“The story begins with our technology when Refael had an idea for managing keys for multicloud, non-trusted environments.”
That technology is Akeyless DFC (Distributed Fragments Cryptography), in which encryption keys are created as distributed fragments in the cloud. This means there is no single key to protect and, thus, no vault to manage.
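To make the idea of a key that exists only as fragments concrete, here is an added illustration using plain n-of-n XOR secret sharing. It is not Akeyless code, and the article does not describe how DFC itself is constructed; the function names and the HMAC-SHA256 derivation step are assumptions of this example.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # size of the master key, which never exists as one value at rest


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("fragments must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def create_fragmented_key(n: int, size: int = KEY_BYTES) -> list[bytes]:
    """Create a key directly as n random fragments (the key is *defined* as
    their XOR and is never generated or stored as a single value).
    Each fragment alone is uniformly random, so fewer than n reveal nothing."""
    if n < 2:
        raise ValueError("need at least two fragments")
    return [secrets.token_bytes(size) for _ in range(n)]


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split an existing key into n XOR fragments (n-of-n sharing): n-1 are
    fresh random bytes, the last is chosen so the XOR of all n is the key."""
    if n < 2:
        raise ValueError("need at least two fragments")
    frags = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for f in frags:
        last = xor_bytes(last, f)
    return frags + [last]


def combine_fragments(frags: list[bytes]) -> bytes:
    """Reassemble the key in memory only, by XORing every fragment."""
    acc = bytes(len(frags[0]))
    for f in frags:
        acc = xor_bytes(acc, f)
    return acc


def derive_data_key(frags: list[bytes], context: bytes) -> bytes:
    """Derive a per-purpose data key with HMAC-SHA256; the master key exists
    only transiently inside this call and is never handed to the caller."""
    master = combine_fragments(frags)
    return hmac.new(master, context, hashlib.sha256).digest()
```

Holding any subset of fewer than all the fragments gives no information about the key, which is the property that removes the need to store a whole key anywhere.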
It’s a stark change from other secrets management solutions, which usually involve storing an encryption key with a cloud provider or another third-party facility. Hareven said he doesn’t have confidence in this kind of solution: “They provide promises, but then you hear about them being hacked or being required to turn over data in compliance with the CLOUD Act.”
Notably, Hareven also pointed out that DFC is delivered entirely as SaaS, which he said means no deployment, no management, and no headache for companies. “We call it secrets management without the management.”
Or perhaps, secrets management without the key? Could that be the key to security teams’ troubles?