Of old friends and new beginnings - Introducing Entro
Working in the defense forces can be both eye-opening and scary at the same time. Eye-opening because you realize that countries (and organizations) depend solely on technology to make advancements or to protect themselves. And scary because there are real consequences when you get something wrong.
It was 2011 when I joined the IDF (Israel Defense Forces), where I spent a good 3 years working with cutting-edge technologies and a world-class cybersecurity team. I came to see the importance of putting security first – whether writing safe code, constructing threat models, or analyzing and responding to various risks.
My journey since the IDF
Since leaving the IDF, I’ve taken on numerous roles at organizations like IBM, Javelin (acquired by Symantec), Symantec, and Broadcom. All the while I was particularly tuned into understanding the security challenges these large organizations face and was keen to design security solutions that are practical and effective. I’ve done work across the security spectrum including real-time threat detection, anomaly detection, forensic analysis, NLP and AI-based threat modeling, security documentation, EDR (endpoint detection and response), and secrets management.
The challenge of secrets management
Of all the challenges I’ve worked on, secrets management strikes a chord with me as being the most critical in the security process. I realized that your entire security process is only as strong as your secrets management strategy. Whether it’s an insider or external attack, secrets always played a role in every incident.
What are secrets?
Secrets include the access tokens, API keys, connection-strings, and tokens that are used to restrict access to various parts of a technology system. Think of them as keys that open locks to various rooms in your infrastructure. Anyone that wants access to your organization’s crown jewels needs your keys, or secrets. The game of security comes down to this – how well you can secure and control access to your secrets, and how quickly you respond to exposed secrets.
Anti-patterns with secrets management
I noticed several anti-patterns in the way organizations managed their secrets. For starters, organizations assumed that if they use a vault to store and share access to their secrets, they are secure. This couldn’t be further from the truth. Vaults are little more than a database that stores secrets and gives users in an organization access to them. Organizations usually use around 5 vaults, and in no time, they end up with more secrets than anticipated – secrets sprawl. Vaults do not monitor the usage of secrets once access is given. That’s somewhat done by a secrets scanner – another anti-pattern.
You see, secrets scanners can spot secrets that have been exposed and alert you on the incident – that’s it. They do not give you any context on what that secret protects, what its priority level is, who has access to it, and what your first response should be.
You can guess what organizations end up with in the name of secrets management – a bunch of disparate tools thrown together that all do one small piece of the job, and all the while leaving huge gaps in your security posture.
An old friend, a new beginning
Turns out 2011 was an important year for me not just because of joining the IDF, but because I’d also made a friend who shared the same concerns as I do about secrets management and security. That friend is Itzik Alvas. For over a decade we met again and again as friends do and in 2021 decided to do something about the secrets problem plaguing organizations large and small. Thus was born Entro – the first and only holistic secrets management solution that finally gives you full visibility and control over how your secrets are created, used, shared, retired, exposed, and more.
We onboarded our first customer a few months later in May 2022, hired our first employee in November 2022, and are taking the veil off Entro today – 17 May, 2023. The past two years of building and taking Entro to market have only confirmed the pressing need for a permanent solution to secrets management.
Entro’s key features
There is a lot that I can tell you about Entro, but I’ll just summarize a few of the key features I’m proud of.
An accurate secrets audit
Entro gives you a precise audit of the total number of active secrets in your organization. For the first time, you’ll actually be able to put an exact number to the secrets you manage, and even see which secrets belong to which team or cloud resource, for example.
Full context on secrets
Entro gives you the full context for every secret including its owner, creator, rotation time, privileges, which cloud services it can access, and more. Entro builds a dynamic threat model map to show you exactly the level of risk associated with any secret. Armed with this insight, you can see the whole picture from start to finish.
Agentless implementation – The R&D team’s dream
Entro is an agentless solution, and doesn’t require any change to your code or agents. Instead, the solution is built on an API-based connection and logs to ingest data from your system, no matter where it is located. Your R&D team will love this as it doesn’t interfere with their work, and requires no additional effort on their part to implement or manage.
The principle of least privilege – Actually implemented
If you work in security, you’ve heard of the principle of least privilege. Entro has built-in features to help you implement this. We actively monitor if a secret has more privileges than it needs. For example, if a secret has read and write permissions to a storage account, but the user of the secret only performs read operations and not write, Entro spots this, and recommends you decrease the privilege level of this secret.
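The granted-versus-used comparison described above, sketched as an added example (this is not Entro's code): it diffs the permissions each secret holds against the operations seen in an access log. The secret names, resource names and log format are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: permissions granted to each secret, per resource.
GRANTED = {
    "sk-reports": {"storage:acct-logs": {"read", "write"}},
    "sk-backup": {"storage:acct-logs": {"read", "write"},
                  "storage:acct-archive": {"write"}},
    "sk-legacy": {"storage:acct-old": {"read", "write", "delete"}},
}

# Constructed access log: timestamp, secret id, resource, operation.
ACCESS_LOG = """\
2023-05-01T10:00:00Z sk-reports storage:acct-logs read
2023-05-01T10:05:00Z sk-backup storage:acct-logs read
2023-05-01T10:06:00Z sk-backup storage:acct-logs write
2023-05-01T10:07:00Z sk-backup storage:acct-archive write
this line is malformed and is skipped
2023-05-02T09:00:00Z sk-reports storage:acct-logs read
"""

def observed_usage(log_text):
    """Map secret -> resource -> set of operations seen in the log."""
    used = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore lines that do not match the assumed format
        _ts, secret, resource, op = parts
        used[secret][resource].add(op)
    return used

def excess_privileges(granted, log_text):
    """Report permissions that were granted but never exercised."""
    used = observed_usage(log_text)
    findings = {}
    for secret, resources in granted.items():
        for resource, perms in resources.items():
            seen = used.get(secret, {}).get(resource, set())
            unused = perms - seen
            if not unused:
                continue
            findings[(secret, resource)] = {
                "unused": sorted(unused),
                "keep": sorted(perms & seen),
                # A secret never used on a resource is a revocation candidate.
                "action": "reduce" if perms & seen else "revoke",
            }
    return findings

if __name__ == "__main__":
    for key, finding in excess_privileges(GRANTED, ACCESS_LOG).items():
        print(key, finding)
```

The result is only as good as the observation window: a permission used once a quarter looks unused in a week of logs.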
Bring your own Vault
I could go on and on, because there’s so much we’ve packed into this solution, but I’ll end with highlighting how flexible Entro is. Entro allows you to bring your own vault. Whether you use HashiCorp Vault, or AWS Secrets Manager, or any other vault tool, Entro integrates with them seamlessly.
As we begin our journey with Entro today, Itzik Alvas (CEO) and I, Adam Cheriki (CTO), are proud of how far we’ve come. The team has worked tirelessly to bring you a one-of-a-kind secrets management solution. If this excites you, I invite you to get in touch with us to book a free trial. We promise, your secrets management will never be the same again.