Widespread cloud adoption has created a new security challenge for enterprises. The cloud environment that underpins speed, efficiency, and flexibility from an infrastructure perspective is also fragmented, complex, and opaque from a security standpoint. Machine identities outnumber human identities by approximately 20 to 1; external firewalls have become powerless as identity has become the new corporate security perimeter; and the rise of DevOps and the “shift-left” movement in security have blurred the definition of a privileged user.
In this context, identity holds the keys to accessing sensitive corporate resources in IaaS/PaaS environments such as AWS, Microsoft Azure, and Google Cloud Platform, and has become the biggest attack vector. JP Morgan’s recent CIO Survey found that identity and access management is now seen as the biggest security priority for enterprises. A recent survey of CISOs in the US found that 79% had experienced a cloud data breach in the last 18 months, and three of their top five challenges related to access policies in the cloud. One of the biggest cybersecurity breaches in recent years, the Capital One incident, was primarily the result of mismanaged permissions.
CISOs we have spoken with cite the management of access privileges as a major pain point: their existing Privileged Access Management (PAM) tools have limited use in the public cloud, prompting them to rely on infrequent manual audits to map and control access permissions. Several CISOs estimate that the number of permissions they currently grant can be 10x greater than ideal, as they lack any real-time granular information on individual user needs and activity.
It is therefore clear that existing tools and processes do not fully meet the security demands of complex cloud environments that feature hundreds of identities, roles, and access policies – all of which need to be continuously monitored and managed. The volume and complexity of authorizations that must be granted have grown rapidly in the cloud, but the tools to help enterprises manage these securely have not kept pace.
Into this space is stepping Ermetic, a Tel-Aviv based company founded only last year, but which has already shown the potential to become an important player in cloud security, with an innovative approach for managing identities and authorizations in IaaS/PaaS environments. Its product surfaces rich permission graphs that map both individual identities and specific resources – allowing security and engineering leaders to observe, for example, every identity that has access to a sensitive storage service such as an AWS S3 bucket, or the full scope of resources a particular user has access to. This directly addresses the lack of visibility and context that has made permissions so difficult to manage in the public cloud.
In addition, Ermetic allows its customers to analyze and model authorization policies, using access and activity patterns to eliminate excessive privileges. These capabilities equip enterprises to enforce the least-privilege principle (granting access only to the information and resources that are actually needed), creating a more easily auditable environment and in turn shrinking the attack surface. They allow Ermetic to provide a solution for multi-cloud environments that neither the built-in security tools of the major IaaS/PaaS vendors nor legacy PAM providers, with their roots in the on-premises world, can match.
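To make the two ideas in the preceding paragraphs concrete (a permission graph that answers "who can reach this bucket?", and an activity-based comparison that surfaces granted-but-unused privileges), here is a small added illustration. It is not Ermetic's code and not a faithful model of AWS IAM: the policy statements, identities, ARNs and the activity log are all constructed, and the evaluator deliberately ignores Deny statements, conditions, resource policies and role-assumption chains.

```python
"""Toy permission graph and least-privilege gap analysis (constructed example)."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed, simplified policy statements: (identity, actions, resources).
# Real IAM policies also carry Effect/Condition and resource-side policies; omitted here.
POLICIES = [
    ("user:alice",       ["s3:GetObject", "s3:PutObject"],    ["arn:aws:s3:::payroll-data/*"]),
    ("user:bob",         ["s3:*"],                            ["arn:aws:s3:::*"]),
    ("role:ci-deployer", ["s3:GetObject"],                    ["arn:aws:s3:::build-artifacts/*"]),
    ("role:ci-deployer", ["ec2:DescribeInstances"],           ["*"]),
    ("user:carol",       ["s3:GetObject", "s3:DeleteObject"], ["arn:aws:s3:::payroll-data/*"]),
]

# The universe of concrete actions used to expand wildcards such as "s3:*" (constructed subset).
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "ec2:DescribeInstances",
]

# Constructed activity log, e.g. distilled from CloudTrail over a review window:
# (identity, action, resource) tuples that were actually observed.
ACTIVITY = [
    ("user:alice",       "s3:GetObject",          "arn:aws:s3:::payroll-data/2024/q1.csv"),
    ("user:bob",         "s3:GetObject",          "arn:aws:s3:::build-artifacts/app.tar.gz"),
    ("role:ci-deployer", "s3:GetObject",          "arn:aws:s3:::build-artifacts/app.tar.gz"),
    ("role:ci-deployer", "ec2:DescribeInstances", "*"),
    ("user:carol",       "s3:GetObject",          "arn:aws:s3:::payroll-data/2024/q1.csv"),
]


def matches(pattern, value):
    """IAM-style '*' wildcard match (case-sensitive, simplified)."""
    return fnmatchcase(value, pattern)


def build_graph(policies):
    """Permission graph: identity -> list of (action_pattern, resource_pattern) edges."""
    graph = defaultdict(list)
    for identity, actions, resources in policies:
        for action in actions:
            for resource in resources:
                graph[identity].append((action, resource))
    return graph


def allows(graph, identity, action, resource):
    """True if any edge of `identity` covers the concrete action on the concrete resource."""
    return any(matches(a, action) and matches(r, resource) for a, r in graph.get(identity, []))


def who_can(graph, action, resource):
    """Reverse query: every identity whose policy grants `action` on `resource`."""
    return sorted(i for i in graph if allows(graph, i, action, resource))


def excess_privileges(graph, activity, known_actions):
    """Per identity, the concrete actions that are granted but never seen in `activity`."""
    used = defaultdict(set)
    for identity, action, _resource in activity:
        used[identity].add(action)
    excess = {}
    for identity, edges in graph.items():
        granted = {act for act in known_actions if any(matches(a, act) for a, _ in edges)}
        unused = granted - used[identity]
        if unused:
            excess[identity] = sorted(unused)
    return excess


if __name__ == "__main__":
    graph = build_graph(POLICIES)
    target = "arn:aws:s3:::payroll-data/2024/q1.csv"
    print("Can read payroll object:", who_can(graph, "s3:GetObject", target))
    print("Can delete payroll objects:", who_can(graph, "s3:DeleteObject", target))
    for identity, unused in excess_privileges(graph, ACTIVITY, KNOWN_ACTIONS).items():
        print(f"{identity}: granted but unused -> {unused}")
```

The reverse query is what turns a pile of policies into the "every identity that can reach this bucket" view; the excess report is the starting point for tightening a policy to what the activity log shows is actually used. A real implementation must also evaluate explicit denies, conditions, bucket policies and role chains, and should treat a short activity window with care, since rarely used but legitimate permissions (for example quarterly jobs) would otherwise be flagged as excess.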
Ermetic is an early mover into what we expect to become a thriving “cloud-native PAM” category, building on Accel’s track record of partnering with identity security leaders such as 1Password, BetterCloud, Callsign, Centrify, and ForgeRock. Its Series A has come at a relatively young stage of the company, which reflects both the scale of the opportunity and the proven quality of its management team.
We’re thrilled to be partnering with Shai, former co-founder of endpoint detection and response startup Secdo; Arick, former co-founder of incident response business Sygnia; as well as Michael and Sivan, whom we’ve had the pleasure of working with already at Accel-backed Aorato, an early leader in active directory security. Their previous companies were acquired by enterprises such as Microsoft, Palo Alto Networks, and Temasek.
Together, they make up a founding team with strong commercial and technical experience, whom we’ve had a real pleasure getting to know closely over the past few months. That, along with Ermetic’s relevance to enterprises that face complex cloud security demands, makes us excited about solving one of the most complex identity puzzles in the cloud together.