The cutting edge of cryptographic comms for distributed systems

We asked Smallsteppers for their best advice to stay protected from phishing attempts.

Market data that shows 78% of the Fortune 100 companies actively engage with Smallstep's open source software. This key discovery reaffirms Smallstep's vision to provide frictionless secure connections for individuals, devices, and software services, making best practices accessible to every organization.

We surveyed 155 security professionals — across small, medium, and large sized companies — on their plans around certificate usage in 2024. The results reveal that certificates for device identity is where the future is headed.

This article answers important questions for someone who has been hearing about EAP TLS, certificate-based WiFi, RADIUS, and who may have been tasked with building out a proof of concept (POC) and wants to know how to proceed.

Organisations that still cling to their legacy Public Key Infrastructure (PKI) like Microsoft Active Directory Certificate Services, struggle with inefficiency and security loopholes. If you're still unsure, read this.

As social engineering and phishing attacks become more prevalent, it's clear that a shift away from legacy forms of authentication is necessary. Learn about alternative phishing-resistant authentication methods you can adopt to better protect your organization.

With phishing attacks on the rise, passwords are no longer a reliable method for granting infrastructure access or authenticating users. It is time to adopt authentication methods that don't rely on shared secrets.

Get into all your hosts quickly and reduce the toil of manually finding and renewing SSH keys with Smallstep SSH Professional. Combine that with Indent’s time-bound, on-demand access and you have better security in minutes.

Here are some of the (many, many) reasons our customers trust and use Smallstep for SSH.

Apple MDA, GitHub OIDC, systemd-creds, Passkeys, and Identity-Aware Proxies: Here's a look at some infrastructure security advancements that caught our attention in 2022.

A good PKI is essential for most organizations’ security models. However, building one from scratch is much easier said than done. Don't build your own PKI. Take it from me; I tried to, and this is my (horror) story.

Public web certificate authorities like Let's Encrypt were not designed to support internal use cases. What you need is a private certificate authority.

Learn the differences between our Devops and Advanced Authorities offerings

We have secured our seed and Series A funding - this is a huge thank you to our investors and our community who believe in us and continue to help us make Production Identity a reality.

As I round the bend on two years at Smallstep, I have to ask myself: Why is this going so well?

Internal PKI continues to be essential but struggles with modern practices. But don't worry, there is hope.

What became clear in our product-led research is that we made a few mishaps. And there was one in particular that we wanted to fix ASAP. A series of go-to-market learnings and mishaps from smallstep.

It took a lot of late nights and weekends to get here. I’m incredibly thankful for the work of our fantastic team, early access customers, and to their families for behind the scenes support. Today, we’re excited to announce the output of that work: the general availability of Smallstep SSH Professional Edition.

Video recording of the 10-minute lightning talk from Mike Malone on using SSH Certificates. This was recorded at BSidesSF 2020.

Automating internet security with the Let’s Encrypt certificate authority has led to the massive acceleration of safe web browsing. As we roll out ACME protocol support and give away some free hoodies, we want to thank Let’s Encrypt and the IETF for making it all possible.

This issue is a discussion about the trust anchor and dependencies of systems. While a clever turtle reference often satisfies the room, getting a real answer to this question is fundamental to modern security practices.

Great Minds Really Do Think Alike! I found an inarguable topic in the most unlikely of places, deep in the conversations between cyber-security experts.

In this post, we will explore how successful public internet practices provide a set of instructions for how the industry should be thinking about securing internal systems. The second edition of the Modern Security for Leaders series.

smallstep’s vision is centered on modernizing security practices using the best available technology to solve security challenges. Now you’re probably saying (as I was at this point), there are hundreds of companies out there spending billions of dollars on modernizing practices. How much market is really left for a scrappy startup? Turns out a lot!

This post has a simple purpose: to persuade you to use TLS everywhere. By everywhere, I mean everywhere. Not just for the public internet, but for every internal service-to-service request. Not just between clouds or regions. Everywhere. Even inside production perimeters like VPCs. I suspect this will elicit a range of reactions from apathy to animosity. Regardless, read on.

A better security model exists. Instead of relying on IP and MAC addresses to determine access we can cryptographically authenticate the identity of people and software making requests. It’s a simple concept, really: what matters is who or what is making a request, not where a request comes from. In short, access should be based on production identity