Privileged Access Managment Q&A with OnionID Founder Anirban Banerjee
I first met OnionID CEO Anirban Banerjee when he was head of research and development for a company called Stop The Hacker which exited to CloudFlare. I was very impressed with Anirban’s leadership and technical abilities and became an investor in his company, OnionID, which enables privileged access management for cloud and data center applications.
What are some common misconceptions between authentication and privileged account management?
This is a critical question that needs to be understood. The primary job of an authentication product, typically “single sign on”, is to vouch for the identity of the person and then broker a login into a web application. Privileged access management (PAM) deals with authorization — once you are logged in, what can you do with the login that has just been granted to you.
Think of authentication as whether you can enter a secure building with your ID or not. Authorization with PAM decides where can you go inside the building, who can you meet, how long can you stay in the building and what can you see and hear. PAM products sometimes get categorized as SSO solutions, which is not correct. PAM products may have elements of authentication, but they are specific to focused needs that PAM products need to service. Also, PAM products straddle 3 different worlds: Servers, web apps and APIs where single sign on products typically focus on web apps only for authentication.
How does OnionID help address these issues?
Onion ID is like having the secret service guard the digital crown jewels of your organization. Onion ID’s unique, low friction privileged access management SaaS solution enables customers to layer security without interrupting high speed DevOps. Onion ID achieves this by integrating with existing DevOps tools, seamlessly, and bubbling up visibility and control to Security teams. Onion ID uses an agent-less architecture to layer PAM on SSH, RDP, web connections and modify privileges inline while the application, server or API is being accessed.
When I was Tenable CEO, I ran into many organizations who could not get their SSH access under control and had hard coded passwords, bastion hosts and very rarely rotated keys. What can OnionID do for these organizations?
Onion ID can bring tremendous relief to organizations that are experiencing these issues. Onion ID takes care of generating SSH keys, rotating them, invisibly inserting them in session and making the whole process transparent to the end user. Its important to strike a balance between solving the technical problems and making things really easy for the end user. We think we have a good handle on this with Onion ID. Essentially we can replace multiple layers of legacy bastion hosts and replace them with an elastic, secure, multi-factor authorization enabled and audit ready PAM gateway.
How does Onion ID help to control SaaS access? Can you give some
examples of controlling administrator access to SaaS applications as well?
Onion ID has found that customers are adopting SaaS applications at a furious pace. It stands to reason that privileged accounts are also preset in SaaS banking, HR, expense management, healthcare and many other web applications.
Onion ID can act as the authentication broker for these applications, and can also act hand in hand with existing SSO solutions to broker a login. Once the login is complete Onion ID takes over the session and manages the content being transferred to the browser and implements checks and balances to ensure the right person can interact with the allowed portions on the SaaS app.
Typical examples would be to allow you CPA to access the banking administrative account but not generate wires. Your CFO may be able to generate wires, but only if they use the fingerprint sensor on their mobile device to verify the authorization grant.
How do you work with other vendors in this space such as Okta and OneLogin?
We integrate with SSO vendors like Okta, CA and more. Our customers may use their existing investments to help employees login to apps as usual, and then Onion ID as an additional layer on top to manage what can the employee do inside an application. We also collect logs and integrate at a user and group level with these SSO solutions so that you can control various parameters of the SSO application from within the Onion ID dashboard itself.
What sort of user behavior anomalies or security checks do you provide?
Onion ID focuses on anomaly detection by profiling access rights, server clusters, SSH accounts, keys, logins and much more. Alerts are generated and are customizable for every individual customer from our dashboard. Onion ID profiles and sorts user behavior in normal, elevated and threat buckets. With its builtin step up authorization process we can validate and verify elevated events and bring them down to normal or mark them appropriately as threats and then take more action to cut off access for the account being targeted till the administrator chooses to specify the next steps.
Where can readers go to learn more or test an evaluation?
We encourage readers to please visit our site at www.onionid.com and also learn from the many videos we have about our product here — https://www.youtube.com/c/OnionIDOfficial . Evaluations are also available from our website and we welcome all interested people to talk to us and explain what their needs are so we ca see if we can help with their use cases.
