As part of our latest announcement, Cisco Investments’ Soo Jin Park sits down with Scott Kriz, Co-founder and CEO of SGNL.ai, a Dynamic Access and Authorization platform. SGNL helps companies achieve a Zero Standing Privilege (ZSP) security posture by continuously and contextually evaluating user access and authorizing access only when needed. Learn more about the latest addition to the Cisco Investments’ portfolio.
Soo Jin Park (SP): My name is Soo Jin Park. I'm a Senior Manager with Cisco Investments, responsible for identifying and leading investments in cybersecurity. In the case of Identity security, Cisco owns industry leading solutions such as Duo Security and Oort. But as cyber threats continue to evolve, so do the technologies that protect us.
That has led to an interest by Cisco Investments in new Identity solutions, such as Continuous Authorization Platforms. One of those solutions is SGNL.ai, a recent investment by Cisco Investments. SGNL's platform helps companies achieve Zero Standing Privilege security posture by continuously and contextually evaluating user access and authorizing access only when it's needed. I am joined here today by Scott Kriz, Founder and CEO of SGNL.ai to tell us more about this exciting solution. Welcome Scott. If you wouldn't mind, I would love to jump right into the first question. Maybe you can quickly introduce yourself as well as SGNL.ai.
Scott Kriz (SK): We believe that companies need to take a Zero Standing Access approach across the board. And what that means is, let's say you have access to a resource like AWS, as an example. If someone else obtains access on your behalf, it's very damaging. And we're seeing that the attack vectors through session hijacking and through credential theft are just getting more regular. And they're impossible to stop, especially not at the authentication layer. So, really dealing with this at the authorization layer through continuous access evaluation is where SGNL is focused.
SP: Scott, now that we have a good understanding about what SGNL does, let's talk a little bit about the technology and how you got here. What inspired you to turn your attention to dynamic authorization space? And how did you go from just the idea to where SGNL is now?
SK: Yeah, well, my last company was in the authentication space. So, we did Single Sign-On provisioning and directory sync. And during my time at Google and at Alphabet, I was working on not only authentication challenges, but also internal authorization challenges. And I saw firsthand that companies at scale have this very complex Identity architecture.
And ones that are very challenging to solve at the authorization layer, there was a concept that most organizations want to be very granular about who gets access, when to data. And those are mostly internal user use cases. So, the whole concept of dynamic authorization was really, and SGNL was really inspired by, what we saw first at Google and at Alphabet companies, but later talking to other folks at large companies and asking them what their challenges were.
And it seemed like everyone had a desire to move into this Zero Standing access. However, it was really challenging to get there. So, that was the inspiration behind why we started to do it. That was the kernel of the idea. And then of course, learning more about the use cases as we talked to prospective customers was when the story started to unfold on what needed to be solved and potentially how to solve it.
SP: Given the changes in the modern work environment, Scott, you know, moving beyond the four walls of the office space to more borderless enterprise, can you maybe explain why dynamic authorization is critical now? What specifically are the challenges that SGNL solves? And maybe as you alluded to, you can highlight a few use cases for us.
SK: So, when the world changed and hybrid became more the norm and people were working remotely, I think the expectation was that maybe things were gonna come to a screeching halt because almost overnight, within the matter of a week or two weeks, people had to figure out their access requirements from at home environments. Maybe unexpectedly, there wasn't as much friction as you would have thought.
And I think security folks woke up and looked at that and said, "Well, I guess that's a good thing from an operational side, but from a security perspective, that's really not ideal." And so thinking about how much easier it is in an environment that is distributed to understand the context of people that are doing work or the ability for someone to walk away from a computer and someone else to walk out, not just the perception, but the reality becomes real. And so the risk increases even more than it did prior to that.
So, when you think about that, it's really no different than a lot of the environments that are not just hybrid, but totally remote or in office. The same things exist. You have actors that are already beyond that authentication layer and they can do whatever that person was authenticated to do. So that's where authorization really comes in is to figure out what should people be doing, what can they do? And really trying to get that to a least privileged point.
SP: I also wanted to touch on whether or not you could highlight some use cases for us, please.
SK: The use cases really depend on the company, but we do see commonality. Generally speaking, the higher the user population and the more sensitive the data, that cross section points out a use case that's really high priority. We're finding that these are focused in various areas, but I can highlight probably two or three that we see quite often.
One is access to Amazon Web Services, or any infrastructure for that matter, to make sure that there aren't standing privileges and when someone is actually getting access to that environment, that it goes through that extra step to make sure that they have a business justification or a rationale behind that. And that tends to be across most organizations who have complex cloud infrastructures. We see something similar in applications like Salesforce, where you have high user populations of sales and support that have access to customer data.
So, a use case might look something like customer data needs to be protected in a specific region, like in a country, let's say Germany, that only German citizens can access German citizen data. So, being able to understand that and make that as one of the criteria in many policies to justify access to that data is a very common use case. I'd say there's many others.
The third that I'd say comes up quite often is for DevOps and the ability to integrate into Git repositories like GitHub. And so being able to contribute code and have that go not only through human verification of checking that code in, but looking at an external authorization service, SGNL being that service, that can do really advanced fine-grain, dynamic authorization decision on that contribution. So, those are three that we see quite often, but it really depends again on the higher the user population and the most sensitive data. And we typically start with those use cases for our customers and then expand from there.
SP: That makes a lot of sense, Scott. And you just mentioned, you talked about a few use cases or success stories. Maybe without getting too specific, would you mind just elaborating a little bit about who your typical customers are?
SK: Yeah, so we're kind of surprised that many of these solutions resonate equally well for a 200 person company as they do for a 100,000 person company. They might be slightly different, slightly more complex or less complex, but one example I can give without getting into too much detail is a company with a few hundred folks who are now actually looking at the Zero Standing Privilege posture as a differentiator from their competition. And they're leveraging that to go out to new markets where there's a lot of compliance and being able to actually use that as a revenue generator to open these regions. So, in some cases, you see things where Zero Standing Privilege is just a pure hygiene security thing. And then at the other end, you see this as actually unlocking the ability to generate more revenue or to retain revenue that you already have with new compliance coming up.
SP: And I caught that earlier this year, Scott, you announced that SGNL would be offering the first free Continuous Access Evaluation Protocol or CAEP transmitter. Can you maybe tell us a little bit about why offering this CAEP is so crucial to Zero Trust Security?
SK: There's been many attempts in the past to figure out how to have Continuous Access actually work. And what that means is if there's a break in the chain, so to speak, enabling someone to transmit out a signal to other providers to let them know that something is not correct. And this gets into being able to kill sessions, as an example.
Our CTO actually was the inventor of CAEP. And it progressed from being Continuous Access Evaluation Protocol to Continuous Evaluation Profile, but it's still the same concept. And what we believe strongly is that without an open standard that's open source and people can contribute to, it becomes very hard for this to be a better for everyone scenario. So, only through getting the largest companies to adopt standards, and we had seen this happen in authentication with JWT and SAML, but having a mechanism to do that in a continuous way for authorization, we believe is important. And we know that we're going to be part of solving the Zero Standing Privilege problem. We're not going to be the only one, but we do believe that it's a better together scenario.
So, the more that folks in industry can get around a standard, the better it will be for the landscape. And that's why we really set up the transmitter to enable people to build receivers and be able to interact with something that's actually functional rather than having to stand up their own facility to do that.
SP: Scott, Cisco Investments is super excited to be part of this latest funding round with SGNL.ai, where you guys raised an additional $10 million. Let's talk a little bit about how our solutions can potentially work together. And your perspective, how do you think SGNL and Duo complement each other and where do Authentication and Dynamic Authorization meet to better secure the modern enterprise?
SK: And, you Duo being one of the leaders in authentication and multi-factor authentication. This is something that, you know, we still do find enterprises that have not adopted a Cloud IAM solution. However, most one, at scale enterprises have. And when we think about how that works with the Duo solution as a strong IDP, and I'm starting to actually cross that authorization barrier. You can think of when you provision in Single Sign-On into a SAML application, it can actually have a role associated with it. And so that's actually evidence that there's a crossing of the authentication and authorization barrier, because you're not just authenticating someone, you're now authorizing them.
There's a very powerful thing to do, to say if someone is an administrator versus a user in any type of solution. The next steps really get into more details around the authorization pieces. So not just the role, but the role being leveraged as a piece of a policy that can then go even deeper into authorizing. So, for example, maybe you only want folks who are working on a specific project to see certain files. That would be an example of getting a little bit more granular. And so being able to stack up these complicated policies from an authorization side and combining that with the authentication piece makes a lot of sense as a complete solution.
Also with CAEP being leveraged as a standard, having an authorization provider being able to talk to the Identity provider and tell Duo, "Hey, something, something's going on here," whether it's a device compromise or an authorization behavior that was anomalous and not expected, and then letting them go back through that authentication flow. So that's just a really super high level highlight of the first steps that I see with how authentication and authorization providers can work together. Well, and so, and it gets more complex from there, but you can see how that, you know, starting with that role and getting into the more detailed context of a request.
SP: Yeah, I can definitely see that. Well explained, Scott. And final question for you, what is next for SGNL? What are your future plans and where do you see SGNL going from here onwards?
SK: Our mission is really to create a Zero Standing Privilege Identity industry across the board. I don't want to be so bold as to say we will solve that problem alone. I think this is a problem that takes many different vendors to get behind, but that is really the mission that we're after to solve. And so whether that's through partnerships and leveraging CAEP, or extending our platform in many other surfaces, so applications, microservices, different layers of protection.
That is our sole mission. We think that this is a very ambitious goal and we hope to achieve it with partners in the industry, including working closely with Duo as an Identity provider. So, that's what we're looking forward to.