Announcing Our Investment in Authomize
A data-first approach to solving authorization at scale
What digital resources should someone have access to? This is a problem that companies have had to wrestle with for decades. You want to ensure that employees have access to the information needed to do their job, but you also need to restrict certain sensitive information to the right people. And so, for as long as there have been file systems, there have been tools to help control permissions and access to those file systems — Sheryl should be able to access the quarterly financials, but John shouldn’t.
However, there are a number of factors that have recently made the question of “who has access to what,” often referred to as “authorization,” more complex than ever:
- Permissions can now be assigned to a far greater number of “things.” Employees, roles, groups, machines, service accounts, and services are all entities that can take actions based on a permission set.
- Permissions are far more complex and granular than they ever were before. Are you a reader, an editor, an admin, or something else? What specific fields in the database can you change?
- Most companies now use a huge number of third-party SaaS and PaaS solutions. Each service has its own permission system that needs to be managed separately, yet impacts many other services within the company.
- Environments are far more ephemeral, dynamic, and complex than they ever were before. Services are constantly spun up and spun down in a self-service way by engineers, individuals and teams can onboard new SaaS tools in minutes, and all of these systems interact with each other in very complex ways.
Putting this all together, the complexity of authorization in modern cloud environments is almost unfathomable. Even the simplest questions, such as “Who has access to system X” or “What does Jane have access to,” require immense manual work by security and compliance teams. Yet, addressing such needs is critical. A large percentage of cyber breaches involve abusing privileged credentials — breaking in via a technique like spear phishing, and then sequentially taking advantage of over-privileged access to ultimately reach something valuable. In today’s multi-cloud, multi-app workplace, corporate security and compliance teams need a scalable way to protect and manage system access.
However, in spite of its importance, authorization in cloud-native environments is mostly an unsolved problem. Legacy tools were designed for a highly static, on-prem world, and more recent approaches suffer from a few problems.
Various companies have built point tools that solve authorization for a very particular type of asset: complex SaaS tools like Salesforce, Workday, and NetSuite; cloud infrastructure platforms like Azure, GCP, and AWS; platform-as-a-service tools like Databricks and Snowflake; or the long tail of simpler SaaS tools. While these point solutions have utility, they fail to solve the bigger picture. Many issues in authorization stem from more complex interactions, such as someone having permission to modify something in your CI/CD pipeline, which changes code that manages your AWS environment, which retrieves resources from your Snowflake deployment. More fundamentally, it is untenable for a security team to manage permissions in 10+ different systems — there needs to be a single source of truth on authorization within the company where policies can be consistently applied.
Complicating things even more is the fact that many of these tools lack intelligence. Once you understand the permissions as they are within an organization, the next step is to improve the permission posture over time, answering ongoing system management questions like: Which permissions should be revoked? Which permission groups should be created? Which permissions should be split up? How can we identify anomalous permission usage or access requests? It’s challenging to answer these questions, especially in a way that doesn’t produce excessive false positives or overly restrict employee access. Many other existing tools rely on overly simplistic heuristics such as “Use it or lose it”, which lack nuance and can’t be relied on.
That’s why we are excited to lead Authomize’s Series A round. Authomize is a unified authorization management platform that helps organizations understand, manage, and automate their identities, permissions, and access policies. Their product is built around two core insights. First, if you go through the hard work of defining a universal authorization schema, you can create an authorization graph that spans all systems within a company — SaaS tools, cloud infrastructure, platforms like Snowflake and Databricks, CI/CD tooling, and more — which ultimately allows for complete visibility of an environment. Second, by leveraging complex graph analysis techniques and incorporating machine learning into their system, Authomize is able to do a much more nuanced, fine-grained analysis of the state of permissions, ultimately allowing for much richer discovery, recommendations, workflows, and automations on top of the universal permissions graph.
Authomize helps companies overcome some of the biggest challenges in authorization and security: being a single source of truth to manage multiple interconnected apps, and automating and scaling permissions as companies, clouds and outside app usage grow. These insight-driven advantages have allowed Authomize to build a truly unique product in this market. In one of our first conversations about Authomize, we spoke with a CISO who told us that after asking tens of VCs and countless other CISOs, Authomize was literally the only product on the market he could find that solved his authorization problems.
After just over a year, Authomize is already working with some of the most forward-thinking security organizations out there, and is beloved by those who have adopted it so far, including companies like Fiverr and Sapiens. Dotan, Gal and Ron, the founders of Authomize, have deep context in this space, and have put together one of the most well-assembled leadership teams we have seen for such a young company. We couldn’t be more excited for what they are building, and our hope is that over the next ten years they revolutionize authorization the same way that companies like Okta and Auth0 have changed authentication.