Kevin Sapp Discusses The Need For Workload Identity Protection

The cybersecurity industry has been solving the challenge of user-to-service access for several decades—from the invention of the first password in 1961, right through to the complex identity and access management (IAM) solutions we’re seeing on the market today. However, these tools are only solving part of the identity problem. Workload identities are outpacing human ones by a staggering 45:1, and enterprises are beginning to consider a new age of identity security.

“Systems can talk to each other across a network, but you really don’t have any security layer there,” says Kevin Sapp, Co-Founder and CTO of workload identity protection provider Aembit. “People were saying to us, ‘I have all these apps and applications that are talking to each other, but I have no control over any of that.’”

Aembit is a workload identity and access management (IAM) platform that enables organizations to manage and secure machine-to-machine access. Described by co-founders as “Okta but for workloads”, the platform’s goal is to eliminate secrets in the same way that cloud identity providers are eliminating passwords.

In an exclusive interview with Expert Insights at the 2024 RSA Conference in San Fransisco, Sapp discusses the need for workload identity management and security, how the concept for Aembit came about, and where the company is headed next—following their recognition as runner-up in this year’s Innovation Sandbox contest.

Note: This interview has been edited for clarity.

Could you please introduce yourself and tell us a bit about your security background, and your current role at Aembit?

I’m Kevin Sapp, co-founder and CTO here at Aembit. Aembit is a little over two years old. Prior to Aembit, I was at NetSkope, along with my co-founder, David Goldschlag, and he and I founded a company called New Edge Labs, which was in the zero trust network access space. That was acquired by Netskope and became their ZTNA product. Before that, I was in user identity space at Okta, focused on mobile. I joined Okta via acquisition—the first company I founded was acquired by Okta. So, for around 10 years, I was in the identity and access management space.

Prior to that, I spent another 10 years plus in cyber at different places. I was at McAfee, which was part of Intel Security, where I ran an engineering team around mobile. During my time at McAfee, that’s when I got started in IT security.

So, I’ve spent many years in cyber, and around 10 years in access management specifically, although most of that was focused on users-to-services. And now what we often say at Aembit is, we wanted to do something different, not focus on user access anymore. Do something else, but it’s still kind of the same; stick to your knitting.

It’s great that you can take all the experience you gained in the user access space and apply it to what you’re doing now!

Well, security is kind of like that. It’s like there’s really nothing new—the problems keep repeating, but the context changes. It was all about data centers, then it was mobile, then it was cloud, and so on. Once those shifts happen, it upsets the apple cart, and then you have to innovate on top of that. But the basic problem is all just the same.

Earlier this week, Aembit competed in the conference’s Innovation Sandbox contest as a Top 10 finalist with your Workload Identity and Access Management Platform. Why did you decide to focus on workloads, and how did the concept for the platform come about?

This started maybe five years ago. Here we were, building enterprise cyber products. We were selling to enterprises, and—particularly when we were doing ZTNA—they were saying to us, ‘Okay, you help us can connect our users to services. Can you connect my services to each other?’

A lot of those companies were just starting to adopt cloud systems, so they had lots of kit on-prem in their data centres, but they were also using clouds. To try to solve that, they’d typically put a high bandwidth VPN between their on-prem system and the cloud system. They were thinking about it as a networking problem. But then they quickly realized that those systems can talk to each other across a network, but you really don’t have any security layer there. There’s nothing like the processes that we have for people where, for example, Kevin can log into Salesforce because somebody said so, and we have all these controls that mean he has to prove who he is before he can log into Salesforce. People were saying to us, ‘I have all these apps and applications that are talking to each other, but I have no control over any of that.’

That was the genesis of the idea. We kept getting asked the question, and we said, ‘Well, how would you like to solve that?’ And nobody knew! We didn’t know either at that moment. So, we started to think about that, and we slowly came to the rationale that it’s an identity problem—just like you have for users. That’s what kicked off Aembit.

When we first were forming the idea and pitching it and getting feedback from various people, it was still kind of a mess; no one was saying ‘workload IAM’ or even ‘machine’ at the time. But it’s quickly evolved. Even since the beginning of this year, I’ve noticed a change in the way that prospects talk. They’re using words like ‘machine’ and ‘workload’ and ‘IAM’, and ‘I hate my secrets management!’ So, I think customers and enterprises really started to try to get their hands dirty with it.

And since then, it’s been about building. I wouldn’t say everybody has it figured out and everybody knows they want to solve it, it’s really still the early adopter enterprises. They know they’re struggling with this, and they want to get a handle on it. So, we’re still in the very early, nascent stages.

You alluded to the fact that there are already some solutions on the market that are designed to secure workload identities, such as secrets managers and cloud identity and access management. Why aren’t these solutions enough on their own to secure workload identities, and what are you doing differently?

As an entrepreneur, the first thing you should do when you think you have an idea, is look at what already exists to address the problem.

Today, Aembit is in this funky place where people ask who our competitors are, and we tell them we don’t havea direct competitor—I’m certain that there’ll be one this time next year—but we know what the alternatives are.

One alternative is the cloud provider IAM systems. For example, if you’re running kit in AWS and consuming services from AWS, if you’re exclusively in that environment, then AWS IAM is a perfectly good solution. But from those previous conversations, what we were seeing a lot of was that most enterprises aren’t like that; they don’t run all their kit in one place. They still have stuff in their own data centers, they have multi-cloud strategies, or they acquire companies and whoever they acquired will run their stuff in Azure or Google, or anywhere else. So, the first alternative to us is the sophisticated IAM system that really only works in one place. We looked at those we said, ‘Yeah, those are really cool, but they don’t address the problem for enterprises.’

The next alternative is secrets management. Secrets management tools say, ‘You have secrets. You’re going to use them, so you should put them in our database, because it’s a secure place to put them.’ But Aembit is starting from the premise that there should not be a thing a such thing as secrets. That’s actually our fundamental premise, and that’s where we diverge from secrets managers right away. When someone is building an application, they don’t say, ‘I really want to have this string that’s super sensitive and, if it leaks, all hell breaks loose, and I really want to deal with that.’ No one’s ever said that.

Secret vaults are trying to give users a more secure place to put their secrets. But what people really want to do is connect one app to another app or service. That’s how apps are built. And today apps are highly composed—you don’t just build a piece of software and you’re done; it connects to many things. So, when you’re trying to do that, the secret thing becomes beside the point.

So, what we concluded is that this is really an access management problem. You want someone to specify that software A should be able to talk to service B and be done with it. The cloud provider IAM systems do that to a certain degree, but they’re constrained to that one environment.

Finally, where is the company going next?

We’re early in our go-to-market. We’ve closed some amazing customers—sometimes I can’t even believe we’ve closed those customers because we’re only 25 people in total, counting contractors and everything. I think that’s pretty amazing.

So, it’s more of that. We’re pretty well funded, we have great investors. But it’s really building out the go-to-market and widening the product. The core of the product and what we do probably won’t change for a while, but what we see in enterprises is that they have many use cases. So, our job over the last year has been to satisfy more of their use cases and help them with more scenarios.

For example, we’re getting pushed into CI/CD pipelines. That is a huge problem; you might have secrets all over it, stuff checked into GitHub, and it’s a huge mess. So, we’re trying to solve that.

We’re super excited about those scenarios, and we’re going to press forward on that.

Thank you to Kevin Sapp for taking part in this interview. You can find out more about Aembit’s workload identity and access management solutions via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.

For more interviews with industry experts, visit our podcast page here.