Ever to Conquer

How Next-Gen APIs Will Transform the Future of Software Integrations with Nate McKervey and Burch of Subkeys

Episode Summary

In this episode, Jamie sits down with Nate McKervey, CEO of Subkeys, and Burch, Prince of Puns at Subkeys, to unpack how virtual API keys are unlocking a new era of public sector modernization. Virtual API keys aren’t just a better way to manage access, they’re the foundation for a safer, smarter, and more adaptable public sector. If you’re thinking about the next chapter of government tech, this is where it begins.

Episode Notes

Government tech isn’t broken. It’s just missing the keys. And Nate and Burch think it’s time to change the locks.

In this episode, Jamie sits down with Nate McKervey, CEO of Subkeys, and Burch, Prince of Puns at Subkeys, to unpack how virtual API keys are unlocking a new era of public sector modernization.

With analog APIs acting more like snail mail, Subkeys is flipping the model, turning them into smart locks that offer precision access, airtight security, and scalable efficiency. It’s not just about making government tech faster. It’s about making it smarter.

They dive into:

Virtual API keys aren’t just a better way to manage access, they’re the foundation for a safer, smarter, and more adaptable public sector. If you’re thinking about the next chapter of government tech, this is where it begins.

About Nate

Nate McKervey is the CEO of Subkeys, an innovative platform for API key virtualization. Before founding Subkeys, he spent over a decade at Splunk, where he was the company’s first TS/SCI-cleared hire in professional services, supporting public sector clients. At Splunk, he later led technical marketing and spearheaded Web3 product development. Prior to that, Nate worked at L3Harris, focusing on mission-critical networks. His unique data analysis projects have earned him features on national television, as well as in Sports Illustrated and Wired magazine. Fun fact, Nate competed in the Rubik’s Cube World Championship.

About Burch

Burch is the Prince of Puns at Subkeys.io, leading the Go-To-Market organization. Before joining Subkeys, he spent 9+ years at Splunk, doing everything from developer advocacy to sales engineering—basically, if there was a way to talk about Splunk, he found it. In fact, he once set a company record by presenting 11 sessions at a single .conf, which some call impressive and others call “a cry for help.” While no longer performing improv on stage, he brings his love of quick thinking and comedy to his work. Combine that with his passion for technology, toss in Subkeys.io, and out you get Burch making API authentication… fun?

Guest Quotes

“We crafted a Splunk search so we could look at the logs and see if somebody was trying to exploit that vulnerability. If you virtualize keys, you can do the same thing. So you can look for that targeted, that well-crafted API call. You can search for that and alert on it in real time. So not only do you block it, but you also can identify the region of where the carefully crafted attack came from. So it's not only a block, but it allows you to turn the defense into a little bit of an offense.” - Nate McKervey

“The part that really blows my mind is the concept of virtual keys provides data that just didn't exist. And it's so critical, but it was just, just didn't exist…The data is huge because we can't even imagine what then becomes possible when you take that data and you feed it into AI. And now we can say, oh, this is abnormal behavior for this key. Or we take that data and coalesce it with security items. Or we take that data and we now have cost control, eliminating license. We're paying for this one service. No one's actually making any calls. So things like that, the possibilities of ways that we can improve our lives become incredible once you have visibility.” - Burch

Time Stamps

00:00 Episode Start

04:37 Subkeys’ mission

05:55 What is an API?

10:17 Importance of API keys and virtual keys

38:42 Modernizing constituent services with APIs

50:36 Breaking down the Kubernetes breach

01:02:38 Future of AI and API management

01:13:25 The Roundup

01:27:37 A look at what Subkeys can do

Sponsor

Ever To Conquer is brought to you by RedLeif, a digital agency focused on accelerating the modernization and security of public sector data. Visit RedLeif.io to learn more.

Links

Mentioned in this episode

IngressNightmare: CVE-2025-1974 - 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX

Summary of IngressNightmare

Learn more about Subkeys

Visit their website

Join the Subkeys community Discord

Get in touch with Nate and Burch at contact@subkeys.io

Connect with Nate

X

LinkedIn

Connect with Burch

LinkedIn

Connect with Jamie

X

LinkedIn

Learn more about RedLeif

Follow the Show

YouTube

Apple

Spotify

Episode Transcription

[00:00:00] Nate McKervey: Agencies need to work with each other in public sector and without APIs. It's like snail mail. Another way to look at, it's like the different government offices are like kids who don't always share their toys and APIs are like the rule book that helps them play nicely. It lets the tax office talk to social services so they can share info securely and get stuff done way faster.

[00:00:19] Jamie Grant: You are one of the only innovations I've come across that secure as much as it modernizes. 

[00:00:26] Burch: There's not a lot of potential to proactively secure your API transactions and conversations. There's a lot of reactive stuff like GitHub, Hey, we found a key in your code, blah, blah, blah. This is proactive.

[00:00:53] Jamie Grant: All right, y'all. Welcome back to another episode of the Ever to Conquer pod, where we take kind of an unfiltered look at public sector technology on the mission to accelerate and modernize public sector data. I am incredibly excited about this particular episode for a lot of reasons. It's gonna touch on the art of the possible that we like to uncover.

Um, looking at kind of the frontier and seeing where things are going. From a leadership perspective, but also from a technical perspective. And our guests today, I think, are gonna bring, uh, a lot of fun content. They have a long history of innovation. They're also doing some groundbreaking work, uh, that I am super excited about.

I think anybody I'll know if, uh, if former Florida House speaker Chris Frow listens to this episode because we're gonna spend a lot of time today on APIs. And this is a topic that is near and dear to my heart because for a decade in the legislature trying to work on technology policy to, to take Florida kind of from a stone age to a future state, an API economy is so critical, uh, to how that works.

So just understanding APIs and, and what they do. We'll touch on that a little bit today, uh, because I think some of our guests are probably, like, I've heard the term. I know it's out there. Why does it matter? Um, but we're also gonna get into a pretty technical future state of what kind of, I like to think of next gen APIs look like.

So without any further ado, um, Nate, Burch, great to have you here. Nate, I wanna start with you for a second. Maybe just introduce yourself to our audience, little bit about your background, and then we will, we'll kind of move into, uh, to today's content. 

[00:02:34] Nate McKervey: Yeah. I'm Nate McKervey. I, uh, was studying physics but fell in love with data while working at Harris Corporation for a lot of years.

And then, uh, ended up moving over to Splunk, a big data company for a decade before realizing this API problem that exists. And, uh, starting a company with a, a bunch of fellow, uh, longtime splunkers. 

[00:02:54] Jamie Grant: Awesome, Burch. Uh, I, I can't ask you to introduce yourself without failing to say that you are the Prince of Puns that appreciate good puns.

[00:03:04] Burch: Yeah, that, that is my official 

[00:03:06] Jamie Grant: job title. I love that. Uh, I've had some, I never had Prince of Puns, but I did have junk drawer and Swiss Army knife on business cards at one point. Uh, it just depended on the day. Firefighter, talk to us. What are you doing at Subkeys Burch? Give us a little bit about your background.

[00:03:20] Burch: Yeah, I, uh, computer science guy, but realized that I wanted to do a little more social element, so ended up going for the MBA, um, worked at a bunch of enterprises and I really just locked in on the fact that like, as humans, like we don't need to be making mistakes, doing things that we can just have computers do, and we can move up in the value that we add.

And that's actually how I ended up at Splunk is because. Of the ability to really just see the data without trying to mess with it. Uh, and that type of observability made it really exciting for me when I came over to Subkeys and learning about all of the new visibility and control that just never existed before.

Um, that was a very exciting opportunity. So 

[00:04:14] Jamie Grant: I love the theme there. Nate, if you were to describe Subkeys' mission in a sentence or less to kind of set the stage, and then I want to get into APIs and, and, and kind of walk our, our audience through it, but how would you describe the Subkeys mission for somebody that has never heard of you and doesn't maybe not even heard of Splunk, right.

There's some folks listening to this that are interested in the policy side, and obviously industry knows Splunk really, really well and the ride y'all went on, but, but how would you describe that mission? 

[00:04:39] Nate McKervey: Yeah, I mean, APIs are powering so many things behind the scenes that it's, we're not even totally aware of all the things that powering, but the mission is really to bring visibility and control to all third party API consumption.

And I imagine a future where APIs are just way safer and easier to consume. And eventually we'll get to the point where it people will be frowning upon using real API keys because of the dangers of exposing a real API key versus a virtual key. 

[00:05:08] Jamie Grant: So let's break this down. Uh, Beverly Grant is a saint. I give this disclaimer all the time.

My 80-year-old mother is the greatest mom ever. But, uh, my brother, who's a trial lawyer would always say before he tried a homicide case, he gave his closing argument to our mom. And if she didn't understand it to get to the verdict, I. Then he, he went back to the drawing board, wait, are we gonna have 

[00:05:28] Burch: a special guest and have her come in?

[00:05:30] Jamie Grant: I was about to say she's like the greatest soundboard 'cause she's so curious and, and asks all the questions, but, but, uh, I like to say the thing in the tech space, she asked me, uh, when I took the CIO job and, and then when we launched RedLeif, she's like, I don't even understand what you do. Like my friends asked me, what is Jamie doing?

And I'm like, tech Nate, what is an API? Yeah, like if you were to simplify an API, before we even get to a key, an application program interface, how would you explain that to my mom if we were sitting at dinner? Yeah. 

[00:05:57] Nate McKervey: So like I said, you, you may not know an API is, but you're probably using one. Every time you do something like search for flight, you're hitting APIs.

I think I heard a statistic. The average app on your phone uses 38 different APIs. Last night I went to dinner with my wife. It was our anniversary, our 13th anniversary. And if. If there were a good analogy, it, it's actually the waiter is like an API. So imagine you're at a restaurant, you want some food, you don't go to the kitchen and make the food yourself.

You go, you tell the waiter what you want. The waiter understands your request, goes to the kitchen, that's the system, and then brings back your food. That the data or the service. You don't need to know how the kitchen works. You just know what to ask for. There's a menu that you look at of what you can ask for, and the waiter handles it.

And so that's what a API is. It's like the waiter, it's a way for different programs or applications to talk to each other. 

[00:06:50] Burch: I'll add Nate to that example. Um, that's a really good example too, because everyone knows how to interact with a server and so the server sort of handles the quirks or complexities.

Time out, out. We just had our 

[00:07:03] Jamie Grant: first pun. We just had our first pun and I had to call it out. Burch, you can start over, but talk to us about servers and 

[00:07:10] Burch: servers, please. Yes. Uh, well, now that I've got you all served, no. So, um. Like, if you think about it, uh, d different kitchens have, different cultures have different ways that they run in, you know, with doors, whatever.

Um, but the server obscures that for us. So just like that, the actual, well, it's confusing to have servers two different roles here in technology. The, the stuff going on behind the scenes that we would call a server is that all complexity is ignored by the fact that we create this interface that can be known and, and recognized and used by people in a more common way.

[00:07:51] Jamie Grant: I, I love it. And I think like on, on the pond and on the analogy a little bit, like we have to have somebody to go make sense of that complexity or they have to, or we have to understand the full complexity, right? Like there, there's only two choices. Like I have to have a server that can go do that, or I have to understand how that.

That server actually works. It's, um, I love that example. I tried so hard in the legislature and just beat my head against a wall to try and explain it. The two that I used, one was the little, uh, transport thing at the bank, right? Like you pull up at the ATM. Mm-hmm. And I want to access my information at the bank I use, but I presumably shouldn't have access to all the information.

And so the permissions and, and the service that happens there, by me submitting, you know, my debit card or my, my account information to get that information back, the other one that, and that didn't, that kind of made some sense to people. Like, I should be able to access my records at the bank, but I shouldn't be able to ra access your accounts at the bank.

And, and so the segmentation, um, the dinner party is the other one I love. And, and Nate, I think it kind of goes where you were going, but like, I think this is important to, to click on here for a second. Um, what APIs opened up. I think that gets lost, right? Um, when the API economy kind of took off, gosh, 15 or so years ago now, and really started the inertia, um, prior to that, if we thought about like two software companies, um, wanting to interact, it was like, if I owned my house and I wanted to have a, a dinner party and I wanted to invite you over to my, my house for the dinner party, pre API, I basically had to let you into my whole house, right?

Once I gave you the key to open the door, uh, I had to let you into the whole house. And APIs started to say, well, like, wait a minute. I might not want you to have access to certain parts of my house, and so I can permissively allow you in. Whether that's a good analogy or not, it sets us up for keys. So Nate, you talked about, and Burch you talked about kind of the, the, the server cons, uh, construct of, of both the, the service and the translation and the simplification.

Talk to us now about what an a, how an API works in the way of a key, um, because in the house example, or even in the data center example to to access the server, what does the key do with an API that is relevant to the work y'all are doing? 

[00:10:19] Nate McKervey: Yeah, I like the house example. 'cause like, once you're in the house, there's a ton of things you can go do.

You can go use the tv, you can go use the tools in the garage, there's a bunch of stuff you can do. Or 

[00:10:28] Burch: the 

[00:10:28] Nate McKervey: toilet, you had to have three Ts. Yeah. And those are all like functions of an API and API is, like you said, they're, they unlock, they're built to do one thing really well. So you may have an API for a certain type of service, so going to the toilet, the toilet is really good for flushing things.

Um, but anyway, you, you might not want someone to just walk in and be able to use everything in your house or go into your, your vault, even if you have like a, a safe. Um, and so the way APIs are accessed are with these keys and. You get a key and you can enter. But a lot of times these keys are overprivileged or over permissioned and you had no visibility into.

When somebody uses the key, it's kind of like if you have a handy person or a guest and you give them a copy of a key to your house, they can get in and you don't know if they make another copy of the key or when they use it. So what virtual keys do is they virtualize those keys, kinda like a virtual credit card and you can set spend limits and stuff.

But keeping with the virtual key or physical key analogy, you can basically upgrade your house to have a smart lock. And with that smart lock, you give codes to people and they, you can set restrictions like what times they can enter. You get visibility, you can see a log of what, when they attempted to enter, when they did enter.

And you can dynamically change these policies and rotate them out. And that simply doesn't exist across the board for APIs. Every API is different. It's a snowflake. It gives you different capabilities and virtual keys. But lets you have like, basically you upgrade your keys to be smart keys, like smart locks, 

[00:11:58] Jamie Grant: and so Burch Yeah, go ahead.

Weigh in. But I also want you to explain what a key looks like in terms that people would understand, like the physical key to that, right? Like, it's almost like giving your system's social security number away or your system's password away. Um, but Burch come, come with where you were going first. 

[00:12:15] Burch: Oh yeah.

Um, I just wanted to add onto that. I didn't know if you mentioned like, because you now have all of that control, you also have all that visibility, right? And, and just like with that smart lock, you can see when, oh, someone entered the house. Um, but yeah, so talking about, uh, what, what keys look like. Um, they're arbitrary text strings.

Yeah. They're, they're like, it's a little bit shocking, like for all of the technology that we have that, you know, there's different types of authentication, um, and different types of like keys. But for the most part. They're just flat text in as much that it's very easy to lose or very easy to copy and paste it to someone.

Or misplace. 

[00:13:03] Nate McKervey: Yeah, like think of a physical key. If you just get the right notches and a physical key, that's all you need to unlock a door. Yeah, well that's exactly what an API key is, but it's just text. And if you get the right text, you can unlock that door. And the problem is you don't know if it's being copied.

You don't get the, the visibility. Um, and imagine that you've finally figured out uh-oh, a key physical key did, did leak, and it's out there and people can now get in my house. What are you gonna do? Well, you're gonna go change all the door locks. How hard is that? That's not fun to go change all your door locks and reissue all the keys.

If you have a virtual keys, that problem is so much simpler. You don't have to go change all the door locks. You simply rotate the virtual key. 

[00:13:45] Burch: You never call locksmith again. So, 

[00:13:48] Jamie Grant: so I, I love where y'all make it pragmatic for some of our, for some of our folks, like, uh, I, I, I can't help but laugh. Anybody who's ever, uh, been, been through kind of a crazy breakup and you have physical keys means calling the locksmith and changing all the doors.

Uh, if you had a smart lock, uh, you could just revoke access to that one thing without, and, and this I think is really important. It's both sides. It's, I can prohibit the one person that I don't want ever entering the premises again, from being able to enter the premise without impacting all of my friends who had a different key that I still wanted to enter the premise.

Yeah, and I think that's right. If, if we think about where the status quo is today in an API economy, APIs are everywhere. And once we've issued that text, we don't. Typically have a way to refresh that text without having to go on this big old, it's, it's like an unplugged mission. It's like suspending your credit card to figure out what you miss.

Except in this case, like really sensitive transactions are happening. If I revoke or update an API key. Nate, if you were to sum up for, for folks on this, what does the quick high level process of a, an agreement between the two parties, the kitchen and you and your wife, look like with that static text?

So if the kitchen says, we'd like to serve you, um, give us just real quick, high level what it looks like for an API integration to happen. 

[00:15:23] Nate McKervey: I actually wanna dive into this with a couple analogies like, yeah. Today, if you, if you realize an API key is leaked, you have to do something about it. Mm-hmm. You, you have to decide how fast you want to act.

If that key is used for a lot of critical services. You have to decide, do I want to accept the risk of the vulnerability that's out there, or do I wanna like disable that key right away and break maybe critical services? Yes. Somebody has to make that call. And that's, that's really scary. Um, the virtual credit card, if you, if you used a virtual credit card for different purchases, like your electric bill gets one and your phone bill gets another, and you see somebody purchases shoes with your phone bill, all you have to do is, is rotate that one phone bill.

You don't have to mess with your electric and everything else. That's what virtual keys does, does that for you too. So you issue virtual keys for every user system, device, and if there's a compromise, you only, you don't have to replace all the door locks in your house. You simply rotate that one code and you disrupt only the people that had that one code.

And that's the same with virtual keys. It's so much less disruptive. You can make that decision quicker on how am I gonna secure us versus not break critical services. 

[00:16:36] Burch: I wanna add to that, that, you know, when you're talking about the risk, effort balance that goes in when a key is exposed or needs to be changed, through a lot of conversations that we've had with practitioners, it's become clear that, um, a disturbing amount of time the key is not rotated when it should be, but the effort is just too much.

Yeah. 

[00:17:01] Nate McKervey: A large example, just quick example of that, a large US exchange, when we talked to them about this, they said we had to audit code for six months before we could rotate a key because it could have had such disastrous consequences. 

[00:17:13] Jamie Grant: And I think that's this, like, it's super easy. It's, it's why I love so much what y'all are introducing.

There's the security side and then there's the modernization side. Virtualized, virtual API keys sit like squarely in the middle. I've talked a lot about how as a CIO I kind of view my CISO as a defensive coordinator there to keep points off the board and not let the Russians and the Chinese and, you know, defend against the CCP, the Kremlin and the nation states, uh, and, and APTs. Similarly at, uh, APIs are this insane catalyst to prevent me from having to build ground up all functionalities, allows the integration economy to happen significantly, brings down costs, lets me service my constituents way better.

And the API kind of sits as the central piece to make that happen. And right now I think we have too many people that have to decide between, like unplug it for security purposes and by doing that unplug modernization transformation initiatives or that have to accept the security vulnerabilities in the name of letting the offensive coordinator score points and, and put points on the board.

Where I think there's this beautiful nexus to say like, you shouldn't have to settle for either. There's a way to manage your API environment. There's a way to virtualize keys. There's a way to support your CISO while also letting your chief technology officer or chief data officer run wild with secure modernization faster than, than kind of ever been there.

[00:18:42] Burch: You know, I, I want to add on, when we were talking a moment ago about the, um, the keys and people not actually changing them. You know, if anyone is not technical and listening to this, awesome that you made it this far. But number two, um, you should be concerned. I mean, you should be going to your technical partners and saying, you know, we, we really should rethink this.

To me it's a no brainer. Like, why, you know, there's like key vaults and stuff. And, but still everyone is sharing the same key. I'm gonna take us on a curve ball that just hit me. Curve 

[00:19:15] Jamie Grant: ball. Curve ball that, uh, I was feeling a little 

[00:19:19] Nate McKervey: batty. Maybe one last thing about this. There's this great connection between the CSO and the CIO now with these virtual keys.

They both have, it's kind of like IT office and defense, like you said, the CSO needs to protect, but the CIO, they gotta keep the business or the organization running. Um, and there's, it's rare when there's a, a solution that both improves the user experience and in security, like single sign-on was one of those.

Yep. And I think virtual keys are the same because security gets way better visibility into the risks and can, can, um, mitigate and resolve them much quicker. But then the IT side of the house, the operations gets more visibility to where their errors are or where they're spending money on APIs than they shouldn't be.

And yeah, 

[00:20:01] Burch: there's not a lot of, uh, potential to proactively secure your API transactions and conversations. There's a lot of reactive stuff, like GitHub, Hey, we found a key in your code, blah, blah, blah. This is proactive. 

[00:20:17] Jamie Grant: A hundred percent. I love where you're going with that. And now I'm gonna take us on a curve ball.

[00:20:21] Burch: Okay. Brace 

[00:20:24] Jamie Grant: it just kind of hit me. Um, obviously, nice pun there. Curve ball, Burch is contagious. I told you we love a good pun. Uh, so, so it just kinda hit me, um, having spent a lot of time trying to kinda write the, the diplomatic version of the DOGE playbook back in 2014, 15, 16, like, Hey, we want a data catalog.

We wanna know what we have, where we keep it, who owns it, what happens, and. Then getting suckered into being the CIO for a few years and realizing all the reasons that certain people wanna obstruct that and don't want to do, like, one of the biggest barriers, if not the biggest barrier or opponent to public sector technology is do nothing.

Like, it's not actually your competitor that has a different solution. It's, it's actually just like, how do I compel people to do something? And I think, you know, one of the things that, that like fascinates me about the work y'all are doing is that it gets over the hurdle of integration is risky. Um, because that's in the public sector.

If you're losing the war of the one sentence you're losing. And now you look at what's happening at DOGE. And I think that something that just hit me, um, you know, not a secret, they're going into federal agencies saying, cut IT spend by 70%. Um, I have been very vocal and I'm willing to make a big bet that that will be a net increase in software spend.

Who's gonna pay the price for that are, uh, do y'all know what an SI is? 

[00:21:54] Burch: Services integrator, integrator. We call them 

[00:21:56] Jamie Grant: software inhibitors on this show because what they actually want to war against is automation. Their entire model in most situations. The, the egregious ones. And, and why I thought about DOGE is like they've, they've been calling out left and right, GSA blacklisted effectively, uh, 10 firms that are the most egregious and they're continuing to pull the thread back on this.

But the software companies all the time get told by these big SIs, Hey, we're only interested in working with you if we can do services around it. And if it doesn't need services, then you don't really help our core business. And so we don't want to include you in the bid. So if we come full circle, like I actually think the work you're doing is DOGE's best friend.

Um, because if we're able to show the world, Hey, I don't have to custom build. Like you can go down the, the boondoggle projects in Florida. Um, former budget Chief Joanne Les off who's a, a Savage and just awesome. When I got appointed, she presented to the house committee and said, uh, basically identified a half a billion dollars that had been wasted on the exact same time and materials boondoggles that were, you know, kind of the, the corporate oligarchy wins and says, well, we need to build you a custom system from the ground up.

APIs are a ma like I, I took a lot of bullets in trying to say like, we don't need to build a custom system. We just need to have an API catalog that we securely manage to say we can leverage this existing function over here rather than building from the ground up a custom application. I don't know what my question is.

Can commentary though? I can, I can 

[00:23:30] Burch: put a button on that. 

[00:23:31] Jamie Grant: Yes. Burch bail me out because I think you're doing some, something even so much bigger than that intersection of CIO and CISO and actually supporting a fundamental transformation of how the public sector funds technology projects. And gets away from these boondoggles.

[00:23:44] Burch: Yeah, I, I'm hopeful. Well, that, that was quite, quite the lead up there. Um, I, I think what's really interesting is when you talk about like all these custom projects, it's, it's all these like, okay, we wanna build it just for these services. We wanna, you know, it's very bespoke. What is so beautiful and elegant about our solution to me is that it's, it's simple and it works across all APIs.

So it's not like, oh, that, that won't work for us. It's all just at the HTTP layer and we're, that, that universal aspect to me is like, is like a revolution. We are now giving the people the visibility and control without limiting them to, we're gonna build you a bespoke solution. 

[00:24:33] Jamie Grant: Nate, did you have something you wanted to add?

'cause I, I wanna elevate it up a hair from the solution to the function. I wanna focus on the function here for a second. Right. But Nate, you looked like 

[00:24:43] Nate McKervey: Yeah. I mean, agencies need to work with each other in public sector, like, uh, and without APIs it's like snail mail. It's like paperwork and documents.

You're mailing. Imagine if the doc, the, the waiter to go from your table to the, uh, to mail your order. 

[00:25:01] Jamie Grant: Imagine if they had to go to the farm. Yeah. Imagine, imagine if they had to go to the farm and, and, and actually like pick the produce and slaughter the cow. 

[00:25:10] Nate McKervey: Yeah. Uh, and APIs just greatly simplify. It makes go way faster.

So like, it's kind another way to look at, it's like the gov different government offices, uh, are like kids who don't always share their toys. And APIs are like the rule book that helps them play nicely. It lets the tax office talk to social services so they can share data, share info securely and get stuff done way faster.

And a specific example of that, a friend of mine works at Department of Well from the API at the Department of Veterans Affairs. Um, and they, they. Built an API to share data and they're doing really cool stuff. Like they, they allow their, um, uh, it allows for secure data exchange between veterans and third party organizations.

So an example of this is the iPhone app, uh, the health app. Um, patients can like receive their, uh, can, can share and receive their information like allergies, conditions, immunization, lab results, medications, all through this. And what's happened now is, actually, this was years ago. The data is probably much, much more, but yeah.

Um, shortly after the API launched, uh, it removed a ton of heavy paperwork and digital submissions went, started, took over like 5% of the veteran sent claims like shortly after its implementation. And that's just one example. Like if you start using these APIs, you can get massive efficiencies. 

[00:26:30] Jamie Grant: I, I love where you're going.

You're, that is really tempting 'cause you're taking me back to, uh. My early days in software, uh, our platform was really a stack of APIs, but the Blue Button initiative at VA was one of the first prominent examples, um, of what the API could do and also showed the importance, uh, of why you need the rest of the community.

So, so my Veterans Affairs, my, my veteran who got their healthcare through the VA could download from Blue Button by way of APIs, their record at the VA. As soon as they went outside the VA, they had limitations, right? Because now I have more multiple source files. I say that to say, especially in the public sector, where you have these government agencies that do serve constituents and are trying to figure out how to improve the constituent experience.

Their choice is either to like, literally go find a field, buy a field, plant the vegetables, like that's their version of serving dinner. Yeah, an API says, Hey, in order to serve an an API economy would suggest in order to serve Nate and his wife at dinner, I need to make a call to my source of, you know, beef.

I need to get my vegetables. I like, I have the ability to have these multiple APIs, so, so that I can serve you immediately. 

[00:27:50] Nate McKervey: Yeah. You just made me realize like, uh, APIs are like Uber Eats. 

[00:27:55] Jamie Grant: Yes. Like they, we live, this is why I've been so excited for this conversation, like we live in an API economy and, and I think when we think about whether or not somebody is open sourced or closed sourced, like the API is such a beautiful example that says like, don't show me what your philosophy is.

Show me your behavior and I will tell you your philosophy. So the most closed stack ecosystem that says, Hey, we'll finally publish some APIs, it's really 'cause they got market pressure. They don't believe in like actually open sourcing everything on our phones, Nate, everything we use. That we say, boy, that was a modern experience, is almost exclusively, fundamentally built on an open API.

And I don't mean true open source, but an open source philosophy. It is. It's why even in the GPT world right now, like open's gonna win. It's just a matter of time. I don't know if you think I'm crazy, but I am. I am a zealot on open architecture and API economy because for you to get a delightful experience at that dinner table last night, that restaurant has the metaphor of a bunch of different APIs that are, how you make a reservation different function, how they seat you, different function, how they source their food, different function, how they order their food, different function, but they have a, a operational framework that allows those metaphorical API calls to happen in a way that you don't need to understand all that stuff.

You just, boy, say, boy, yummy. Right? 

[00:29:25] Nate McKervey: Going back to your analogy, like let's say you've got a farm and you walk up to the farm and you're hungry. You have to figure out what am I, what am I going to eat, how I'm gonna eat it, how am I gonna put it all together? And you have to go pick all that stuff. Yeah.

Whereas you go to a restaurant, they give you a menu, and that menu is the, the docs, it's the open API spec. It's like the spec file of like what you can do. And you don't have to go figure it all out. You just call that item on the menu. 

[00:29:51] Jamie Grant: Yeah. And I think, so if we transition, 'cause I, I don't wanna get to the scary part first, but we're gonna, we're gonna do some current event stuff.

Uh, that's, that's timely with this recording. I look at it as a, a former, my, my friends would joke, I was like a, a, a quasi or dooo agency head. 'cause I wasn't technically an agency head. I sit inside an agency. It was a, it was a zoo. Uh, that job is set up for failure and, and fortunately the legislature's trying to fix it.

But, uh, they do that every four or five years. So one of the things I would've been interested, and Nate, this might be an interesting thing to kind of how we met. I. Uh, we, we met when I was, uh, in the chair as the CIO. Um, you reached out cold to me and just said, hi, my name is Nate, and these are some of the things we do, and I'd love to show you some cool stuff we're doing.

Um, talk a little bit real quick about what you were doing and where we tried to kind of go like, Hey, this is really cool. Also, you're, you're like in the 21st century and I'm dealing with 14th century monks in the government, uh, ecosystem as far as kind of what we're ready to deploy. Um, but I'd love for you to touch on Nate, how our relationship started because we do have people in this community that are trying to access government and they kind of feel like they can only go, they're told like, you have to hire the right lobbyist.

You have to have the right relationship. You have all this stuff that, that sometimes is unfortunately all too real. But quickly tell the audience how we met. Um, 'cause I think that's kind of an interesting little segue into kind of where your transition to Subkeys went. 

[00:31:20] Nate McKervey: Yeah. Uh, just to go a little bit further back, like when I, when I, uh, went to work for, for Splunk in the beginning, I was their first T-S-S-C-I professional services person.

So I did a lot of work in the government and I had this inaccurate You translate, 

[00:31:33] Jamie Grant: sorry. T-S-S-C-I for our folks who don't know, 

[00:31:36] Nate McKervey: it's a, oh, that's an acronym. Top Secrets. Top Secret Security clearance. Yeah. So basically there were some jobs that I was the only qu like a person allowed to do some of the jobs.

So I got to like, go a lot of different areas in the government. And I, from the outside looking in, I was like, oh, that's scary. People are gonna be, uh, I don't know, tough for mean, or like hard to talk to. And then when I actually went in and was working with people, I'm like, no, everybody's just humans.

It's just humans. And um, I think that's one reason why I was like, just reach out to people if you want to talk to them, especially if you wanna learn like how their, how their world works today. Like what are the problems you have? Today, people usually want to want to talk about 'em. And I think that's, uh, how our relationship started was like, Hey, what's going on, uh, in the state?

And I think you were the first person in that role to ever say, there are all sorts of audits that that's, that would be asked for. But I think you were the first one to say, I want an API audit. I wanna know like what APIs we were doing. And I think that's, um, that should be a standard thing. Probably that people audit because that's where a lot of like really important information is traversing, but also it's really the like backbone of, of the, of the infrastructure.

And if bad things are happening there, basically there, it's the window into what's really going on. Good or bad. 

[00:32:54] Jamie Grant: I, I couldn't agree more. It's why my entire, I, I tell people that are trying to play in this space, like you don't have to have a technical background. Uh, you have to be curious. Um, you have to, to wanna learn and you have to understand it starts with a single data element.

And if I just do the curious, curious game of like. Now what? Then what, why, why not all the way back to that single data element. I start to discover my APIs. I start to discover my applications. I find networks I didn't know exist. It's, it's really, I mean, Burch kind of touched on it at the beginning. It's a visibility game, whether APIs or, or otherwise, like the, the role of a technology executive is first and foremost in my opinion, visibility because if we have visibility now you can bring your friends to build a strategy with the, the kind of the known.

The problem is there's just like a tiny fraction of visibility, especially in the public sector, and it makes it really difficult to advance progress. 

[00:33:45] Nate McKervey: Yeah. Most people, real, the way people get visibility into stuff that's not good and with APIs is when something goes really bad. Yeah. One, one of the companies I was at previously, an engineer turned on.

Some extra logging and APIs and we got a $40,000 overage that month. Yeah. Um, and, and another company I worked at, a previous employee that hadn't worked there anymore, one of his keys leaked and they spun up servers that cost hundreds of thousands of dollars. Um, and that's, that's old, that's when you figure out things have gone bad.

But that, that's just an example of like how bad the visibility is. You think there's so little visibility until something really bad happens. 

[00:34:25] Jamie Grant: I think that's right. In Burch. If, if I came back over to you for a second, like the, the thing, one of the, the, the slides I would use in our early all hands decks when I was trying to set the culture of the digital service was would they choose to do business with us if they had a choice?

And I think that's one of the things about the public sector that is, is uniquely challenging, is that we can force you to engage with the tax collector to get your driver's license, you know, the D the DMV or we can force you to do the guns and badges and fines have a, a, a remarkable way of. You know, compelling you to complete a transaction, but what would it look like if I actually had, uh, an environment and a service delivery mindset and application, uh, that, that that left a customer going like, man, that feels like Uber Eats experience to, to use your example earlier, Nate, where like, I found what I want.

It showed up. I'm happy. Um, why do I have to get a license tag in Florida? And I don't know if they've changed this or not, I'm not paying close enough attention, but like, boy, this was a war. Why do I have to go to the DMV? Like, why can't I order it on an app on my phone that says I want this tag. I'm willing to pay this for the custom, or, you know, the specialty tag and it just shows up at my doorstep.

I grab a screwdriver and I'm done. But those kind of examples across government that are easy to, to think of. I think the other one, and I wanna touch on this for a second, Burch, um, and, and we didn't really prep this or call this out, but this is the other one that I think, uh, APIs are the solution to.

And I think we're in the infancy. But, um, for, for backstory here, uh, one of my best friends, uh, former business partner, he is, he's still in the legislature 'cause we kind of dragged him there. Um, but when Lawrence McClure first got elected, he was on the eastern side of Hillsborough County in the Tampa area.

I was on the western side. And a, a guy that's like a, one of my best friend's little brother, Jim Taylor was, uh, the, he, he was like government affairs for Hillsborough County government. And inevitably, Lawrence and I would have something come up where we were just fuming. A constituent would call us and it would be this egregious use case.

And so Lawrence and I would kind of send Jim a text or call be like, Hey man, the missiles are loaded. You got 72 hours. If this isn't resolved on behalf of this constituent, like we're hitting launch and your bosses at the county commission can answer for this egregious service level. And inevitably Jim would go, Hey guys, we have a real problem.

And it would uncover like this one use case. And then I would get this phone call. And I would get this phone call from somebody at the county that would start with Mr. Chairman. I wanna thank you for the opportunity to help Nate and Burch with their issue. We are so thankful that you gave us the opportunity to do that.

And I would, I'm, I'm a pretty, I'm know if chill dude's the right word, but I don't have a temper. I don't get, like, I'm excitable, but I don't have a temper. And I would, this would make me so mad because they were really saying, thank you for giving us the opportunity to do your job that nobody was paying attention to and somebody was abusing a taxpayer.

But because somebody in a position of power called us and said, take care of Nate and Burch's issue, that I think is a misapplication of law. Not asking for anything special, just saying, your law says this. Why are you fining them? Or why are you prohibiting them from opening their business? Or what? And then all of a sudden, because my constituent knew me, or because they knew Lawrence, they got the answer they wanted.

And it was like, what about Sally down the road that doesn't know a chairman in the legislature or doesn't have access to that? And so that's a long setup. But, but, but I see where you're going. The question is like, on the constituent services of like the most vulnerable people, like how do we automate workflows?

How do we digitize forms? How do we allow that data to travel so that nobody in like the disabled community or nobody in the juvenile justice community or the children in welfares community, the foster ho, like there's all these tragic use cases that happen every day because we're just not good enough in government.

And a lot of times that's resources or authority or permission. We have the talent, but like we're losing all these individual use cases that APIs literally unleash the ability to say, we can serve people so much better, so much faster. Burch, I want to tee you up to go back to what you said. Uh oh.

Because you talked about it. In a visibility in elevating what we do, which I fundamentally agree with. Also, what if you took that same approach to APIs and said less administrative, more forward facing customer service? 

[00:39:02] Burch: I, I don't, I don't know where to start, but I think that, um, one of the really interesting things to me is like, you're getting me fired up.

Like talking about that example with, um, you know, it's only because someone actually spoke up that this person was taken care of. But how, how many, I mean, it's like with API keys, like how do you even know if a bad actor has your key? There is no way to know. Yeah. If they're doing traffic from outside your network.

So like, how are we okay with this? Well, but I wanna 

[00:39:39] Jamie Grant: flip it the other way. Yeah. I wanna flip it the other way. I, I think that's fair. We're gonna, and we're gonna talk on the security side in a second. I wanna point this squarely at the constituent services side that says, how can we possibly accurately service all of the constituents, all of the constituents if we're not investing in APIs?

Because now we have to go back to that farm analogy. Nate, to your point, may maybe coming over to you if that's where you're going, like, the ability to build custom up a great customer experience from within government, I believe is a complete f of complete. It's impossible. 

[00:40:11] Nate McKervey: Yeah. Uh, I, I hate when I see, like I have something that could help somebody, but I can't give them access.

Like we've seen it in our customer base where there's one organization that has access to an API and another org in the same company wants access. They're the same, they're playing for the same team here. But since they have different cost centers, they say, no, we can't give you API access to that because.

Yeah. We don't have this building control what you do with it. We don't wanna give you an overprivileged key. I think this happens all the time, like somebody wants to help and they literally can't because it's too risky for them to share their API key. That doesn't have to exist anymore. Yeah. Now like in, in the public sector, like you could say, I'm gonna give you a virtual key and I'm gonna restrict that key.

So you can't do harm 

[00:40:56] Jamie Grant: and it's personalized. I think this is really important for people to understand. Like it is a one of one key in the example you're going down, 

[00:41:03] Nate McKervey: so Jamie, I'm gonna give you a key later, and if you act maliciously or do things that you said you wouldn't, I'm gonna know and I'm gonna get alerted on it right away.

And then I can revoke or restrict. But at least now we have a way to help each other. Yep. 

[00:41:17] Jamie Grant: I love, I love where that's going because it, it gets back to that war of one sentence, whereas an agency head or a governor who doesn't understand how this stuff necessarily works, and they're like, how many times do we see governors and increasingly say like, I wanna modernize my government, and then they just get.

All of those aspirations, legitimate and genuine, get killed by the corporate oligarchy that wants to keep running these SI boondoggles. It gets killed by the folks who want to say, we have to do everything on-prem and we have to do everything custom and we have to own everything, otherwise the Chinese and the Russians will get it.

And, and it's why I think it gets interesting to see like the next gen standard of an API be like, if it's not personalized and virtual and limited to the function, you're kind of committing malpractice. That malpractice looks two ways. One, you're significantly under delivering what you could be delivering your constituents like.

Mm-hmm. The one thing about the public sector, the one thing that the public sector has that the private sector does not have, um, is access to far more and significant data than the private sector does. What the private sector does is use their data exponentially more strategically and intelligently.

All of the data exists in government to like fully revolutionize what modern government services look like. It's, in my opinion, just a matter of kind of creating the framework where we can securely modernize, which is what I think like a virtual Yeah. Too many people aren't 

[00:42:47] Nate McKervey: allowed to order off the menus.

There's tons of menus, there's tons of food. I, and speaking of the menu, you don't have access to the restaurant. 

[00:42:54] Burch: Yeah. Imagine coming, coming into a single platform where all of this department, government, whatever hierarchy, all of the connections are there and so you're picking and choosing. So that means if you wanted to do some kind of new development to modernize.

The public sector, you're not starting from scratch and trying to, you know, get that connection. You can just share and then it's fully visible and accountable. 

[00:43:21] Jamie Grant: And I think that's what gets so interesting about the API function in general is that like I, I had this happen not too long ago with a, a very dear friend who kind of calls me from time to time and, and he is like, dude, I don't understand what's going on at my agency and why we're struggling with this and that.

And he'll kind of bounce stuff off me and go like, Hey, you know, this is what I'm being told. Is this accurate? Is this what I'm being told this is accurate? And so they were specifically looking at workflow automation, like business process automation, which I think is, is like the lowest hanging fruit right now.

And I'm noticing a trend in the public sector where people are starting to quit, like starting to stop, um, thinking about just big project and then have subset business process automation and starting to go like, wait a minute, how many forms do I have that my agency prints? And why am I spending a dollar per page?

And X per printer and Y per processing. And why does Judith in accounting have like a vault. She has to process rather than saying like, Hey, how do I digitize the forms? Well, like, that's only possible in an API economy. And, and so I love the, the API function to say. So he, so, um, he, he and his team were looking at a couple different solutions and, and just like where things are going.

And he goes, like, my team was really impressed with this solution over here, but they don't, they know we can't afford it. And I said, well, what, what do you think the, the budget on that is? And he got the SI price. Like his team is so conditioned to paying SIs an extra zero for them to put a bunch of labor on it and build a blended rate, uh, rather than a software price.

And it's, it's crazy when you start thinking about like what people are confusing in the public sector as the cost of a project that is really a services business. Rather than thinking about the cost of software that automates and that Delta is extreme, and I think y'all are playing right in the middle of it.

[00:45:16] Nate McKervey: Yeah, actually. And you bringing up SIs like this technology has virtual keys, gives the ability for to, um, hold the SIs accountable. Like for sure. I mean, when you have for sure keep going on this Nate, keep 

[00:45:29] Jamie Grant: going. Right? 

[00:45:30] Nate McKervey: So like, let's say your SI or service provider or somebody, um, wants to help you out.

They've, they won the bid, they wanna do something. Sometimes you have to give them keys to your system so they can do their work, they could rack up a lot of costs and they could be very difficult to figure out, um, where those costs are coming from. As well as how do you know that that external organization hasn't leaked your keys?

Yeah. What if you could grant access to your systems without ever giving them the actual API keys? Yep. That's what you can do with virtual keys and you can give them fine grained. Uh, keys that, you know, who owns that key. And so you can invite them into an organization in the software and you can see what they're doing, how much they're costing you.

I'll, I'll, it seems like you've got something to say, Jamie, for this forever. 

[00:46:21] Jamie Grant: Uh, so, so I think everything you just said is awesome. I also, with the most love and respect, I think you're underselling the way that you can keep these folks avail. And, and we don't wanna do sales on this pod, so that was a poor pun.

But, uh, I do think you're, you are underselling the value, uh, in that if, if, if, and, and when we did the first year of reforms for the Florida Digital Service, uh, and I was still in the legislature and it was a two year plan of policy, um, and we were quite frankly just fed up with state technology being so poorly done.

So we, people have heard me say it this way before, but it was like, well, we, we wrote that thing with like, the state CIO will do this and this and this and this. Um, and then it wasn't until that bill passed, the governor's office was like, Hey, we want you to be the state CIO. And I was like, I would've written a very different bill if I would've known that this was coming.

Right. But year two, and, and this is where I was really ignorant and naive to just how broken kind of, and, and just the, the, the, the swamp, the oligarchy, whatever people wanna put on it. We thought, hey, write the data catalog. Year, year one, year two was always gonna be the API catalog to say like, I need to know what data I have, and then I need to know what applications I have.

'cause now I have a chance to start getting the answers as a chairman of the legislature that I want to have answers to, to be able to fund where I want to fund, to punish the bad actors, to reward the good actors. But in the absence of the data catalog and the API catalog I had, I had no chance. And so everything, when we go back to like the Doge stuff we talked about, like an API call will actually let me see my license usage, right?

Lack, yeah. I mean like even before we get to like the most sensitive or things that are true, or lack of things are true, lack. 

[00:48:02] Nate McKervey: LA license. I wrote a Splunk search for a very large customer one time that identified unused licenses for software, and it saved that one search, saved them $11 million a year.

[00:48:13] Jamie Grant: And that's everywhere. So go back Nate, to your, when we say, like the agencies, they're being told at the federal level, reduce spend 70%. Like if you're not thinking about how to leverage an API economy and your existing solutions mm-hmm. Like a shop that's using Splunk could write that search and save that exact same, their equivalent of the $11 million just by going, wait a minute, why am I spending all this money?

Because the vendor's not gonna show up and say, Jamie, I'd like to revert back to you $11 million of unused licenses. 

[00:48:43] Nate McKervey: Mm-hmm. 

[00:48:43] Jamie Grant: It's up to me as a CIO to go, where can I find, and, and I think that's why I get so frustrated sometimes around, and why I'm so excited about what Doge is doing, because I think, again, the, the 70% reduction will re will also include increased revenue for the good actors.

Yeah. And those good actors are the ones that are right sizing licenses. Those good actors are the ones that are automating those good actors are the ones that are doing all that kind of stuff. Um, so I just, I, I love where you're going. I want to, I wanna take us real quick. Um, I, I think we've done a, a, a pretty good job setting the stage.

Now I want to talk about, um, A CVE that was just discovered, uh, that made me think of y'all. Uh, I love it Mer. Um, but, uh, recording this, uh, right around the time, uh, of the Kubernetes breach, um, in the CVE that was discovered, uh, when I read that, uh, hat tip to the team and our friends at Wiz, uh, who found this doing some research.

But when I see Kubernetes CVE 9.8, my immediate question is, uh, what happened on the API Gateways? Um, so Nate, I don't know if there's anything you want to touch on, but I think this is a really pragmatic example. I know I've kind of steered us a little bit more towards the modernization conversation up to now, which was, was kind of intentional because I knew we were coming here.

Talk a little bit about, one, explain to our audience in a way they understand what Kubernetes is. Two, uh, I'll just say it's everywhere across the public sector as an open source tool. And so three, what does that look like? Nate, when you read the news, you're a CISO today, you're a CIO today, you're a governor today, and you're like, I don't know what Kubernetes is.

But 9.8 on a scale of 10 looks pretty bad and pretty severe. Tell me where it exists in my enterprise. How do we even get started? So, so Nate, I threw a lot at you. Let's start with what is Kubernetes? 

[00:50:38] Nate McKervey: Yeah. So back in my day when I was a systems administrator, we had physical servers. They were like, whoa.

There were racks and there were cables and those still exist. But now, then we took the next step and we virtualized those servers. Um, and we like. Put multiple servers on a server, but we virtualized them and then we, we not, we like society. Yeah. Took it a step further and containerized things. And so basically like all the code that's being executed or rerun or a lot of it is actually being run in these containers.

Now there, there is this giant need to orchestrate all of these containers. And so Kubernetes is, uh, a great way to be orchestrating all of these containers. But you can kind of think of it as like, Kubernetes is the, the sym, the, the sym, the orchestrator, and the symphony. Uh, if he or she gives the wrong symbol or does something wrong, the entire everything's gonna crumble.

It's gonna sound terrible, everything's gonna get messed up. So it's very important that your orchestrator for the symphony doesn't get compromised. 

[00:51:46] Jamie Grant: Fair to call it. Like I love the symphony dynamic, uh, specifically here. Fair to call it like a true hub with spokes, right? Like I have this hub that is the conductor that's gotta make sure all these different spokes and containers of code are working together, they the way they should be working.

Yeah. And if we were to not live in an API economy, then we would have to take all of those spokes and effectively centralize it in a kind of a, a closed stack where instead of being able to leverage the different containers, I would have to natively build and own the code for each of, uh, those, those spokes.

[00:52:24] Nate McKervey: Yeah. And if I could take it a step further, like with this analogy, I like this, uh, let's say that conductor is looking at a music sheet and there's notes on there. What if someone could live change the notes Yeah. Before the conductor. Yeah. Uh, presents them. Yeah. That's kind of what my understanding. This is hot off the press's vulnerability, but it insufficient sanitization of like API submitted data that's ingress allowed attackers to inject stuff and Yep.

Well basically own the conductor. 

[00:52:55] Jamie Grant: Yeah. Yeah. Yeah. I love, I love that. One, two, um, fair to say that APIs are a foundational element of something like Kubernetes, even being able to, to be the conductor so that it's, it's tough to have a hub and spoke strategy without APIs, if not impossible. 

[00:53:13] Nate McKervey: Right. 

[00:53:13] Jamie Grant: And then secondly, if I was able to get that physical key, to go back to where we were talking before, if the, if the threat actor can masquerade as the conductor, right?

Like there, there's, there's two examples. There's the conductor getting manipulated 'cause the conductor's getting bad data on the music sheet. There's also like the impersonation of the conductor showing up because they had the physical key and could get in. Mm-hmm. 

[00:53:38] Nate McKervey: There's not, there's by default, there's no identity with the, uh, with the key itself.

With the string. I love that. Like Burch said earlier, love that it's just an API key. There's no identity by default, so how do you even know that's the real conductor up there 

[00:53:51] Burch: that I love? Yeah. So bringing it back to what actually happened, I'm like connecting the dots. Um, I didn't read the article yet, so 

[00:54:01] Jamie Grant: this was this morning, guys.

Yeah. So timestamping where we are, like we were about to record for our audience and we started talking, uh, this broke right before. So we're, we're kind of giving you like unfiltered, high level, uh, but there's no two people I'd rather have having this conversation aside from the Wiz researchers that found it, uh, than Burch in it.

[00:54:20] Burch: Yeah. I I So in a virtual key world, would this type of thing happen? 

[00:54:31] Nate McKervey: Yeah. Actually you get multi defense mechanisms against an attack like this. And if I like that word, is that, so let's walk through the 

[00:54:38] Jamie Grant: multi-level. Let's walk through the multi-level. Like if you, if we were to design, if we, if we looked backwards at what happened here, to the extent we understand it, where are the, like the redundant lines Yeah.

Of defense. 

[00:54:50] Nate McKervey: Okay. So my understanding of this vulnerability is with the admission controller, that's like the conductor, and with a carefully crafted API call you can get it to do bad things. Um, now in a virtual key world where the vir, oh, and by it it's the, by the way, it's the, I think it's the default.

Um, settings have this vulnerability. So if you're, you're in the default settings, uh, you're default at Kubernetes, you're saying? Yeah. Right, right. That default and the admission controller. Yep. Um, now even in a virtual key world, even if you're running this vulnerable default. Uh, settings. What would happen is you would have policies built into your key virtual key that prevent against it.

Let me give you some examples. Um, IP restrictions. So with virtual keys, you can set the policy at the key level rather than in the code level. So I can say, Hey, only API calls from these IP addresses should be allowed to proceed. Yeah, that would sub that or something. Yeah. So that would've stopped the attack.

You can also set policies on what a virtual key is allowed to do, so, which particular methods and endpoints, even what parameters. So that could have prevented it as well. But even better, you can, and this reminds me of a, of a, of a story. Um, yeah, I'm gonna tell the story real quick 'cause it's related. I remember, I I was gonna 

[00:56:12] Jamie Grant: ask you for this story that you talked about earlier.

If it's the same one I'm, I'm thinking of 

[00:56:15] Nate McKervey: Yeah, it is. I remember when, uh, the, the RSA, uh, hack happened and we had these tokens. We used to have these physical things we'd carry around our, our neck, and we type in a, it's our multifactor authentication, the beginnings, the multifactor authentication. Well, there was a, uh, a vulnerability and the government notified us before it went public.

And what we did was we crafted a Splunk search so we could look at the logs and see if somebody was trying to exploit that vulnerability. If you virtualize keys, you can do the same thing. So you can look for that targeted, that well-crafted API call. You can search for that and alert on it in real time.

So not only do you block it, but you also can identify the region of where, where the carefully crafted attack came from. So it's not only a block, but it allows you to like turn the defense into a little bit of an offense. 

[00:57:04] Jamie Grant: Burch coming over to you to, to add commentary. I can't help but think about what you said earlier about like elevating to highest and best use.

Um, I like to think lawyers as a profession do one of the best jobs. Like they all, the billable hour lawyer doesn't do anything. That's not billable. Doctors do one of the worst jobs historically, right? Like they just don't delegate. They don't, if we think about it as, as, as technologists, innovators, solutions, um, you know what Nate's talking about that you've talked about earlier, Burch is like, if I have visibility I can continue to kind of elevate up and, and play that offense and, and defense role.

So I think, I think where you kicked us off on that is, is really great. And I don't know if you have anything you want to add to, to kind of this or the macro of what it looks like for us to be kind of empowered to let machines work for us. Because I think those are the people that actually win in the future, right?

The, the folks that are stuck in on-prem, fully remote work, they, they're putting a bullseye on their backs for, for automation to replace the, the task or the function, like the, and so what does it look like for the critical thinker, the problem solver, to embrace where computers and machines are going to say, how do I let that do as much of my administrative work as possible so that I can play at the strategic level, or I can play at the, you know, highest and best use of, of my background, experience, licensure, training, whatever that is.

[00:58:31] Burch: Yeah. I, I mean, the, the part that really blows my mind is, the concept of virtual keys provides data that just didn't exist. 

[00:58:45] Nate McKervey: Mm-hmm. 

[00:58:46] Burch: And it's so critical, but it just didn't exist. So now Sure. You put one, you virtualize one API key. Great. But as you add more and more, not only have you made everyone more efficient because they have a single interface to go to, to, to do these things, they can create as many virtual keys as I, you know, you could have one, you could have one for production integration, dev.

The data is huge because we can't even imagine what then becomes possible when you take that data and you feed it into AI and now we can say, oh, this is abnormal behavior for this key. Or we take that data and coalesce it with security items. Or we take that data and we now have cost control, eliminating license.

We're paying for this one service. No one's actually making any calls. So things like that, like the, the possibilities of ways that we can improve our lives becomes incredible. Once you have visibility. 

[00:59:55] Jamie Grant: Yeah. So, so I, I love, and, and I love the, the, the kind of the parallel that just hit me is you're a property management company, right?

And you have thousands of units, condos, apartments, houses, they're all unsecured right now, they're physical locks. And you realize that somebody has figured out that the master lock, right? Well, your choice is I need to go get somebody to go change all of those different locks before the advent of, you know, Ring and some of these innovations and, uh, you know, the, the, the virtualized, um, the virtualized keys, right?

Um, so the ability to say, uh, one to many, and I think maybe that's where I'd land this and, and kind of take us in. Nate, I want you to give a little bit of background. I, I know we've, uh, gone into a little bit. I'd love for our audience to kind of understand, you know, what coming outta stealth means and, and, and kind of introduce where y'all are going and, and, and introduce Subkeys formally for a second.

Uh, but if I was to kind of land, I think there's this philosophical choice as a CIO today or an a technology executive today, do you think it needs to be one to many or do you think it needs to, to kind of be the inverse? And, and what I mean by that is the more as a CIO or as an executive, that I could make the change in one place.

It's why I think data governance is the other kind of like, if, if I was to say that virtualized APIs have a, a cousin or a brother or a sister that's right there, it's like the public sector has, I have yet to uncover really meaningful, good data governance in the public sector. Um, and so a lot of times when somebody shows up with a solution, it's like, hey, well we have to go manually make that change at all of these different instances rather than a data governance solution that says like, Hey, make it in the hub and the conductor can make sure that the spokes, uh, have that updated data.

So, I think when you think about the cost of sending out the locksmith to thousands of units for a property management company, um, the security vulnerability exists, whether you admit it or not. So when we talk about numerators and denominators in this context, like the denominator is the total risk known plus unknown.

The numerator is just what you've known. And unfortunately, I think far too much of the public sector, um, for a lot of reasons, uh, but optimistically like getting a lot better pretty quickly. The numerator's a lot smaller than the denominator. And just because we don't know about the opportunity or the vulnerability doesn't mean that it does not exist.

How do we help folks get the numerator to be a number that's a lot closer to the, the denominator? And I think APIs and, and certainly the management of virtual keys is like foundational to that. 

[01:02:40] Nate McKervey: I think all CIOs and CISOs would agree that the keys to the kingdom are literally the API keys. 

[01:02:48] Jamie Grant: We got another pun 

[01:02:51] Nate McKervey: and a a ask the ask, like ask themselves, like ask yourselves, like if those are the keys to the kingdom, how well are you protecting them?

Right? How well are you watching them? Like put controlling the keys aside for a moment. Like what level of visibility do you have? There's a lot of technology or software out there that can like, do network level inspection and stuff, but a lot of these keys are being used outside the walled garden. How do you know these, how your third party APIs are being called?

[01:03:18] Jamie Grant: Well, if I was to kind of, so I love that and I, I think I, I totally agree. I also would take it bigger, like, what does Zapier for government look like? Right. Oh yeah. Like what, what is Zapier for, for digital services look like? Because in my business all the time, I'm writing Zaps that automate things that I could never build the core application.

But I need these six things to play together for our team at redleaf, right? There is currently no Zapier for pub sec. And, and I, I believe, and I might be crazy or I am crazy, and I might be wrong here. Uh, I believe that APIs are the gateway. Uh, there's a pun for you on accident Burch, but APIs are the gateway to Zapier for pub sec so that a CIO could look at it and say like, Hey, what do I need to automate?

What exists and how can I know it's secure? I don't find many people in the pub sec even know what Zapier is. And it's like mind blowing to me that it's like, man, how are you running an enterprise and not know that? Again, the SIs probably don't want Zapier for pub sec. So, so there's a reason that that communication doesn't really happen.

But I think, Nate, to your point, it's like that the, the acceleration, you're one of the only innovations I've come across that secures as much as it modernizes, everything plays complementary, but I don't know that I've come across something as transformational. If we go from like the inception of cloud, then we start to see AI take off all.

Like, those are just massive things. Massive things. None of them are happening without an API. 

[01:04:54] Nate McKervey: Yeah. Thank you for saying that. And I just urge people, like, even if you don't use our technology, like find a way to virtualize your keys Yes. In the future. Like it's going, it's the, the way to get this building control safe.

And I 

[01:05:05] Jamie Grant: think if you start there, like this is where it gets fun, right? Like I should be as a, as a technology executive, asking myself, if I'm not virtualizing my keys and managing my keys in a centralized place, why? Like, what's the compelling reason not to. Um, I think 

[01:05:22] Nate McKervey: in the future 

[01:05:23] Burch: you might get in trouble for 

[01:05:24] Nate McKervey: not virtualizing.

Yeah, yeah. 

[01:05:25] Burch: You know, and we have a lot of people we talk to who are using a password manager as the way to share keys, and they feel that that is secure. And I respect your feelings, but I also say, great, I could still take one of those keys and use it. And you have no visibility. That's right. You don't know what is actually being used with those keys.

You just have a place to store it. 

[01:05:47] Jamie Grant: Also, that password manager has a series of APIs. It depends on Right. So like even the function of the password manager to authenticate is leveraging APIs. 

[01:05:58] Nate McKervey: Yeah. And rotating passwords is kind of a pain too. And I wanted to bring this back into like, uh, the workflow automation, the Zapier, uh, thing too.

Um, it's great that we can automate these things with, with Zapier, but unfortunately sometimes the API providers force us to rotate keys, and that means everywhere we deployed workflow automation. Yeah. That use that key. We have to go update that. Yep. But imagine you virtualize the key. Now what you can do is update the underlying source key, but leave all the virtual keys wherever they are.

So now you can, if a vendor, API vendor is forcing you to do, to rotate a key, that doesn't mean you have to go and deploy new code anymore. You can if you want, but you don't have, I 

[01:06:43] Jamie Grant: love it. Right? Like the ability for the two party handshake at the beginning to say we want these two things to integrate and then we want to rotate these numbers.

Uh mm-hmm. This, this copy, this text. In a way that doesn't require either party to take action, um, when we talk about virtualizing like that. But you totally 

[01:06:59] Nate McKervey: can if you want, right? You, you can have a CI/CD pipeline that goes and rotates your virtual key and you get the consistent way to do that. You don't have, you're no longer dependent on does the API provider have a way to rotate the key and what is it?

You don't have to rewrite that every time you've got one way. Now it's way easier to manage. 

[01:07:17] Jamie Grant: So, so we're gonna show our audience what this looks like and we're gonna do something we don't often do. Go ahead Nate. Yeah. 

[01:07:23] Nate McKervey: Uh, the workflow automation, I think the next place that's going is that it's hype now, but like, AI agents and these AI agents are gonna go do work for you, but they're gonna hallucinate they're gonna do bad things.

Hundred percent are you. And so I think organizations that are, have people experimenting with AI and AI agents, they should be asking themselves like, what bad things could that thing do? And they should give, one, they should give virtual keys to those agents that are limited so they can't delete their spend.

Yep. And then two, they absolutely need visibility to see what they're doing and maybe even what data their employees could be leaking. 

[01:07:58] Jamie Grant: I think AI agents are gonna be kind of like what NIL plus the transfer portal were in college sports in that, without the right foundation laid it was gonna expose some really great stuff.

So you're gonna see some tax evasion cases where a 19-year-old had no idea that income tax was a thing and they got a couple million dollars in. I like, like there's just this compliance and administrative nightmare around it where the world loves to say like, Hey, we're buying a quarterback, or, Hey, we've got this NIL collective and we're doing those things.

Same thing here with AI agents. I think you're gonna watch some really unfortunate circumstances play out where the foundational data catalog, data governance, permissions work wasn't laid, where the API catalog doesn't exist, where I don't have any way to understand what my APIs are doing. One of my fundamental rules in building a team is everything scales so bad.

Communication at the three person level scales to 30 to 300 eventually becomes metastatic cancer. AI is going to accelerate explosively and it's coming, it's here, it's a tidal wave. It's gonna explosively accelerate transactions. Uh, the question is what kind of framework do we have around it? What type of, how do we make sure it does the good and doesn't do the bad?

To your point, Nate, and the ability to understand what APIs, I have the ability to securely manage those, uh, through, through those capabilities to accelerate the modernization as I think we're gonna see the winners win and really transform the public sector operation. Unfortunately, I think there's gonna be people that skip some of what might seem like the boring and unsexy steps.

I'm gonna, I'm gonna land here, so we're gonna do something we never do on Ever to Conquer and we're gonna actually do a quick little demo, uh, after the roundup, so we'll, we'll tease up for that. But I do want to leave here a true story, uh, on the API front that marries the public sector. So I had spent two or three years in the legislature thinking that my problem in getting an API catalog bill passed was my inability to just explain it better.

And it was probably two years, I think two legislative sessions. And I mean, I went recovering lawyer. I had floated it with some of the, the, like the best mentors I had from a technical perspective. I had made it my number one priority. And so year one it was maybe not a great product and I thought, well, gosh, I need to go back to the whiteboard with my friends and I

go back to the whiteboard and man, we drafted like the most beautiful model policy for a government to have an API catalog. And we thought, here we go. And I still couldn't get any traction. And then after that session, we went back to the, the, the metaphorical war room. We were like, all right, they're never gonna care about an API catalog.

How do we make them care about an API catalog without knowing that they care about an API catalog? And that was the year that we introduced the digital credential, that there should be a valid, uh, verifiable and authenticated version of your Florida driver's license. It should not be single sourced to one company to just own the technical stack and rip the state off a thousand different ways.

It should have a credential service provider background to it that allows qualified entities to verify, validate, complete the transaction. The example I would use to get people to care about it. Uh, one of my nieces at the time was in college and I said, look, if she wants to go to a grocery store and buy beer, I don't need the person at the cash register to know her full name and address.

I just need them to get a yes no. Is that credential over the age of 21? Which Nate goes back to some of the Web3 stuff you were doing. Yeah. You know, but ultimately I'm thinking zero-knowledge proofs, proof something 

[01:11:37] Nate McKervey: without revealing it. Yeah. 

[01:11:38] Jamie Grant: Right. Like the yes, no. And, and this is kind of those first conversations we had, but the reason I stress that is one of the things we really wanna try and do is we bring the art of the possible to the table is like, get people to understand we gotta make the legislators care about it in a tangible way.

Um, and as soon as we made it about the digital credential, I never got another question about an API, again, I could account for the privacy, the security, the modernization, but now I'm going and lobbying a 70-year-old in the legislature who's still on a flip phone, who happens to be a chairman of a committee.

I can't even talk to him about Uber 'cause he has never seen it. I can't talk to him about, you know, Airbnb. 'cause he's, I mean, never heard of it. 

[01:12:16] Burch: How do you explain the internet to someone who's never seen a computer? 

[01:12:20] Nate McKervey: Yeah. You make me think like, what if an adversary could look like your friend, but mm-hmm.

They got a key to your house. Yeah. That's, that's what's happening right now. That's 

[01:12:31] Jamie Grant: a hundred percent happening. But, but, and we're not gonna win that messaging. Sometimes security is the interesting thing, right? How do we present it to people in a way that says it is malpractice to allow your home, your kingdom to be vulnerable to the crazy ex-girlfriend who still has a key, the threat actor that wants to break in the burglar down the road, whatever that, whatever that threat looks like.

Why are we allowing them to replicate the keys? Where your kids sleep, where your wife, where your spouse sleeps. Like 

[01:13:06] Nate McKervey: how do we Exactly. There's actually a market for keys. Like you can go and buy people's keys. 

[01:13:12] Jamie Grant: For sure. For sure. You can 

[01:13:13] Nate McKervey: very much decrease the value of those keys if you're rotating them quickly.

[01:13:18] Jamie Grant: And our inaction as public sector leaders only strengthens that marketplace and increases the value of those keys. 

[01:13:26] Nate McKervey: Yeah. 

[01:13:27] Jamie Grant: Alright, so we're gonna have some fun. Now we do this at the end of every episode, we get into what we call the roundup. Uh, there's some fun questions, y'all haven't seen 'em. Uh, we're gonna give you both the opportunity to kind of rapid fire, uh, kind of our version of a lightning round.

Uh, but Burch, I'm gonna start with you. I know. And bonus points every time you use a pun. But, uh, as the Prince of Puns, what is the one piece of advice that shaped your career the most and who do you give credit for? 

[01:13:55] Burch: First thing that comes to my mind is follow the fun. So, um, early, early on I was like really focused on like, how am I gonna climb the ladder?

And I realized I just wanna be happy, and if I follow that, I end up doing really interesting things, uh, that came from my background in improvisational comedy where we say follow the funny. So, uh, I don't have a specific person to attribute it to, but 

[01:14:26] Jamie Grant: I love that you went there. Uh, I didn't bring up the improv earlier, and that's a mistake on my behalf.

Uh, uh, like, I, I think we could have a lot of fun on that when we have you back one day. Uh, uh, mad respect for people that can, that can pull that off. Thank you. Nate, what about you? Best piece of advice and who do you give credit for? I 

[01:14:45] Nate McKervey: don't know how to follow that up.

You're sweet. I, I 

[01:14:53] Jamie Grant: want the next question 

[01:14:53] Nate McKervey: I can't 

[01:14:54] Jamie Grant: follow. Alright. The next question. The next question. This is, this, I feel like pass is up your alley. Uh, if you have one kind of secret weapon for productivity, one practice, one thing that when you're in rhythm, you're doing this thing really well or this thing helps you get into rhythm.

That one practice that either helps you get locked in or keeps you locked in. What is it? 

[01:15:15] Nate McKervey: Oh man, I'm, remove distractions is the first thing that comes to mind, but honestly, I am like most productive when I'm very interested in the thing that it is. So I have to find a way to make it interesting and you'll get productive on it.

You'll just want to be working on that thing more than the other things. 

[01:15:34] Jamie Grant: Love it. Burch, do you have a practice or a framework that you would say either gets you or keeps you locked in? 

[01:15:40] Burch: Yeah. Well, I, there's two things. You know, Nate's spot on. If you don't care about what you're doing, then that's not gonna be very good and you're not gonna be having fun.

Um, one of the things I, I did early on in my career is I realized I, I don't like to think that often. So how can I make it so I don't really have to think? And when I had to, I used to be a WebSphere engineer, and when I used to have to like, update settings for security things on, you know, 20 different, uh, uh, cells, I, I'm not, you know, I start out, I'm like going cell by cell, web interface, and then I'm like, screw this.

Just open up all the tabs, have them all on the same window, and then click all tab, click all tab, click all tab. And so I just do one task and then save, save, save, save, save, save. So I guess it's like I, I accelerated the, um, pace that I got the work done. And really just got to listen to music 'cause I didn't really have to think much.

Yeah, 

[01:16:45] Nate McKervey: yeah. There's ways to make stuff fun. You sometimes you have to be creative, but like for, for me, like when I had to pick up my Legos, I hate to pick out my room or my Legos. What I would do is I would set a stopwatch and see like how fast could we, could we do it? But I've gotten one even better. I recently was at this conference and they talked about how um, they, they have this, uh, they just use like Google Home or some ai and they have chores for their kids.

And every morning what they do is they, the kids ask for their chores, but it does something different each day. Like it'll say, clean your room as if and act as if you were a Roman soldier. Oh, I love it. And so the kids are looking for, they're looking forward to getting up and seeing what their chores is that day.

'cause there's some new way to do it. So nobody likes doing chores, but there's ways to make stuff fun where you, I love that, are productive. 'cause you're interested. I'm a hundred percent 

[01:17:31] Burch: doing that. I, 

[01:17:32] Jamie Grant: yeah. I, I feel like it, I can do this to myself. Right? Yeah. Like I, I, I get to be a Roman gladiator while I'm like cleaning my condo.

[01:17:40] Burch: I think in a way we're all a bit of a pro a Roman gladiator. Yeah. All the time. We're all kids and we're all gladiators, right? Yeah. 

[01:17:47] Jamie Grant: Um, alright. If you're gonna totally unplug, right? Like, I have some things that like, worst day, best day doesn't matter. My brain shuts off. If there's, if you're gonna do something to kind of totally unplug mentally where like everything is good, what is that thing starting with you?

[01:18:03] Burch: Burch? Do you, do you mean like completely remove myself from work? Yeah. That kind of thing. Yeah. 

[01:18:09] Jamie Grant: Not, not work. This is, this is like, I gotta step away. I need kind of a sabbatical, a refresh, clear my head. 

[01:18:17] Burch: So sadly I don't get to do this anymore. But one of the things that I did for many years is I would take a week or two of my vacation and in the summer go work at my old summer camp.

Oh, and you know, just being around kids and being goofy and not having to dress up and go into an office, not even touching a computer. It was the complete opposite. And that was always like a nice sabbatical. Yeah, for sure. 

[01:18:46] Jamie Grant: Yeah. What about you, Nate? If you're taking a sabbatical, what are you doing? 

[01:18:49] Nate McKervey: 50 miles offshore in the Gulf, fishing with music and absolutely no cell phone reception.

Love it. 

[01:18:58] Jamie Grant: Love it. All right. You each get to pick one book and one band that you're convinced the world needs to know about and might not know about.

[01:19:11] Nate McKervey: I will go with the book. You do the band or I don't, yeah. No, no. Fire away Nate. 

[01:19:15] Burch: Well go. Go ahead. 

[01:19:17] Nate McKervey: Yeah. So the, the book, uh, The Sovereign Individual, I, is, is a, is an interesting one. Okay. Um, I, I, I do highly, my most recommended book though, is Surely You're Joking, Mr. Feynman. It'll help you solve problems and have fun doing them, and just enjoy life.

[01:19:33] Jamie Grant: All right. Burch, you wanna do both Fire away? 

[01:19:35] Burch: Yeah. I, I think it's called The Goal. Okay. And, uh, I think the, the author's name is like, uh, Israeli. It, it was, it's odd. It was about process automation, but somehow it's really exciting and it like, blows your mind on like how you organize your life Yeah.

Including work and not work. Uh, and then the band is obviously The Presidents of the United States of America. 

[01:20:04] Jamie Grant: Love it. All right. We get, we get two left and we leave with the last one. Then we'll get to the demo. Um, you get to pick 'em here. Mm. I'm Burch. We're starting with you. Nate, I'm gonna save you from this one.

We're gonna, we're gonna, uh, you, you can jump in if you want to. Burch, I'll take the bullet. This is true improv. You get to pick them. Okay. You pick 'em. Is the wildest thing you've ever done to impress somebody, personal life, professional life? Like you were just really trying to figure out how to impress and did it work?

Or what is your hottest, most controversial take that you don't think should be hot or controversial? 

[01:20:41] Burch: Uh, I'm gonna go with the latter because Okay. I had an idea came right to me. Yeah. Um, I think the entire world should not have time zones. I think we should just agree on like some logically it would be GMT would just become zero.

[01:20:58] Nate McKervey: Yeah. 

[01:20:58] Burch: And everyone now is at zero. Yeah. And we, thanks to technology will be able to know when people are awake or not. Yep. You know, d different features on our devices, but essentially we no longer have to convert time zones when we go to schedule things. We can, you know, just see oh, they're sleeping at that time.

Um, but everyone tells me. I don't, 

[01:21:22] Jamie Grant: I actually, you're the first one to pick that, and I'm not sure anybody can top that, because that's a, that is, that should not be a hot take, like calendar integration, the ability to go like open hours, 

[01:21:35] Burch: which you, you know what's funny? People get really upset and they're like, what?

So I'm going to sleep at like 2:00 AM. Who cares? Yeah. Yeah. Who cares? And also there's no, there's no AM or PM. It's now 24 hour, it's open or closed. 

[01:21:48] Nate McKervey: If we could do that and move the metric system across the world, 

[01:21:52] Burch: there's only two countries left. It's up in like America some or something. 

[01:21:58] Jamie Grant: All right. So Nate's hot take is move to metric.

Burch's is GMT. Uh, I love it. Um, all right. The, uh, we ask every guest, uh, to leave a question for the next guest. So our next guest might get two, depending on if that's a single episode or not. Uh, but first you both get to answer a question from the CEO of Pursuit, uh, Mike Vi, who left us a great one. Mm-hmm.

What is the most significant or consequential 180 you've done in your life business? Pre prefer, like any con, but like something that you had kind of a conviction or practice about that was the most significant or consequential 180 that you changed operationally. It could be in your marriage, could be with your kids, could be at work, but it's something that you did a 180 on that mattered.

[01:22:52] Burch: You know, going to college is a really great opportunity to start, sort of start fresh. Yeah. And I know this may come as a surprise, but I wasn't the coolest kid in high school. So, uh, you know, I, I think. Go. Going to college was almost like a 180 because it was a palate cleanser. Like, I'm starting from zero.

No one knows that I wet my pants in, you know, fifth grade. No. You know, well now everyone knows. But, um, and it's, yeah. And it was also actually for me, the time when I fully embraced the name Burch, which is not my legal name. 

[01:23:39] Jamie Grant: Yeah. 

[01:23:40] Burch: And felt like that was an identity that better represented who I am. Yeah.

And how I wanna be perceived than my legal name was. That's a really, so that was like a, a 180, I guess. That's a big one. That's 

[01:23:54] Jamie Grant: like spot on. Thank you. 

[01:23:56] Nate McKervey: Yeah. 

[01:23:57] Jamie Grant: Nate, do you have anything you wanna add? 

[01:23:59] Nate McKervey: Yeah. This took me a lot of thinking. It's a very good question, but it was, it's really, um, get comfortable doing the uncomfortable thing.

And what I mean by that is, it's kind of related to what Burch did. Uh, I had to move around a lot when I was growing up and it was hard 'cause you're that big one that has the friends when you get somewhere. But the uncomfortable thing is to go and just get in the group. Let them make fun of you at first because they, you're the outsider, but then you're gonna actually find the true friends that, that, that are not, that you, you like.

Yeah. Um, this in my career constantly. Like I have a comfortable job. Do I wanna do the uncomfortable thing and move my family to San Francisco? Uh, well that was actually one of the, the best career thing I could have done was a little bit of uncomfortable. All my friends and parents were advising me.

You've got a great job. Just, just keep doing the comfortable thing. But it's really where the life experiences come from doing the uncomfortable things that you know are positive. 

[01:24:59] Jamie Grant: I love that answer. Um, as y'all are thinking about your one question you wanna leave for the next guest, we have an obsession with vulnerability and depth 

[01:25:07] Nate McKervey: here.

[01:25:07] Jamie Grant: And I think like that authenticity, uh, of dialogue around the ecosystem is what it takes, uh, to have some uncomfortable conversations, to do some uncomfortable things. Um, I don't know of any, any sort of innovation or growth personal technological that doesn't begin with a lot of acute uncomfortability.

Um, and, and I love starting 

[01:25:31] Nate McKervey: a company is very uncomfortable, by the way. 

[01:25:33] Burch: Well, changing, changing a job when you're content with your current one. Preach. Yeah. Or even when you're not, you know, I, I said I follow the fun in my career, but that also meant like creating these very odd new teams. Yeah. For which I was like, this might be a complete failure.

Yep. 

[01:25:52] Jamie Grant: Yep. No, I, I love it. Um, all right. What question do y'all wanna leave for our next guest? 

[01:25:57] Burch: What's something that you regret doing, uh, in your business experience? Love it in your business life. And what did you learn from it to not do that again? 

[01:26:12] Jamie Grant: I love it. Nate, what do you wanna leave? I'll buy you time while you're thinking about it.

'cause this came up last week when I was in DC but former, former co-founder of ours, uh, is now the, the administrator at Deion. We, we like to laugh, but we were sitting at a dinner table and she made a joke, a bunch of people who didn't know her, uh, who didn't know the, the joke, um, and hadn't met her, and she made a joke.

I, I wasted probably 600 grand of, uh, just time and waste because I was so young in my career. And I believe that, that, that GUI and design did matter, but like hyper obsessed over it. Uh, and that was mine. From a, from a business perspective, like I learned to appreciate the backend. And understand that the foundation has to be built before we ever care about, while it does matter, the furniture we pick and the paint colors, uh, like the, the core infrastructure of the thing, literal or metaphorical.

Um, I learned that lesson the hard way and she liked to remind the entire dinner table of how bad that was. So I appreciated that. That's one Amy. 

[01:27:13] Nate McKervey: I actually, I'm gonna add on the Burch's question so you can make it one question, two parter. Perfect. And it's going to be what will you regret in the future if you don't try from a business perspective?

[01:27:25] Burch: Yeah, I like it. That's a great, that feels like a separate question. It's, it's themed. We're in the same scene. It's two part. Yeah. 

[01:27:31] Jamie Grant: It's, it's, it's, it's, what did you do that you do regret, and what are you not doing that you will regret if you don't do 

[01:27:36] Burch: Yeah. 

[01:27:37] Jamie Grant: All right, we're gonna do something that we have never done on this podcast and that we honestly may never again do on this podcast.

Um, because when we say we want this to be an environment that is truly non-sales, that's not pushing product that brings people from all sides of the ecosystem, we wanna be really, really careful about that. And just like every rule has some exceptions, uh, and they may be limited, this is one of those. So Nate, I wanna get into a quick demo that shows people what a virtualized API can look like.

So stipulating, as you said earlier, like, you know, regardless of what platform people use, if there's even anybody else doing what y'all are doing. At a bare minimum, I want our audience to be introduced to a virtual API key and put some context to what we talked about. To see the art of the possible. We will do the art of the possible on this podcast.

We will not do sales and distribution and, and product pushing. Um, and so I love what you're doing and where you're going for all the reasons we talked about. But Nate, can you give our audience just a, a few minute demonstration of like, you know, where the caveman met fire and now the technology executive meets the virtualized API key.

What does that actually look like? 

[01:28:58] Nate McKervey: Yeah, absolutely. Um, let's, let's do it. We'll get right into it. So what you're about to see is how simple it is to create a virtual API key. Then we're gonna see one used in action and how you can virtualize any third party API and have one place to consume it. All of third party APIs.

See if you notice the moment when an adversary gets a hold of a key that they shouldn't have and does something inappropriate. This is live 

[01:29:23] Jamie Grant: fire, right? Like, this is not, this is live environment for people. This is real. This is 

[01:29:27] Nate McKervey: live. Yeah. Uh, yeah. So we're gonna make, actually, Jamie, we're gonna make a key for you.

Boom. We just made a virtual key for weather.gov for Jamie. No requirement on weather.gov or any other API to implement anything for us. You can create virtual keys for any API. So I'm gonna go over and grab Jamie's key here and I'm gonna send it to you in this chat, Jamie, so you can run this at home.

I'll run it. Yeah. And actually let's limit this key too. So I'm gonna take Jamie's key and I'm gonna say, you know what? I don't really trust Jamie. 

[01:30:02] Jamie Grant: I 

[01:30:03] Nate McKervey: don't trust Jamie a hundred. 

[01:30:04] Jamie Grant: I trust him one, whatever that unit means. 

[01:30:06] Nate McKervey: Yeah, so, so maybe this API has a cost associate, it's an AI API or something. I don't, I don't, I also don't want Jamie to take down the infrastructure by running too many, but, so we just limited his API key.

I'm gonna go over here, I'm gonna run it and boom, we got the weather. And Nate, real quick, 

[01:30:20] Jamie Grant: if I can, if I can jump in while that script's running, you limited the number of transactions is what you did there. 

[01:30:25] Nate McKervey: I said that this API, this, this particular virtual key, Jamie's, is only allowed to run once per minute.

Got it. And so if, if Jamie were to run it again, we're gonna, it's not gonna work. Yep. So it's that simple to create a key and set limitations on it. And you can set all sorts of these policies like GeoIP restriction and you can provide a, a defense in depth for your API keys and put policies at the key level, not the code level.

[01:30:55] Jamie Grant: Love it. 

[01:30:56] Nate McKervey: And so it worked, and we get full visibility now into every single API request. So here we can see the, um, I ran a request from him in Tallahassee right now, and then, Hey, wait a second. Somebody used Jamie's key in White Plains. I don't even, 

[01:31:14] Jamie Grant: what? I don't know where White Plains is. I'm in Greenville, South Carolina.

[01:31:17] Nate McKervey: Oh. There's somebody else on this call who had a, who, who got access to that, that, uh, key that I dropped. And I feel out, I feel like 

[01:31:25] Jamie Grant: he might have improvised. 

[01:31:27] Nate McKervey: I'm not 

[01:31:27] Jamie Grant: pointing fingers at Burch. Whoa. 

[01:31:32] Nate McKervey: Yeah, and just think about that for a second. If this key wasn't virtualized and they shared it, how would I as the consumer of this API easily be able to see that it was, it's now being it utilized by someone else in some other location.

I might wanna set further restrictions on this so you 

[01:31:47] Jamie Grant: wouldn't, and I want to double click for a second on, uh, for people to understand, but the metaphorical aim, what happened? Is it fair for me to assume that Burch grabbed the key from the chat? Yes, exactly. What happened? Okay, so, so now let's imagine instead of us in a Riverside studio where there's a chat function and there's multiple parties, we actually have multiple applications around my enterprise.

Like I think you just laid a beautiful metaphor in and of itself, whether intentional or not, that somebody else was able to access the chat, copy the key, and then act as if they were me. Yep. And it's happening every day. But, um, now you see that it's happening right now. I have a chance. It, 

[01:32:30] Nate McKervey: it's, and you can take action.

I just rotated the key. I could disable it. If it was a contractor, I could set an expiration. You get control of all of your keys now. 

[01:32:43] Jamie Grant: Man, I'm glad that we got to do this when nobody knew who you were. Like, uh, there's just so many. I mean, the, the number of use cases, um, I've said a lot of times, and I said it kind of unfiltered.

I think it was at one of my first NASCIOs, they were like, what is, what is it like to be the CIO of Florida? I said, it's like being Helen Keller, trying to play quarterback. Like, you can't see anything. You can't hear anybody, you can't talk to anything, and everybody wants you to put points on the board. Um, I hope some of the folks that are, that are catching the episode are, um, take us to the API connections.

Nate, I don't wanna interrupt, but man, I just, I I just wanna point out an action is just, yeah. Like you're about to become. I, I've told you privately, and I'll say it publicly, I think you're a unicorn in the making with what you're doing. Like it is, this is about to be the industry norm. 

[01:33:31] Nate McKervey: It will seem foolish that we ever used real API keys.

'cause that's just exposing yourself to pain. Um, and I just wanna point, you can do this for any, any API. So if we wanted a happy, if you have custom API you can do that. But let's say you wanna get control and visibility of your AI APIs. You simply select the AI API. You want, you go over to the API's vendor's website, just get a key.

And when you put it in, can you show that key? 

[01:34:00] Jamie Grant: Take the visibility off for a second. Yeah. Oh yeah. Real quick because we've got, we've got folks who have not seen an API key before. Uh, thanks. 

[01:34:09] Nate McKervey: Yeah. So, um, this API key. We just exposed our company's Anthropic API key to the world. Like this is kind of dangerous.

This is real. And if I. Don't clean this up. Somebody could do something bad. And so this is what I mean, never use, never share these API keys. 

[01:34:28] Jamie Grant: What was the, uh, I've drawn a blank some Burch. I, I feel like you can tell me who was the guy that put his social security number on? Uh, like the identity protection company?

[01:34:36] Burch: Yeah. He bought, yeah, he bought like, um, he bought like didn't, yeah. Yeah. And then he had the car driving around showing his social security number. Yeah. 

[01:34:45] Jamie Grant: But Nate, to your point, like that's a really important thing for people to understand. Like you just showed an API between Subkeys and Anthropic that if you didn't come in and remediate, somebody could take that and 

[01:34:56] Burch: Right.

[01:34:57] Jamie Grant: They're, 

[01:34:57] Burch: this is Anthropic, but what if we were setting up the one for Salesforce account and now all your customer info Salesforce account, like 

[01:35:04] Jamie Grant: go down payroll. Yeah. 

[01:35:06] Burch: I mean, there's a lot of these systems where 

[01:35:10] Jamie Grant: I think it, it's just for people to understand, like a copy and a paste of an API key lets you charade and, and act as if you are Nate.

Um, or, or whoever. 

[01:35:22] Nate McKervey: Yeah. And check this out. So we, I created a few, a few keys, and let's say I shared a key with Jamie Burch. You logged in and got your key. And we also have an external vendor who want, who we wanna have access to our third party service. In this case, OpenAI, since that in, uh, they all have their own keys.

And since that Anthropic key is now exposed, I am in danger of somebody messing stuff up. Yep. So what would normally happen is I have to go give, create new, virt, new keys, and give them to all these different people. But watch this, I'm simply gonna go over to OpenAI. Uh, let's pretend I delete that one.

I'm gonna create a new key.

This, this is the equivalent of rotating, right? So, so I created a new key from Anthropic, and what I'm gonna do is I'm gonna go update it here. So what I just did is I made it so I updated the exposed underlying key, and I don't have to go give new keys to all of my users, developers, external vendor. This vendor can run the same command they ran a second ago, and it just continues working and we didn't have to go and redo 

[01:36:36] Burch: all that work.

So it's almost like you get the, uh, sometimes the provider has a rotation policy, like every 60 days or whatever, but your company may have a different rotation policy. So having the virtualization also helps you support that. 

[01:36:54] Jamie Grant: Yeah, I mean, I look, one of the things I kind of gave the disclaimer a little bit when, when we were doing something we've never done and don't plan on doing again, like there, there's lots of people with better mousetraps.

You, you've kind of invented a mousetrap, uh, right. Like you've, you've gone from to Nate to your point, like, why would we ever have used physical keys, uh, if we had other options. So anything else you wanna leave us with that, that just would demonstrate? I mean, like, I love the, the tiles in the list of like, Hey, here's, you're kind of showing me Zapier for pub sec, right?

Yeah. Like, how do I manage all of the APIs in my enterprise and, and A, kind of know at least the numerator number of, of APIs and, and where they are. That gets me closer to the denominator. And then B makes it really easy to manage 'em in one place. 

[01:37:40] Nate McKervey: Exactly. That end point is actually pretty important.

It's like now every API out there is like a snowflake. There's a different way to create keys and there's different scopes available and there's different features like rate limiting. But once you virtualize the API keys, you get one place that's consistent to consume the APIs in the same fashion. So you can rotate and restrict and give visibility, send to your favorite logging system without being dependent on what the API provider.

[01:38:07] Jamie Grant: I, I'll go so far as to say this. I think the, the, the people who see this kind of today, um, that are interested are technology executives. I think the people tomorrow, the general counsels of the world and the procurement shops of the world that are writing the RFQs, um, that are looking at the specifications and standards, like if I was still on the inside, I, I can't fathom not requiring a minimum capability that virtualized keys exist so that I know if I'm deploying a third party solution, that they're using virtualized keys in their own infrastructure, and b, that they're delivering me the ability to, to leverage virtualized as well.

Like that that's not a Subkeys-specific thing. Even if the, you know, Subkeys can do it, it's a, it's kind of a minimum standard, uh, that we kind of get to, like not virtualizing keys kind of becomes malpractice pretty quickly to the point that the general counsels and the privacy officers and the procurement shops are like, Hey, how can we account for.

The security, the minimum standards of the respondents, the capabilities to make sure we're getting best value as, as the buyer and, and also accelerating the, uh, the way to move. So man, I appreciate you taking a, I don't wanna cut you off. Is there, is there something else you wanna show? I was gonna 

[01:39:20] Nate McKervey: comment on that, that guy I was gonna pull up.

The, the EU AI, um, Act that's going into effect later this year is going to require that you have some of the ability to prove that certain AI API requests happened or didn't happen. 

[01:39:35] Jamie Grant: Nate, we've gotten along so well and this has been so great and you just did something. I don't think anybody who knows me could possibly fathom happening.

Uh, I gotta give a little applause to the EU on public policy and I didn't know that day would ever come, uh, with some of what they've done on day for privacy. But this is an example of what I would stress. Like I. There's a whole regulatory conversation around what y'all are doing here and, and privacy and security that doesn't require the heavy stick and limitations of access to the marketplace by overbearing regulation.

And instead says, Hey, here's the minimum standards to enter the marketplace. And if you can do that, you know, go forth and conquer. Jokes aside, I I, you know, it's like, I don't know that I'd ever give California or, uh, with GDPR. Like if you look at the data privacy coming outta the EU and data privacy coming out of, uh, California, sometimes it, it seems to be counterproductive.

Uh, but when you start talking about validating those minimum standards and saying like, as long as you can do this, go compete in the marketplace. I, I couldn't applaud that framework more. All right. Well, we have done something, uh, that I never planned on doing on this show. Um, I'm really glad we did it, uh, because I think you just introduced something to this ecosystem.

Uh, that has a significant need to understand what APIs are, where they exist, why they matter, how they're a security risk, and then how they can kind of get their hands around it and, and understand like, look, I can in fact transform the digital services that my constituents are consuming. And increasingly more frustrated with the public sector applications that, that are out there poorly designed and, and just long times to, to complete the transaction while simultaneously accounting for the security.

And so, you know, every now and then, better, faster, and cheaper are possible. And, uh, I I love the way that you just showed that. All right, Nate Burch, um, thank you for coming to see us, uh, spending some time here today, uh, with us at the Ever to Conquer. Um, Nate, before we leave and, and we'll have information in the show notes, but if people wanna get in touch with you or learn more about the work y'all are doing, uh, what's the easiest way to follow up and, and, and contact you?

[01:41:47] Nate McKervey: Yeah, um, you can find out more at subkeys.io. You can email us at contact@subkeys.io. We're also on LinkedIn and X. We have a community Discord. We're, we're friendly. Don't be afraid to reach out. And we're actually, um, opening up signups for free for a, a little while. So if anybody wants to give it a spin, it's totally free to try it out and we will end up, uh, waitlist at some point.

[01:42:11] Jamie Grant: Awesome. So we'll put that information in the show notes, um, and help point folks there. Um, I love what you're doing on kind of the proof of concept model. Um, so I'd love to kind of jam out with you on that. 'cause I think I, I have a feeling there's a lot of people listening to this show that would be really interested in, in running, uh, those experiments to understand the art of the possible.

So. Um, happy to help on that. But folks, uh, do me a favor and just go do some homework on, on, on Nate and Burch and the work they're doing. 'cause it's great work, whether it's the right fit for your organization or not. Um, it is the wave of the future when we think about what APIs do and, and today and, and what they look like tomorrow.

So Nate Burch, thanks a ton and uh, we hope you'll come back and see us again as you, uh, take off like a rocket ship that I, I have no doubt you'll 

[01:42:55] Nate McKervey: thanks a 

[01:42:56] Burch: thanks buddy.