Tell us about your journey. What led you to the cloud-native security space?
My two co-founders and I spent many years solving security challenges in the on-prem identity and access space. However, we each came to realize a few years ago that the migration of workloads to cloud services posed the greatest risk to organizations. That’s because of the proliferation of identities and permissions cross-cloud that now needed to be managed and secured – something which was foreign to the simpler on-prem world.
Specifically, we saw three tremendous challenges that we committed ourselves to solving. One is the simple need to automate the process of uncovering and managing thousands of permissions across SaaS, IaaS, PaaS and DaaS. Many SecOps, CloudOps, and DevOps teams are trying to do this through spreadsheets, which is time consuming and prone to error. This is compounded by the fact that each cloud service has its own access logic, which without automation, must be painstakingly learned before they can be managed and secured. Britive aims to provide cross-cloud visibility and automated controls for cloud permissions.
Second, we viewed the sprawl of permanent standing cloud permissions as an open invitation to threat actors to exploit identity based vulnerabilities. This has most recently manifested itself in the SolarWinds attack where cloud account credentials were compromised by malicious actors to gain access to sensitive data. Our vision is to help companies enforce the idea of Zero Standing Privileges (ZSP) through Just in Time (JIT) permissioning where permissions are granted for a set period of time and then revoked at the end of the cloud session – thereby minimizing the organization’s attack surface. Indeed, cloud access threats have surpassed those of malware over the last few years.
And third, we saw the need to help DevOps teams build access security into their CI/CD processes without adding additional complexity or management overhead. We based this on the fact that DevOps teams are resource constrained and need to remain laser focused on the development process. And since developers, like cloud admins, have elevated privileges, their accounts are of the highest value to threat actors and in the greatest need of strong security. Enabling self-service JIT permissioning secures DevOps users with minimal overhead.
In addition, DevOps has a need to manage secrets dynamically to better secure non-human identities like APis and access keys. Britive enables DevOps to quickly spin up temporary services by generating JIT secrets on the fly.
How has cloud-native technology stack evolved in the last few years, and what challenges does that present for security pros?
The biggest challenge facing cloud security pros today is that the “Cloud-native technology stack” was neither logically planned nor architected as an integrated whole. It grew organically out of a hodge-podge of security solutions designed to address immediate security needs. So now we are left with a dizzying array of CASBs, PAMs, IAMs, CIEMs, SSPMs etc. to secure cloud services – some of which overlap, some of which are repurposed on-prem solutions imperfectly retrofitted for the cloud, while others leave security gaps between them and adjacent technologies.
And perhaps the biggest challenge is that they often provide limited insight or controls over identities and permissions. Britive is designed as a cloud-built dynamic permissioning platform that adds its unique JIT permissioning and secrets governance capabilities as well as complementary capabilities that span, say, the CEIM and PAM chasm, among others.
Also Read: ITechnology Interview with Rajendra Prasad, Global Automation Lead at Accenture
You specialize in permissioning for cloud-native, multi-cloud environments. Why is this important for companies?
Human and non-human users aren’t limited to operating within a single cloud service, but can cross several, if not dozens, of services from IaaS to SaaS. It has been estimated that the average organization has more than 1,800 cloud services running on their network, with perhaps a dozen that are operation critical (typically the 13+ for which Britive has solutions, including AWS, Salesforce, and Office365, etc. ) Each of these services maintains its own access controls and logic, which must be painstakingly learned before managing and securing them. Britive has done this learning for organizations, providing a unified access model across operation critical cloud services.
How would a company use your platform?
As mentioned in question one, an organization can use Britive in a multitude of ways. Most companies find specific value in our unique JIT permissioning. It is useful in both saving costs by minimizing or eliminating standing privileges and multiple accounts (i.e., an admin who must otherwise maintain both non-privileged and privileged accounts to maintain SoD) and for improving security by minimizing the company’s attack surface through enforcing ZSP.
In addition, Britive can be indispensable in the efficient onboarding and offboarding of employees and contractors by ensuring cloud users have the right level of permissions when they start work, have their privilege continually right-sized while they are employed, and have all their permissions fully and quickly deprovisioned when they leave the organization.
Also Read: ITechnology Interview with Rajendra Prasad, Global Automation Lead at Accenture
Automation has impacted virtually every industry. How is it specifically impacting cloud security?
As mentioned, everything from discovering shadow identities and privileges, to securely onboarding and offboarding cloud users, to enforcing Zero Standing Privileges, to managing, securing and right-sizing permissions are time consuming and prone to error (or virtually impossible) when attempted manually. Automating these processes ensures both better security and reduced effort and cost.
What advice would you have for a budding SecOps professional entering the space today?
Embrace securing cloud identities and privileges as a core responsibility, even if it entails responsibilities traditionally held by CloudOps. Those responsibilities include the provisioning and de-provisioning of users, as well as the new responsibility of enforcing least privilege access and right sizing privileges in the cloud.
In addition, look to embracing conceptually, if not organizationally, the concept of DevSecOps. Now more than ever, security needs to be extended into CI/CD processes, which ideally necessitates a close working relationship between security and cloud development experts.
What breakthroughs in security technology are you excited about? What’s next for the space?
The recognition of behavioral-based threats aimed at cloud account access as the predominant threat vector in the cloud is one of the greatest paradigm shifts in security. Clear visibility and control that tracks all risky actions and misconfigured permissions back to a specific permission set, its associated identity, and ultimately a specific user, is critical. This is true for minimizing the attack surface of organizations, limiting the blast radius of risky users and permissions, and fast and easy post-incident investigation.
Tag the one person in the industry whose answers to these questions you would love to read:
Richard Steinnon, research analyst and author of Security Yearbook 2020
Also Read: ITechnology Interview with Roy Dagan, CEO and Co-Founder at SecuriThings
Thank you, Art! That was fun and we hope to see you back on iTechnologyseries.com soon.
Art Poghosyan is CEO and Co-founder of Britive. Art is an entrepreneur with 20+ years InfoSec experience. Prior to Britive he co-founded leading Identity and Access Management (IAM) consulting company Advancive, acquired by Optiv in 2016. There, he shared the confidence of enterprise execs as they wrangled with protecting growing cloud landscapes.
Britive is a cloud-native security solution built for the most demanding cloud-forward enterprises. Our platform empowers teams across cloud infrastructure, DevOps, and security functions with dynamic and intelligent privileged access administration solution for multi-cloud environments. Using deep API-based integrations, our patent-pending technology orchestrates permissioning for the modern enterprise cloud infrastructure and applications.
The Britive platform helps organizations implement cloud security best practices like just-in-time (JIT) access and zero standing privileges (ZSP) to prevent security breaches and operational disruptions, while increasing efficiency and user productivity. Britive allows for rapid discovery of privileged access blind spots like “overprivileged” users (human or machine IDs) and recommends appropriate adjustments. With continuous scanning and reporting, Britive ensures ongoing oversight and control for cloud applications and platforms.
Our customers include medium to large businesses and Fortune 500 enterprises across healthcare, automotive, retail, media & entertainment, and other industries.
