March 20, 2023

Why we invested in Aembit

Bringing identity-first security to workloads

By Jake Seid, Co-founder and General Partner

Our very first investment from Ballistic comes out of stealth today.

Aembit became our first investment from Ballistic Ventures when we led their pre-seed round, and today I’m excited to finally be able to talk about them as they come out of stealth, announce their Seed round, and their recognition by Gartner as a Cool Vendor. Mark Hatfield and the Ten Eleven Ventures team led their Seed round and we’re excited to be working with them, too. 

I got to know Aembit founders David Goldschlag and Kevin Sapp back in 2021, before we actually launched Ballistic Ventures. Their prior company was sold to Netskope and was an incredible success in delivering what was eventually marketed as Netskope Private Access. They had a deep understanding of zero-trust and identity-based architectures, which made for an incredible founder-market fit when it came to Aembit. 

Aembit and our thesis around zero authority

A few weeks ago, I wrote about one of our key investment themes: zero authority. That is, the belief that least-privileged access and zero trust are not the purview of one product but instead a fundamental architectural sea-change that will transform every product category. That’s where Aembit comes in. 

Aembit is building a very important enabler of the key market trend around zero trust environments. Forging a new category of Workload Identity and Access Management (IAM), Aembit’s identity platform lets DevOps and security teams discover, manage, enforce and audit least-privileged access between federated workloads. An easy way to think about their solution is as an “Okta for workloads.” 

Enterprises have spent significant resources securing the connections between people and the software they use. However, as businesses move to SaaS and cloud architectures, a new and fast-growing attack surface has emerged. The mesh of workload-to-workload connections (also called service accounts) created when software talks to other software needs to be identified, secured and managed. Aembit is doing just that.

Ultimately, service accounts and workload-to-workload connections are the majority of connections that an enterprise will have to secure, and that’s what creates tremendous opportunity for Aembit. That’s also why we believe Gartner recently named them a “Cool Vendor” in its “Identity-First Security” report.

Why do workloads need IAM?

The need for workload authentication and authorization is particularly acute when a workload has to cross an enterprise’s trusted perimeter (for example, when an on-prem workload needs to talk to cloud services like IaaS, PaaS or SaaS). This use case of applications inside the trusted perimeter talking to applications outside the trusted perimeter has become increasingly common – not only for tech companies, but more broadly for traditional companies in the F1000 that have accelerated their move to adopt these cloud services. 

As F1000 companies accelerate their internal software development efforts and use a variety of different cloud services, they can’t rely on one incumbent IaaS, PaaS or SaaS vendor to solve this workload-to-workload authorization problem. Hence, there is a natural need for an independent third-party vendor to deliver this solution. 

At the same time, large cloud and SaaS platforms require application developers who call their APIs to embed tokens in their apps so those apps can authenticate. This requires significant manual work and creates a “roll your own” approach that results in inconsistent operations and, ultimately, material security vulnerabilities. There’s also the common practice of developers pasting keys directly into code, which makes it very difficult to rotate those credentials; worse, that code is often pushed to broadly accessed repositories like GitHub, exposing the credentials. 

As developers build more connections to SaaS and cloud infrastructure, the result has been an explosion of service accounts. Organizations don’t have the same visibility and controls over service accounts that they have over user accounts. 

Too many companies have seen security breaches from this exact issue.

Given the highly distributed nature of APIs, databases, SaaS services and partner workloads, these are day-to-day challenges that DevOps and DevSecOps leaders know they have, but have not been able to solve.

The Aembit solution

With a cloud-based platform that’s easy for DevOps and security teams to deploy and frictionless for developers to adopt, Aembit solves for the challenges described above.

Aembit’s approach handles all of the significant work and processing of IAM functions, as well as analytics and discovery. This includes the workload directory, discovery and event logs as well as provisioning, access/conditional access policies and decision making. 

Over time, Aembit’s analytics can also learn what is normal and what is unusual behavior and feed that into authentication decisions. That allows the decision to be re-evaluated continuously during the session rather than made only once when the session is established. If the analytics determine that behavior has become suspicious during the session, the platform can deauthorize a workload mid-session (or take another action based on policies set by the administrator). The results are:

  • Secure access between workloads and custom APIs, API gateways, and APIs from third-party SaaS providers
  • Secure access between workloads and databases, data warehouses, and data lakes
  • Secure access between workloads in multi-cloud environments
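To make the "conditional during the session" idea concrete, here is an added illustration of the pattern; it is not Aembit's code and says nothing about how their analytics actually work. It assumes a hypothetical baseline per workload session (a set of permitted targets and a request-rate ceiling) and re-checks that baseline on every request, revoking the session the moment a request falls outside it, instead of deciding once at session start and trusting the session thereafter. The workload names, targets and event log are all constructed sample data.

```python
"""Illustrative mid-session conditional authorization for a workload session.

Added example, not Aembit's code. The baseline policy (allowed targets plus a
per-minute request ceiling) is a hypothetical stand-in for whatever an
analytics engine would learn as "normal" for a given workload.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class WorkloadSession:
    workload_id: str
    allowed_targets: frozenset          # baseline of targets this workload normally calls
    max_requests_per_minute: int        # baseline request rate
    authorized: bool = True
    reason: str = ""
    _recent: deque = field(default_factory=deque, repr=False)  # timestamps in the last 60 s

    def _deauthorize(self, reason: str) -> None:
        # Revoke the whole session, not just the offending request.
        self.authorized = False
        self.reason = reason

    def authorize_request(self, target: str, ts: float) -> bool:
        """Re-evaluate the policy on every call; a deauthorized session stays denied."""
        if not self.authorized:
            return False
        if target not in self.allowed_targets:
            self._deauthorize(f"target {target} outside baseline")
            return False
        # Sliding one-minute window for the rate check.
        self._recent.append(ts)
        while self._recent and ts - self._recent[0] > 60:
            self._recent.popleft()
        if len(self._recent) > self.max_requests_per_minute:
            self._deauthorize("request rate exceeds baseline")
            return False
        return True


# Constructed sample event log: (timestamp in seconds, target the workload is calling).
SAMPLE_EVENTS = [
    (0.0, "api.billing.internal"),
    (5.0, "db.orders.internal"),
    (9.0, "api.billing.internal"),
    (14.0, "db.orders.internal"),
    (20.0, "api.unknown.example"),   # not in the baseline: triggers mid-session revocation
    (25.0, "api.billing.internal"),  # would have been fine, but the session is already revoked
]


def run_demo(events=SAMPLE_EVENTS):
    """Replay the constructed event log and return the per-request decisions."""
    session = WorkloadSession(
        workload_id="orders-service",
        allowed_targets=frozenset({"api.billing.internal", "db.orders.internal"}),
        max_requests_per_minute=5,
    )
    decisions = [session.authorize_request(target, ts) for ts, target in events]
    return decisions, session.reason


if __name__ == "__main__":
    decisions, reason = run_demo()
    for (ts, target), ok in zip(SAMPLE_EVENTS, decisions):
        print(f"t={ts:5.1f}s {target:22s} -> {'allow' if ok else 'deny'}")
    print("session revoked because:", reason)
```

The point of the example is the control flow, not the policy: each request is a fresh decision against the current baseline, so a single anomalous call (or a burst above the expected rate) ends the session immediately, which is the "deauthorize mid-session" behavior the post describes.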

It’s been amazing to work with Aembit since Day 1 and take this next step in their journey with them.