In this talk, Oded Hareven, Co-Founder & CEO of Akeyless.io, discusses the history of the movement toward best practices in password, token, key, and credential management, including HSMs, KMSs, PAMs, and PKI management. He explores how secrets management is now a MUST for DevOps and security teams of all enterprises and why the right tool needs to be cloud-agnostic, cloud-native, integrable with any DevOps pipelines, and infinitely scalable.

1. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Oded Hareven,
CEO & Co-founder @ Akeyless
Oded@akeyless.io
{Ret. Captain, Israel Defence Forces, CyberSecurity
Identity Management, PAM, Information Security Infrastructure
Dev, Product, Ops}
The Rise of Secrets Management

2. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Unique Zero-
Knowledge KMS
Technology
Akeyless DFC™
Secrets
Management
SaaS
Platform
Akeyless Vault Platform
Secrets Management as-a-service
Serving market leaders
enterprises
Pharma, Insurance,
Adtech, Online, E-
commerce,
Gaming

3. 3
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Data encryption
Step #1: Protecting Data
• Access Control
• Control who can access the data?
• How to validate his identity?
• Data Encryption
• Control who can access the key?
• How to validate her identity?
Data
Access Control

4. 4
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Step #2: Identity Validation
• Requires Authentication
• Human
• Machine
• Using something that only the human/machine has
• Secret = {password, credentials, api-key, certificate, ssh-key}
• If you can’t keep a Secret - you can’t protect your Data...
Password DB password
DB
User Application

5. 5
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Step #3: Privileged Access
• Beyond application access
• Who’s controlling my workloads?
• Internal/external personnel
• Can they impersonate?
• Admin can do everything...
• PAM
• Control human admin access - session recording
• Regulation and compliance
• Secrets Repository
• Default admin passwords rotation
Password DB password
DB
User Application
Admin
OS Admin OS Admin
Password
Password

6. 6
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Step #4: Root-of-Trust
• Using an Encryption key to encrypt secrets & data
+Using signing key to sign TLS/SSH Certificates = identities
• Where to place the key?
• Configuration - bad practice
• Local store - not secured enough
• KMS - good start
• HSM - considered to be most secure
• Secret-zero: accessing the key requires a secret?
The chicken and the egg...
Hardware Security Module

7. 7
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Step #5: Interconnectivity & overlapping
HSM
Root of trust
KMS PAM SSH Mng.
Certificate
Mng.

8. 8
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Trends that encourage the
massive use of secrets
1. Containerization
2. Hybrid & multi-cloud
3. DevOps, CI/CD, Automation
4. Zero-Trust
Passwords
Certificate
API-Keys
SQL
Credentials
AES Encryption
RSA Signing Key
SSH Key
And then came the cloud.
Proprietary and Confidential

9. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Secrets Sprawl: Clear-text, unprotected
Source Code
DevOps Scripts Configuration Files
x
myScript
{
// App.Config
DB password = “T0pSecr3t”
API_Key_AWS = “Cl3aRt3xt$!”
}
x
//myconfig
<
// App.Config
Access_Token = “T0pSecr3t”
API_Key_GCP = “Cl3aRt3xt$!”
/>
x
Void myCode( )
{
// App.Config
Encryption_Key = “aKey43!t”
API_Key_Azure = “Cl3a3xt$!”
}
Secrets are used also within workload management platforms

10. 10
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
IAM have never been easier
• Ephemeral resources + Automation + IaC
• Perimeter-less world = data is everywhere
• Root-of-trust in a non-trusted distributed architecture
• Privileged Access (Remote, WFH, COVID-19)

11. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
11
Report:"Managing Machine Identities, Secrets, Keys and Certificates"
Published: 24 August 2020 Analyst: Erik Wahlstrom
Source:
Akeyless is mentioned in this Gartner’s report, p16. under “secrets management solutions”

12. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Secrets Management
Fetch Secrets from any platform, script or application
*****
*****
***** API / SDK / CLI / Plugins
Customer
Application
Customer
Database
3rd-party
Service
API
Password =
“Pass12#”
Applications
Encrypted Secrets Store
Human
DevOps, IT, Developers
Secrets Management

13. 13
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
First: Integrate with everything
Authentication via
LDAP
SAML
OpenID
Direct channels
Platforms Plugins (examples)
Machine
authentication
Human
authentication

14. 14
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
World-wide availability
• Scalability
• Multi-region / multi cloud
• Disaster Recovery: Replication, Backup
• Highly Available
Consider: Self-deployment vs. SaaS

15. 15
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Existing solutions varies
HSM
Root of trust
KMS PAM SSH Mng.
Certificate
Mng.
SM

16. 16
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Existing solutions varies
HSM
Root of trust
KMS PAM SSH Mng.
Certificate
Mng.
SM

17. 17
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Existing solutions varies
HSM
Root of trust
KMS PAM SSH Mng.
Certificate
Mng.
SM

18. 18
Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Existing solutions varies
HSM
Root of trust
KMS PAM SSH Mng.
Certificate
Mng.
Unified Secrets Management Platform

19. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Thank you.
Further questions & thoughts you’d like to share?
Mostly invited to drop an email to Oded@akeyless.io