Instincts, Fast Cars, and Modern Security - Why I Joined smallstep
Mike Maxey
I’ve never followed motorsports and I’m pretty crappy when it comes to fixing cars but I’ve recently become a Formula 1 enthusiast. There is something magical about how $2.6 Billion invested annually into bleeding-edge turbo-hybrid engines presents itself as a single, easy to understand concept: Speed. Drive fastest and you win. A super simple summation of the work of thousands of engineers and mechanics touring the planet to try to go 1km/hour faster.
Formula 1 appeals to me because I also endeavor to present complex systems as single, easy to understand concepts. I’ve spent my career explaining new technologies to executives, investors, and to my family every Christmas in a way that makes it not only understandable but personal. Once I have the right example and a clear diagram, then I can explain anything, and this points to one of my core instincts.
Great Expectations And A Few Small Surprises
My core instincts are exactly what led me to smallstep. I was introduced to the CEO by my friend Eliot Durbin @ boldstart.vc. When I had my first meeting with them, I wasn't exactly sure what to expect. I was new to the security space and was given a one-minute description of the company. Sure, I’d done my homework and read the blogs so I wasn’t clueless on what smallstep did but my understanding was still nebulous at best. My research told me it had something to do with PKI and certificate management.
I quickly learned smallstep’s vision is much broader than PKI and certificates[1]. It’s a vision centered on modernizing security practices using the best available technology to solve security challenges. Now you’re probably saying (as I was at this point), there are hundreds of companies out there offering security solutions to enterprises who are spending billions of dollars on modernizing practices. How much market is really left for a scrappy startup? Turns out a lot!
From Nebulous Space to a Defined Vision
To better understand smallstep’s vision, you only need to take a look at the current state of Identity and Access Management. The industry is based upon firewalls creating safe islands using network segmentation as ‘the answer’ for security. This approach has fueled years of investment with incremental progress towards an increasing number of smaller secure islands (aka microsegmentation). Then along came the rapid adoption of cloud, microservices, and containers, effectively destroying the safe island strategies of the past.
Smallstep is building automated production identity for everything (humans, services, applications, functions, devices, etc.). The implications of this are huge. When things have verifiable identities it makes trusted, secure connections easy. Instead of assuming this person has access to something because of their network address, you instead verify it is actually that person (or service, or app, or function). No wacky network rules, no iptables
to maintain, and no VPNs. To me, the vision was simple and compelling and I was down for the ride.
Formula 1 For Modern Security
I started doing my homework in the few weeks leading up to joining smallstep. In my research, I came across a couple of very valuable resources from our friends at Google that helped to frame this new approach to modern security through identities. Turns out, they too believe in identity-based security and have built the massive Google infrastructure using those philosophies. The Application Layer Transport Security documentation details how Google uses identity-based security and provides an excellent CIO-level summary up front. I also found the BeyondCorp website to be a wealth of information with links to many white papers and real-world examples of the benefits gained when adopting this modern security approach.
I’m now a few weeks in and I’m even more excited. Like the simplicity of speed in Formula 1, I’m focusing in on the simple and best answer for modern security; production identity. It’s a new concept for the industry and one I’m starting to understand via a firehose of learning and what feels like a never-ending stream of questions from me to the smallstep team.
Like the makings of a thrilling race at its beginning, the starting lights have just gone out. I’m making quick progress, something I intend to share with others through this Modern Security for Leaders series. As I become an expert in this industry, so will you. So I invite you to come along for the ride by subscribing to my updates, and who knows, you just might learn something on the journey.
[1] Want more? Go deep here: Everything you should know about certificates and PKI but are too afraid to ask
What you have just consumed is the first in an ongoing series of Modern Security for Leaders posts. In each edition, I will break down a complex security concept into a simple to understand format and highlight where it brings true business value.