How did we get here?
After our last company, Bitium, was acquired by Google in 2017, my co-founder, Erik Gustavson, and I spent four years learning at one of the largest and most innovative companies in the world. At Google, adhering to legal policy to protect company and customer data was not a stretch goal but rather the barest minimum standard.
The true goal was to protect customer data from being accessed for any reason that did not have a clear benefit for, or was not explicitly granted by, the owner of the data.
In other words, do the right thing.
It seems obvious to say, but actually doing this at large, complex companies is extremely difficult. The accelerated pace of digitalization brought on by the pandemic, ever-increasing privacy expectations from us as consumers, the shift to hybrid working, and the rise of complex, extended workforces have all exacerbated an already daunting challenge.
Doing the “right thing” isn’t just good for customers, it’s mandatory in today’s environment.
Our vision of a better future
Every business today is at heart a data company – its most valuable asset is its data. This has led to an increasing focus on cybersecurity to protect those assets from bad actors. At SGNL, we focus on how data is accessed by internal employees, contractors, and vendors through the access they hold in internal applications and services. Some of the most damaging cybersecurity incidents in recent years have come either from attackers hijacking internal user accounts or directly from an actual insider. These incidents are hard to detect because the actions taken are often within the ambient permissions afforded to the user by their role. We’ve been asking the wrong question about access … it’s not what “can” I do with my permissions but rather what “should” I do?
Until recently, it was not feasible to build a scalable solution to address this problem. We were constrained by database structures and microservices architectures. Additionally, security policies were owned exclusively by IT. In that world, solutions like Role Based Access Control (RBAC) were leveraged for coarse-grained access control. Existing policy frameworks depended on people who understood the nuances of each policy language, and policies were customized for every application, making it impractical to manage fine-grained policies across every application.
SGNL’s platform unifies data from multiple, existing sources of truth. This gives us an understanding of the current state of a business, so that policy can be applied centrally and access granted in real time when the user needs it. This means that, by default, users do not have access to data. We call this model of providing least-privilege access Just-in-Time Access Management.
The power of the SGNL platform becomes clear when assembling a policy expressed in human-readable text. As with most powerful technologies that seem simple, this relies on underlying architecture that is anything but simple. Through decades of work on policy language and architecture, the SGNL team has built a policy engine that allows practitioners to create, review, and simulate policies that are readable and understandable to anyone in the company, and that gives applications fine-grained authorization decisions in milliseconds.
Where do we go from here?
With SGNL, the future of building trust and confidence in systems is bright. It should be a relief to us all that the best companies in the world are acknowledging the importance of keeping our data secure from bad actors, both external and internal to the companies themselves. But it requires commitment and action. Customers should feel empowered to ask for, and demand, this level of data security from the companies that they do business with, personally and professionally.
As our lives continue to become increasingly digital, we have an opportunity to ensure that our data is private and secure. Join us on this journey to embrace our new digital reality with trust and confidence.