Podcast: Why NHIs are becoming Security's Biggest Blind Spot – CyberVault & Itzik Alvas

Transcript

00:00:06
Welcome back to another episode of the CyberVault. Today I am very excited to be joined by Itzik Alvas. He's co-founder and CEO of Entro Security. And if you've been watching the shift in cloud and AI this year, you know that non-human identities, whether it's tokens, secrets, or service accounts, and everything our systems use to talk to each other, have really become one of the biggest blind spots in security. So, in today's episode, we're going to dig into why machine identity is blowing up,

00:00:34
how organizations are losing control of access they didn't even know existed, and what teams can do before AI accelerates the problem even further. But before we dive into all of that, it's a pleasure to have you here with me today. Why don't you maybe give us a high-level introduction to yourself? >> Yeah, for sure. And thanks for having me. I'm Itzik Alvas. I'm the co-founder and CEO of Entro Security. Entro is a non-human identity and AI agent security company. We're

00:01:02
helping organizations to securely use non-human identities and AI agents by managing and automating their life cycle. I've been around in the cyber industry for about 20 years now. I started at the Israeli Defense Force, at one of the intelligence units over there. I was doing cyber over there, and then prior to Entro I managed the internal security of one of Microsoft's clouds, Microsoft Defender Cloud, and Office 365 internal security. Prior to that I

00:01:31
was a chief information security officer for a healthcare services company. I was personally breached a few times by non-human identities. And yeah, you know, it's a pleasure to be here. >> It's exciting to have you for sure, and I think you already just laid the foundations there to show why you're maybe an expert in kind of what you've built, and we're definitely going to be unpacking this all today. But what I want to start with is the big trends,

00:01:55
because from the beginning of the conference season, especially when we were kicking off at RSA, the noise was really around non-human identities. And suddenly this has got so much attention this year. I'm interested to hear your thoughts as to why this is suddenly so prevalent in the space. >> Yeah, for sure it is. It is gaining a lot of traction, and the market is huge. It's a problem probably every organization, at least every organization with some technology, is

00:02:24
suffering from. So definitely it's a huge market out there and a big problem. I think let's maybe frame non-human identities for a second. Non-human identities are essentially programmatic access keys that applications are using in order to connect to resources, or actually authenticate to resources those applications need. So if an application needs to use a database, in order to authenticate against the database they're using non-human identities. If an application needs

00:02:52
to, you know, connect to a storage to save some stuff, that application will need a non-human identity to authenticate against the storage, and so forth. So those are the roles of non-human identities; that's what they are being used for, basically authenticating applications to resources they need. And the main problem, at least today, is that those non-human identities are being created outside of security oversight. Unlike human identities, those non-human identities are being created by

00:03:22
developers, DevOps, SREs and so forth, which are creating them, permissioning them, often giving them admin permission, and also scattering them around, to a point that the organization or the security team don't really know how many non-human identities they have, where they are, and also how they are being utilized. And that's a huge issue. Also, if you've ever seen a non-human identity, it's a long random string, which means that even if a security practitioner will find

00:03:51
one, he doesn't really know anything about it. He doesn't know which application is using it to access what resource, who's the human owner, what's the permissions, how it's being utilized. And when you combine that, when you don't know how many of these non-human identities you have, where they are, or how they can be utilized, you literally are unable to protect them. Today, we're seeing that for every human identity, there's 144 non-human identities. So,

00:04:19
the scale is massive, pretty much insane. And also, from the latest reports, like IBM Cost of a Data Breach, the Verizon report, Gartner, all of the big ones, it's today the second most frequent attack vector and the number one most costly to an organization. So it is a huge problem. >> I mean, it definitely sounds like it, especially when you put the numbers out like that. It's actually quite a terrifying prospect, and I imagine, you know, if we don't start really paying attention to this and kind of

00:04:47
coming out with really great solutions, like we will dive into in a second, it's probably only going to get worse, and especially as we start to see more NHI identities kind of created. And just before we dive into things, because I think there's often a bit of a misconception, and I think it might be really good to actually touch base on this: we hear about NHI for sure, but we also hear about machine identities. Would you say there's a bit of a differentiator here if we're kind

00:05:12
of talking about both of those? Because I do think sometimes people put them in the same category, but there is a bit of a differentiator between them, right? >> Yes. Yes. Technology-wise there's a differentiator for sure. So often machine identities are not being used for authentication, where non-human identities are being used for authentication. I think that's where you put the line. [clears throat] Although I agree that a lot of people are kind of, you know, combining the two.

00:05:43
That's probably a lack of proper education, and it's kind of fine. So machine identities often are certificates, and they are being used in order to understand the machine that you're talking with. So if you have two applications that are communicating with one another, you want to make sure you're communicating with the right application. It's not the authentication mechanism. It's more of an attestation that I'm sure that I'm actually

00:06:11
communicating with whoever I want to communicate with. It usually doesn't give you the ability to authenticate. So it's kind of different. >> Yeah. No, I think it's just good to break it down, because especially when you see people go to the conferences and all these buzzwords that get thrown around, I think sometimes, you know, unless you've been either educated or you've had the opportunity to kind of look into this a bit more or understand this part of the

00:06:36
market, it can kind of get, I suppose, lost in translation. So what I want to do then, because you kind of touched base on this a little bit, and something you personally experienced as a CISO yourself: you know, you started to realize that some of the biggest breaches weren't just coming from people. It was coming from things like tokens and service accounts and so on. I mean, when did this start to happen? When did you kind of realize that, whoa, there's a pretty

00:07:00
big problem here? >> I think it's kind of an ancient problem. You know, since the time that one application needed to communicate with any resource, like a database or another application, you had that problem. You had those programmatic keys, those non-human identities, facilitating that authentication, that connectivity between those applications, or applications to the resources. So it's quite an ancient problem, and the market tried, you know, to solve it in many

00:07:30
different ways, like vaulting and secret scanners and other stuff. I think it wasn't a super critical problem. It was a huge problem, but not super critical, because prior to the cloud a lot of organizations, like we had, had proper networking segmentation. So even if those keys were leaked, and they were leaked outside, an attacker would need to find his way through the firewall too in order to actually use them. So if your database is behind the firewall and, you know, your application and

00:08:06
everything is running behind, you know, networking firewalls and so forth, it's not as easy to use those programmatic keys if they are ever getting leaked. Today in the cloud, you know, MongoDB is up there in the cloud, and AWS is up there in the cloud, and so forth. So that networking perimeter is not as tight. Even if we're adding, you know, firewalls and so forth, it's not as tight as, you know, on-prem data centers used to be. And nowadays, or ever since the cloud, you know, began,

00:08:40
people can actually go ahead and use those non-human identities to access my database. So if they have my credential, my programmatic credential, they can just use them and access my database and encrypt everything or, you know, steal all of the data over there, and so forth. So I think that's kind of the tipping point: cloud entering into the IT space. >> Yeah. And I think as well, because you obviously mentioned something there around kind of vaulting, and I

00:09:07
think even with cloud a lot of people now think, oh, we have a vault, so we're fine. But as you've just demonstrated, that doesn't really solve the real problem. I mean, how are people still leaving themselves vulnerable here? If, okay, great, we've put some of these older tools into place, but actually, like you've mentioned, there's still a little bit more to think about. >> Yeah, I wouldn't say a little bit more, but a lot more. [laughter] Like, I

00:09:32
had vaults and I was breached three times. The main problem, again, as I said earlier, the main problem with non-human identities is that usually you don't know how many you have and where they are, and how they are being utilized, and, you know, if they are enabled or disabled, and permission sets, and so forth. Like, you don't know anything about them. So what is a vault? Let's also frame a vault. The vault is a database, an encrypted database, where you should take all of your non-human identities and

00:10:02
store them within that vault, and then the applications can fetch whatever non-human identity they need from that vault and use it in order to authenticate to the resource they need to authenticate against. So that's a vault. It's basically a fancy database, an encrypted database. But if we're going back to the problem that we don't know how many we have and where they are, how can we find all of them and move them to a vault? So what ends up happening is, okay, we have a great place, and it is a great solution,

00:10:29
by the way. So we have a great place to put and store all of our tokens and non-human identities and service accounts. We have a place to place all of that, but we don't know where they are. So at the end of the day we are storing some of them over there. At least from our latest statistic, that was like eight months ago, I think that only about a third, you can look it up at the security website, there's like an amazing statistics over there, but the fact is that only a third of the

00:11:02
non-human identities are actually stored within a vault. >> And then what? >> Yeah, and also the same problems around, you know, getting some classification around those non-human identities. Okay, so I'm storing something within the vault. Was it rotated, like replaced? Who's the human owner? What's the permission set? Which application is using it to access what? All of that, like, that problem is still out there within the vault. But also, like, most of the tokens, most of the

00:11:29
non-human identities, are actually not stored over there. >> Yeah. And I think, you know, it's a massive problem, because you look at the famous saying, and I always talk about this in security: you don't know what you don't know. But actually that's always a problem. You need to then go, you know, it's also not an excuse. You kind of have to go find out what you don't know, because, you know, you can't put your head in the sand and hope it

00:11:52
never happens, because that's arguably where you're probably most vulnerable, because that's what the threat actors and so on are kind of looking, or at least hoping, you're doing. >> Yeah, that's the crown jewel. Like, imagine you're an attacker and, you know, there are a lot of unmanaged, unaccounted programmatic keys that you can just, you know, try to find, and if you're finding them, then that's it, that's game over. You have full access to

00:12:18
the AWS environment, full access to the database, to the storage accounts. You can do whatever you want without breaking in, just, you know, by logging in. Of course that's the crown jewel; that's what everybody's looking for. You know, just like, what, four days ago there was another one. Every week there's an attack about non-human identities, but just four days ago, the Shai-Hulud 2 attack, if you heard about that, that was truly an insane one. You know, multiple

00:12:48
banks and Fortune 500s and other financial services and healthcare and so forth, all of them got affected by that. And the main action that was done over there is harvesting those non-human identities, which are, again, keys to your data. >> Exactly. And I think it's so easy to kind of overlook how critical it is, because you literally just highlighted there that even your big banks, your Fortune 500s, are under, you know, attack and risk. And a lot of these guys take

00:13:18
security very, very seriously, you know. So never mind if you're a bit of an SMB who's kind of trying to grow the business and you think, oh well, they're not going to target us. Well, arguably, you know, they are still going to target you. It's the big Fortune 500s that they think they're probably not going to get into, and they can still get into them when they've got a lot invested in their security. And >> Right. >> it's definitely really interesting

00:13:40
to think about. I mean, let's say, you know, a company's done a really great job, and you might have had this with businesses that you've obviously been working with, where they've finally been able to map out their machine identities and so on. What do you think, or kind of where are the identities that kind of normally surprise them the most? Is it like the number of identities that they've not been able to identify, or is it kind of anything else

00:14:04
in particular where they're like, what do you mean we've kind of missed this? >> Yeah. So first of all, I know that, like, you're right, Fortune 500s and so forth are investing a lot in cybersecurity. But I think that the non-human identity, as you mentioned, like, it's creating a lot of buzz lately, but it is an ancient problem. So unfortunately the market as a whole didn't really invest. We invested a lot in human identity, like we have MFA and

00:14:35
SSOs and CASBs and so forth. We have a lot around human identities, and IGAs of course, and a lot of other stuff. We haven't really invested a lot in the non-human identity landscape, unfortunately. You know, those usually have more permissions that can create more trouble to an organization. So I'm not sure that every Fortune 500, I'm not sure it's, you know, a fair saying that everybody is heavily invested in that. And that's also the problem with, you know,

00:15:07
cyber: you can invest a lot in one side but not really invest in the other side, and then you're going to get breached from the other side. Now to answer your question, I think people are surprised by so many things. When we're entering an environment and we're, like, you know, deploying Entro within an environment, people are getting surprised by many things. So yes, probably the scale, you know, how many, what's the

00:15:33
ratio between human identity and non-human identity? I told you earlier it's averaging around 144, which is insane. It's insane. It's unmanageable. So that's number one. Where they are stored and where they are exposed and so forth. So, you know, we're seeing developers sending them over Slack messages, in Confluence, wikis, in Jira tickets, in, you know, SharePoints and OneDrives, and pretty much everywhere. So the sprawl of them is also very surprising to an

00:16:05
organization. They were like, okay, why do we have it in our share, like, why? There's no need, but, you know, it's happening. I think another thing that is super interesting for them is, once you're gaining the right visibility, how easy it is to mitigate those risks, and those truly are risks very average to an organization. So I'll give you one example, again another statistic. On average, when we're entering an environment, we're seeing that about 40% out of all non-human identities

00:16:38
are idle, stale, not in use. You know, you had an application, you deprecated that, you deleted all of the workloads, all of the servers, and so forth, but you never deleted the service accounts, you never deleted the tokens, the non-human identities. So you have a bunch, about 40%, of unused, unutilized, enabled non-human identities; someone can use them, but no one is. Which basically means that you can, in a second, in a click of a button, disable 40% and reduce 40% of your

00:17:11
attack surface like that, by doing nothing. So yeah, you know, I have a lot of surprising stuff. >> I can imagine, and you've pulled out some really kind of incredible stats there, obviously. You've got kind of 40% then, like you mentioned, that's kind of sat there for no reason. It's like, why are you still here? >> Like an employee leaving the organization and no one deletes or disables them, there, you know. >> Exactly. And I think kind of that's

00:17:39
another side where you're kind of looking at it and thinking, oh, this is here for, or creating, an unnecessary risk. But the other one that you mentioned that I think is really interesting, and you've obviously referenced it a couple of times, is the number of identities, or non-human identities, against every human. And I suppose if you put that in context, imagine for a business of, I don't know, even if you're a smaller business, of how many people, how many kind of employees,

00:18:02
you would be multiplying that by, how big your business would feel if you put it into human identities. Do you think, like, you know, AI agents and automation and stuff like that, they're obviously creating more identities than humans ever could? Is this kind of what's changing the scale of the problem? Is this what's creating so many non-human identities? >> So I think the more, you know, infrastructure and applications that you have and own and use, the more non-human identities you will have. That's like

00:18:32
the baseline, and more workloads and so forth, more non-human identities. So even if you're, you know, breaking the monoliths into microservices, you're going to have way more non-human identities, because now every microservice needs its own set of non-human identities to authenticate and communicate with other resources. So I [clears throat] think that's the baseline, but definitely AI, and in particular AI agents, are driving that too. So at Entro Security we released our AI agent

00:19:03
security product early this year. And at the end of the day, you know, AI agents also need to use your data. They also need to connect to your data, your organizational data. So let's say you're using an AI agent to manage your calendar. That AI agent needs to connect to your calendar, right? Probably using an API, but at the end of the day, you will need to authenticate against the calendar, and it is going to use a non-human identity to authenticate against the calendar.

00:19:31
And if you're using another AI agent to help you write code, like Cursor or Gemini Code or Claude Code and so forth, all of them need, you know, to access your code repository, maybe GitHub, and in order to do that, they will need a non-human identity to access that GitHub environment. So AI agents are heavily relying on non-human identities in order to gain data access, and that's how we're kind of seeing it. You know, AI agents are using non-human identities to gain data access, and

00:20:00
therefore, if you're going to manage your non-human identities properly, then you're able to at least manage the access of your AI agents properly too. Our solution is doing way more than that, but yes, I don't really know how you can do it technically, how you can manage and secure access of AI agents without managing and securing the non-human identities. >> And I think it's definitely, you know, a problem that's probably going to continue to evolve, and we'll

00:20:32
close out on that, because obviously we're getting towards the end of the year now, and it's going to be really interesting to see what kind of happens next year. But before we do that, I think it's also worthwhile mentioning, because you've mentioned Entro here. So, you know, you've built an incredible kind of platform, incredible product, and are really setting out to solve this problem, but ultimately it's multiple kind of

00:20:51
problems really. You know, it kind of falls under the umbrella of NHI, but actually there's loads of things you're having to look at. You know, how many haven't you been able to identify, and then how do you remediate those problems, and so on. I mean, kind of what was the philosophy that guided you to kind of build Entro and tackle all of these different problems that we're seeing? >> Yeah, that was, you know, the kind of solution that I needed. Again, I was breached multiple times, which kind

00:21:15
of led me to start Entro Security, and my pain points were what I, you know, built, or what we've built over here in Entro, solutions for those pain points. You know, I didn't know how many non-human identities I have, and I wanted to know that, and there was no solution out there that would help me answer that question. Simple question of, you know, how many I have. So that's one of our pillars. Our core pillar is, you know, inventory. Let's understand how many we have and where. And then I really wanted to

00:21:45
understand everything about them, because unlike human identities, which are usually my employees, and I know their name and position in the company and probably their address and so forth, I know nothing about my non-human identities. Those are long random strings. So I wanted kind of, you know, business context or classification, and that's another pillar we have. For every non-human identity that we find, we're creating a lineage map of which application is using what non-human

00:22:12
identity to access what resource, and other vital data around it, like who's the human owner, permissions, activities, rotation, types, and so forth. And, you know, of course, once you have inventory and classification in place, now we can do security stuff, now we can do posture management and misconfiguration and abnormal behaviors, and stuff like that. So, you know, that's how we started, and then we really saw, you know, a huge pull from the market. It's

00:22:43
really exploded, and we have many customers now, and high-end customers and enterprises and so forth. Of course, we were using, and we are using, them and their feedback about what is missing, what needs to improve, what we need to shape, and so forth. So now it's like a flywheel, if you will, that, you know, our customer feedback is kind of creating our road map. >> And I think you really highlighted what so many vendors kind of sometimes don't do in the space, and

00:23:14
it's recognizing that, firstly, it's coming from that personal experience of, this is a gap that I needed. Hey, I'm just going to go solve it since no one else is. But then it's kind of recognizing that every environment is different, and actually there's so many different problems out here. And I think that's what kind of really is exciting about what you build at Entro, is the fact that you've got quite a holistic platform that's solving, you

00:23:35
know, NHI is actually a really large umbrella, and I think it's easy to forget that there's multiple different pillars to making sure that it's kind of well managed. And I mean, we've unpacked loads today. Arguably, this could be an episode that goes on for quite some time, because there's just so much to talk about in the NHI space. But I think what would be really cool to close out on is the fact that, you know, like I mentioned, we're getting towards the end

00:23:57
of the year here, and as we're looking ahead, if we were to kind of talk to security leaders as we're moving into 2026, what's maybe one mindset shift, I don't know why that was such a tongue twister, that they can kind of take on board, to say, right, if there's something that you really need to start prioritizing here, this is kind of that first step, this is a way that you really need to start approaching NHI. >> Yeah, you know, maybe I'm going to,

00:24:27
I'm not going to answer it around NHI, but overall security practices. I know that for some companies there's like a security registry where they are writing down all of the gaps they have and so forth, and different companies and different people and different CISOs and security practitioners [sighs] kind of have different approaches to how to prioritize what they need to do. And I'm going to share mine, what I used to do. I used to look at those

00:24:58
reports that I mentioned earlier, like IBM Cost of a Data Breach. Probably that was the main one for me. But Gartner too, and Verizon is a great one. I was looking at those, and I was looking at, okay, frequent breaches out there, and the cost of breaches. And then, if the number one is phishing, do I have anything for phishing? I do. Fine. Let's continue. If the second one is NHI, do I have anything for NHI? I don't. Okay, that's my next project, and so forth. That's how I used to prioritize

00:25:30
my budget and my effort. That's what I used to communicate to the board when I was asking for budget. Hey, those are the top five; we have a gap in number three and four. That's what we're going to do this year. That's how I used to do that. I know that, again, there's a lot of different practices going on. I really liked mine. >> I actually think it's a great piece to close out on, because ultimately, as you could probably imagine, if there's noise around that, that's because that's

00:25:58
where people are targeting, you know. So naturally that's where you want to make sure you're protecting yourself. So, I think a great bit to close out on there, Itzik. But I mean, thank you so much for joining me here, sharing such an insightful look on, you know, I think non-human identities has been, like we've said, a real big topic, but it's actually really nice to see how it's maybe evolving behind the scenes, and clear that it's still kind of

00:26:22
got that little balance between, hey, you know, you probably don't quite know how much of a vulnerability or risk it is right now, so let's maybe go out and do that. So, thank you so much for joining me here. To our listeners, as always, make sure to subscribe, share this episode with your security peers, get connected with us on LinkedIn, but of course, get connected with Itzik and the team on LinkedIn and follow what's happening over at Entro, because, like I mentioned, you guys are

00:26:48
doing some pretty exciting things in what's a really important space. But that is it for today. So, thank you so much for tuning in, and I will see you next time for more conversations shaping cyber.
