Israeli start-up Authomize has launched the Authomize Platform and announced a US$6 million seed funding round. The Authomize Platform is aimed at helping IT operations teams get control of permission sprawl across the enterprise. The participants in the seed funding include M12 (Microsoft's venture fund), Entrée Capital and Blumberg Capital.
Dotan Bar Noy, Co-founder and CEO at Authomize, said: “We founded Authomize after seeing the chaos organizations experience when it comes to managing the authorization lifecycle.
“Current Identity Governance and Administration (IGA) tools lack the ability to provide the intelligence and automation needed to make informed and efficient decisions. With Authomize, IT and Security teams can make highly informed decisions or choose to automate processes, removing the need to compromise between IT efficiency and impeccable security hygiene.”
What is the issue of permission sprawl?
One of the major challenges for IT administrators is managing access permissions. The longer an employee stays at a business, the more access they are likely to accrue across multiple systems. This happens because, as employees change roles, they keep their existing access permissions to ease the handover, and those permissions are eventually forgotten about. Another cause is blanket permissions based on department or perceived requirements for a specific role.
It is not just employees that have excess permissions. Everything that operates on and runs across a network or machine has an identity and permission to access resources. Many get a default set of permissions to get them working, but these are never reviewed.
The move to collaboration and cloud-based solutions has exacerbated the problem. IT ops teams lack insight into all the cloud-based solutions that are in use. As a result, they do not know what company data is being held in those systems, who has access to it or what access they have. That makes it hard, if not impossible, to control and manage.
All of this plays into the hands of attackers. An attacker who steals the credentials of a user, especially someone in the C-Suite, has access to the most sensitive data a company has.
What is Authomize doing about this?
Authomize claims its platform can automate and resolve permission sprawl for every identity in the enterprise. It begins by taking an identity and enumerating all the permissions it has. These could be access rights to a directory, an application, a device, even an API. Importantly, it is platform-agnostic, so it will look at both on-premise systems and cloud.
Once it has mapped all the permissions, it will make suggestions as to what permissions should be changed or removed. IT administrators can then verify whether that identity requires the permissions it has. If not, it can ensure that they are revoked or downgraded to something more appropriate.
One area where this is likely to have an immediate impact is determining which identities have administrative access in an enterprise. Lazy administrators often give out admin rights to quickly solve access problems. As they never get revoked, they are a significant cybersecurity issue.
Automation to solve the JML flow
The use of automation to speed up processes and reduce errors is on the increase. Authomize is targeting HR departments when it comes to permissions. The process of adding and removing someone from a system can be cumbersome. New joiners can wait days before they have all the relevant permissions to access data for their role. Similarly, when someone leaves, their account is suspended, not deleted, so that all data is accessible. This leaves a lot of orphaned accounts inside enterprises that can be quickly re-enabled by attackers.
Authomize says that automation is a key element in solving the authorisation lifecycle management challenge. It calls out the Joiner-Mover-Leaver (JML) processes as things that would benefit from automation. Importantly, its AI solution is capable of learning over time what accesses are right for a specific role and allocating or removing them automatically.
Enterprise Times: What does this mean?
Anything that can reduce permission sprawl is likely to be welcomed by organisations. It gives IT operations and administration teams an accurate view of what is happening in their environments. It also reduces security risks by helping minimise the access damage that can be caused by credential theft.
The role of Microsoft as an early-stage investor here is also important. Getting a granular and effective view of permissions across any sizeable Active Directory is a non-trivial task. If the Authomize Platform can deliver on its promises, it will find a very lucrative market among large corporate IT teams. Its platform-agnostic approach is also likely to win it much attention from security vendors and service providers.