rss-bridge 2023-08-22T21:42:00+00:00

SE Radio 578: Ori Mankali on Secrets Management using Distributed Fragments Cryptography

In this episode, Ori Mankali, senior VP of engineering at cloud security startup Akeyless, speaks with SE Radio's Nikhil Krishna about secrets management and the innovative use of distributed fragment cryptography (DFC). In the context of enterprise IT, 'secrets' are crucial for authentication in providing access to internal applications and services. Ori describes the unique challenges of managing these sensitive data, particularly given the complexities of doing so on a large scale in substantial organizations. They discuss the necessity for a secure system for managing secrets, highlighting key features such as access policies, audit capabilities, and visualization tools. Ori introduces the concept of distributed fragment cryptography, which boosts security by ensuring that the entire secret is never known to any single entity. The episode explores encryption and decryption and the importance of key rotation, as they consider the challenges and potential solutions in secrets management.
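The summary above makes two technical claims worth seeing in working code: that a key can be used without the whole secret ever being known to one party, and that fragments can be rotated. The following is an added illustration written for this page, not code from the episode, from Akeyless, or from its DFC product (whose internals the episode does not detail). It uses the generic textbook technique of additive secret sharing of a private exponent in a Schnorr group: k = k1 + k2 (mod q) is never formed; each holder raises the request to its own fragment and a combiner multiplies the partial results. The group parameters (a toy-size safe prime generated at run time), the two-holder split, and the names FragmentHolder, split_key, combine and rotate_fragments are all assumptions of this example; a real deployment would use standardized 2048-bit+ MODP groups or elliptic curves, more than two holders, and authenticated channels between them.

```python
"""Additive key fragments that are never recombined (added illustration,
not Akeyless code). The private exponent k exists only as k1 + k2 (mod q);
each holder applies its own fragment and the combiner multiplies the partial
results, so base^k is obtained without k ever being assembled. Fragment
refresh (k1 + r, k2 - r) rotates the fragments while keeping k unchanged."""
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases (probabilistic)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64):
    """Toy-size parameters (assumption of this example): safe prime p = 2q + 1
    and a generator g of the order-q subgroup. Real systems use standardized
    2048-bit+ groups or elliptic curves."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    while True:
        h = secrets.randbelow(p - 3) + 2
        g = pow(h, 2, p)  # squaring lands in the order-q subgroup
        if g != 1:
            return p, q, g


class FragmentHolder:
    """One party holding exactly one additive fragment of the private exponent."""

    def __init__(self, q: int, fragment: int):
        self.q = q
        self._fragment = fragment % q

    def partial(self, base: int, p: int) -> int:
        """Apply only this holder's fragment: base^fragment mod p."""
        return pow(base, self._fragment, p)

    def refresh(self, delta: int) -> None:
        """Shift this fragment by delta; the peer applies -delta so the sum is unchanged."""
        self._fragment = (self._fragment + delta) % self.q


def split_key(q: int):
    """Create two fragments whose sum mod q is the never-materialised key k."""
    return FragmentHolder(q, secrets.randbelow(q)), FragmentHolder(q, secrets.randbelow(q))


def combine(partials, p: int) -> int:
    """Multiply partial results: prod base^ki = base^(sum ki) = base^k mod p."""
    out = 1
    for part in partials:
        out = out * part % p
    return out


def rotate_fragments(a: FragmentHolder, b: FragmentHolder, q: int) -> None:
    """Proactive refresh: a gets +r, b gets -r for fresh random r; k is unchanged,
    but an attacker who stole one old fragment now holds a useless value."""
    r = secrets.randbelow(q)
    a.refresh(r)
    b.refresh(-r)


def demo():
    """Static Diffie-Hellman against a split private key; returns
    (client and server derived the same secret, public key survived refresh)."""
    p, q, g = make_group()
    a, b = split_key(q)
    pub = combine([a.partial(g, p), b.partial(g, p)], p)  # g^k, k never formed
    y = secrets.randbelow(q)  # client's ephemeral exponent (constructed input)
    big_y = pow(g, y, p)
    client_secret = pow(pub, y, p)  # g^(k*y)
    server_secret = combine([a.partial(big_y, p), b.partial(big_y, p)], p)  # Y^k
    rotate_fragments(a, b, q)
    pub_after = combine([a.partial(g, p), b.partial(g, p)], p)
    return client_secret == server_secret, pub == pub_after


if __name__ == "__main__":
    print(demo())
```

Note the design point: the combiner only ever sees Y^k1 and Y^k2, from which k1 and k2 cannot be recovered (discrete log), and each holder only ever sees its own fragment. Refreshing fragments is a different operation from rotating the key itself; rotating k means generating a new split and re-deriving the public value.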


Show Notes

Related Links

Related SE Radio Episodes

  • Episode 311: Armon Dadgar on Secrets Management
  • Episode 446: Nigel Poulton on Kubernetes Fundamentals

Transcript

Transcript brought to you by IEEE Software magazine and IEEE Computer Society.

This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.

Nikhil 00:00:18 Hello and welcome to Software Engineering Radio. This is your host, Nikhil, and today I have the pleasure of welcoming Ori Mankali. Ori is a senior vice president of engineering at Akeyless, a leading cloud security startup. Prior to his current position, he served as the VP of research and development at the same company for nearly four years. Ori’s professional strengths include cybersecurity, IT operations, and architecture, with a particular proficiency in embedded Linux, internet protocol suites, debugging, multi-threading, and Unix. Before joining Akeyless, Ori held significant roles at several major companies. He was a director of software development at DriveNets and a manager of software development at both Amazon Web Services in Germany and Compass Networks. Ori holds a master’s and a bachelor’s degree in computer science from Bar-Ilan University in Israel. Today we’ll be talking to Ori about secrets management using distributed fragment cryptography. So welcome to the show, Ori. Is there anything that I missed out in the bio that you would like to add?

Ori Mankali 00:01:28 No, I think it was pretty accurate. And thank you for hosting me today, Nikhil. I’m delighted to be here on this show and answer questions related to secrets management and talk about cryptography and anything that interests you.

Nikhil 00:01:42 Perfect. Okay, cool. So let’s just jump right in. Right. So we said that the title of the show is Secrets Management, and let’s start from there. So could you explain what secrets are, and why we are calling them secrets versus passwords versus keys, or whatever other terms we use for these kinds of things?

Ori Mankali 00:02:02 Yeah, I think it’s a good starting point, because there is a lot of confusion around terminology and the differences between keys and passwords and secrets. Typically, we call secrets any kind of sensitive information that is used mostly for authentication by applications. So for example, if you have some piece of code written in whatever language, Java, anything similar to that, and your piece of code needs to authenticate to a remote service. It can be a database or another service, I don’t know, Kubernetes clusters, anything of that nature. Then it needs to identify itself. The application needs to identify itself in order to be authenticated and later on be authorized to access remote services. Historically, this sensitive information was stored in an insecure place like a configuration file, or even inside the code, even hard-coded. So all those types of sensitive information we bundle under the name secrets. Passwords is a term that we normally use for human access.

Ori Mankali 00:03:10 So very similar to password managers, if you know, a lot of browser extensions, mobile applications, et cetera. So all types of human access are considered, again, terminology-wise, passwords. And keys: we normally call keys anything that uses cryptographic keys. They can be symmetric keys or asymmetric keys that are used for different purposes. Normally, symmetric is used for encryption, typically, though not only, and asymmetric keys are mostly used for signing operations, and that’s the distinction between the different names. But eventually they’re all part of the same world of protection.

Nikhil 00:03:51 So yeah, it’s the same world of sensitive information that needs to be, I like the way you’ve differentiated. So secrets can be primarily looked at from the lens of, okay, this is usually something that you want to look at from an application or machine-to-machine interaction perspective. Whereas passwords are usually when there is a human involved. So moving on to the next word, which is management. So can you talk about secrets management and why it is important?

Ori Mankali 00:04:19 Yeah, I think everything at the end relates to scale. And let me elaborate on what I mean by that. Imagine that you have, like, a single application. The only thing this application is doing is connecting to a database. So you have a single application with a single secret, and it’s not too hard to manage. You can even wrap it in a way that would be considered somewhat secure, in the sense that the secret, the sensitive information, will be encrypted. But that’s just one. And now imagine that you have a large organization with, I don’t know, hundreds of thousands of services, applications.

Nikhil 00:04:55 A modern microservice architecture.

Ori Mankali 00:04:56 Exactly, exactly. Scaling out, like if you’re running on top of Kubernetes, you have tons of that. And now you have different kinds of applications that need permissions to different kinds of secrets. So it’s not just one, it’s millions of secrets. And you need to have some kind of access policy. Like, how would you differentiate between one application and another, between one human and another? You need to have some kind of auditing, right? You need to be able to see which application accessed which secret, or which human accessed which secret, in order to be able to retrospect and remediate in case of security hazards, et cetera. So this is becoming a big problem. Like, it’s not enough just to protect the secret using some kind of an encryption key. You need a system to facilitate the access to secrets, to configure different kinds of authentication methods, different ways to authenticate to the platform, and be able to fetch secrets and configure them.

Ori Mankali 00:05:56 You need a good and solid access policy, or access roles, as we call them, because we implemented role-based access control. You need to be able to integrate with external identity providers, so you will have single sign-on authentication to the platform; an audit log that can be edited and searched, and maybe even forwarded to existing log systems, because many organizations have their own log systems, be it Splunk or Syslog or Elasticsearch, you name it. And in many cases, you also need some kind of visualization for auditors. Like, if you have a CISO or security officers in the organization, they would like to have a visual view, or overview, should I say, about the activities, about access, et cetera. So all that requires …

[...]

