Dotan Bar Noy, Authomize: “we need to manage our identity security more diligently than before”
Considering the possibility that one’s identity might be stolen is an unpleasant yet necessary practice. An effective solution to the potential problem would be to mitigate the risk by limiting everyone’s access to the required information necessary for work purposes.
Storing information across devices and platforms has become a chaotic norm. But accessing and sharing this information online with large numbers of people in a secure way remains a significant challenge. Overall prevention from malware & high caliber password encryption is a must, yet there are numerous weak spots that need to be addressed.
Frankly, along with the increasing number of technologies used in workplaces, the matter of cybersecurity isn’t left behind. One of the companies that works on improving the cybersecurity posture is Authomize. Its CEO and Co-Founder, Dotan Bar Noy, will tell us how to manage secure file sharing online.
How did the idea of Authomize come about?
Our Co-Founders have been around security for a long, long time and understood that there was a real need to help organizations manage their identity layer, especially in the cloud.
Having experience of working at companies like Check Point and Palo Alto Networks, they saw the gap in the market that many of these legacy players were not addressing. While some others have brought interesting ideas to the table, they have all been point solutions that answer only part of the question of how to manage access securely.
We knew that we could do it better, so we built it.
So far, the response from investors and paying customers has been fantastic.
Can you tell us a little bit about what do you do? What are the main challenges you help solve?
What we do:
Authomize addresses the challenge of managing access privileges securely across multiple cloud environments (IaaS, SaaS, Data, etc).
We detect and continuously monitor all the organization’s identities, access privileges, assets, and activities, mapping and understanding how those access privileges are being used (or not used as is often the case).
This comprehensive yet granular visibility helps the organization to mitigate their risk by improving their security posture and ability to respond in near real-time.
We help our customers to:
- Achieve and maintain Least Privilege
- Reduce their risk from over-privileged and compromised identities
- Streamline Access Reviews for compliance purposes
- Detect and remediate exposed assets
- Implement a Zero Trust architecture with strong Authorization Security controls
Challenges:
- Managing with the scale and complexity of managing growing numbers of identities and assets across multiple cloud environments (IaaS, SaaS, Data, etc)
- Reduce the threat surface and blast radius from an attack vai Least Privilege
- Detect externally exposed assets (ie. files shared with 3rd parties)
- Securely managing the Joiner, Mover, Leaver (JML) Lifecycle
- Completing Access Reviews for regulatory compliance on time and accurately
You state that identity is the new perimeter. Can you tell us more about this approach?
Identity is the New Perimeter.
In the old days, work happened on the local network. If you were on the network, then you probably were a good guy, and it was safe enough to give you access to resources. As we started to connect more to the internet, we began using firewalls to protect whatever we were storing on our on-prem servers from whatever was out there in the wilds of the web.
Now in the cloud era, everything from our production environments where we build our products to our valuable data (financials, customer data, etc) is all stored and worked with outside of our network. The old protections that we used to use to keep the inner circle of the perimeter safe are no longer effective.
The new perimeter is not about where you are, but who you are. All our cloud assets are accessible with the right identities and credentials. The bad guys know this and are compromising identities to access our assets.
For defenders, this means that we need to manage our identity security more diligently than before, focusing on how we manage the access privileges that allow people to reach our assets.
The best way to do this is to not only ask the question of if you are who you say you are, but what you should be granted access to. And if an identity is compromised, as they so often are, how do we mitigate our risk by limiting everyone’s access to the bare minimum for them to be effective at their jobs.
Essentially, how do we achieve Least Privilege and stay there? Our goal is to help organizations protect themselves not only from breaches but provide additional protections post-breach to limit the damage.
The perimeter isn’t dead. It’s just shifted to focus on identity as the most important layer of security. I’ve shared a fair amount of additional background on it.
Have you noticed any new challenges emerge in your industry during the pandemic?
Yes! 2020 was the year of the great cloud migration. Even if your organization was working in the cloud before the pandemic hit, absolutely everything moved up there when we all became remote by default.
The challenge is that many CISOs who knew that they had a problem with managing their multi-cloud (AWS, Azure, GCP) and cross-cloud (IaaS, SaaS, Data, etc) environments did not know what they had to do to be secure there. We have found that there has been a lot of market education going on here to help bring everyone up to speed.
To my mind, the market felt that they had a couple more years of on-prem grace before they’d have to make the (mostly) full cloud transition. But they are quickly playing catch up, and we’re helping them get there faster.
Since the use of stronger identity verification methods is becoming a common practice, what tactics have come up in an attempt to bypass this safety measure?
Attackers are getting much better at getting around the walls, essentially making bigger ladders as the walls get taller. There are great stories about how they’re doing that. That’s the game, though.
I would say that the issue is less that they’re able to get around better verification, which they are, but more about how they can leverage those compromised identities for valuable attacks because people are not limiting access well enough.
Compromises are going to happen because the more people that are in an organization, the more chances that someone is going to have a password reused or click on a bad link.
In your opinion, which industries fail to recognize the necessity for quality authorization management systems?
I don’t think that there’s an industry that is bad at it, but there are ones that stand out as better.
Cloud-native organizations are generally pretty aware of the need to manage their identities and authorizations. They never built-up technical debt in a legacy network, so it’s also easier for them to start fresh.
I’d add that for regulatory reasons, organizations that fall in the Financial and Health are very aware of this need. Especially the ones whose core business is serving those industries from a tech POV. Think of fintech as a great example.
Why do you think sometimes organizations are not aware of the security risks they are exposed to?
They are aware that they have a risk but are likely unaware of the extent of the issue.
Even if they are using solutions for provisioning access, the apps and cloud services that they’re using are going to allow employees to do their own amount of access granting that the security teams have no insight into.
Because we are looking at the activity of the access privilege usage, Authomize can see what the effective state of access is and give them the visibility that they need to manage it securely.
Do you think each company should invest in a cybersecurity system tailored just for them, or are security measures universal across all sizes and types of organizations?
Every organization is going to need solutions that meet their specific needs, but it is often sufficient to work with solution providers to address their challenges with general use products.
Their needs will also change over time as they grow and alter the way that they work. They need solutions that will grow with them.
When we work with a customer, everyone has the apps and cloud services that they’re using in combination with their identity provider. We make sure to onboard them and provide them the support they need to use Authomize for the use cases and applications that they need.
Would you like to share what’s next for Authomize?
Expect to see Authomize come out with expanded features to help organizations manage their cloud infrastructure security. We are leveraging our observability across all the cloud apps and services to provide a more comprehensive control in the IaaS space.