SGNL snags $30M for a new take on ID security based on zero-standing privileges


Security experts often describe identity as the “new perimeter”: in a world of cloud services where network assets and apps can range far and wide, the biggest vulnerabilities are often leaked and spoofed log-in credentials. 

A startup called SGNL has built a new approach that it believes is better at securing how identities are used to access apps and more — it is based on the emerging concept of zero-standing privilege, where user access is conditional rather than “standing” — and today it’s announcing $30 million on the back of strong growth. 

The funding, a Series A, is being led by Brightmind Partners, a new VC focusing on cybersecurity (it has yet to announce its first fund: that is due to come later this year). Also participating are strategic investors Microsoft (via M12) and Cisco Investments, along with Costanoa, which led SGNL’s seed round in 2022. 

SGNL has now raised $42 million, and while valuation is not being disclosed, the company is definitely growing. It claims to have “multiple” major enterprise customers, including one that has “major media, entertainment, and technology operations” and is using SGNL to streamline access management across its cloud environments. 

The startup does not disclose its customer list but notes that examples of the kinds of breaches that have resulted from holes in identity posture — the kind that would be better plugged by using technology like SGNL’s — include the breaches at MGM ($100M), T-Mobile ($350M), AT&T, Microsoft, and Caesars.

SGNL is the brainchild of Scott Kriz (CEO) and Erik Gustavson (CPO), who had previously co-founded another ID access management company called Bitium. Google acquired that startup in 2017 and there, Kriz said, he and his team were tasked with not only directory services for products like Google Workspace and Google Cloud Platform, but also building and maintaining ID access management for the company itself, specifically how employees at Google were able to access data. 

It was there that Kriz and Gustavson saw a gap in how ID services were being managed across enterprise ID access tools at the time, including their own. 

“Essentially, we realized that there was a missing solution in identity security that was not just unique to Google, but across the industry,” he said. “There was this desire for companies to get to a place where there was no standing access.” 

In a nutshell, Kriz said, ID access requires a level of context: you need passwords, but also access privileges, for each app. “But even in [services] where that was being done — Okta was one, Microsoft was another — they were very good at opening doors. What they weren’t very good at was closing that door.” 

In other words, once one circumstance changed — employment status being the most obvious, but also others like whether a particular job was finished — access was not getting closed off. That, in turn, created potential vulnerabilities for malicious actors to exploit.

Kriz said that a couple of factors have kept security companies from being able to close off that access, until now. The first has been a lack of agreement between vendors for a standard. The breakthrough for that came from another ex-Googler called Atul Tulshibagwale, who was the inventor of CAEP (the continuous access evaluation protocol), which is what underpins SGNL’s platform. CAEP has been adopted by the OpenID Foundation, and Tulshibagwale is now SGNL’s CTO. 

“It’s not proprietary to us, but, we are the ones that you know originated that, and now it has adoption in Microsoft, in Apple, in Cisco, in the largest companies,” Kriz said. 

The second development, unique to SGNL, is how it has built what Kriz describes as “the rich context” that it uses to build its access management. Essentially, this lets companies set up multiple access policies, plus a number of conditions that must additionally be met, for someone to be able to access a particular app or other data. 

SGNL has created not just the structure for how access can be permitted (or closed off) but also what it describes as the “data fabric”, an identity graph that lets the system work without depending on individual data sources being up to date. Kriz noted that one of its customers had 400,000 employees and 30,000 roles within AWS, and it helped it to reduce that down to six policies (plus multiple conditions connected to them). (As for the AI in its name, it uses AI to build and manage this data fabric.)

There are multiple large companies doing more around zero-standing privilege, including CyberArk and SailPoint, alongside a number of startups; but that isn’t deterring investors. 

“I love the fact that they’ve founded and exited a company, and they’ve spent a decent amount of time at Google. Those things are very important. They understand how large enterprises work,” said Stephen Ward, one of the founders of Brightmind (and himself a former CISO of Home Depot and ex-government security specialist). “It’s not a popular venture thing to say but, with an idea this big, you can create a big moat just from building the platform.”




Lisa Holden