Ridgeline Founder Stories: Mike Malone of certificate management startup Smallstep aims to modernize machine-to-machine security

Just as we need websites to authenticate the people logging into them, we need strong mechanisms to authenticate the flow of information between machines. 

Mike Malone wanted to help secure machine-to-machine interactions by creating an open source toolkit for DevOps teams to automate certificate management. His company, Smallstep, aims to securely connect people and services on any platform in use cases ranging from identifying machines in the field to connecting IoT devices to the cloud.

In April of this year, Smallstep announced they raised $26 million in seed and Series A funding, and TechCrunch covered their big step toward authenticating machine-to-machine communications. Ridgeline participated in the round and we recently asked Mike, the company’s founder and CEO, to answer some questions about his journey and his predictions for the future of security and Smallstep.

How did you become interested in security?

MM: I never really considered myself a "security person" before Smallstep. I'm a software engineer. I've been into computers since I was a kid—I was on EFnet and running an OpenNap Napster server on a rusty old SGI Challenge S when I was in high school. Professionally, my career has tracked a bunch of process and technology transformations: agile, microservices, devops, cloud native, containers, etc. I see myself as a "distributed systems" guy. I like building large software systems, and building teams that build large software systems.

In the past I've held titles like "lead architect", building things like distributed databases. Immediately prior to Smallstep, I was CTO at a company called Betable, building a platform for online gambling. We used to joke that we were regulated like a bank that sold liquor. It was there that I really experienced the pain of marrying the modern technologies and processes that I'm used to with an enterprise-grade security and compliance program. There were gaps. That was the impetus for Smallstep.

What inspired you to co-found a company?

MM: I've had help and inspiration from lots of people over the years. But, my earliest and most essential inspiration was my dad. He was a civil and mechanical engineer. When I was a kid, he worked as a forensic engineer doing accident reconstruction. When a building fell down or a plane crashed, he would figure out what happened. He was a co-founder of FTI Consulting, which went public when I was in high school. He really encouraged my entrepreneurial spirit and saw the massive opportunity in computing and the internet. Without him, I'm sure I wouldn't be where I am today.

Tell us about your team: Who’s on it, and how did you meet?

MM: The best part of Smallstep—the thing I'm most proud of—is the team. The first two people to take a leap of faith and join me were Max Furman and Mariano Cano, two amazingly talented software engineers that I worked with at Betable. The team is growing fast now. We're open core, and we find a lot of talented people through our open source community. That said, we look far and wide for awesome people—we're fully remote and hire internationally. If you're smart, passionate, and think you could help make Smallstep better, we'd love to talk!

Where do you see automation and security headed in the near future?

MM: The stakes are only getting higher. We need deeper defenses, but we also need better visibility and control. These requirements pull in opposite directions.

Thematically, insider threats, phishing, mobile security, and remote working risks are all high priorities. Identity and secure communications are fundamental to protecting against all of these threats. We need stronger mechanisms for identifying the individual people, devices, and software components that make up our systems. Given the scale and pace of modern software development, automation is a requirement. But, automation is also a risk. Automated systems won't have all of the signals available to an expert human operator to assess whether an update is trustworthy, for example. Computers are really good at some things but have their own unique failure modes, which will introduce new security threats.

There are several specific technologies that we're really excited about. We're obviously biased, but the proliferation of TLS everywhere for encrypting and authenticating all network communication is core to what we're working on at Smallstep. In the software supply chain space, Sigstore is a powerful new core infrastructure for signing and verification of software packages. Finally, we see a ton of value in the new IETF standard for Device Attestation, which uses a hardware-backed key to solve the "bottom turtle" problem of identifying a virtual or physical device automatically when it starts up. This standard allows for zero-touch deployment of managed devices. It also provides an unphishable credential for accessing internal resources.

What does success look like to Smallstep in the short term and long term?

MM: My focus has always been on building an amazing team and solving real problems that are important to the world. Public key infrastructure is pretty nerdy stuff, but it's important. We see ourselves as sort of revolutionaries—or rebels, maybe, depending on your perspective—trying to democratize the space. Everyone deserves good certificate management—it's a problem that's as ubiquitous as the database because it's how you securely connect to your database. So, short term, we'll continue to be instigators there. Success is measured in adoption of our core technologies.

We got into certificate management because it's a gap that needs to be filled before higher order concerns like authorization can be addressed. I can't share details, but we have a long term vision that builds on the foundation we're laying right now. Success would mean some real fundamental improvements in the way that software systems are built, secured, and operated.

Learn more about Smallstep at smallstep.com. Stay up-to-date with the latest news on Ridgeline’s portfolio by subscribing to our monthly newsletter!
