It’s secrets chaos! There are passwords, credentials, SSH keys, AES encryption keys, code signing keys, critical credentials, and many other types of machine identities. As cloud adoption picks up speed, we've seen a marked increase in the number of those secrets in the last few years. The more components our environments contain that need to communicate with each other, the more credentials we have to manage and protect. Add automation to that equation and you have machines that need to operate other machines. Everything needs to communicate with everything, and authentication becomes even more critical.
Enter Akeyless to control the storm of secrets.
Akeyless has built a unified vault platform to secure DevOps credentials and access to production resources across hybrid cloud and legacy environments. With sponsorship from the Machine Identity Management Development Fund, they’ve added Venafi’s expert automation capabilities into the Akeyless SaaS secrets management platform. In this regular interview series, I recently spoke with Oded Hareven, Co-Founder and CEO of Akeyless, about their involvement in the Development Fund.
First, please tell us all about Akeyless.
Oded: Akeyless is a single platform for secrets management and workload identities. It’s basically an all-in-one shop for secrets—such as credentials, certificates and keys—which provides three pillars on top of one platform. The first pillar is classic secrets management: to manage, inject and provision secrets for the DevOps environment. Pillar number two—Zero Trust Privileged Access—enables human-to-machine remote access by injecting short-lived secrets into the remote session while ensuring audit and compliance via recording and auditability. The first two offerings were designed to provide our customers with a just-in-time access, least privilege approach to support a vision of zero-standing privileges. The third pillar is all in the realm of data protection, where we manage encryption keys and provision them either to an external cloud KMS or provide encryption as a service and signing as a service on top of our virtual HSM technology.
Describe the machine identity management challenge your customers face that led you to partnering with Venafi.
Oded: Well, simply put, our customers need to manage workload and machine identities, represented by credentials, certificates, and keys in various scenarios. A good example would be to provide SQL credentials to a Kubernetes container, or perhaps providing short-lived certificates to enable an SSH session initiated by a privileged engineer.
Although Akeyless can function as an internal CA, there are cases where our customers require us to issue certificates from an external, existing CA (private or public). They also need to monitor and manage those certificates in Venafi, and they would like to do so within their known and easy-to-use Akeyless interfaces, SDKs, plugins, Infra-as-code providers etc.
To fulfill those customer requirements, it was clear that we should work closely with Venafi to satisfy their needs.
How would you describe the “fastsecure” results this integration brings to DevOps and InfoSec?
Oded: Well, I think that it's all around seamless and frictionless work. DevOps teams are used to working with DevOps oriented tools like Akeyless. Akeyless provides the interfaces for DevOps teams, and they're used to using those interfaces to unify their entire workload identities—credentials, API keys, SSH keys, etc. For them, it's typical that they don’t interface directly with the internal Venafi machine identity management team that often works mostly on-prem. By nature, DevOps teams are very cloud thinking, both public cloud as well as the private one. They do not necessarily wish to interact with the traditional on-prem environments. So, for these developers, it is now becoming frictionless and seamless to just ask Akeyless to "bring me that certificate" where they actually mean “I need a certificate issued by the internal existing CA or specific public CA”.
Now Akeyless can automatically report and monitor and even issue the certificate via Venafi in a way that is completely transparent to the DevOps engineer. It's the efficiency of the process. It's the seamless combination of those two solutions working together to streamline operations. If it wasn't like this, then the DevOps engineer would still need to communicate with the security teams and ask "Hey, what about that certificate?" In that case, they would jeopardize the benefits of automation, or they would have to use some kind of other tools that they might not be familiar with. Of course, it’s possible for DevOps to do this, but for them, it is convenient to have all the secrets management needs from Akeyless Vault Platform.
Want to see how Akeyless and Venafi work together?
The Venafi integration with the Akeyless Vault Platform is now available! Visit Akeyless on the Venafi Marketplace for more information. And stay tuned for future interviews with Machine Identity Management Development Fund recipients.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.