Executive Conversations
Itzik Alvas, Co-Founder & CEO at Entro Security, and Oded Hareven, Akeyless CEO & Co-Founder
Introduction
Oded Hareven: Welcome to another episode of our fireside chat on machine identity and non-human identity. Today we have a special guest, Itzik Alvas, the CEO and co-founder of Entro Security. Itzik Alvas, how are you?
Itzik Alvas: I’m good. Thanks for having me.
Oded Hareven: Of course, very happy to have you, and thank you for agreeing as well. Tell us more about yourself. You know, tell the audience about, you know, we have some mutual background also in the Israeli army, isn’t it?
Itzik Alvas: Yeah. All right. So, I’m Itzik Alvas. I started my cyber security, or digital, work back in the IDF, the Israeli Defense Force. I served in the same unit as you. Actually, I started in a different unit. I started at 8200 and moved after 18 months or so. I moved to Mamram; you served at Mamram as well. So that’s a common ground we have together.
So after the Army I moved to the public market, was mainly a manager in the cyber security world and then in infrastructure as well, DevOps and SREs and so forth. Prior to Entro Security, I was in charge of the internal security of one of Microsoft’s clouds, Microsoft Defender. And prior to that, I was the CISO of a healthcare services company. And yeah, now at Entro Security, securing, you know, non-human identities.
Machine Identity vs. Non-Human Identity
Oded Hareven: All right. Cool. So let’s go straight to the point where, you know, people use this terminology about machine identity and non-human identity. We hear that a lot in the market, right? Obviously, you know, Akeyless claims to be a leader as a machine identity platform, and obviously you’ll see some non-human identity terminology within our website as well. And you’re claiming the non-human identity space as well. So how do you differentiate that? Where do you find Entro Security in that space?
Itzik Alvas: So Entro Security manages and protects non-human identities. And the main difference, as I see it, is that machine identities are a subset of non-human identities. I’ll give you some examples, okay?
So I see machine identities as workload identities, basically an identity that is related to a workload, a compute resource, whereas a non-human identity can be a machine identity but can also be other non-human identities, like personal access tokens. So a developer that is using a token in order to push code into GitHub. That’s a non-human identity that is not related to a workload. So that’s a non-machine identity.
But a non-human identity. Another kind can be SaaS-to-SaaS integrations that are using [inaudible]. It’s not related to a specific compute resource. Therefore it’s a non-human identity, but not a machine identity. So again, machine identity, as I see it, is a subset of non-human identity.
Oded Hareven: So you’re referring more to the automation aspect or the compute aspect of machines themselves. Let’s call it this way. An IoT device, would that be called machine or non-human? Is that even important? Where do I put it?
Itzik Alvas: I think that will be a machine identity.
Oded Hareven: All right. Yeah. And then, on the other hand, a CI/CD process that acts as a one-time process to do whatever it needs to do. You would not call that machine, rather non-human, am I right?
Itzik Alvas: I would call that a non-human. It’s not related directly to a workload, to a compute resource.
Oded Hareven: So in that sense, obviously the Akeyless aspect of that is basically to welcome any other different definitions that are there in the market. As you know, Gartner analysts have chosen the machine identity space, the machine identity terminology. When you ask a Gartner analyst, by the way, you know, about non-human, they’re saying, who is non-human? Like, cows are non-human, and they don’t have any identity. That was like the biggest argument, I think, in Gartner history.
But yeah, they went towards workload identity right now, although they do use non-human identities in the reports as well. But yeah, again, I think that the easiest example is a personal access token of a developer that is using his token to push code into GitHub.
Oded Hareven: So an API key to GitHub, in that sense, you would call non-human, being used by the developer. Being used by a human.
Itzik Alvas: Yeah, it’s a non-human identity.
Oded Hareven: Gotcha. As long as it’s a secret at the end, I’m fine with it. It doesn’t really matter in terms of the accuracy of exactly where you put the line.
Origins of Entro Security
Oded Hareven: So, with Entro specifically, right?
Itzik Alvas: Right.
Oded Hareven: Let’s start with what brought you to, you know, start the company. What were the pains, I guess, that you’ve seen in this story around it?
Itzik Alvas: So when I was a CISO for the healthcare services company, when we moved to Azure, when we migrated to the cloud, about a week afterwards we were breached through a non-human identity. So that was the first time. And then like three years went by, and I managed internal security for one of Microsoft’s clouds. And over there, I was breached twice through non-human identities as well.
So after my third time, I started to search for solutions, and my main problem was identifying how many non-human identities and secrets I have, where they are, how they are being used, what my developers are doing with them, and so forth. I couldn’t find any solution out there. I joined forces with a friend of mine from the same unit, Adam. He’s now the co-founder and CTO, and we started Entro.
Oded Hareven: So, basically, from a personal pain to now starting a vector category within cybersecurity.
Itzik Alvas: All right.
Entrepreneurship Journey
Oded Hareven: Well, obviously that has been a journey, right, of entrepreneurship.
Itzik Alvas: For sure. Yeah. All right.
Oded Hareven: How would you summarize that?
Itzik Alvas: Wow, summarizing it? A journey…
Oded Hareven: A journey. All right.
Itzik Alvas: It’s one way to say it. That’s quite a lot. I learned a lot. So I’m a practitioner. I’ve always been on the digital side, you know, from DevOps to cybersecurity. Never on the go-to-market side, sales and marketing, probably something you experienced as well. So I learned a lot about how to manage a business and how to sell a product and enter the market.
Oded Hareven: Yeah, of course. Now that’s a special journey, as we said, that has a lot of different stations in it, let’s call it this way. But I think, you know, in one of our future episodes with regards to entrepreneurship, etc., you know, we can have something of a panel and talk about it even further. That would be interesting.
Itzik Alvas: Yeah.
Oded Hareven: It’s a nice angle to talk about.
Uniqueness of Entro’s Solution
Oded Hareven: So we just spoke about machine identity versus non-human identity, right? And the journey around it, what made you go into that space. I was wondering if you would be able to elaborate even further with regards to the uniqueness of the solution that you designed specifically for non-human identities, and what differentiates you from the other players in that buzz.
Itzik Alvas: Right. I don’t see it as a buzz. That’s an ancient problem that many people tried to solve in the past, and I think we finally have a good solution for it. And it’s funny, because now, when we’re seeing lots of competition in the field, the main question that we’re getting is, what are the differences? How do you differ from the other competition in the field? And when we started, not too long ago, like three years ago, we were the only ones doing that. So everything was unique. But now it’s like, okay, how do you differ?
Oded Hareven: Yeah.
Itzik Alvas: I think the market is a bit confusing. I think everybody’s marketing something around non-human identities, but not everybody is actually delivering non-human identities. So you see a lot of companies, I’m not going to get into specific names, but customers should try to understand the main pain point.
So what we solve is a problem around developers that are creating those non-human identities, permissioning them, using them, storing them, and basically scattering them around, sending them over Slack messages or Teams messages, Confluence pages, config files or whatever. And usually security teams don’t really know how many non-human identities they have, where they are, how they’re being used, what the risks around them are, and so forth.
That’s more of a discovery for the identities that are being created. Discovery and security and lifecycle management around them. But for development-created non-human identities, right, if your application needs to authenticate to and use a database, they will need one type of non-human identity. There are other types where you’re connecting two SaaS services together. When you’re connecting your Calendly to your calendar, there is a non-human identity facilitating that authentication.
That’s another kind, another problem. What’s my SaaS-to-SaaS interconnectivity? And there are other kinds, but I think customers should understand what their main pain point is. Probably, if they have developers, they will need something like what Entro is offering, protection over development-created non-human identities. And if they don’t have a lot of developers, probably they have a lot of SaaS services, and then they will need other kinds.
Our main differentiator within the non-human identity vertical that we play in: we started that market, so we have the most mature product out there, built by practitioners. But other than that, when we’re competing against competition, we usually discover 80% more non-human identities than the competition. So the discovery, the inventory, is a huge differentiator.
Another one is non-human identity detection and response. So that’s a pillar around abnormal behaviors. Let’s say the third one is using a token from China to access the customer environment, but the customer is not doing any business with China. We’re going to find that anomaly and block that authentication.
Another use case can be if someone is mass-downloading secrets from a secret store. That’s an abnormal behavior, right? Why would someone download all of the secrets from the secret store? That’s another abnormal behavior that we will help to prevent. So non-human identity detection and response, that’s another differentiator of ours.
Three Pillars of Machine Identity Management
Oded Hareven: All right, so what I would frame for our viewers, and I would love to hear, you know, your real perspective about it, is that the way Akeyless is looking at NHI/machine identity management has three different pillars in it.
The first pillar is around discovery, observability, the insights, exactly the kind of things and the use cases that you mentioned, right? To discover if there’s abnormal access, to see if there are permissive credentials, the identities that have been created during the processes. That’s the number one pillar.
The second pillar is around management, right? You have described some of it. But obviously the take of Akeyless is around the creation of a secret, the versioning, the rotation of it, the just-in-time credentials, right? Everything around the actual storage as well as the issuance of certificates, the creation of encryption keys, API keys and all that.
The third pillar is around securing the access, which is after those secrets have been created and managed. The third pillar is responsible for actually delivering and securing the access to those secrets. And that can be the injection of that secret to a Kubernetes cluster, or actually the injection of that, without the involvement of the application, into the infrastructure layer.
There’s also the matter of secretless, which is how a certain workload would authenticate. Right? How do you manage authentication without secrets, like leveraging the new ways of authentication with SPIFFE/SPIRE, you know, OIDC and so on and so forth.
This is how Akeyless is looking at the whole space of NHI/machine identity management. It seems like within your use cases, you’re referring more to the observability, which obviously, you know, was not our core; competing with traditional vaults or traditional secret managers, for us the management aspects and securing the access, that’s the foundation.
And it sounds like the NHI side of that world is very much focused on observability and sometimes even remediation. But at the end, how do you look at the relationship of Entro Security and the NHI players to the secret managers? Right? How do you see that?
Entro’s Six Pillars
Itzik Alvas: Entro Security manages the entire lifecycle of non-human identities. That’s our main goal, to manage, secure and automate the lifecycle of it. And we see it as six different pillars that relate to your three.
The first one is discovery, finding out how many non-human identities we have, how many of them our developers created, where they are. That’s the first one. And we are discovering that in three main locations. The first one is the creation location. So someone created a new token at my MongoDB; you would like it to be inventoried. The second one is secret stores. Someone stored it in the secret store; we’re going to find that as well. And the last one, the third one, is exposure. Exposed secrets.
Someone again sent it over Slack, within a Confluence page, committed it to code, or it’s not within their traditional vault or other secret stores. That will be the third one. And once you have a full inventory and can discover them at their creation location, storage location, and exposure locations, then you can move to classification, because those non-human identities are longer to my strings. And that means that even if a security professional finds one, you have no context about it.
Oded Hareven: So you recommend to your customers to basically place them within a secret store. How does that look?
Itzik Alvas: For sure. For sure, every non-human identity and secret should be securely stored within a secret store.
Oded Hareven: Unfortunately, that’s usually not the case.
Itzik Alvas: Well, of course, otherwise we’re out of business, right?
Oded Hareven: The whole thing. Right.
Itzik Alvas: But then, even if they are stored within the secret store, you would like to understand how they are being utilized, right? Which applications are using it? To access what kind of resource? The permissions of it, who’s the human owner? Lots of classification. And that’s what Entro provides, a lineage map.
It’s like placing an AirTag on your secrets and non-human identities, right? Understand who created them, when, for what, why and so forth. And then, once you have the inventory and the classification stage, you can do security pillars like posture management to answer questions like: how many of my secrets are not stored within a secret store? How many of them have not been rotated in time? How many of them have excessive privileges, and so forth?
Then we are moving to non-human identity detection and response. The abnormal behavior, the real-time monitoring of it, like what we said earlier around an IP address that doesn’t make sense, new workloads that are trying to leverage an NHI. And then we are doing the management piece of removing idle tokens, decreasing or rightsizing permissions, or taking them and so forth. So while we see it as six different pillars, they are all relating to what you said earlier.
Oded Hareven: It sounds like we’re describing the solution, or the answer, to the same, let’s call it, challenge of managing those NHIs slash machine identities slash secrets, right, from two aspects. There are operational aspects. There are production aspects, infrastructure aspects: the issuance, the just-in-time creation, the storage, the role-based access management around it.
On the one hand. On the other hand, the discovery of those, the management of what we do when we find them, which are the ones that we can actually cancel and delete. Right?
Itzik Alvas: Right.
Oded Hareven: Akeyless would focus, obviously, more on the temporary credentials and creating those as much as, you know, to prevent other tools from even finding them. But at the end of the day, we all understand that the majority of the market still uses fixed credentials. That’s the very strong problem: static credentials.
Itzik Alvas: Fixed credentials, for sure. I think the main difference between a secret store and non-human identity is, while a secret store will keep your secrets secured within their store...
Oded Hareven: Yeah.
Itzik Alvas: Realizing how many non-human identities you have, how many of them you need to sync to the vault, how many of them are not synced to the vault, what their posture is, monitoring them for any security hazard, that will be on the non-human identity lifecycle management side. That’s a huge differentiator. And that’s why we’re working so well together.
Oded Hareven: Between what Entro is doing and ordinary…
Itzik Alvas: Yeah. Ordinary secret stores.
Military Background and Entrepreneurship
Oded Hareven: So speaking about background, right? You spoke about the Army, and we spoke about, you know, dealing with security and security breaches, as you’ve mentioned, but, you know, going back to our common background. For me, obviously, you know, that was ten years back in the Army, dealing with DevOps, DevSecOps, even before we called it that way.
Itzik Alvas: Right.
Oded Hareven: And a lot around security, identity in particular. But infrastructure, right? Security infrastructure, a lot of things there that, you know, today I can see how they are very much in my thoughts, professional thoughts, technical thoughts, but even within business decision-making that I can see on a daily basis. What’s your angle on this? What’s your point of view, you know, as an entrepreneur of a startup? In the army, you know, serving in intelligence units as part of the IDF, you’re managing systems at a huge scale, and you’re basically 18, so you’re fresh out of high school.
Itzik Alvas: Yeah.
Oded Hareven: And now you’re managing a huge scale of super important systems that actually affect lives.
Itzik Alvas: I was a manager back then. Like, after, I think, two years I became a manager, or a commander, because it’s the army.
Oded Hareven: Yeah.
Itzik Alvas: So I think that gave me my first experience in managing teams. I had a unique way to manage over there, because when you’re in the Army, you’re basically working with your friends. So it’s not like how I manage right now, but it definitely gave me a lot of experience to start my own business, to manage large teams, building stuff or doing stuff that initially I didn’t really think was possible to do.
But when you experience it enough times, and that’s definitely what the army gives you, accomplishing stuff that you didn’t really believe could be done in such a timeframe, and especially in those critical environments, very late hours at night, and many of them.
Oded Hareven: For sure.
Itzik Alvas: So I think it gave me a lot. And it correlates to exactly what we’re doing. And I think that’s why you’re seeing a lot of entrepreneurs coming out of Israel that served in digital intelligence units in the Israeli Defense Force.
Oded Hareven: I tend to correlate that to having, within the Israeli army or even Israeli culture, the habit of solving complex and immediate problems with a low amount of resources and being able to just, you know, deal with it. Not strategizing around it, rather just dealing with it.
Market Evolution and Growth
Oded Hareven: So from that perspective, let’s talk more about, you know, we jumped straight to how you see the uniqueness within the Entro solution, etc. But I wonder, with regards to the existence of the market, when Akeyless went out to the world, that was four or five years back, many spoke about secrets management back then. With time, obviously, we’ve seen a greater demand from the market, lots of other customers that have been talking about secrets management all the time. Machine identity came as a terminology as well, and last year non-human identity grew. How do you see that, and the reasons for how things are evolving lately?
Itzik Alvas: So let’s go back in history, right? A non-human identity is essentially a programmatic access key, a secret. Developers create them and use them in order to basically authenticate their system to other resources they need. Like, if the application authenticates to a database, they need a programmatic credential to do it.
And back in the day, those secrets, those non-human identities, have been either committed into code, or within an environment variable, or within a config file stored over there. And then someone realized, hey, that’s too exposed for me, let’s create a secret store. And they created the secret store and basically came to the world and said, hey, you can store all of your secrets and all of your non-human identities over here. That’s a secrets solution. Do that. Store them over there. The application will fetch it from that location and use it to authenticate to whatever resource it needs.
And that was great for an on-prem scenario. But when companies started to shift to the cloud, they started to use a lot of different secret stores, and I think the main problem shifted towards how many non-human identities I have and where they are located.
On our website, you can find the unique research that we’ve done on our customer base. And we’re seeing that for every human identity within the organization, there are 92 non-human identities. 92! So this is the recent number for now, because the current number that has been around in the industry is that for each human identity there are 45 machine or non-human identities.
Oded Hareven: Right. That number, I think, was produced four years ago, maybe five years ago.
Itzik Alvas: All right. Now it’s 92. And that’s a part of why the market is being created right now. There are so many non-human identities, and if you’re following, and I assume you are, the latest reports from IBM, the Cost of a Data Breach report, and Verizon, like, they are the top cyber security and breach reports out there, secrets attacks and non-human identity attacks are the second most frequent attack vector out there in both of them, and the number one most costly attack to an organization.
Oded Hareven: Yeah, 83% of organizations actually report having those identity-related breaches. And more and more we see that coming from API keys, certificates, credentials. So not rotating those, not creating them in a dynamic fashion.
Itzik Alvas: And with 92 times more non-human identities than human, like, it’s obvious why it’s a huge problem right now. And, again, when companies are migrating or have migrated to the cloud, now the only perimeter is the identity, right?
Oded Hareven: No more firewalls to keep you safe if your developers, you know, expose the secret.
Itzik Alvas: Back in the day, even if you exposed the secret, as an attacker you would still need to find some sort of a network breach in order to use the token. Now you don’t need it.
Oded Hareven: Yeah, well, the fall of the perimeter and all around zero trust, that has been here for years now. That was a major trend. What we’ve seen with regards to the change, you know, back in 2014, Kubernetes was, you know, yeah, people were talking about it, but not a lot were actually doing anything with it. Right. The breaking of the monolith, of the way that software is being created, this is something that has been significant in the way that machines are being created.
Itzik Alvas: Or non-human identities.
Oded Hareven: For sure. The number of those, and you’re telling me now 1 to 92. Let’s say four years back it was 1 to 45; you know, 20 years back, that was maybe less than 1 to 1. You would have been able to count the number of servers and to count the number of services in them, while there have been hundreds of thousands of employees in a certain organization. And today counting is almost impossible. When you have 10,000 employees, we would report half a million of those machine or non-human identities and secrets, even more than that. And you’re saying here now that’s even one to almost 100.
Itzik Alvas: And I think you touched a valuable point, like the microservices breaking up the monolith. If you had the monolith, you needed a set of keys for that monolith. Now you need a set of keys for each one of those microservices. And those keys are non-human identities. Programmatic access keys.
Oded Hareven: Yeah.
Itzik Alvas: Secrets. So yeah, definitely a big part of it.
Future of Secret-less Authentication
Itzik Alvas: And this is basically how everything evolved. And when you look at the future, I’ve had several discussions with CTOs and security professionals about the trend of secretless.
Oded Hareven: Right.
Itzik Alvas: And there’s a claim that says, let’s stop using secrets. And then we would be able to stop finding those, discovering those, managing those. And eventually, when you’re not using secrets, there is no need to secure the access to them.
Oded Hareven: Where with Akeyless, and I always explain to them, you know, several things. One, secrets in many ways are here to stay, whether you want it or not. The platforms themselves, the technologies themselves, require those, either fixed or rotated or to be created. But when you look at the future of secretless, leveraging the newer, more advanced authentication methods, the cloud authentications, SPIFFE/SPIRE, OIDC, OAuth tokens, all of those you can leverage, obviously, and leverage Akeyless in order to do so.
But even so, it will not completely eliminate your secrets, because of the way that technologies right now are being written. It’s not going to eliminate that completely. So how do you see that, the impact of secretless on, you know, how you look at the market and the use cases that you leverage?
Itzik Alvas: Yeah, I would love to meet those CTOs. I’m taking bets, like, yeah, no way secrets are going away. But yes, there are other methods in order to authenticate workloads or applications to the resources they need. But at the end of the day, workload to resource, workload to workload and application to application, those are programmatic authentications, and that means non-human identities. And someone should protect those non-human identities the same.
So companies are investing so much into human identity protection. You have [inaudible] and you have so many tools out there to protect human identities, and with 92 times more non-human identities than humans, someone should at least have an inventory and secure those non-human identities.
So even if secrets are gone, which will probably never happen, because that means rewriting the code and so much other stuff. Even if they are gone, at the end of the day, there will still be a non-human identity that the developers will need to create, permission, and use, that the application will need to leverage, and someone needs to secure that and manage the lifecycle. So it doesn’t matter. At the end of the day, you will still need to manage and secure that, and you will still need a tool or a platform to help you do that, because of the sheer number of those non-human identities.
Oded Hareven: Yeah. Well, today it’s secrets management plus the projects that we’re doing, having Akeyless now provide a solution for certificate lifecycle management and encryption key management, and securing the access both for machine-to-machine and humans. So it’s much more than secrets management. But within those projects that we’re having with our customers, the immediate need would be to secure the fixed credentials.
We encourage our customers to go through and define within Akeyless the policies that allow them to rotate, across any platform that they have, those fixed credentials on a policy basis. And then to go to the third generation, which is just-in-time credential creation, the ability to say this is a temporary identity, a temporary human identity or machine identity. And that would be the secret, and the secret will basically be deleted, the identity is deleted upon usage, and then recreated whenever required.
And the fourth generation, or the fourth way, the fourth generation of solving for secrets, certificates, secrets management, non-human identity, whatever you want to call it. The fourth generation is about defining it with secretless, with federation, with defining a cloud identity to speak to another resource using OIDC and to get the translation basically proxied via Akeyless.
When you look at all of those altogether and you’re saying, you know, secrets are not going anywhere, I totally agree, right. The definition, you know, there’s a present time, there’s a future time, there’s a vector that goes there. And at the end of the day, identities will be around that need to be managed any way that you look at it, whether the secret exists for a certain amount of time or just for a short amount of time with tokens that exist.
Closing Thoughts
Oded Hareven: So Itzik Alvas, before we wrap up, what’s your take? What are the things, maybe, that you want to tell our listeners around any topic that we talked about today?
Itzik Alvas: I think that, as we mentioned earlier, the market is heating up, gaining a lot of traction, and I think that, you know, when we started in ’23, it was the educational year. ’24 was more of education and building the category. And now, you know, everybody is talking about it, for good reason. We’re seeing breaches every other week.
So I think, for anyone that is watching, if you don’t know how many non-human identities you have, where they are, how they are being utilized, if you don’t feel that you’re controlling them, please go ahead. Do an assessment. Understand how many you have, how many of them are not vaulted or locked in a secure location, how many of them are not properly managed.
And start doing that, because you’re going to fall behind. As you see the traction now, other companies are securing theirs, and you don’t want to be the last, because that means that you will probably be breached. So yeah. Start taking care of your non-human identity landscape. Super important going into 2025.
Oded Hareven: I think there’s a terminology that I actually like, which our, you know, analysts are using to describe it, which is the fabric, right? The fabric of solutions that you need to define in order to make sure that you’re answering those. Again, the solutions that help you to find them, the solutions that help you to manage the full lifecycle, as well as securing the access to those different secrets, credentials, certificates, keys, the machine identities, the non-human identities.
Regardless of the different terminology that we’re talking about today, at the end of the day, they’re all here to stay, and they need to be protected, because breaches are coming, exactly as you’re saying. And finding solutions is something that needs to be happening on a daily basis within our market, because it moves, and there are a lot of bad actors that are taking advantage of those kinds of things.
Itzik Alvas: Couldn’t agree more.
Oded Hareven: Thank you so much, Itzik Alvas, for being with us. I enjoyed it.
Itzik Alvas: Thank you. Yeah. All right.