Ep. 174 Akeyless Security: Secrets Management with Sean Korten

Michael Lynn: Welcome to the show. My name is Michael Lynn, and this is The MongoDB Podcast. Today I'm thrilled to bring you a conversation with Sean Korten, a leading expert in the field of secrets management and encryption as part of the team at Akeyless. Sean sheds light on the critical importance of implementing security measures right from the start of the application development process. In today's episode, we explore the challenges and solutions surrounding identity, encryption, and secrets management, particularly in hybrid and multi cloud environments. Sean's experience and insights are sure to resonate with developers, architects, and technology leaders alike. Whether you're a seasoned professional or new to the security space, today's episode is filled with valuable takeaways to enhance your understanding and approach to these vital aspects of modern application development. If you like the podcast, please remember to hit the like, subscribe, and leave a comment. Let us know what you're enjoying about the show so we can continue to bring great, informative, and inspiring content. Enjoy the show. Welcome to the podcast, Sean. It's great to have you on the show. How are you doing today?

Sean Korten: I'm doing well. Thanks, Mike. How are you doing?

Michael Lynn: I'm doing great. Really excited to have our conversation today. Why don't you tell the listeners who you are and what you do?

Sean Korten: Sure. So my name is Sean Korten. I'm head of solution engineering at Akeyless. And what that means is I have a team of incredible engineers that love to solve problems for our customers on how to really manage and orchestrate all of the secrets in their environments.

Michael Lynn: Yeah, security has been a prime focus for MongoDB for quite some time. We've had a number of guests on recently talking about privacy and security and how developers should really be focusing their attention in this space. Talk to me about secrets. What are secrets?

Sean Korten: So secrets is really anything you need to keep private, but I think the ones everybody's most familiar with are the things like passwords, API keys, encryption keys, the things that you need as an application developer or a user to be able to get into one system or another in order to perform those actions that you need to make your application work or do your job.

Michael Lynn: And this is differentiated from PII, for say.

Sean Korten: Yeah. So PII is going to be things that you want to keep secret, you need to keep secret, so a phone number, a social security number, whereas those are things that you might want to keep secret, we do actually have a way at Akeyless to keep those things secret as well. But the big focus for me, my team at Akeyless is to help orchestrate those things that enable the communications of these complex environments in the cloud native world today.

Michael Lynn: So Akeyless is a cloud based solution. How does it surface for developers?

Sean Korten: Yeah. It's software as a service, and at the easiest, most simplest level for developers to use it, all they need to do is have a way to authenticate with the platform, and then they can use our APIs, they can use our command line utility, our SDKs, or any number of the different off the shelf integrations that we have. Super simple to get up and running, where you just need the account and you can usually do it in 10 minutes or less.

Michael Lynn: Great. So what makes Akeyless different from other privacy and secrets management solutions today?

Sean Korten: So really, being a SaaS provider is a huge differentiator for us. To my knowledge, there aren't any other secrets management SaaS providers on the market today. We handle all of the disaster recovery, high availability for our customers so that they don't have to manage multiple clusters or complex configurations. And one of the ways that we're able to do that is with our customer gateway, which is just a stateless Docker container that you insert into your environment. That's where all of your encryption and decryption operations actually handle. So it takes the place of a large on premises or on cloud cluster of infrastructure.

Michael Lynn: Yeah. So I was going to ask you about that. What are people doing today that they would benefit from migrating to an Akeyless solution?

Sean Korten: So today, people are using a lot of different solutions to manage and orchestrate their secrets. They may be using something on prem or on cloud from an independent provider, or they may be using a cloud provider's built in solution specifically. And these are great in that they're using something. If you're not using something, please use something, one of these solutions today. Please, please don't keep your secrets in the spreadsheet. But if you are in one of the modern environments where you're using either hybrid cloud, or multi cloud, or you're even thinking about going to a hybrid or multi cloud solution, you start to lose the ability to centrally manage all of your secrets, which means that you can have secret drift, it means that your developers have to learn multiple ways to work with secrets, to retrieve them, to store them, to manage the access controls. So with our solution, what we really want to do is provide a single interface for all of your secret systems. And we can do that by storing all of those secrets for you directly in our platform, but we also have integrations for other secrets management solutions. So we can provide the ability to manage your cloud based secrets through our external secrets manager, where we're not actually storing those secrets, they still live in your cloud provider, but we're providing that one interface, that one way to manage everything, so you get one set of APIs. You get one set of SDKs. This makes it possible for developers to create an application that's going to work in any environment, cloud, Kubernetes, on prem, and only have to do that development once in order to get the retrieval of those secrets to authenticate with the next part of your platform.

Michael Lynn: Well, how specifically? I know we've got a lot of listeners that are in the MongoDB space. They're probably using MongoDB Atlas. How does Akeyless integrate with MongoDB?

Sean Korten: So we integrate using the API keys, so I actually went through the other day. And I hadn't set it up personally yet, so I went to go and set it up. And it was really actually pretty straightforward. You just create your API key in the organization. This is for Atlas. You add it into your project or you invite it to your project. And then there's a little bit of configuration on the Akeyless side for the authentication method and then you provide it what those credible capabilities are, and then you can start doing things like rotating secrets, or creating dynamic secrets, or if all you want to do is store your secret credentials in there, you can do that absolutely separately and then just retrieve them from your IDE and use them to authenticate. So a bunch of different ways to do it, but we aim to be as compatible as possible.

Michael Lynn: Yeah. That sounds like a great solution. So if I can set it up and configure it once in Atlas, and then rotate the keys, you're telling me I can rotate the keys from the Akeyless side.

Sean Korten: Yeah. So that's one of the things that we really wanted to do. We actually developed the capability to create dynamic users first, so we call it dynamic secrets, where it's an ephemeral just in time user. But in order to do that, you still have to authenticate with the platform. So that's where we built the ability to rotate secrets. So using the APIs, we're able to go through and specify a rotation schedule, rotate the user that is used to provide access or to create those dynamic users, so that you always have rotating credentials and no long- standing credentials.

Michael Lynn: So just to make sure I'm understanding this, so you're leveraging from the Akeyless side. Are you using the Atlas admin API?

Sean Korten: Yes.

Michael Lynn: Oh, fantastic, so that would greatly simplify it for sure, yeah. So where do folks get more information about Akeyless?

Sean Korten: So akeyless. io, our website, there, you can find things like our documents page, so all of our documentation, fully public for everybody to read and use. We also have a tutorial site. That's pretty new. I don't know if it's linked to off of our main page, but tutorials. akeyless. io. And then we've also got a community Slack if you want to join and ask questions, or find out more information, always happy to jump in and help people sort of figure out the best way to use our platform.

Michael Lynn: Yeah. How long has Akeyless been in existence? When did you start?

Sean Korten: So we were founded in 2018. And this is where our founders were thinking about, there's got to be a better way to manage all of these secrets, because they were working with a bunch of different ones. And they went and said, " Okay. Well, first, let's figure out how we want to do this." And then about two years ago, we started selling, and we've been going like gangbusters since then.

Michael Lynn: That's great. I love to hear success stories. Do you have any customers you can talk about?

Sean Korten: Semperis was one of our first or earliest customers. And when they came to us, they were looking for a better solution for managing all of their secrets, moving from a different solution. What they really needed was something that they could roll out for their 12,000 employees and be able to do this quickly and have them be able to work with it simply and easily. And what they found within a very short amount of time is that they were able to roll it out, their entire community was able to adopt it. And this was because of the simplicity of the SaaS platform. But also because of the SaaS platform, they found that they actually had a 70% cost reduction overall, across the entire secrets management operation within the organization. On top of that, based off of the previous solution, they found they had 270% higher adoption rate due to the ease of working with the APIs and the off the shelf integrations. So if you'd like to know more about that, we actually have a complete PDF testimonial on our website.

Michael Lynn: Yeah, we'll link to that for sure.

Sean Korten: Yeah, case studies.

Michael Lynn: Yeah. So I want to get some links. I'll remind listeners that they can check the show notes for all the links to things we're talking about today. And so managing secrets is, I mean, you need some high trust. You need to be able to trust the partners that you bring into your infrastructure, into your stack. How do you go about increasing the level of trust with your customers?

Sean Korten: That is a great question. It is the most concerning question that people have when they come to us asking about how Akeyless works. And what I alluded to with the founding of Akeyless is what we built with the foundation for enabling zero trust, which is a patented technology that we call DFC, or distributed fragment cryptography. And what this is, it's a new way for providing encryption, so where we actually have multiple encryption keys that comprise the entirety of the encryption key, and we distribute those fragments or those keys across all three of the big public cloud providers within our SaaS environment. And then we provide our customers the ability to generate their own fragment using that stateless gateway. And now you are using effectively four virtual fragments to perform encryption of all of your information. So with the customer having access to one, it's... How do we say it? Having a 99% of the encryption key is the same as having 0% of the encryption key. So that is how we really enable the zero trust with the DFC technology.

Michael Lynn: So true multi cloud.

Sean Korten: Oh, true multi cloud, absolutely, cloud native, born in the cloud, and developed in the cloud, API first, microservices, all the way.

Michael Lynn: Yeah. What do you say to folks? I still run into some customers that are like, " Look, I'd love to use your solution, but I just can't go to the cloud."

Sean Korten: I understand that and I respect that. That is something that I still hear probably once a week. And that's where you're at as an organization today. And that is just the way it's going to work. We can't help you, unfortunately, if you can't use a cloud solution. But usually, we can do away with any of those misgivings by talking about how DFC works, so enabling that level of zero trust where you effectively own all of your data. It never leaves your environment unencrypted. And we're able to meet SOC 2 compliance requirements doing this. And we also have FIPS 140- 2 type one certification. So we find that for many of those people who have an objection, those objections go away unless there's something that is purely policy based or within the organization that prevents the use of any SaaS inaudible.

Michael Lynn: Yeah. So if you're ready to make the move to the cloud, this is a way to unify your secrets management.

Sean Korten: Absolutely.

Michael Lynn: That's great. You talked about some really impressive numbers with Semperis. But let's talk about scale. When in the journey of an app to success, what number of secrets does somebody need to start thinking about a solution like Akeyless?

Sean Korten: That's a fun question, and I don't know if everybody's going to like my answer. But I think the right time to start thinking about how you're going to manage your secrets is before you write the first line of code because this is one of those things that becomes built into your way of operating as a developer, as a team, as a company. If you start by hard coding secrets and sharing them through un- secure means, that's the way that you're going to keep doing it. So making a transition later to a secrets management, secrets orchestration platform is going to take up whole bunch of refactoring in your code. It's going to take a change in the mindset. So start when you start. Do not wait to do that. And that's one of the reasons why we tried to make things so easy for developers to use and adopt it is so that it is something that isn't a big barrier to entry. Look, in the world of modern software development, nobody wants to slow down in order to implement security. So what we want to do is we want to make security so easy that it just becomes part of the workflow. It's like, " Okay. Well, that's not so bad. I don't have to go through an audit. I don't have to go through and import 14 libraries. I don't have to figure out how to do encryption. I just have to make a couple of API calls and I'm done," so start at the beginning.

Michael Lynn: Yeah, yeah. That's great advice. I think that makes so much sense, especially when you consider all the decisions that you make at the outset are literally creating technical debt in some form or another. And you can eliminate that by making really smart decisions at the outset. That said, there's a cost to this. So what's the revenue model? And what can somebody expect to pay for a solution like Akeyless?

Sean Korten: So we've got three different ways that you can sign up for Akeyless. The first is, we have a free tier, so we want everybody to be able to sign up and experiment with it and see how easy it is to use. There are some limitations to that, that I can get into if you'd like. But then we've got two other ways for the more business oriented startup or enterprise oriented. So we have a team model, where you can sign up and pay monthly using a credit card, so a subscription model, and it's$ 15 per user per month, or per client per month. We're going to talk about what clients are in a sec if you'd like.

Michael Lynn: Sure.

Sean Korten: And then for the enterprises, one of the things that we found is a lot of enterprisers, they have so much secret sprawl, they have no idea how many clients they have, no idea how many secrets they have. So in those cases, what we'll do is we'll spend some time working with them to do a bit of discovery and make a best guess at what they're going to need. And then we set you up with an annual billing, either for a certain number of clients and secrets, or for an unlimited number of clients and secrets.

Michael Lynn: Okay. So let's say I have very little experience implementing a secrets management solution. Do you offer guidance in some way? As head of solutions engineering, is that part of your role?

Sean Korten: Yeah. That's what my team does. That's what we love to do. We come from a bunch of different backgrounds, but the one thing we all have in common is we just love solving those problems and helping design solutions. So yeah, come, let me know. We'll get the team on the phone and we'll discuss what your problems are, or where you are even starting and we'll help point you in the right direction.

Michael Lynn: Yeah, yeah. That's good. And speaking of different backgrounds, what's your background? How did you get into this role?

Sean Korten: Oh, goodness. So I've been all over the place, but starting in the mid 2000s, dating myself here, I spent a number of years in security. And then after being in security for a while, I went back into sort of infrastructure. So my background is systems engineering, network engineering, security engineering, then cloud engineering, everything except databases, so sorry. I've worked with many TBAs and I love them. I am so grateful for them because that's just one of those things that never clicked for me. But when I really got into the beginning of the devops movement back in the early 20 teens, started having to try and automate everything and figure out where things were. And from there, I went into consulting for devops and digital transformations. And this one problem kept coming up, which was: How do we deal with those secrets? How do we deal with identity? And that continued through various roles until I landed at Akeyless about 13 months ago. And one of my friends actually had been working here for a year and he's like, " Hey, we've got this great solution. You should really check it out." And immediately, I saw how it could solve so many of the problems that my clients and customers had been having with being able to prove identity and work with secrets in the hybrid and the multi cloud environment. So just I think it was, I spent an hour playing with the product and I was like, " Okay, I'm sold. This is something significant here," and joined up and haven't looked back since.

Michael Lynn: That's great. So what else is involved in the role? You're working with customers. Are you leading a team? And what's that like? Have you made a transition from individual contributor to a leadership role?

Sean Korten: Yeah. So I am the official head and leader, and I came in at that level. When I came in though, there was only one person on my team. Now I think we are up to seven and we're actually hiring more. I am the head of the team. I don't like to think of that. I'm a big believer in servant leadership, so I'm a part of the team. I'm out there working with customers all the time just like everybody else on the team. But we are spread across US and Europe, Middle East. And lost my train of thought. I don't know what I was trying to say there.

Michael Lynn: It's okay. You were talking about the team size.

Sean Korten: Team size, yes. So we've got three solutions architects here on the US, plus a dedicated developer that is helping us work on tools to create easier and better user experiences. And then in Tel Aviv, where we're based, we have two more solutions architects working with Europe and Middle East. And we're looking to hire more solutions architects to work with our customers.

Michael Lynn: So where can folks go if they're crafty with secrets management in the security space? Where can they go if they want to look at the job roles?

Sean Korten: Akeyless. io. And if you click on the company, you can go down to careers, you're going to see all of the postings that we have there. I think customer enablement, customer success is really important to us at Akeyless, so that's why we're investing in growing my team, solution engineering, as well as the rest of our customer success teams. I think we're looking for success managers and account managers right now.

Michael Lynn: Fantastic. Well, hopefully we can get some folks over there, raise the awareness. Again, you can check the show notes for links. We're going to have links to everything we mentioned today. There's one more thing I wanted to bring up. I mean, listeners are very aware that MongoDB is acutely tuned to the security space. We want to offer flexible options in the security space. And one of the ways we do that is through field level encryption or queryable encryption. And as folks listening may know, you can secure the data using queryable encryption. But I think Akeyless is a different solution. It's more of a unified secrets management, rather than the data at rest. Is that correct? How do you see the comparison between field level or queryable encryption from MongoDB and the solution that Akeyless offers?

Sean Korten: So I think it's great what Mongo has built into the platform for queryable encryption, and this is great. But it's like you said, we want to make it so that you have one place in order to go for your encryption. So if you need to be able to insert something in there, you have two different options with the queryable encryption. And correct me if I'm wrong here, so you have local key management and then you have the ability to integrate with a key management service. So local key management is good for development, but I don't think that is the best option for production environments because you still have the ability to potentially lose sight of that key, and you have to manage it sort of out of band from the rest of your secrets program, your security program. So when you get into the ability to use something like a KNS, this is a lot better. But again, how do you enable that across multiple cloud providers? So coming back around to Akeyless is the gateway into managing all of those different things. So what we want to be able to enable is having that one interface to manage all of these keys. The ability to manage your security and your encryption directly within MongoDB, MongoDB Atlas, is great, but here's the thing. MongoDB by itself is probably not the entirety of your application. It's not your entire application stack. So each time you introduce a new component into that, what you have to do is learn a whole new way of controlling CRUDL. You have to learn a whole new way of doing the encryption. You have to have a new way to manage your keys. And this creates a lot of, I don't know if you want to call it toil or churn when you have to do different things, different ways. And the problem here is that you either need to automate that all by learning all these different things and then automating, or you have to rely on humans to do these things. And while I love humans, humans don't really do well at doing repetitive things over and over and over again because we seek out the interesting. We seek out the novel. So these other things are best left to the machines that are going to be able to do those repetitive things for us. So Akeyless, what we want to do is make it so that you do this once and you can do it for all of your applications, and you can do it in all the same ways, so create, read, update, delete, list. Okay, what things need which of those? Let's specify that, so your application needs read and list only, so we can define that and assign that particular role to your application that is going to be interacting with Atlas. You need to do the same thing for, say, an intermediate API or a microservice. You need to be able to specify permissions. We can do that there. Or if you're bringing in another database, MongoDB, great document database, sometimes you need other databases. So how do you do that? Instead of learning all these things, do it here. We can apply that same level of access to multiple different applications at the same time, programmatically, easily, thus removing so many opportunities to introduce issues where you could specify something incorrectly and inadvertently assign some application the ability to delete, and you accidentally delete a data record. That is just a really bad thing in this modern day. The data that we have in our databases is central to everything we do. It is so important for us to be able to protect that, not just from exposure, but from accidental manipulation or deletion. Because what happens when that data is gone? You might not be able to recover it, so let's control that in a unified way and in a way that developers don't have to worry about it.

Michael Lynn: Thanks so much to Sean and to you, the listeners. Make sure you check the show notes for links to all the resources we talked about during this episode. And remember, hit the like, subscribe, and leave a comment. Let us know what you liked about the show. Thanks, everybody. Have a great day.