Machines Running Amok: We've Created More Than We Can Secure | Oded Hareven
Twenty years ago, you could count the servers in your data center. Today, we've unleashed an army of digital entities that's spiraling beyond our control. For every human employee, there are 50-100 machine identities operating in your environment—containers, serverless functions, and automated processes that spawn and disappear by the minute. We've created more computing power than we have the ability to secure, and the machines are running amok.
In this episode of SecureTalk, we dive deep into the invisible crisis affecting 91% of organizations: machine identity breaches. Join host Justin Beals and cybersecurity expert Oded Hareven, CEO of Akeyless, as they explore why password rotation is dead, how ephemeral computing is breaking traditional security models, and what revolutionary approaches like distributed fragment cryptography mean for the future of cybersecurity.
What You'll Learn:
- Why 85% of identity breaches now come from compromised machines, not humans
- The fundamental mismatch between static security and dynamic infrastructure
- How military-grade cybersecurity innovations are transforming commercial applications
- Why the AI-quantum computing convergence is forcing us to rethink encryption
- Practical steps toward "SSO for machines" and ephemeral security models
Key Topics:
- Machine identity management at scale
- Zero-knowledge cryptography
- Quantum-resistant security architectures
- The evolution from static → rotation → ephemeral security
- Building security that matches cloud-native infrastructure
Guest: Oded Hareven, Co-founder & CEO of Akeyless, former Israel Defense Forces cyber specialist
Timestamps:
00:00 Introduction to Cybersecurity and Machine Identities
04:37 The Evolution of Security Paradigms
09:30 Akeyless and Machine Identity Management
13:53 Zero Trust and Ephemeral Security
18:36 The Impact of AI and Quantum Computing on Security
23:19 Future Trends in Cybersecurity and Akeyless's Vision
Resources:
- Akeyless: https://akeyless.io
Justin Beals:
Hello everyone, and welcome to SecureTalk. I'm your host, Justin Beals. I started my computer science career at British Telecom as a security analyst. One of my responsibilities included ensuring both the functionality of backup systems and the availability of systems inside data centers for our global frame relay network. It was really pretty cool to be able to go into the cold room and work on the hardware.
Or even provision and rack hardware for shipping. And of course, this led to a lot of science around capacity planning and provisioning and designing the right infrastructures. You bought hardware to deploy applications. Later in my career, the first time I was able to go to AWS and sign up for an EC2 server, it was a milestone moment in my computer science career, realizing that I would probably never have to go into a data center ever again.
And now we can fast forward to today's cloud native culture. And in the time it's taking you to listen to this introduction, perhaps millions or billions of virtual machines, containers, and serverless functions have been spun up, executed their tasks, and disappeared forever. Your organization might have started the day with 100 compute instances and ended with 10,000, then scaled back down to 50 by midnight.
Each of these ephemeral servers needs credentials, certificates, and access rights to communicate with their databases, APIs, and other services. And it's becoming kind of a staggering reality that for every human employee in your IT organization, there are now 50 to 100 machine identities operating in your environment. These aren't just servers anymore. They're containers that live for minutes, functions that execute for seconds, and automated processes that spawn and terminate based upon demand. Not even starting to discuss agentic AI and how it can crawl across an infrastructure. They're an invisible workforce of the digital economy and they vastly outnumber us.
But here's the real challenge. We are managing this exponential explosion of machine identities with some of the same static security paradigms we used when we could count the servers on our fingers. We're assigning permanent passwords to temporary identities. We're creating static access rights for dynamic infrastructure. It's like trying to manage a Formula One pit crew with the organizational chart of a 1950s factory. And the consequences are being realized. 91% of organizations have experienced identity-related security breaches.
And 85% of those breaches are attributed not to compromised human accounts, but to machine identities, service accounts, API keys, and certificates that attackers discovered sitting static in code repositories, configuration files, and forgotten databases. For example, the old approach of password rotation, once considered a security best practice, has become woefully inadequate.
When you rotate a password once a month, that credential still sits there for 30 days, seemingly a short period of time, but it is vulnerable to discovery and exploitation. And in an age where infrastructure changes by the minute, a monthly rotation feels like a geological time. What we need is a fundamental shift from static to ephemeral security, credentials that exist only as long as they're needed, identities that are created just in time and destroyed upon completion. We need what you call an SSO for machines, seamless, temporary, cryptographically protected access that matches the fluid nature of modern computing. And of course, this isn't only a technical challenge, it's an infrastructure revolution that requires new approaches to cryptography, including innovations like distributed fragment cryptography and zero-knowledge architectures. We're not just protecting data anymore, we're protecting the very fabric of how machines talk to machines in an interconnected digital ecosystem.
Today we're diving deep into these challenges. We'll explore how military-grade cybersecurity innovations are making their way into commercial applications, and why the convergence of AI and quantum computing is forcing us to rethink encryption itself. And most importantly, how organizations can begin preparing for a future where their security posture must be as dynamic and ephemeral as their infrastructure. Our guest today is Oded Hareven.
Oded is the co-founder and CEO of Akeyless, a cutting-edge company specializing in secrets and machine identity management. Based in the New York City metropolitan area, Oded has established himself as a leader in the cybersecurity space, with expertise spanning identity management, security, and pre-sales. Since founding Akeyless in 2018, Oded has led the company to develop the world's first unified secrets and machine identity platform.
Under his leadership, Akeyless has gained the trust of Fortune 100 companies and global industry leaders, providing cloud native SaaS solutions that protect credentials, secrets, and machine identities across diverse environments. Oded's foundation in cybersecurity was built during a seven-year tenure with the Israel Defense Forces J6 and Cyber Defense Directorate. There, he started as a programming course instructor before taking on roles as system and software architect specializing in identity access management and InfoSec, ultimately serving as an R&D team lead in cybersecurity. He holds a bachelor's degree in management and economics from the Open University of Israel and is fluent in both English and Hebrew. Please join me in welcoming Oded to SecureTalk today.
---
Justin Beals: Hi, Oded. Thanks for joining us today on SecureTalk.
Oded Hareven: Hey Justin, good to see you and thanks for having me.
Justin Beals: Yeah, it's my pleasure. So let's just start out with a little background. We like to learn, of course, about our guests and their expertise. You're working in the technology space as a CEO and founder of Akeyless. How did you get interested in computer science? Any early computer stories or security incidents that led you to an interest in this work?
Oded Hareven:
So, I believe it was around high school, you know, that I was interested in programming. I liked, you know, algorithms and thinking about how to solve a certain challenge using an algorithm. Surprisingly enough, it was Pascal, which is like whatever language that is not being, I don't know if ever being used. But yeah, that was kind of outdated my way back 25 years ago or 30 years ago to get into that world. And then within the Israeli Defense Forces, actually, this is where they found me and I found them. It was clear that my way in the Israeli Defense Forces would be around cybersecurity. But beforehand, it was around being an engineer, a developer.
I also got the chance to educate others and to be able to teach others. And then I was focusing on for eight, nine years around enterprise security, everything around, you know, the network that we know, the management of users, the application management, DevOps before we call it DevOps, but then DevOps security before we call it DevSecOps and others.
So, I've been doing it together with my teams there, I did it in access management, same stock systems, endpoint security, back in the days where we thought about endpoint security vendors that would be able to integrate all kinds of capabilities when antivirus was not the same system as access control, funny days, right? So all of that altogether, I had a great opportunity in which I'm very thankful within the army back then to touch all of those different and they have a great experience there. And this is where I started.
Justin Beals:
I think I wrote about 10 to 15 lines of Pascal in early days. I remember it was a very drawing language. You were like, start at this point and end at that point and draw a line, which is probably why all of us computer gamers were very interested in it.
Oded Hareven: Oh, the lines actually, the lines language was a bit different than Pascal. Pascal in a way was actually algorithms very similarly, not that low as C, but very similarly to that. That language that you mentioned that was within 10 years before in elementary school. Maybe I'll start next time the story on that language. It was placing a line and then telling it like go 90 degrees left and 90 degrees right. Yeah, that's.
This story should have, that's 37 years ago. Yeah.
Justin Beals:
The math of that was fun. I have an old like Drawing with Computers mathematics book that was really interesting. It's like a Spirograph on the screen. You know, we interview a lot of folks that have participated or learned about security from, you know, their nation and joining national security forces of a lot of different types of countries. I think it's a different, certainly like an in-depth introduction to the computer science side.
I've worked with so many people in telecom that came out of the US military and telecommunications was such a critical part of effective readiness.
Oded Hareven: Yeah, you know, in general, the unfortunate status in which nations need to find themselves, you know, as cyber is another dimension of attack and defense and offense, right? So, unfortunately and fortunately, because it provides also a lot of room for, you know, making a living. And this whole current situation is basically educating a new generation of people that can later on understand what is applicable also for the private sector. With time, by the way, I think that what used to be specific military technologies, with time, in a way, you see how the private sector and the military are using more and more of the same, especially in terms of IT.
If cloud used to be a very, you know, bad word, not just, you know, in the States, it has been sold with GoCloud, but in many other States, not necessarily. And there are other, you know, other solutions, but with time, you see more and more of the same technology is being absorbed with a faster pace. It used to take much longer for the IT of large enterprise to absorb, especially in military actions from what I'm familiar with. I'm still surprised about the speed that this is moving. Again, as a result of having cybersecurity as a true another dimension that is very much active these days.
Justin Beals: I think what's really a strong change is this public-private relationship, right? I think most nations that want a vibrant economy that consider part of the overall security of their population are wanting to share technologies down that might have been invented at the military level for cyber, so that they can see those implemented. It's part of the ethos of open source, right? I think computer science in the networking age has been moving towards these more open shared infrastructures for better security.
Oded Hareven: Yeah, of course. Knowledge in general is being more and more shared today in comparison to the early days of the Silicon Valley. You had to be a certain hacker in the previous term of being a hacker, of the true term of being a hacker, which taking some boxes and connect them to understand how on earth they need to communicate. And some people have solved it. But back then, you know, it's part of, you know, also democratizing and sharing around software, open source, as you mentioned, definitely is part of that trend. But we're going to see even more, you know, I guess, you know, as we all understand about AI, I can ask all kinds of questions today and to get a whole program that has been created. So we're going to see that kind of knowledge being shared even more.
Justin Beals: Yeah. So let's talk a little bit about Akeyless and your work there. What's the organization doing? What types of problems are you seeing that you want to solve?
Oded Hareven: Sure. So Akeyless is a cybersecurity startup that is focusing on the challenge of managing machine identities and secrets management. Machines, as you know, like virtual machines, like containers, Kubernetes, CI/CD processes, any type of automated processes being called in our language, a machine. And they communicate with each other, just like human beings, right? They do it much faster. They do it with a greater scale, with a greater volume. They do it in a different protocol. Back in the days, like 20 years back, when you were entering a certain data center, I remember myself literally counting the servers. I could have really see those in my eyes with two or three or four generations of virtualizations today up to today's function as a service.
The level of virtualization made it that the number of those components of those machine identities actually passes the number, outreaches the number of humans, but not just in a, it's actually in a ridiculous ratio today. So for every human, every one employee today in the IT environment, the IT and the DevOps environment, we're seeing 50 up to 100 machine identities, comparing to one employee.
So imagine what does it mean in terms of management for the IT organization, right, and security teams. Now having a large number is not a problem as is rather than the notion of them using authentication objects such as passwords like you use when you authenticate to your bank account. Machines do that as well when they authenticate to each other, right? Every time that you authenticate your bank account, behind that website, are hundreds of applications that communicate with each other in order to actually create that website and that information within the bank, right?
All of those are leveraging API keys, certificates, passwords, database credentials, encryption keys when they communicate, and those objects require security, and those objects need to behave differently as much as Akeyless is bringing to the table, which is helping our customers to move into just-in-time, zero-standing privileges principles, basically making it much harder for attackers to gain access and to hack those machines.
Justin Beals: Yeah. I mean, I can think of a lot of the architectures I've designed in the last seven, eight years, dynamically adjusted the number of machines that were operating based upon the web traffic, right? Like we don't even, to your point, when I had a key card to a data center a long time ago, I could count the equipment in the rack. But today we, it could be so ephemeral as to be on and then off again, that we barely recognize it as humans. Yeah.
Oded Hareven: Yeah, ephemeral is the name of the game where our statistics show and the industry knows that from various places that unfortunately the majority of permissions and access credentials today within the computerized environment is based on static credentials. With humans in a way, by the way, we kind of sold it. With humans you can use your face as your authentication, although it's not ephemeral, right? It's fixed.
But they are, you know, they are, you have a primary identification, a unique identification of yourself. There's also fingerprints and one-time passwords, and so on. With servers and automated processes, CI/CD processes, Kubernetes clusters, containers, etc., they are still leveraging static secrets in majority of cases, which is very bad because they are prone for attack, for a breach, and they are found within code, within configuration files, etc. So you've mentioned ephemeral, which is exactly the name of the game is how to help our customers to move just not just by protecting those static credentials, collecting them, finding out where they are, collecting them, and then also to help our customers to shift that into ephemeral allocation of identities according to the use of resources, right? It's a higher hygiene.
And also it helps with audit and compliance as you can imagine, because credentials and identities are being created only when they are being needed and they are deleted upon usage, which is a complete game changer in terms of how IT security in the identity aspect of it is being managed today.
Justin Beals: Yeah. Does this bleed into the concept of zero knowledge? I know it's one of the pillars of your solution in the marketplace.
Oded Hareven: Yeah, so zero knowledge, are two, the term zero and something have been, was actually very famous talking about zero trust. So we didn't want to use just zero trust for just not claiming it, but zero trust actually specifically speaks about just in time access, just for the time that you did it and then stop that access, which is equivalent in the identity world. It's equivalent to zero standing privileges in the ephemeral identities creation exactly as I've mentioned.
Those are the principles. So there are some of our customers that whenever they are picture in mind and on white board, there are zero trust initiative. And machine identity management and the federal management of those identities is definitely a crucial part. If they're bold enough to go beyond networking, zero trust in many cases started in the industry in the networking area.
And unfortunately, in many cases stayed there. But actually there's a great aspect of zero trust within identity management. Back to your question, zero knowledge is actually within our patented technology named DFC. We've invented the way to basically run cryptography in a non-trusted environment. We leverage that capability in order to protect the credentials, the certificates, the keys that we manage.
In a nutshell, basically imagine that we create fragments of encryption keys on different places. And one of the fragments is kept in your side, in the customer side. And using cryptographic functions, we're making sure that the objects that you give us are being encrypted on your end and then being stored.
And encryption is taking place using fragments of keys that you don't have all of them. And we don't have all of them, and no one have all of them. So there is no party that would be able to decrypt your secrets. And that includes, by the way, also the government. This is why it's being called zero knowledge. We have zero knowledge of your secrets, keys and certificates.
Justin Beals:
I see, because that's certainly, I guess, a security exposure. On the internet, we'll encrypt communication, but the certificates for encryption, the method of communication, some of the authentication patterns are all out in the open. Those are knowledgeable spaces, right?
Oded Hareven: Yeah, well, it's accepted and known today that you don't satisfy only with just one layer of encryption. SSL that is based on certificates, sometimes two directions, also client certificate, etc. Those are all good. Being adopted in some cases very well, because in a way it was more of a tick in the box, right? Like place a certificate, okay, we have an SSL established, HTTPS became a standard, etcetera.
All of those have been implemented. The certificate part is now today under debating term or at the headlines, given that the certificates need to be expired much faster than it used to be because of those reasons, by the way. And that's going to make a major mess and a lot of mess and a lot of worrying with regards to, by the way, shutdowns, sudden shutdowns of services because people unfortunately do not remember to renew those.
This is why we've added also automatic provisioning of certificates to make sure that the entire PKI needs within a certain organization is being kept completely automatic and autonomously. So we definitely answer that type, that part as well. But going back to your question, then yes, the authentication part is the crucial part, not just because it can be intercepted, rather than also because it can be hijacked not within the session itself, but actually within data at rest.
So credentials, certificates, keys are on disk and within lateral movement within attacks, hackers are finding those and they're selling those between them and they're using it in order to hack your entire cloud account and so on. Now, 91% of organizations have reported an identity-related breach.
85% of them have actually attributed that breach to machine identity, not to a human, rather than an admin for a machine, a service account, an API key, SSH key of a local administrator. And this is the number one worry that we should be worried about.
Justin Beals: Yeah, I mean, it's a pretty broad exposure because I can't think of a compliance framework, for example, that really delves into the problem of, I mean, it's doing roles and permissions, it's recommending that type of thing, but it's not necessarily looking at machine from an ability to operate inside a trusted environment.
Oded Hareven: You are totally right in terms of compliance and in terms of regulation and all of that. Unfortunately, those kind of documents and protocols that are supposed to protect us are kind of behind where they're mostly focused, still on the human aspect. Some of regulations and compliance are taking stand for years, and asking to rotate passwords of service accounts.
So rotation is definitely something that have been around thanks to the privileged access management industry within the identity world. But again, as a result of focusing on humans, administrators, service accounts were added to it as an additional. If we're already doing it, do it for service accounts. But the thing is that what might have been effective by rotating a credential can no longer be effective, and I'll explain exactly why. This is why we call rotation the second generation. The first generation is working, is basically establishing static credentials, right? We all understand why this is wrong. So the answer of the industry in the last years, like 15 years, was actually rotated mostly for privileged users again, but also for some service accounts.
Now the problem with rotation is that it leaves the attack surface still very much prone for attack. And the reason is that the identity is still there. There is still account on your database that sits there, you know, not being used or waiting for some calls. Okay? That password once in moon time is being rotated. Let's say that this is a high discipline organization. So maybe rotated once in six months, maybe once in a month. Within that month, within that month, attackers are there and they can leverage that and they can brute force that particular password and as such. So this is why it is proven to be not very effective. And by the way, not very easy to do because the application itself in many cases still expect the same password.
So when you rotate, also need to rotate it within the application, etcetera, etcetera. At the end of the day, today, whenever everything is ephemeral, the cloud is all around ephemeral, it makes sense also to create shorter lives of credentials and certificates and to provide it just for the sake of that particular function run. And it makes it much more healthy.
Justin Beals: Yeah, I love this moon time. I got to write a security control that like all access must be rotated on moon time. So one of the things that is really powerful, I do think is this extra layer of encryption, this distributed fragment cryptography idea. So you're building on top of a layer.
Um, but you know, it does seem to me that one of the things that looms over this, the marketplace broadly is the acceleration on the quantum side. I mean, even the last three weeks, we've seen improvement in quantum error correction. came thinking we're closer and closer and closer to this. How do you feel about the progress? I know the United States especially has been developing some quantum resistant algorithms for cryptography. Where do you feel we're at Oded? Yeah.
Oded Hareven: Sure. Then, you know, as yourself, we're monitoring that and we're looking at the progress. I think that's more than everything. Like it's there. And if we thought that it's going to take much, you know, much more time than we kind of understand that it is about to take much less than what we thought originally. But to be honest, what frightened me the most is the combination between AI and quantum.
That's that this is where it gets even more scary or I'll call it scary, but also I'll call it a way that we need to really look into as an industry in terms of how we look at encryption, by the way, then thank God we did not invent a new encryption rather than inventing a new way to manage the encryption keys. So as much as the industry would go faster to a different algorithm or to much larger size of keys on that, on that end, Akeyless is covered. So we're just adding more algorithms and we're adding, you know, the size of keys and for that we're fine. But in terms of, you know, if you're asking me as my point of view of that technology, the combination of AI and, and the quantum computing, that would be a game changer in terms of, you know, the compute power in the world, the gaps that we see with, between the, you know, how much energy do we need to run? Do we need to invest in terms of running AI and supporting what's happening? That's the most interesting part.
Justin Beals: I read somewhere, you know, just talking about the AI side of things that a large language model, you know, that we might see out of ChatGPT or the OpenAI group, costs about a hundred million dollars to just build the model and computing resources alone. I think that's what floored me from, you know, what it takes to build or, or, you know, essentially compile one of these models for utilization.
Oded Hareven: Yeah, well, I don't know if you're following those kind of, you know, those news, but the impact of AI computing and the fact that everyone, like a lot, or I won't say everyone, but definitely a lot. It gets to, if it gets to your aunt and mother and little, you know, a little daughter, it means that it is becoming, you know, everyone. And it's very easy to communicate with, and what you can see is that it already affects obviously the level of energy that is being required in order to actually deliver that kind of compute power. So this is something that, and by the way, from what I'm hearing, I was sitting on a certain forum and one of the questions was around, are we going to see a peak in the amount of energy today of that is required to deliver that AI up to the fact that we would not be able to deliver. And the surprising answer of one of the experts there that was within the industry of creating one of the large AI firm companies is that already they need to throttle and to basically control the level of queries as we all experience, because they're not able to provide for the amount of queries that are being requested today. So we're already there in terms of the compute power.
Justin Beals: Yeah, you know, it's funny because I think these things come a little full circle. It was a day where you and I had to assign memory and really work hard to keep the resources of our computer nominal so the program would run. We are a little full circle. We're just coming up against a global computer.
Oded Hareven: Yes, yes. And now, and now the computer does not wait for you to have, you know, buy within the store, a memory, et cetera. Now, you know, we've done it differently today. Everything is allocated dynamically and we can actually calculate, you know, how much is missing. Again, the speed is unbelievable of the change that we're seeing right now.
Justin Beals: So if we think about quantum computing and I mean, let's say I realized that these are gross generalizations and it depends on the type of problem you're solving and what the computer is good for at solving a quantum computer. But let's say we're talking a 5X improvement in processing power, just based upon the number of states a bit can take on, you know, compared to classical computing being a one or a zero.
I think that level of acceleration in developing AI models for good or bad, is that where you see a big concern in that it just becomes such a ubiquitous tool that anyone can write any AI model or direct it in a way they want very efficiently.
Oded Hareven: Well, I think that you have a lot of different examples today already to start seeing how this affects us. And the kind of, you know, the compute power that you're mentioning would just accelerate that even further, right? You're already starting to see how it affects the engineering life, right? Engineers that are being requested to work with AI, co-pilots, whatever help it is. Is it the main pilot right now? There are some companies that are either lucky enough or just bold enough to have the majority of their new code is actually to be created using AI.
So that's within the engineering world. I'm starting to hear more and more around support frontline as well as business development that used to, you know, representative of organizations that with time are getting helped by AI, but with time, they're also being provided with a replacement so that they are also tools in the market today that are becoming more and more like better and better in terms of actually replacing us, which is kind of frightening when you think of it, but it's within, you know, it's happening. So the trend that you're mentioning with compute power is just going to accelerate that beyond what we think.
Justin Beals: Yeah. Those of us that have worked in the computer science field for a while have been through the process where something we learned deeply is now gone. You know, and I think those outside of the computing industry haven't experienced that as much. So you and I are used to saying, Hey, the way to survive the AI revolution is to learn how to use AI tools in your own work today. Like you need to be on the front of it. But a lot of folks are like, no, I like the way my job works.
I don't want it to change, but the problem is that technology will likely change it.
Oded Hareven: Yeah, and you know, I'm trying to be cautious and not to over push it because some people they need to take more time. Of course within the high tech industry, I don't think there is one that can allow themselves not to start using it. In other traditional industries, they might take more time, but sooner than later. So everyone needs to use it. I can tell you that in some places, I'm actually surprised for the good that even people outside of the high tech industry, I hear all kinds of examples. Even, you know, I have a family of therapists and I get, you know, to hear that they're starting to think about the implication of that, how people are coming into therapy and they're talking about, I asked my AI, you know, and that was the answer. What do you think about it? Right.
It's unbelievable that it takes part of the discussion today, but it is like that. Because when two siblings are also arguing, suddenly AI helps them too. And it's in a way, it kind of reminds you how Google was. Let's ask Google, right? But now the answers are so profoundly, much better and extensive and faster and wider so that the use of it is becoming so in-depth.
Justin Beals: Yeah, I think the wider is what I found interesting with the tool set. I was talking with a friend the other day about security compliance. And we were saying how usually when you hire a consultant, like they're an expert in their particular framework, like I'm a HIPAA expert or I'm a SOC 2 expert. And that's been a challenge, you know, in organizations that are like, we needed to go do this next thing. Let me go find an expert in that thing. Whereas I think what is powerful about the AI is it can store more in its head than we can in our own. So if you want to generalize across, you know, a compliance outcome or different frameworks, it may be a better consultant because that was a better breadth of knowledge, not necessarily the precision that a single individual would have. Right. Yeah.
Oded Hareven: Yeah. Yeah. Well, Justin, just within our call, you're killing so many jobs and positions that I don't want to... I wish not to continue in... You're killing my audience.
Justin Beals: Well, it's an interesting challenge. One of my examples, I try to be hopeful. I'm a hopeful person, but I know we do build these things. We're trying to build great tech that people can use to be more secure or get better outcomes. But I always think about one of my favorite things to do, Oded, is race sailboats and the elite sailboat navigators on ocean racing boats, they deal with AI all day. They deal with multiple models and they have to synthesize the best model and the best response for the best decision in the moment. And so there is a human in the middle utilizing aggregating information from multiple AI tools at once. Yeah.
Oded Hareven: Okay, and what, and you know, and when they do that, what's the outcome? What do you see there?
Justin Beals: Right. Well, one is they have to chart a course. So they knew they needed to take the broad synthesis and decide how their particular reality fits into it. You know, us as security engineers, we could be getting advice or recommendations from an AI tool, but at the end of the day, you have to chart a course for reality to take place. That's the thing that AI cannot do. Right. You can't translate it. Yeah.
Oded Hareven: Yeah, we need to find more and more those places where I won't be able to do and to figure this out also for our children.
Justin Beals: Yeah, I think it's going to be a useful tool, but we're going to have some growing pains. And I have the other example I have of this when we talk about AI and its challenges were some very dear friends of mine started a cartoon called Homestar Runner back in like 2000. And prior to 2000, be the technology, the internet, the distribution channels, the software to write your own cartoon.
No one could have done that, right? It took a whole industry to get something out the door. And so what was revolutionary is they get their hands on these tools and they build a business doing their own cartoons. They're now 25 years into it. They're still writing games for Homestar Runner and, you know, collecting, it's been a great business and provided wealth for their families, but Disney wouldn't have given them the chance, right? So you have to see these things as unlocking certain potential in our future humanity and not just blocking us off from that. It'll change. Life will change. Absolutely. Yeah. Yeah.
Oded Hareven: Yeah. Yeah. Well, it makes you, it makes you wonder. I guess I think that you mentioned it, like everyone needs to start using it. And that's the first step for them to, you know, experience that I've had several aha moments there only the last few months. Like, you know, I've been using it before, but only the last few months I got obviously with the improvement of the models. You get some aha moments with some professional, you know, prompts that I was running to analyze some queries that I had. And the longer the question that you have also, you know, it complicates things and it takes more time. But then the answer was phenomenal. And that was the comparison that I had to do. And in the personal life also, when I had to find a certain provider for my daughter, and something, a task that could have done, it could have taken easily, like, you know, three hours, you know, how is it like that we're looking for a certain provider in the U.S. It's crazy. And to find out insurance and a certain treatment, whether that's fine or no, it included. And that took it, you know, three minutes and I got, you know, everything that I needed because it got inside to each one of those websites and searched everything for me. That sounds very basic, but that was a major a-ha moment a few months ago for me, personally, to experience how this is a major progress for us.
Justin Beals: We're getting, getting close to wrapping up. And so I want to talk about the future a little bit beyond the scary bits, that are going on. Yeah. Let's talk a little bit about the business side and, and cybersecurity tools in general. How are you finding the market for Akeyless? And what, what do you kind of, I'm always interested in founders ideas about setting the bar for their particular marketplace. Like if you could set the bar for what every, every buyer of Akeyless should expect from a platform like Akeyless, what should they expect out of that platform?
Oded Hareven: Sure. So I think that in a way we kind of claimed that from day one, having the understanding that managing machine identities requires certain different aspects to be managed within one same platform. It's not just about managing the API key. It's also being able to manage the certificate. It's not just about managing those two, but also managing encryption keys. And now only the things that I've just mentioned usually require three different systems, key management systems, certificate management, secrets management. But we see even more than those, there are some scenarios in which you want to use that privileged administrator service account. You want to use it also with a human interaction, with a remote access.
And there are also use cases around managing the different objects, but also in different places. So you need to be able also to orchestrate, to be able to manage the cloud vaults or the cloud secret managers, etc. So what we basically saw from day one is that it will be insufficient to focus just on API keys. Like the industry stopped it and saying, we're going to manage only the secrets that we call them database credentials and API keys, rather than the understanding that you need to have to provide a wide solution that would be able to solve for all of those different use cases and to be able to orchestrate and govern the existing secret storage that you have. So it's not just about walking into greenfield to basically start managing the machine identities and their connection on a greenfield, but also you have to be able to treat the legacy on that, right? To look back, or whatever is being used within the cloud environments, as well. And that's set very well also with our approach of helping our customers from the static approach to the just-in-time, and up to advanced authentication methods today.
So we actually call it secretless today. We are basically saying, helping them to go from static secrets to secretless via those different types of methods and methodologies and to help our customers to go to different types of authentication like OAuth and OIDC and SPIFFE and SPIRE for them to leverage that type of technologies and those tokens in order to reduce the number of secrets to the minimum as much as possible. Those are the expectations, roughly speaking, from a platform that would be able to also govern existing as well as to provide for any type of use case for in terms of the machine identities and their secrets. Now, what we see obviously is that, and we're very happy to learn by the way, that the challenges with AI, which we just discussed, that it is well positioned to provide a solution for that given that we were focusing on machines. We were focusing on SDKs and providing access via plugins and all that programmatic approach, programmatic access to manage the credentials and the access request temporary access by a certain automated machine. So we've already done that. And we're basically now the question around scale.
We are leveraging the three large cloud providers, and we're running already today tens of billions of transactions on a monthly basis. And we're very lucky and happy to be where we are at in terms of where the industry is about to hockey-stick.
Justin Beals: Yeah, that's excellent. You know, one thing that stands out to me is the orchestration side, you know, because I certainly have implemented a lot of applications where we did siloed the different identity access management areas, you know, from, you know, backend support of the system to how a user authenticates to the API authentication, maybe running a slightly different route. We would try and harmonize the database a little bit, or the encryption in the network using things like recipes for deployment. But it's different than saying, we're starting to centralize and orchestrate an understanding of identity, whether it is a machine, a human, or anything in between.
Oded Hareven: Yeah, well, eventually think of it. You can call it the SSO for machines, right? Like, Okta and Ping may have done it for humans, where you're getting a portal. You know, today in the large organizations, you're getting a portal and you can click and get to the system without, you know, providing any further authentication. In the more advanced environments, you won't even need to have a portal, rather than basically having different applications to trust a SAML token or OIDC token and things as such. But that's again for humans, for machines that have never been solved completely or implemented completely. And this is exactly what we have our customers to standardize the SSO in the aspect of not just authentication, but also authorization. The ephemeral SSO for machines.
And that's maybe a tagline for Akeyless in the future.
Justin Beals: Wonderful. That's great. Oded, we really appreciate you joining SecureTalk today and sharing your expertise and some of the things you're working on at Akeyless.
Oded Hareven: Sure, thank you for having me. It has been a pleasure and let me know whenever you want to have it again.
Justin Beals: Wonderful.