Smallstep’s Groundbreaking Device Security: Lessons in Standards, Scale, and Startup Wins
The Cybersecurity Go-To-Market Podcast | April 24, 2025 | 00:17:00 | 11.74 MB


Are you struggling to convince enterprise buyers to trust your early-stage cybersecurity startup? Wondering how to differentiate technical innovation in a crowded market? Curious about how device identity and hardware-bound credentials can change the sales conversation? In this exciting episode, we dive deep into device identity and discuss what it takes to build trust and credibility for a new security standard—directly from a finalist of the RSA Conference Innovation Sandbox.

In this conversation we discuss: 

👉 The challenges and opportunities of tying access controls to hardware for higher security and easier enterprise adoption
👉 How Smallstep’s collaboration with Google led to a new security standard that major vendors like Apple are adopting
👉 Lessons for founders on selling to Fortune 500s and scaling enterprise relationships from the ground up

About our guest:
Mike Malone is the CEO and founder of Smallstep, a device identity platform company. With a background in engineering and extensive experience in standards development (including collaborations with Google, Apple, and more), Mike shares real go-to-market stories and hard-earned lessons from building in cybersecurity.

Summary:
Don’t miss this episode if you want actionable insights on enterprise go-to-market, security innovation, and emerging standards. Mike Malone reveals both the promise and pain points of championing a new protocol in cybersecurity—and how to “celebrate the wins” as your startup drives adoption with the largest enterprises. Tune in now to hear how Smallstep is paving the way for hardware-bound device identity!


[00:00:00] Hey, it's Andrew here. Just quickly before we start the episode, I want to tell you about one of my favorite newsletters. It's called Strategy of Security. If you want to understand the companies, ideas, and trends shaping cybersecurity and its submarkets, you should take a look. Cole Grolmus runs the newsletter and he has spent the last 20 years in cybersecurity, including stints at PwC and Momentum Cyber, the investment bank dedicated to cybersecurity. Recent articles I've liked include

[00:00:30] How Could Platformization Work in Cybersecurity, where he talks about there being lots of single-vendor platforms, but not a multi-estate platform. And also one called Demystifying Cybersecurity's Public Companies, where he explores the pure-play ones and also hybrid companies which are in cyber. He lists all of them and then breaks down the numbers in all sorts of different ways. Now this is not a paid promotion. I just simply enjoy what Cole is publishing. Check it out at Strategy of Security.

[00:01:00] Now on with this episode.

[00:01:12] Welcome to the Cybersecurity Go-To-Market Podcast for a special showcase episode where we're talking to the leaders of the companies selected for the 2025 RSA Conference Innovation Sandbox. These are just the 10 companies out of hundreds that the judges have selected as the most innovative startups in cyber today.

[00:01:35] I am your host, Andrew Monaghan. Today we're talking with Mike Malone, CEO and founder at Smallstep. Mike, welcome to the podcast. Thanks, Andrew. Happy to be here. Thanks for inviting me. Now I would imagine in the ups and downs of startup life, this is probably one of the ups for you, right? It is. Yeah, you could say that. Kicks off a hectic period though. We are very busy. Champagne problems. Champagne problems can still be problems.

[00:02:02] Yeah, exactly. Well, let's start with you. Where in the world did you have your first sandbox, Mike? My first sandbox, I grew up in Annapolis, Maryland. So my first sandbox was there. My dad was an engineer. So it was over-engineered. It was a massive structure in my backyard that was like eight feet by eight feet. And I think it took two dump trucks to fill. It's a pretty good sandbox. And when did you move out to the Bay Area?

[00:02:31] I don't want to date myself. Right out of college, let's say. Okay. So 2015 then, let's call it that. Yeah, right. Yeah. Last year, last year. Last year, last year. All right. Well, let's talk about Smallstep. Now I noticed on your profile, Smallstep's a startup, but you've been working on it for a while, it seems. So I'm kind of interested to know where you're at, what the problem is you're solving, and who cares most about this problem.

[00:02:55] Yeah, totally. So the problem, who we are, what we do, we are a device identity platform. So we tie access to trusted company-owned hardware. And by doing that, we're securing sensitive resources like SaaS apps, SSH, Git, cloud APIs, Wi-Fi, things like that. We have been at it for a while. And there's some core technology we've been developing for a long time under the hood there.

[00:03:25] So it is a case of how to develop, mature over time. Or have you pivoted a little bit with the positioning of the technology? Yeah, a little bit of both. So the technology has been developed, and we are applying it to an area that we've been seeing particular commercial interest. And why is it important to attach the identity to an actual device? What does that give a security team?

[00:03:50] Well, we run into this occasionally. It's important for a lot of reasons. And sometimes people sort of will argue that point. And my reaction to that is, well, do you have EDR? Do you have antivirus? Do you have posture? Do you have device management? Well, if you have all of those things, then clearly you care what devices are accessing your systems, your resources.

[00:04:12] Otherwise, why would you bother? Because if an engineer working remotely from home can pivot at their desk and push code to a Git repo from their Plex media center, that completely undermines all of that security investment. So I would say it's important. It has always been important.

[00:04:32] And it's more what's changed. And what's changed is that is, you know, not to sound like every other cybersecurity company on the planet, but zero trust, remote work. You know, the paradigm has changed. And with that, our approach to how we ensure that only trustworthy devices are able to access systems has had to change as well.

[00:05:00] Are companies attaching identities to devices already or just doing it better? Or is this the first time you're actually able to pull this off at scale? And that's why it's exciting. As with a lot of things in cybersecurity, it's a little bit of both. It depends on maturity. So I would say that companies typically don't really bother about device identity until they've, say, got user identity sorted out, which is, by the way, a much better addressed problem space.

[00:05:29] You know, we all have Okta and Entra ID, and our customers typically have that before they talk to us. But any company that is doing anything, you know, has any semblance of a security program cares to some extent that only their devices are able to access systems. And the approach to that is a mess, frankly. It's hodgepodge.

[00:05:56] So our core tech is certificate-based, and that's really the only feasible approach. So all approaches you see out there are going to be certificate-based. But, you know, what we find are small teams that are resource-constrained, that are doing their best to sort of shoestring and bubblegum things together, and then leaving a lot of gaps and, you know, gaps that they know about,

[00:06:21] and also having to make hard choices around what platforms they're able to support and not support, what browsers they can support, stuff like that, because of limitations, technical and resource limitations around this problem. Now, keeping in mind, Mike, that your audience on this podcast is a go-to-market audience and not necessarily a pure tech audience. Sure. What's the big innovation that Smallstep brings that the judges might have latched onto?

[00:06:46] Yeah, so our core technology is a new standard that we created with Google called ACME Device Attestation, and it replaces a legacy protocol called SCEP, S-C-E-P. SCEP is bad. It's old. It's a product of its time, but... In what way is it bad? So there are many reasons. Like, you know, it predates TLS, so it rolls its own crypto, for example.

[00:07:14] But fundamentally, it's bad because it's a password protocol. And we all know why passwords are bad. It's, you know, I could get into the nitty-gritty, but I won't. It's weak security. So fundamentally, your device identity story, insofar as you have one, reduces down to, hey, I have passwords that are being chucked around, shunted around the network, which is not a good story.

[00:07:35] So ACME Device Attestation fixes this by authenticating devices using a private key that is generated at manufacture time in the TPM or secure enclave. And so to sort of up-level that, it's hardware bound. It is in silicon on the device. And you can't get it out without destructively disassembling that device in a lab. And even then, it's hard.

[00:08:00] So it gives what security professionals would call non-exfiltratable credentials. So you cannot remove them. You cannot separate the credential from the device. So you are truly getting the strongest possible guarantee that a particular trusted device is accessing a system. And then you're able to centrally, I guess, for a company, view all that and give and deny access privileges based on that. Is that correct? Eric? That's right.

[00:08:29] A lot of what we do is on sort of both sides of the credential management. So before you can issue credentials, you have to inventory all your devices. And it turns out that can be difficult and manage that inventory over time. So we have supply chain integration. So we work with Apple, Intel, Lenovo. So when one of our customers buys a new laptop, we automatically get the inventory metadata. So that when that laptop is unboxed, you could drop ship the laptop to a remote employee, let's say.

[00:08:56] And when they unbox it, it will automatically identify and enroll itself. And then, you know, once the device has credentials, we also automate configuration and enforcement. So we have enforcement points like hosted RADIUS for Wi-Fi, ZTNA relays. We also integrate with enforcement points that our customers already have. Zscaler, Cloudflare WARP, Cisco ISE, Aruba ClearPass, et cetera, et cetera.

[00:09:19] And we handle privileged access use cases that are tricky, you know, things like SSH and Git. And so there's a lot, a lot that we do aside from simply managing the credentials. When I hear someone say we created a new standard, I mean, my immediate thought is that's a lot of work, I would imagine. Yeah. You know, what were your learnings for other founders? Would you do it again like that? Or you say, yeah, that's the way to do it. It's just a lot of hard work. Yeah.

[00:09:49] Well, and I don't want to take full credit for that. To be frank, a guy at Google, Brandon Weeks, did a lot of the standards work with us. And yeah, standards are a lot of work. I've done a lot of standards work in my career. I worked on OAuth and OpenID and Sigstore and SPIFFE and oEmbed and probably a number of others that I'm forgetting. It can definitely be a lot of work. I don't know.

[00:10:16] I guess my recommendation, if you're doing standards work, is keep it tight and rough consensus and running code. If you've ever heard that idiom. Rough consensus and running code? Right. Tell me more about that. In other words, don't bother trying to get everybody perfectly aligned before you start shipping things. Rough consensus and then ship something that runs and works.

[00:10:42] And, you know, that's going to do a lot more for you than standards can be very bureaucratic. Right. Right. All sorts of weird people have to have their say or feel like they have to have their say, right? Yeah. In this case, you know, Apple adopted the standard. And once that happens, nothing else really matters. Take us back to the time at Smallstep when you got your first real order. You've been developing and getting the consensus.

[00:11:11] And suddenly some company that wasn't that friendly said, you know what? We're going to use some real hard cash for this stuff. But what was that moment? And what was it like? It's exciting. But I will say, you know, it's funny because I feel like in startups, things happen incrementally. And sometimes I find it hard to know when to celebrate, you know? So I'd say, you know, you get the verbal commit and then you're like, okay, but like is it – then you have to go through legal

[00:11:39] and then you finalize the legal negotiations and then you sign and then like when do you celebrate? And then, you know, you haven't been paid yet. You know, it's net 90 terms. So I'd say like one of the things I think that I work on is just trying to remember to celebrate the wins because sometimes by the time it's all done, it feels like old news. But, you know, those wins I think come with a mixture of excitement and obligation, right? Because typically what that means is you just made a promise to somebody

[00:12:09] and asked for a lot of money and now you got to deliver. So it's part of the game. I think you have to love that in order to do this sort of work, but it's definitely a rollercoaster emotionally. Yeah, I mean, it is a start of hopefully a long relationship not the end of a process to buy something, right? If you're doing it right, if you're doing it right, that's for sure, yeah. Yeah, it's – yeah, I would imagine, you know, early stage you're building out the product. You know where some edges are.

[00:12:39] You know where you're strong and weak and you're thinking, okay, now we have to actually start delivering on this stuff and probably at scale as well. It's a whole different ballgame. Yeah, yeah. Our customers are big. They're mostly big companies. You know, since your audience is go-to-market, our go-to-market is interesting because it's – this technology is really proliferating from large enterprises down, which is very unusual.

[00:13:05] Now, by that, do you mean through OEMs or you're selling direct to the big Fortune whatever, 500s and they're – We're selling direct to the big Fortune 500s. Okay. Yeah. Which presents its own challenge, right? It's – only so many of them will be willing and able to work with an early stage company and especially with the impact that you can have as well. And, you know, just working with their legal – even if they really want to buy it can take a year. Yeah. So, slight change of pace. Clearly, you're very technical.

[00:13:34] This is your DNA as an engineer in general but also in cyber. I also saw, though, that you like your literature as well. I read somewhere that you liked On the Road and Fear and Loathing in Las Vegas and books like that. If Smallstep was a character in one of your favorite books, which character would it be? You know, that's – I hate questions like this.

[00:13:59] I don't get stressed out about – you can ask me the most technical, like, you know, on-the-spot question in the world. But if you ask me two truths and a lie, I'd clam up. I'd say, you know, I like both of those books for a particular reason. And I think that reason is really one of our core values at Smallstep. So, you could pick, say, you know, Hunter Thompson or, you know, Ken Kesey, whatever. And that's authenticity.

[00:14:26] I think, you know, like them or hate them, those people were true to themselves and at least tried to be honest even when it maybe wasn't the best idea for them, let's say.

[00:14:41] You know, like Hunter Thompson in his gonzo journalism movement, the whole idea he would say was to – he used to say a lot of journalism lies with the truth and he tells the truth with lies. So, I like that. That's, I think, what I like about them is the authenticity. Like, you really feel like you're truly understanding another person.

[00:15:09] I would imagine as you get success and you grow, you know, if that's one of your values inside the company, it's going to be interesting how you hang on to that because you're going to have to bring in more and more people who are perhaps less attached to your mission as you are, right? Yeah, I think that every company faces that as they scale. We have a pretty good foundation. It's part of the hiring process, right, and just part of the energy.

[00:15:35] Yeah, I don't know that I have like a super insightful response to that aside from – absolutely, yeah. It's an interesting process as you're scaling. One more thing to think about, right? Are you the right people on board? Well, Mike, listen, I enjoyed having you on. I wish you a lot of success and luck for next Monday. We're recording this in the Tuesday before the conference and hope the whole day and week goes well for you. Thanks so much. Really honored to be selected as a finalist. And thanks again for having me on your show.

[00:16:16] It would mean a lot to me and to the continued growth of the show if you'd help get the word out. So how do you do that easily? There are two ways. Firstly, just simply send a link to a friend. Send a link to the show, to this episode. You can email it, text it, Slack it, whatever works for you and is easy for you. The second way is to leave a super quick rating. And sometimes that can seem complicated, so I've made it as easy for you as I can.

[00:16:43] You simply have to go to ratethispodcast.com slash cyber. That's ratethispodcast.com slash cyber. And it explains exactly how to do it. Either of these ways will take you less than 30 seconds to do, and it will mean the world to me. So thank you.