Smallstep takes big step toward authenticating machine-to-machine communications

Smallstep founder and CEO Mike Malone calls big, distributed systems his happy place, but these systems involve a lot of machine-to-machine communications, an area identity vendors haven’t been able to solve. The central issue is that when there are no humans involved, how do you authenticate the hand-off between machines to ensure it’s going to the right place?

“Fundamentally, identity in distributed systems is an unsolved problem. So all these different components that need to talk to one another, they need to identify one another just like a person logging into a website,” Malone explained.

“All of those connections need to be mutually authenticated, which means you need to identify and issue credentials and manage credentials for everything — and that’s the problem that we’re trying to solve,” he said.

The solution Malone came up with involves using certificates, the same concept that websites use, to hand off credentials between systems. Smallstep is delivering an open source solution to create and manage these certificates at scale, and a commercial version where they manage the underlying infrastructure for the customer.

The company launched in 2016 and launched their first open source product a couple of years ago. He said it was a tough problem to solve and they took their time building it and nurturing the open source community.

“The open source piece is the core technology. So, if you want to issue certificates, and especially if you want to follow modern best practices, our open source solution is really built to cater to those short-lived certificates that are automatically provisioned, automatically rotated,” he said.

He says the open source part is crucial because he believes everyone should have access to this core technology from a philosophical perspective. The commercial part comes into play when companies want or need someone else to manage the underlying infrastructure for them.

The company currently has 17 employees and expects to double that number in the coming year. As he adds employees, he wants to build a diverse organization, but admits as a person who is entrenched in Silicon Valley, it’s hard not to simply tap into his network. He looks to some best practices to break that cycle though.

“We don’t ask people to work for free, and we don’t have silly coding challenges. We’re not looking for unreasonable experience. I think our hiring philosophy is: Are you smart and are you passionate and are your passions overlapping with our needs? And if that is all true, then you’re thumbs up,” he said.

Tapping into the open source community also definitely helps, as does being mostly remote, something he says he didn’t really embrace prior to COVID, but the pandemic changed his perspective and allows him to hire from anywhere.

The company has received two tranches of funding so far, a $7 million seed led by Accel with help from Boldstart and a $19 million Series A led StepStone Group. Eliot Durbin, who is general partner at Boldstart says that Smallstep is filling in a big gap in cloud native technology.

“There’s a big gap in tooling to secure enterprise infrastructure, and it’s only getting worse with cloud native adoption accelerating. Smallstep’s PKI tools shift this left, empowering developers and operators with an ‘identity dial tone’ that makes it much easier to implement zero trust policies and observe all their certificates in one dashboard,” Durbin told me.