10. Michael Malone, Founder and CEO of Smallstep, Certificates, Identity, X.509, and Authentication

Welcome to the Security Podcast of Silicon Valley. I am here today with a very special guest, Mike Malone, who is the founder of Smallstep. Is it founder or founder CEO? Founder CEO, I suppose.

Founder CEO. All right, you're running the show. There we go. Of Smallstep, a security company right here in the Bay Area.

You actually graduated from Virginia Tech, and after that, you were a computer technician for the United States Naval Academy. Wow, thank you for your service. Then you did some consulting work for Digital Deck. You founded Stealth Wine Co.

or the CTO there, and then you did a stint as an analyst at Accenture, followed by a web developer role at Pounce. Cool. You were a software engineer at Six Apart Limited, a lead architect at SimpleGeo, and I heard some of your coworkers had some very nice things to say about you, especially that database that was developed. So that was really cool.

It's always nice to see praise being shared. You were an engineer at Urban Airship, a CTO at Betable, right before you founded Smallstep. So incredible experience that you bring to the table. Welcome to the show.

It's great to have you, Mike. Great to be here. Thanks for having me, John. So, would you like to speak a little bit about the problem that Smallstep focuses on and how you add value for your customers and what part of the security world you guys really help with?

Sure. Yeah, we are a venture-backed startup out of the Bay Area, primarily, although we're hiring and remote employees are great too. And our focus is on certificate management, specifically certificate management for DevOps or open core. So our core certificate management, certificate authority, and the tool chain for automating certificate issuance and renewal and revocation and whatnot.

It's all open source. It's all in GitHub. I'm comfortable saying at this point with a straight face that if you are looking for certificate management tooling in the DevOps world, we have the best tool chain in that space. So check it out.

And we have some product built on top of that, hosted and sort of run anywhere product that extends some of the open source capabilities and provides functionality that is more enterprise-oriented. Oh, very nice. So that is such a needed solution out there. Identity management and certificates and binding identities to certain processes or to machines or even containers is a tough problem.

I would never recommend anyone try to build that stuff themselves. I suppose you could go right to the open source core, but so why not take advantage of all of the nice bells and whistles? And I assume it's delivered as a service. That's right.

Yeah. And it's all turnkey. You know, you can sign up on the website. There's a free tier.

So if you have a home lab or just want to test it out, you know, go ahead and sign up and it's really the easiest way to try it. Very nice. I know I've bumped into that problem many times over in my career here in the Valley. And every time that I bumped into it, it was like, uh-oh, got to go hire an expert team and let them build the thing.

And it was a long time ago, long before Smallstep came to the scene. So I'm super happy that there's now a drop-in solution, literally turnkey, ready to go, help with all of that stuff. So when you talk about identities, maybe there's a nifty comparison between your technology. I guess your technology is just like X509 certificate management.

And the other technology that rings a bell would be that SPIFFE and SPIRE identity. So how would you compare and contrast how maybe their problem space is different from what Smallstep helps with, or there's some overlap there? There's certainly overlap, and I'm pretty close with the SPIFFE folks. I participated in at least some of the early efforts around standardization there.

So yeah, there's overlap. I'd say that SPIFFE is maybe a little bit more opinionated, SPIFFE and SPIRE, and a little bit more focused on a particular sort of containerization microservices use case, which we address as well. But I think that our tool chain has a little bit broader reach. We support the ACME protocol, which is the protocol that Let's Encrypt uses.

We can issue certificates using OpenID Connect. We're a little bit less opinionated around the identity model, whereas SPIFFE is, you know, we're getting pretty deep in the weeds here. But I'd say that there is certainly a better together story. I see them less competitive, and certainly it's an open protocol, and you can actually use our tool chain to issue.

They have compatible certificates. So not really competitive. I think anything that is sort of helping people in this space is a good thing. So happy to see them succeed as well.

Yeah, definitely. Yeah, they were recently acquired by HP not too long ago, right? So all of that, all of that work is now going to be supported by that large company. And I was happy to see that they're going to keep it open source too.

You know, one of the, one of the problems with certificates, well, actually one of the problems is that is solved by certificates is this, you know, root of trust is like, what, what is it that you trust? And if you have an in-house CA, you have your offline root of trust, and then there's intermediate CAs that then can issue certificates down at the bottom. I guess we're getting, we're pretty much in the weeds now here in the technical shop talk, but just managing all of that can be very difficult, but it is really nice once you have it all set up that you have a single entity that you can trust that's offline, that you don't have to worry about is going to be breached or hacked.

And then it really enables. Yeah, I think that bottom turtle in the identity space can be really challenging. And yeah, just to reiterate, it's hard, but if you really wrap your head around it and figure it out, it makes a lot of other stuff easier. And I think a lot of people end up resolving that, that sort of bootstrapping and root of trust management problem sort of haphazardly and ad hoc repeatedly.

And instead of having sort of one well thought out foundation, end up having, you know, six or eight poorly implemented solutions that are sort of tacked together. And, you know, I think that's bad for security and it's also just, it's harder, frankly. It's more expensive to maintain. Yeah.

And, you know, I do think as we get into shop talk, you know, and I'm happy to go deep on that. The other issue here is there's a huge knowledge gap. You know, public key infrastructure is not something that I think even like very educated, very experienced software engineers or DevOps people tend to have. It's not something they tend to know well.

It's a gap. And I think in some, in some cases, it's sort of an embarrassing gap, something that people are like a little bit wary to, oh, I'll be the first to admit that I am absolutely no certificate expert. X.509 certificates. There are so many like frameworks and little, little pieces to those certificates.

You really have to understand history to understand like how we got there and what those certificates are today. And it's, you're right. It's a little bit. Yeah.

I mean, one of the funny sort of like little background bits of knowledge there is, you know, speaking of history, is X.509, X.500 came out of ITU-T, which is like a, a telecom standardization body. And if you've ever wondered why there are, you know, countries and, and localities in digital certificates that are meant for the web, where that stuff is sort of irrelevant, the answer is that they weren't meant for the web. X.500 and ITU-T was building a telephone directory, a global telephone directory. And that's what the standardization was originally developed for.

And now we use it for the web, but that's not, so now there's a lot of history and a lot of baggage. I don't know. It's an, it, it's become an incredibly important standard for the web. This is how, you know, HTTPS works and mutual TLS authentication if you want like a step above that.

Now all of that's based on a huge chunk of history here, I guess. Right. So. Yeah.

I mean, TLS is the most widely deployed cryptographic protocol in the world. You know, there are a lot of things to not like about TLS, especially sort of earlier versions. Chances are you're already using it and you're already depending on the security of TLS. So, you know, if it doesn't work, you're already in trouble.

Using more of it isn't going to increase your, your threat surface area, let's say. So. No, and I'll go ahead. Go ahead.

Yeah. I mean, I was just going to sort of expand on that and say that's sort of how we got into this space. And I can speak more about the early history of the company, but, but we, we were originally actually working on authorization problems. It's a big story there, so I don't want to go too deep, but had a solution in that space and showed it to potential customers.

And the feedback we got was basically cool authorization product, but we don't have authentication yet. And then, oh, okay. So you had to back up a little bit, answer the question of who are you before you can answer the question, what can you do? Yeah, precisely, which led to, all right, what's the, what's the right default answer for authenticating components in a large distributed system?

And, you know, researching that space, the answer we came up with was the right default is TLS because it is ubiquitous, because databases speak TLS and queues and every standard library has an implementation, so it's well supported, which then led to, okay, if TLS is so great, why isn't everybody already using it? The back question being certificate management is a giant thing and is really tricky to do in a distributed system, and there's no good tooling there. So here we are.

Yep, it's just a tough problem. It needs a lot of love, and I'm glad that you were able to come along with a solid team and give it the love that it needs and make it easier for everybody, right? I know that there's a lot of trends, I'd say, out there in the security space that are completely dependent on having a root of trust. One of them that comes to mind is that zero trust business, right?

So if you say that you're going to be zero trust or you have a zero trust service, usually what that means to me when I hear that is like, okay, that just means you don't have to trust like some central authority that's nebulously out there in the cloud that's disconnected from your infrastructure. Instead, there's a way to use that system to reroute the trust internally. And I usually think of a CA as being that root of trust internally. So whenever I hear like zero trust, that's usually what comes to mind.

Someone being clever with how they're going to be using certificates or deploy certificates in their system. I'd agree with you on that. I think zero trust is, you know, one of those marketing terms that is so overused at this point that it's almost lost all meaning, but, and it's also a bit of a misnomer since, yeah, you can't actually have zero trust. It's more about managing trust.

And I'd say that, yeah, what most people are doing when they're implementing a zero trust strategy is moving away from, they don't want to trust the network. They're moving away from network controls, firewalls, IP tables, things like that, to cryptographic controls, end-to-end cryptography. And, you know, if you're using cryptography, you've got to manage keys. And one of the best ways to do that in a large distributed system is to use certificates.

That is absolutely correct. That is actually what we do here at Peacemaker, and we did not, very explicitly did not want to solve that root of trust problem. So we just integrated with the X.509 certificate, you know, standard, left it at that. But for Smallstep, maybe if we go back even further, like way back, maybe to your childhood, to maybe an experience that really made you or was fundamental in the way that you were shaped and now see the world that led you to cross this bridge and start a security company.

Maybe a story that you'd like to share or a small piece of childhood. I think, I don't know if there's one defining moment in my early childhood, but I can say that there were themes. For one thing, I was a nerd, so going way, way back. And I grew up in Annapolis, Maryland, in a house where my parents were both academics.

They both had PhDs. My mom taught at the Naval Academy, taught political science. My dad, before I was born, was an academic for a while. When I was growing up, he was a forensic engineer.

So he was a real engineer, civil, mechanical, and did accident reconstruction. I thought it was the coolest job ever, you know, buildings falling down and cars crashing, and he'd fly out, figure out what happened. But it's a lot of what shaped me was, you know, my parents, particularly, I'd say my dad and his worldview. He was into, you know, when he was teaching, he was teaching systems theory in engineering, which was like looking at how engineering principles can be applied to social problems and logistical problems, like, you know, routing ambulances and stuff like that.

And he was very into technology and stuff. So I think, you know, it pushed me in that direction and encouraged me to pursue my passions, which I think is like, you know, a big part of what led me to start a company is like, you know, the ability to control my destiny and what I'm working on and really do what I want to be doing in the world, which I think is a really important thing. But yeah, so that was my background. And I'm honestly not really, I wouldn't call myself a security person.

I'd say my happy place is distributed systems engineering. I like building large software systems and building teams that build large software systems. And I have had the opportunity in my career. I've been lucky to do that a number of times.

You went over sort of my long history of startups and acquisitions that I've been through and whatnot, but I've been in this sort of like what we're now calling the cloud native world, sort of my entire career, since Pounce, using S3 and EC2 when that was AWS, like that's all they had, you know. So I had the opportunity to build several greenfield distributed systems and to make probably most of the mistakes you can make doing that and re-solve the same problems over and over again. And one of the really hard unsolved problems that I saw myself resolving over and over again was this identity management, authentication, authorization challenges in that space.

And I think there are other things that, you know, given infinite resources and infinite time, I would like to pursue that are sort of adjacent to these challenges. But this seemed like the most pressing, most immediate thing to solve first. That's really special. Thank you for sharing a bit about your background and your childhood that drove you to see those problems.

And then the pain, I guess, associated with solving it over and over and over again and wanting to take a step back and look at the bigger picture and share the love with everybody, all of your experience and all of the blood, sweat, and tears that went into solving it over and over again. So if you see one truth in the world that most people miss, what do you think that might be? Hmm. Yeah, that's a hard question to answer.

I don't know that there's sort of one truth that I see that, like, I don't know that I have some, like, pearl of wisdom that's going to, like, enlighten people. But I guess the way I operate is just more pursuing those passions and trying to work on things that I believe in. Yeah. And that passion is important to be able to see, you know, a snippet of maybe a direction that you could take, not just what you're working on, but the entire world.

Yeah, and in sort of building on that, I think, like, it's important to enjoy the journey, you know, and not be sort of looking to the past or to the future, but be working on something that excites you every day. So that's how I operate. I think I'm lucky to be doing work that I find interesting and engaging. And I do sort of try to do what I think is the right thing and then hope that other people see it that way too and get really excited when they do.

And when they don't, I guess the nice thing about operating that way is I don't have to feel that bad about it because at least I did what I thought was right. No, I get that. But one of the things that you mentioned that you really enjoy building are the teams, the teams of people themselves. What would you say is your leadership style?

Oh, man, you should probably ask people who work for me, not me. But I think a little quirky and haphazard, but I'm honest. I don't know. Like if I were to ask the people who work for you, what do you think they would say?

They would probably laugh. I am not a process person. I am not organized, but I like to get to know people and I like to understand what makes them tick and what they want to be doing. So, you know, one of my favorite interview questions is, like, what do you want to be when you grow up?

Right. Oh, I love it. Yeah, I like the, you know, where do you want to be in 10 years questions. Like, and I've gotten like the weirdest but most awesome answers to that.

And one of the nice things being in a small startup is you can be really outside the box in accommodating what people really want to be doing with their lives. So, you know, one of the guys who works for me now, actually, who I hired back at Betable and worked for me there, wants to be, or at least told me when I was hiring him, that he wanted to be a stand-up comedian. I was like, well, that's awesome. So I don't know, I'd say that's my management style is, I suppose it sort of aligns with what I was saying about before, is like, I like to, I like to find people who are sort of similarly passionate and understand, you know, what they're passionate about.

And hopefully there's some overlap between what they're passionate about and what a business needs. No, I hear you there. I remember the first time I was asked to interview someone, it was for a security role. And I was like, oh boy, like this is such a heavy responsibility.

And in the beginning in my career, I always thought it was about the technical stuff, the technical grits, you know, this technology, can you solve this algorithm? Here's a little problem. Then it was almost like intellectual flirting at that point. And then at some point along in my career, I realized that, you know, people are smart and they can learn whatever it is that they need to learn to be successful at any sort of job that their heart is passionate about.

And I switched my interviewing style to be more passionate. True. So I look for that fire, you know, if you have that fire, I don't even know what to call it. I guess the French would call it the je ne sais quoi, because it's the one thing that you can't teach someone or I don't know exactly how to learn it.

I don't know how to learn a passion. It's either there and there's fire or, you know, or it's just you're missing the mark, right? So, yeah. And I feel like there's sort of two criteria I hire for.

It's are you smart and are you passionate about something that I need you to be passionate about? And the first, you know, in interviewing somebody, figuring out whether someone's smart takes five minutes. It's the second part that I think is hard. And luckily is mutual because if the person that you're trying to hire is not passionate about something that you need them to be passionate about, they shouldn't be working on the problem anyways.

So I find that, you know, that's often much more of a conversation than an interview. Yep. And oftentimes, like, if the passion thing is met, it's a, it's passion is a two-way street, right? So as you're saying, I entirely expect that when I'm interviewing, I'm also being interviewed.

Like, oh, is this the type of company? Is this the type of person? Is this the type of culture that would fuel my passion from their perspectives? I didn't realize that we were going to see eye to eye on so many, so many topics.

Was there experience that led you to see that? Did you, was there a journey that brought you to that point? Hmm. I don't think it's rocket science.

I think if anybody really sat down and thought about it and was intellectually honest about it, they'd probably come to the same conclusion. Like, I don't, I don't know. I don't think I'm like smarter than everybody else or something. To me, it's just obvious that that's what's important.

I guess I will say I've done a lot of hiring. So I've been responsible for recruiting and hiring engineers and have done a lot of, a lot of that stuff. And so I suppose over time, you know, if you do enough of something, you get better at it. And my approach certainly, like, you know, was more standard when I was working for other people and, and had to sort of fit inside of existing policies and processes.

But, but no, I don't, again, like, more evolutionary than revolutionary, I suppose. No, that's nice. That's, you have a very strong sense of humility about the whole thing, which is, it's refreshing. It's very good.

It's good. And humility is one of those important qualities. And especially in cybersecurity, sometimes we have like, you know, we have so many experts all over the place and you bump into them. And I always find that funny too, because on the converse side, I just see so many opportunities, you know, to improve things, to make things better in the cybersecurity space.

And so it's, it's kind of like you scratch your head sometimes and wonder, okay, where are all these experts doing exactly? So if you think back over the past five years, because you've been at Smallstep leading the charge for about five years, was there a single best day that you'd like to point out or share with us that you just felt on top of the world? Great. Well, I think, again, another really good, but really hard question to answer, sort of picking out this like singular moment over the course of years.

Well, I'll start by saying that my experience with running a company is that every moment has good parts and bad parts. And you need to, you know, take the bad with the good, but hopefully focus on the good and not let the bad drag you down too much. It's very much a roller coaster ride, I think, running a company. And there are a lot of interesting, unique challenges.

You know, in a lot of ways, I look back and wish I was working for somebody else. At times, it's a lot easier because you have clear measurements, you know, somebody tells you to do something and you do it well or you do it poorly and you know, you know, you did your job. And if there was some strategic error and you were told to do the wrong thing, that's not your fault. You did your job.

And that's a lot easier than being the one who makes the decision and then the one who executes and then sort of constantly questioning whether, you know, you executed well on the wrong thing and it's still, you still screwed up. Right. So I'd say, like, going back, the obvious answer to like a moment that was really memorably good, raising money and sort of that first moment of having somebody like this real external validation of the idea and of myself and it being real.

But then sort of returning to that, that sort of, you know, good and bad at the same time is sort of gut wrenching because you realize that now this is real and you have to execute and you have to do all of these things that you told these people you were going to do. And if you don't, you're going to be held accountable. And so, right. And there's a dollar figure next to the accountability.

So this mixture of like euphoria. Yeah, and what have I gotten myself into? I'm very analytical, I think. Like, I'm not driven by emotion so much.

And even when I am emotional, I like get very meta analytical about it, I suppose. But I can say that that was, you know, running a company, raising money, and in, you know, venture-backed companies is a very emotional experience. I bet. And you raised from some top VCs.

I see Accel in there, like Boldstart Ventures, Upside Partners, Haystack. So that, I mean, all of those are huge names here in the Valley. So we've got some great investors and, you know, again, really fortunate to have all the people involved that we have. So yeah, Bain Capital, Upside, Boldstart, Accel, some of my favorite people.

If you're in the market for money, they're all great. If I have something to offer you. What about a worst day? You kind of answered it because you have to take every day with the good and the bad, you know.

Yeah, I don't know if I have a worst day. And if I do, I probably force myself to forget it. I can't think of a day that I would say was the worst day. Now, have there been bad moments?

Sure. I mean, people, we've had people leave the company and that's always hard. Always amicably, but you know, it sucks. It's like losing, you know, family members or something, you know, when you're so tight.

We've had, you know, releases that we've been really excited about that, you know, the world didn't sort of see eye to eye with us on. So in those moments are not, not the best, but you know, it's all about the journey for me. So I try to learn from those experiences and not dwell on the negative. I think learning is my emphasis.

Mistakes are opportunities to learn something new and I try not to make the same mistake twice. So if I have a bad day, I see it more as like a lesson and a thing to avoid in the future. Hey, you pick up the pieces and you figure out the learnings from it and make something good out of it and see the silver lining and you move forward. I think you have to if you're doing what we do.

I agree a hundred percent because not only do you have to do the lessons and like see the silver lining and pick up the pieces, but you have to lead a team and also help them pick up the pieces, see the silver lining and move forward. So if you don't believe it, people can smell it. That's right. So you better believe it.

Whatever it is that, right. No, and you must have, you raised seed capital, what, five years ago. And so you must have been very successful in being able to land customers, pull in income, support the business because usually seed doesn't last for five years, at least seed capital doesn't. So props to you for building a sustainable company.

That's really something usually VCs will try to push folks into a space where you spend, you spend, you spend, you grow, you grow, you grow, and you have to go back for more funding like 18 months, 24 months later. Clearly your history shows that you haven't. So doing something different, doing something outside the box. Yeah, we're doing, we're doing all right.

We've, you know, we have raised additional funding along the way from insiders and we brought Bain Capital on board, which we're super excited about a little over a year ago. So, you know, we've had additional chunks of capital here and there, but yeah, I mean, you're absolutely right. Venture is selling you money and they want you to buy more of it. So the best way to get you to buy more of it is to get you to spend what you have.

So I try to do what's right for the company and have been lucky to have investors who want that as well. Again, I think it's like, if you can have a good relationship with the people that are funding you and have candor with them, then that goes a long way. But you're, you're absolutely right. I think we haven't really followed the grow at all costs, run it off the cliff sort of philosophy that I think a lot of other startups do.

No, that's just, it's very refreshing. Nice to see every once in a while. So props to you for, for following your passion and doing what's right for the company at the end of the day, not necessarily the standard cookbook for Silicon Valley startups. And then when you fast forward into the future, I don't know how, how far into the future you would like to fast forward, but when you look out there and you see success for Smallstep, what does, what does that world look like?

How does Smallstep fit into that future? Well, I mean, I guess I'd start by saying, I think we've already achieved a lot of success. You know, we've created software and solutions that people are using to do real things and I think sort of created value to use a venture term. Looking forward, I want to do more of that.

You know, I want to be in a place where I have more resources and more time and, and can grow and, you know, execute, find some, maybe go back to some of the stuff that we were doing around authorization and some of these larger distributed systems challenges and build on this sort of identity as a foundation. And even in the identity space, there's a lot in what I would sort of call production identity that we would like to be doing that we aren't yet. So more of the same. More of the same.

No, that sounds great. Like you've been successful. Let's, you want to see the successes continue. I love the little plug for authorization, the authz space.

That's a, that's a very interesting space. I bumped into it multiple times myself. Have you heard of OPA, the Open Policy Agent? Sure have.

Yep. Yep. Yeah, pretty familiar with the OPA folks. Even with everything that they're doing and Styra has their little GUI that they, they built on top of it and they're all kind of open source as well.

Like their core technology is all open source, but you, you still feel like there's opportunity in the authz space. It's a big space. It's a big space. That's definitely a big space.

I couldn't agree more. I guess OPA is very laser focused on just policy-based answers to that question. That's right. Yeah.

I, I, I think there's a lot of opportunity there. I, I don't think it's solved yet. All right. Well, we'll have to have you back on once you get into the authz thing or, or, or even before then, even before then.

Thank you so much, Mike, for joining me, for sharing all of the stories and a bit about Smallstep and your entrepreneurial journey and a bit of childhood memories that sort of shaped who you are today. And I'm so happy that you're working on this problem. It's a tough problem. I know this is a tough problem and express nothing but gratitude for smart people like you working through it for a long time, making it easier for the rest of us to stand on the shoulders of giants and build a better future for everyone.

So huge thanks for coming on the show too. Thank you for having me. It's been really fun and I'd, I'd be happy to come back anytime. So.

All right. I'll hold you to it. All right. Thanks, Mike.