SGNL snags $30M for a new take on ID security based on zero-standing privileges


Security experts often describe identity as the “new perimeter”: in a world of cloud services where network assets and apps can range far and wide, the biggest vulnerabilities are often leaked and spoofed log-in credentials. 

A startup called SGNL has built a new approach that it believes is better at securing how identities are used to access apps and more — it is based on the emerging concept of zero-standing privilege, where user access is conditional rather than “standing” — and today it’s announcing $30 million on the back of strong growth. 

The funding, a Series A, is being led by Brightmind Partners, a new VC focusing on cybersecurity (it has yet to announce its first fund: that is due to come later this year). Also participating are strategic investors Microsoft (via M12) and Cisco Investments, along with Costanoa, which led SGNL’s seed round in 2022. 

SGNL has now raised $42 million, and while valuation is not being disclosed, the company is definitely growing. It claims to have “multiple” major enterprise customers, including one that has “major media, entertainment, and technology operations” and is using SGNL to streamline access management across its cloud environments. 

The startup does not disclose its customer list but notes that examples of the kinds of breaches that have resulted from holes in identity posture — the kind that would be better plugged by using technology like SGNL’s — include the breaches at MGM ($100M), T-Mobile ($350M), AT&T, Microsoft, and Caesars.

SGNL is the brainchild of Scott Kriz (CEO) and Erik Gustavson (CPO), who had previously co-founded another ID access management company called Bitium. Google acquired that startup in 2017 and there, Kriz said, he and his team were tasked with not only directory services for products like Google Workspace and Google Cloud Platform, but also building and maintaining ID access management for the company itself, specifically how employees at Google were able to access data. 

It was there that Kriz and Gustavson saw a gap in how ID services were being managed across enterprise ID access tools at the time, including their own. 

“Essentially, we realized that there was a missing solution in identity security that was not just unique to Google, but across the industry,” he said. “There was this desire for companies to get to a place where there was no standing access.” 

In a nutshell, Kriz said, ID access requires a level of context: you need passwords, but also access privileges, for each app. “But even in [services] where that was being done — Okta was one, Microsoft was another — they were very good at opening doors. What they weren’t very good at was closing that door.” 

In other words, once one circumstance changed — employment status being the most obvious, but also others like whether a particular job was finished — access was not getting closed off. That, in turn, created potential vulnerabilities for malicious actors to exploit.

Kriz said that a couple of factors have kept security companies from being able to close off that access, until now. The first has been a lack of agreement between vendors for a standard. The breakthrough for that came from another ex-Googler called Atul Tulshibagwale, who was the inventor of CAEP (the continuous access evaluation protocol), which is what underpins SGNL’s platform. CAEP has been adopted by the OpenID Foundation, and Tulshibagwale is now SGNL’s CTO. 

“It’s not proprietary to us, but we are the ones that, you know, originated that, and now it has adoption in Microsoft, in Apple, in Cisco, in the largest companies,” Kriz said. 

The second development, unique to SGNL, is how it has built what Kriz describes as “the rich context” that it uses to build its access management. Essentially, this lets companies set up multiple access policies, plus a number of conditions that must additionally be met, before someone can access a particular app or other data. 

SGNL has created not just the structure for how access can be permitted (or closed off) but also what it describes as the “data fabric”, an identity graph that lets the system work without depending on individual data sources being up to date. Kriz noted that one of its customers had 400,000 employees and 30,000 roles within AWS, and it helped it to reduce that down to six policies (plus multiple conditions connected to them). (As for the AI in its name, it uses AI to build and manage this data fabric.)

There are multiple large companies doing more around zero-standing privilege, including CyberArk and SailPoint, alongside a number of startups, but that isn’t deterring investors. 

“I love the fact that they’ve founded and exited a company, and they’ve spent a decent amount of time at Google. Those things are very important. They understand how large enterprises work,” said Stephen Ward, one of the founders of Brightmind (and himself a former CISO of Home Depot and ex-government security specialist). “It’s not a popular venture thing to say but, with an idea this big, you can create a big moat just from building the platform.”




Lisa Holden