On September 7th, I started my new role as CEO at Cloudentity. I couldn’t be more excited and honored to join this all-star team of deep industry experts on their mission of helping to better deliver and secure the world’s next-generation applications, APIs, and data. I’d like to take a moment to talk about my move, the opportunities I see in the market, and how Cloudentity might just be the key to unlocking tremendous value for customers in the next phase of their digital transformation journey.
Professionally, I’ve had the good fortune to work with many amazing people serving customers across IT, security and application development, cloud engineering and DevOps teams, and in organizations both large and small. I’ve worked in established enterprises like F5 and VMware, and, along with a few dedicated people in a humble office above a teriyaki joint, I co-founded two venture-backed companies from the ground up. Some of the most impressive folks I know are still working for Apple and VMware, acquirers of my last two startups. In every one of these companies, I’m most thankful for the people.
Substantial innovation always starts with people, and the Cloudentity team continually spoke to me through their passion, openness, and skill. But while a great team is a must, it’s not enough – you also need interesting and important problems to solve.
Making Business Flow – The Challenge of Securely Sharing Data in an API First World
As companies look to move more information online, the prevailing pattern for modern cloud-based applications has been centered around providing APIs for data sharing and automation. APIs are fundamentally created to simplify the exchange of information with users, customers, partners and other internal services. Whether you are booking flights, reloading your coffee card, ordering parts on a partner’s catalogue, or choosing whom to share medical records with, you are hitting APIs that control who and under what conditions information can be shared.
Users, applications and partners must be carefully authorized to access this information. But as APIs pass business-sensitive data in ever more connected ways to ever-larger ecosystems, they become more unwieldy to manage and riskier to handle in a piecemeal, disconnected approach. Just this week I spoke with a customer whose organization has thousands of public APIs spread across applications, offering up information of all shapes and sizes to their partners. Governing how this data is shared is a big challenge. Enter privacy…
Managing Trust and User Consent
Managing the security and policies of public API access may seem simple enough, but in reality, it’s rarely done well, even on a single API. Identity and authorization complexity increases exponentially with every additional application, data type, and with the need for policy granularity. Without the requisite controls, your company or a partner may be leaking data through API calls nobody is watching. As a partner, you are now on the hook for storing that information and managing the compliance requirements that come with it – even if you didn’t ask for the data.
Initiatives such as open data and open banking illustrate the emerging requirements around how data sharing can streamline the customer experience. But passing this information between companies must go hand-in-hand with privacy and user consent where customers grant permission to share their data. As a user, I want to control exactly how my information is shared with an organization and any partners within the ecosystem. Managing this information across B2B2C deployments is difficult. Organizations want to reduce user friction by making it easy to pass information on to their partners, but when and under what circumstances should that occur?
As we look to the future, it’s hard to imagine that data privacy and sharing will get easier. These trends make a strong case that we must address the full spectrum of authorization management, enabling an easy and efficient way to meet both fine-grained authorization (FGA) and user consent requirements in concert.
Every Transaction, Authorized
During my early years at F5 Networks, a pioneer in the application load balancing space, we used to have a saying: “SSL everywhere.” We delivered one of the first SSL proxies and hardware-accelerated solutions in our platform, BIG-IP. The challenge question driving us: what if we made running encrypted protocols so fast and cheap that encryption could be enabled by default to secure all communications?
Today, I believe we are facing a similar question around authorization decisions for modern applications.
If we could perform dynamic, per-connection fine-grained authorization at high speed and low cost, isn’t that fundamentally better? What if we could insert more context and intelligence to validate every transaction? The ability to verify every API transaction could go a long way in fighting fraud and certifying the authenticity of our most important application calls.
Gartner predicts that by 2022, API attacks will become the most frequent attack vector, causing data breaches for enterprise web applications. But API security is more than keeping the bad guys out. It’s also about providing the right access to every user, partner and system.
With cybercrime on the rise, adding more intelligence and dynamic authorization at cloud speed and scale is critical as data is shared more broadly. In effect, companies must create and enforce manageable dynamic data sharing agreements that enable the business while protecting the personal data of the customers they serve.
Zero Trust for APIs, Kubernetes and Microservices
I have to admit the string of words in this heading looks like buzzword bingo for everything that’s hot right now in the industry. But as customers adopt modern application patterns, the proliferation of internal APIs just happens naturally. You start with a billing service, then you create an inventory service, a rules service, an onboarding service and so on. In the end, your multi-tenant application is a collection of services talking over private APIs that you believe will never be discovered by the outside world.
But what happens when a partner needs access, or the business wants to roll out a new service that relies on the inventory service, or, God forbid, a developer makes a mistake? Developers built the APIs with perimeter defense in mind. But as partners, IoT, and customers expand, those internal services are pushed outward and the perimeter becomes the data access point: the API itself.
This need for Zero Trust APIs is nicely outlined in this Venturebeat article from Forrester. Indeed, adding Zero Trust for APIs is the only way to address the above scenarios, to enable strong authentication of the requestor, strong authentication of the service, and authorization of every data element being passed.
When applying Zero Trust principles, we need a policy service that validates both user-to-service and service-to-service communication. Micro-segmentation is not just for the network; it’s for your APIs too.
Delivering Value Faster with Any to Any Integration
Cloudentity is on this journey in lockstep with our partners and customers. We want to work with the industry’s best and make it easy to leverage any IDP and plug into whatever API gateway or service mesh controller you use.
Although I’m no stranger to startups, this is the first time I’ve had the opportunity to join a startup and platform that is up and running with impressive capability, scale and maturity. Already, Cloudentity has seen great early momentum and support. We’re eager to learn and hungry to help.
If you are interested in one of the following, I’d love to connect and see if we can help:
- Fine-Grained Authorization and Policy Service Built for Modern Apps
- Privacy Policies + User Consent Management to address Open Banking, Open Data, Ecommerce or partner ecosystems
- API Access Security and Zero Trust
Our goal is to help customers get to market faster, save money and improve their API security, all in one shot.
Thank you to the Cloudentity team, customers and partners for welcoming me to this journey. I look forward to the ride, as we tackle these interesting and important problems together.