I stepped down as Snowflake’s first VP of security (aka CISO) in 2023 after nine demanding, but exhilarating, years and began my retirement shortly after.
I had my retirement all mapped out – long family vacations, finally tackling my towering reading list, and mixing in some occasional security advisory work and early-stage startup investments.
I thought I was content. Until I wasn’t.
As Forrest Gump famously said: “Life is like a box of chocolates. You never know what you’re gonna get.” Heeding this wisdom, I should not have been so surprised that after six months into my retirement, I would decide to get back to working full time – this time at a young startup named Aembit.
You may be wondering: Why would someone return from a career exit following one of the largest IPOs in enterprise software history?
During my downtime, I couldn’t avoid the many security headlines related to major data exposures resulting from stolen credentials. The coverage, I noticed, largely focused on the lack of multi-factor authentication (MFA) for interactive logins, such as a person authenticating to an application. However, my decades in the security industry led me to believe that the media and many of the technical pundits had largely missed the underlying credential iceberg that is service accounts (aka non-human identities, or NHIs) – credentials used by automated processes.
Sure, enforcing MFA – with FIDO2 – is a key technical pillar in protecting user authentication. But how can one do that when authentication occurs between two pieces of software using NHIs?
The short answer is that no solution existed, well, at least no commercially viable solution. Until Aembit.
Before I describe how Aembit helps safeguard your valuable assets (e.g., CI/CD pipelines or a business cloud application) from automated workloads that rely on antiquated and insecure static credentials, let’s take a 40,000-foot view of how organizations got to the point of relying on less-secure methods for authenticating between software workloads.
The Past: A Critical Oversight We Ignored for Too Long
I started my career in security in the late 1990s by performing pen-test activities for customers looking to uncover vulnerabilities in their enterprise networks.
Part of our “attack” campaigns involved searching for files that contained cleartext credentials (e.g., login names paired with passwords or passphrases). We especially valued service account credentials because they typically gave us access to critical technical assets – such as firewalls, critical servers, or databases holding sensitive information – often without triggering detection.
Why? Non-human identities (NHIs) aren’t tied to any individual and are frequently shared among system administrators across multiple workloads for redundancy. This shared nature makes it easy for an intruder with such credentials to blend in and persist in the environment, making them stubbornly difficult to detect and remove.
Today: The Same Secure Access Problem, Now at Cloud Scale and Infused With AI Smarts
Fast forward to today and, to my chagrin, we continue to face the same problems in safeguarding these shared credentials – except now, instead of only contending with one’s on-prem environment, the risks of exposing such credentials have increased exponentially because of the growth of the cloud, SaaS, and LLMs. And while there are some technical advancements in secrets vaults and native cloud token services such as AWS Security Token Service (STS), they are not built to handle the transitory nature of hybrid environments.
I readily admit that the first step in solving a problem is acknowledging its existence. After 30 years, it seems the industry has finally decided to address this issue by coining the term ‘non-human identities’ (NHIs). Now, dozens of NHI startups have emerged from stealth mode, announcing their solutions. Most of these companies are focused on the governance aspect of NHIs, offering tools to inventory your non-human identities, visualize their usage in your environment, and alert you to suspicious activities.
These are valuable capabilities, for sure, but they surface another issue that security professionals regularly face: today, most new tools focus on showing problems, not fixing them. With a rapidly expanding surface area and increasing complexity, security teams simply cannot afford yet another laundry list they need to check off. They need something that proactively fixes the NHI access challenge. And they need it now.
A Better Way: Proactive, Dynamic Security for NHIs
Let’s consider a parallel problem: the user IAM space has seen significant advancements, from passwordless solutions that leverage modern computers’ and smart devices’ trusted platform modules (TPMs) – specialized chips designed to be tamper-resistant and ideal for storing secrets – to cloud identity providers (IDPs) that enforce Zero Trust by using TPMs and implementing multi-factor authentication (MFA) with FIDO2. While these are strong solutions for user identities, a similar leap forward is needed for non-human identities.
Plainly speaking, why can’t we apply similar technical features to NHIs in a hybrid environment? The short answer is that it’s very difficult, and hybrid environments make it harder still. For instance, how do you ensure that only authorized on-premises workloads can access critical cloud assets, rather than an intruder who has stolen credentials and is impersonating them? Or how do you confirm that the authorized workload meets your organization’s security hygiene standards before it accesses valuable resources?
Aembit addresses those challenges by employing configurable workload verification policies that include security hygiene attestation (e.g., is the workload protected with CrowdStrike or is it part of one’s cloud security platform such as Wiz?). Additionally, Aembit enables just-in-time access, ensuring that workloads are verified and authorized only when needed, without relying on static credentials. This helps prevent unauthorized access and ensures that only workloads meeting security requirements can access critical resources.
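As an added illustration of the verify-then-grant pattern described above (example code written for this post, not Aembit’s code or API): a workload receives a short-lived access grant only when its attested identity is authorized for the resource and its hygiene checks pass, and the grant expires on its own instead of living on as a static secret. The attribute names, policy fields and sample workloads are assumptions made for the illustration.

```python
"""Attestation-gated, just-in-time access for a workload (illustrative, not Aembit's API)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple
import secrets
import time


@dataclass
class Workload:
    name: str
    attested_identity: Optional[str]  # identity proven by the platform; None if never verified
    edr_protected: bool               # assumed signal: endpoint agent reports the host healthy
    cloud_posture_ok: bool            # assumed signal: cloud security platform reports no findings


@dataclass
class AccessPolicy:
    resource: str
    allowed_identities: Set[str]
    require_edr: bool = True
    require_posture: bool = True
    ttl_seconds: int = 300            # grant lifetime; short by design


@dataclass
class Grant:
    token: str
    expires_at: float


def evaluate(policy: AccessPolicy, w: Workload) -> Tuple[bool, str]:
    """Every check must pass; the denial reason is what a defender wants logged."""
    if w.attested_identity is None:
        return False, "identity not attested"
    if w.attested_identity not in policy.allowed_identities:
        return False, f"identity {w.attested_identity} not authorized for {policy.resource}"
    if policy.require_edr and not w.edr_protected:
        return False, "workload not covered by endpoint protection"
    if policy.require_posture and not w.cloud_posture_ok:
        return False, "cloud posture check failed"
    return True, "ok"


def issue_grant(policy: AccessPolicy, w: Workload, now: Optional[float] = None) -> Optional[Grant]:
    """Mint a fresh, random, time-bound token only after the policy passes; no static credential."""
    now = time.time() if now is None else now
    allowed, _reason = evaluate(policy, w)
    if not allowed:
        return None
    return Grant(token=secrets.token_urlsafe(32), expires_at=now + policy.ttl_seconds)


def grant_valid(g: Grant, now: float) -> bool:
    return now < g.expires_at
```

Each denial reason is distinct so that a rejected request can be alerted on by cause rather than as a generic failure.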
I’ll wrap up by saying this: I didn’t come out of retirement to fall short on solving this problem. At Aembit, we’re deeply committed to building a security culture that runs through every part of the organization. We actively listen to our customers, striving to deliver solutions that are not only scalable but also simple and effective. Earning your business – and more importantly, your trust – is a responsibility we take very seriously.