I am pleased to announce the appointment of Phil Venables, to Veza’s Board of Directors. With over 35 years of experience in leading security initiatives and large teams at Goldman Sachs and other global technology companies, Phil brings impressive cybersecurity acumen to Veza. His leadership will be invaluable to our team as we tackle a big market opportunity in Identity Security. We’re incredibly grateful for his future guidance as we develop our roadmap in key areas including identity governance, privilege access monitoring, and cloud access management.
Veza, the Identity Security company, is revolutionizing traditional IAM. This is important because enterprise identity access is moving faster than the associated tooling (IGA, PAM, IAM). The enterprise landscape has changed, and organizations are using multi-identity systems (AD, Azure AD, Okta, Ping, IAM, Duo, Auth0, etc.), and systems across cloud and on-premise environments. This includes hundreds of SaaS apps, ranging from Salesforce and Workday to Google Drive, Box, and even source code platforms like GitHub. Every system has its own approach to authorization – controlling who can do what with data. The complexity has pushed tools like SSO, IGA, and PAM beyond their intended design limits, and security teams are left with risky blind spots. Access has never been more complicated–and even modest-sized companies cannot keep up!
The villain here is “Bad Permissions”. These access grants are unnecessarily broad and don’t adhere to the principle of Least Privilege. Each one presents a possible point of entry (and lateral movement) for threat actors. We see that companies have 4 main types of bad permissions:
- Over-privileged: where an identity is granted more access than necessary to do a job.
- Residual: where access should’ve been revoked after a termination, job change, or completion of a temporary task.
- Ungoverned permissions: where local users are created outside the purview of traditional identity tools.
- Policy-violating: where security rules are not being followed due to lack of visibility (e.g. separation of duties, requirement for multi-factor).
Every company accumulates bad permissions every day. And realize it or not, every security team is in a war against these bad permissions.
The reason companies accumulate bad permissions is that they can’t see them. “If you can’t see them, you can’t manage them.” SSO, IGA, and PAM tools do not provide the visibility to answer the simple question of “who can do what with our data?” When we founded Veza three years ago, we spoke to many security and identity leaders, all of whom were concerned about increasing threats from ransomware, insider threats, privilege abuse, and credential theft.
They told us they suffered from a lack of understanding identity access and associated permissions, and even when they used all their disparate tech purchases (SSO, IAM, IGA, PAM, etc.) in concert, still could not piece together the reality of identity access.
A Shared Vision
The greatest insights come from customers, if you’re truly listening. From our early research, we realized that the key to managing access is authorization metadata. Every system (whether SaaS, cloud infrastructure, or custom on-premise apps) has some mechanism for controlling who can access what. In most systems, that metadata can be queried. If someone could make sense of that metadata, and connect the dots across multiple identity platforms like Okta, Ping, and Active Directory (AD), that would unlock the understanding everyone was asking for. In short, the truth of access lives in the systems themselves, not in SSO! Making sense of that very complicated (and voluminous) data is not easy, but this was an idea that would alter the course of Identity Security.
In 2021, we were very fortunate to partner with Karim Faris at Google Ventures who introduced us to Phil Venables. In our first meeting with Phil – a meeting intended to last 30 minutes – we shared our discovery about the power of authorization and the MVP product we had built. The 30 minutes turned into hours as Phil dug deep with our team. As luck would have it, we were kindred spirits, because Phil had recently penned a post about the challenges of productizing authorization data. Metadata is the right foundation, said Phil, for an enterprise-wide identity access governance platform. For us, it was a happy day of validation and encouragement.
In the few years since, Veza has built the foundation of that platform, surpassing 100 integrations and monitoring over 200 million permissions on behalf of customers. With this level of visibility, Veza can solve longstanding security pains. We can watch for privilege violations or residual dormant permissions, left behind when somebody changed jobs. We can watch for new local admins created in a SaaS app, bypassing governance systems… the kind of grants that get CISOs in trouble with auditors. As we like to say, “Veza monitors millions of permissions so you don’t have to!” When Veza finds a mistake, it’s easy to trigger a remediation through ITSM tools like ServiceNow. In short, we’re making it practical to pursue the principle of Least Privilege.
It’s rewarding to reflect on the journey that has taken us from that first meeting with Phil to today’s announcement that Phil is joining our Board. From the very beginning, Veza has found in Phil a seasoned expert and we’re grateful that he’s sharing his wealth of experience and knowledge as we reach beyond IAM to help enterprises secure access to sensitive data across all applications and systems. It’s a happy day. Of course, it’s just the beginning, with lots more to come.
Thanks to the dedication of our team, our investors, and the invaluable feedback from our customers, Veza has demonstrated the power of authorization data as the source of truth to help organizations secure access to data anywhere and everywhere. I look forward to Phil’s contributions and am thrilled to be working alongside him in support of our mission to build the future of Identity Security at Veza.
Learn more in the official announcement.