SGNL Secures $30 Million for Innovative Approach to ID Security Using Zero-Standing Privileges

by admin

Experts in security commonly refer to identity as the “new perimeter” in today’s threat landscape. In an era dominated by cloud services where network assets and applications are distributed across vast distances, the most significant vulnerabilities often lie in compromised or spoofed login credentials.

A new startup, SGNL, has devised a novel strategy to enhance the security of identity usage in application access. This approach is rooted in the emerging principle of zero-standing privilege, where user access is conditional rather than permanent. Today, the company announces a $30 million funding round, supported by impressive growth metrics.

This Series A funding round is led by Brightmind Partners, a new venture capital firm specializing in cybersecurity (which has not yet released its inaugural fund, expected later this year). Strategic investors in the round include Microsoft (via M12), Cisco Investments, and Costanoa, which had previously led SGNL’s seed financing in 2022.

SGNL has successfully raised a total of $42 million. While specifics regarding valuation remain undisclosed, the company reports continuing growth and claims to serve “multiple” significant enterprise clients, including a major player in media, entertainment, and technology that utilizes SGNL for enhancing access management across its cloud platforms.

While SGNL does not reveal its full customer base, it highlights instances of breaches stemming from identity management failures. Notable examples include the security incidents involving MGM ($100M), T-Mobile ($350M), AT&T, Microsoft, and Caesars.

SGNL was founded by Scott Kriz (CEO) and Erik Gustavson (CPO), who previously established another ID access management firm called Bitium. Google acquired Bitium in 2017, and at Google, Kriz and his team were responsible for managing directory services for Google Workspace and Google Cloud Platform, as well as ID access management within Google itself.

At Google, Kriz and Gustavson identified a substantial gap in the management of identity services across enterprise tools, including their own solutions.

“We recognized a significant gap in identity security that extended far beyond Google; it was an industry-wide issue,” Kriz remarked. “Companies sought a state where there was no standing access.”

In essence, according to Kriz, identity access needs to be contextual: it requires not only passwords but also specific access privileges for each application. “However, even in platforms where this was addressed — such as Okta and Microsoft — they excelled at granting access but struggled with revoking it effectively.”

This deficiency meant that when situations changed—such as job status or project completion—access often remained open, creating vulnerabilities that could be exploited by malicious actors.

Kriz identified two primary reasons that have hindered security companies from effectively closing access until now. The first obstacle has been a lack of standardization among vendors. A significant breakthrough came from another former Googler, Atul Tulshibagwale, who created the CAEP (Continuous Access Evaluation Protocol), which serves as the foundation for SGNL’s platform. The protocol has been embraced by the OpenID Foundation, and Tulshibagwale is now serving as SGNL’s CTO.

“Though it’s not proprietary to us, we were instrumental in its development, and it is now adopted by leading firms such as Microsoft, Apple, and Cisco,” Kriz stated.

The second unique feature of SGNL lies in its ability to create what Kriz describes as “rich context”, which it leverages for access management. This capability allows organizations to configure multiple access policies and conditions that must be satisfied for individuals to access specific applications or data.

SGNL has established a structure not only for access permissions but also for what it terms the “data fabric”—an identity graph that enables the system to function without relying on the timeliness of individual data sources. Kriz noted that one client, with 400,000 employees and 30,000 roles within AWS, was able to streamline that down to just six primary policies (and associated conditions). The AI referenced in its name facilitates the construction and management of this data fabric.

Numerous large enterprises, including CyberArk and SailPoint, are exploring zero-standing privilege, alongside several emerging startups; however, this is not deterring investor interest.

“I appreciate their history of founding and exiting a company, along with their extensive tenure at Google. These experiences are valuable, as they comprehend the dynamics of large enterprises,” commented Stephen Ward, one of the founders of Brightmind and a former CISO for Home Depot. “It may not be the most conventional venture perspective, but with such a significant concept, building the platform can indeed create a formidable competitive advantage.”

Compiled by Techarena.au.