Smallstep increases focus on zero-trust and automated certificates, secures $26M

Smallstep Labs today announced that it’s secured $26 million in a funding round. 

Headquartered in San Francisco, Smallstep was established in 2016 by Mike Malone, an advocate for open-source and open-standards technologies. The company focuses on automated certificate administration, which is a vital basis for devops teams to achieve zero trust. By converting security best practices into an open-source toolset, it’s designed to allow developers or operators to safeguard their infrastructure. 

The core of zero trust is the lack of inherent trust for any identity, which is used as a managerial strategy to construct more robust applications and compartmentalized risk. Smallstep aims to enable organizations to take control of their production identity, allowing them to secure their infrastructure by identifying everything and everyone, issuing credentials, encrypting data and communications, and enforcing a robust security policy.

The importance of automated certificates

Maintaining visibility on all digital certificates in a large company setting can be challenging. Outages can readily arise if some certificates aren’t correctly accounted for, which could result in significant financial losses. Customer-affected outages can have a negative influence on a company’s reputation and consumer confidence. With the volume of connected devices for most companies numbering in the thousands, and often tens of thousands, it’s become nearly impossible to efficiently manage them manually.

To adequately secure and manage their certificate infrastructure, organizations need consistent processes, which is where Smallstep comes into play. Attacks on organizations like SolarWinds have exposed the serious risk posed by any piece of software installed without adequate certificate automation. 

“Traditional network perimeter-based security is deteriorating due to the rapid rise of microservices and containers. Certificates serve as a source of truth for machine and production identification, but they are tough to use at scale in modern architecture,” said Enrique Salem, partner at Bain Capital Ventures. According to Salem, Smallstep makes the power of certificates accessible to developers, assisting them in securing the services and containers that make up their application fabric.

Funding round

The funding includes a seed round of $7 million and a series A of $19 million. The seed round is led by Boldstart Ventures with participation from Accel Partners, Bain Capital Ventures and Upside Partnership, LLC. The series A round of funding is led by StepStone Group with participation from existing investors.

The new capital will be used to broaden Smallstep’s focus on developing zero-trust products by investing in its open-source community and research and development to bring new capabilities and skills to infrastructure security. 

Malone said in a press release that distributed systems have always been a critical focus for Smallstep, and the funding will enable it to bring practical zero trust to every environment and organization. 

“We are fortunate to have found the right group of investors to provide insight and unique perspectives to our team. I look forward to leveraging their experience as we address the vast need in the DevOps market,” said Malone.

Hunter Somerville, general partner at StepStone Group, said Smallstep is a dedicated team that creates critical infrastructure security products and technologies. “It was a simple decision for us to invest in this team and their products,” Somerville said.

Competition and customers

While companies like Teleport and Hashicorp offer automated certificate management, Smallstep claims it uses existing technology (x.509 certificates and SSH certificates) with its respective open standards to create an easy-to-use certificate solution.

With this, it claims you don’t have to be a Private Key Infrastructure (PKI) expert to deploy production identity practices at your organization.