We’re at the beginning of a renaissance in digital identity, but most people don’t know that yet. Early stage startup founders are some of the best people to talk with if you want to find out what’s happening and where the future is headed.
I had the opportunity to speak with Ron Nissim, the co-founder and CEO of Entitle, shortly before the Cloud IGA company emerged from stealth. We covered a wide range of topics during our discussion, including:
Building a Cloud IGA product from the ground up: What the Entitle team has learned from customers and the advantages of building from the ground up in today’s cloud-based world.
How Entitle works: What Entitle does and how the team chose where to start within the massive surface area of Cloud IGA.
Product strategy: The conundrum of starting with provisioning or governance, just-in-time provisioning, and the advantages of being cloud-first.
Convergence of IGA and PAM: Observations about the convergence of use cases between IGA and Privileged Access Management (PAM).
Transitioning from on-premise to cloud: How IGA products can bridge the gap during the transition from on-premise to cloud.
Note: This interview has been lightly edited for clarity.
The journey towards building Entitle
Cole Grolmus: Could you give me some background on Entitle — what you've built up to this point and how you decided to build it? I'm also curious what you believe are the big differentiators versus both the well-established identity products on the markets, and also among the new generation of competitors.
Ron Nissim: Permission management is still one of the biggest risks to organizations, even though IGA solutions have been around for decades. When we asked companies what their biggest problems are, the first thing that we heard from all the security people we spoke with was governance — knowing who has access to what, how do I know who has access, is it still relevant, and so on.
We spoke not only with security professionals but also with IT and DevOps. They also spoke about permission management, but from a different side of, "how do employees get permissions to begin with when someone joins the company?", "how do I know what they what they get when someone changes positions?", "how do I know they should be getting versus what should be taken away?" We realized the whole operational side of things was very, very manual even in the most forward thinking companies.
We identified three types of companies: the big enterprises of the world that had SailPoint or other traditional IGA products for provisioning and governance, very large cloud companies, and smaller cloud companies. Cloud companies almost didn't look at traditional IGA products as a viable alternative. We spoke with a few who ran proof of concepts, figured out that wasn't working for them, and then developed their own internal solution. A lot of big cloud companies developed internal solutions for Cloud IGA — companies that were cloud resource intensive and got to the size where they could hire a 20 person team and develop an access management solution.
Smaller cloud companies are the SaaS companies that we all know and love, but they're smaller in size than very large cloud companies (around 1,000 employees). They haven't reached the size where they wanted to develop their own solution. They were doing very manual processes. When the process is manual, it has a lot of direct challenges for the business with how long it takes people to be efficient and getting access to what they need. For many companies, 30% of tickets to the IT department are access requests, which is a huge burden on both the business and DevOps.
The real interesting part was because processes were manual, downstream security teams had no auditability. When you get your access by calling up your friend and it and saying, "hey, I need access to Salesforce," no one knows how you got access to Salesforce. That's what gave light to a bunch of new identity governance companies and compliance automation tools, which are very focused on the visibility side.
Our "aha" moment was when we realized the real problem was not governance. The real problem is how it's done to begin with, and because it's done in such a manual fashion, governance is very, very hard. We realized if we automate the way that employees get access, a business will be more efficient because employees have access and they're not waiting around. IT teams will be more efficient because they're not processing access requests. And security teams will have auditability because everybody knows who's getting access and what they're getting.
How Entitle works
Cole Grolmus: Could you give an overview of how Entitle works and some of the core aspects of the product?
Ron Nissim: The solution itself has four core aspects. The first part is self-service, which is what we call front end agnostic because you can attach it to whatever employees are used to using — Slack, Teams, ServiceNow, JIRA, whatever.
The second part is the policy engine. We have a no code workflow where security teams can define what that flow would look like in different cases. Based off the risk profile, they can identify who should be signing off on what. A concrete example that's really popular to start with: create a policy for someone who's on call with pager duty. If this person requests access for less than six hours, they get it automatically, even if it's super sensitive because they're probably firefighting. If they're not on call, then they have to go through the approval of the Head of Engineering unless it doesn't include PII. In that case, they could get access just with the approval of their direct manager. The idea is to enable companies to strike the balance between being bureaucratic enough in places that are really sensitive, but enabling people to get what they need and being able to audit that in retrospect.
The third part is API fulfillment. This is a big part of what we bring to the table, as opposed to the traditional IGA products, because we're very much focused on cloud resources. It's a very self-service installation. IGA tools are historically renowned for being bought through consulting agencies and having multi year projects with a ton of professional services hours. One of the huge powers of what we're doing is because everyone uses AWS, everyone uses Salesforce, everyone uses this bulk of 100, 200, or 300 applications, which we've already pre-researched. We come out of the box with what should be the 80% to 90% of what you need. Within a day, you already have Entitle configured to provision to all your different core applications.
The fourth part is governance. Governance is a byproduct of good provisioning. So once we're the ones that are giving and taking away access, then knowing who had access, when they had that access, why they have the access, should it still exist, have they changed roles since, so on and so forth — that's the easy part. The next step is very, very trivial, as opposed to the provisioning aspect.
To give a concrete example, a customer that we're at right now already bought one of our startup competitors. Their GRC team bought them for access reviews. And now they're trying to upsell into provisioning, and it's a completely new sales process. It's a different buyer. They're starting from scratch. We have just as strong of a case as they do — they don't have an edge because they're already installed because it's a completely different business unit. The other way around, this is not the case. If Entitle were installed in a company and provisioning permissions inside that company, then opening a user for the GRC team is really easy. That's why starting from provisioning is the much more interesting case long term.
There's a logical case for why to start from governance instead of provisioning. The biggest case is because Fortune 500 companies need governance. They're very compliance-driven. But when you speak with companies that are more agile, they're much more focused on what best serves security than what ticks the box from a compliance perspective.
Starting with provisioning versus governance
Cole Grolmus: The philosophy about whether to build the product starting with provisioning or governance is interesting. There is a grand experiment going on right now among the early-stage, cloud-first IGA companies.
If you're starting with governance, you're accepting the mess of entitlements that is there in a company's environment. You're almost intentionally, saying: "We're not going to proactively intervene in that mess. We're just going to visualize all of it through our governance tool and then fix the problem through access reviews."
Starting on the on the provisioning side, you're more deeply ingrained operationally and intervening with the problem early in the provisioning process. You're hoping that governance will be easier later on because you've done a better job with the management side of it.
It will be interesting to see which approach ends up being more effective, or even if this set of problems gets solved at all in this round of companies. In some ways, this space seems like one of the existential problems of security that may never be completely fixed. I hope it does, though.
Ron Nissim: You're completely right about this being a grand experiment. There's a lot that's still to be determined. It's on us as vendors to figure out what customers want and what's going to work.
Customers need to have both provisioning and governance. But the question is: what do you do really well, and what do you do just good enough? Compliance is where customers want to be just good enough. They don't need a kick-ass product. They need something good enough to get them through their audit.
From a provisioning perspective, there are real business implications — from people not having permissions in time to people getting stuck without the access they need. That's why we believe provisioning is the more interesting place to focus on.
Cole Grolmus: There are a lot of ways the provisioning side of it can go wrong. You can definitely see the impact when that happens.
What happens in governance is a recertification doesn't get done on time, the scope of it is wrong, or something else isn't quite right about it. Even if you get a control deficiency in an audit, there's usually still time to make the control operational again. There's some margin for error.
If you do something wrong with provisioning, de-provisioning, etc. — even if it's one person — sometimes that person is the wrong person, and you get a call from the CEO. The stakes are definitely higher when you're managing access.
Ron Nissim: That's the hardest part of Entitle. We have to earn our customers' trust. And that is a very big challenge. There are a lot of things, even from a security perspective, that we've done to help enable trust.
We need we need admin privileges to all the systems we manage so that we can edit permissions. Governance tools don't need that. They just need visibility and read-only permissions. That's a harder challenge to solve, but if we solve it, then we'll be number one. That's how we've been looking at it.
Cole Grolmus: From an early stage founder's point of view, provisioning is riskier because there is more to build from an integration standpoint. It's also harder to convince your potential customers to trust you and let your product have the privileges it needs to do its job.
Provisioning is a steeper mountain to climb, but it's also an important barrier to entry. That problem is not unique to you. Anybody else that's entering the market now also has to solve the same challenges.
So, it's really a question of who has the perseverance and the runway and all of the attributes that it takes to climb that metaphorical mountain and make it work. That's probably who's going to win this time.
Customer demand for just-in-time provisioning
Cole Grolmus: IGA has such a massive surface area of problems. Where did you decide to start? Did you make any adjustments based on early feedback from customers?
Ron Nissim: We started with the change management aspects. So, when an employee needs access to something they don't have and put in a ticket. That's a fairly easy place to start, and we took it from there.
What customers took us towards was just-in-time access. What we said is we're automating the way that employees get access and take away that access when it's no longer needed. But what customers heard was: if you're making it really easy for employees to get access, I can now feel comfortable taking away that access. Whereas beforehand I felt uncomfortable taking access because I knew the burden would be very high in getting it back.
Just-in-time access has become almost ubiquitously the first use case with customers. We start with a few core applications and provide temporary access to those sensitive resources. That could be databases, production environments, admin roles in Okta, admin roles in Salesforce, or specific areas which are very sensitive.
Cole Grolmus: It's interesting and surprising to me to hear you say that just-in-time provisioning came up a lot with customers and that you ended up deciding to focus on it from a product perspective.
The reason it's interesting to me is because just-in-time provisioning has been talked about for a long time. I remember presentations from ten years ago with people talking about temporal and just-in-time access. But the secret was that it never worked. It was a better idea on paper than it was in practice.
What about your tech stack, or the tech stack of your customers, that has now made it possible to do just-in-time access?
Ron Nissim: The reason we ended up focusing on just-in-time is, when I put myself in our customers' shoes, a lot of these companies are at the beginning of the process of thinking about their identity and Cloud IGA infrastructure. Or maybe not at the very beginning — the beginning is you buy Okta — but what's the next step?
If you're in the CISO's shoes and decide you need to do Cloud IGA, where do you start? I start with my most sensitive resources. I start with Okta admin, Salesforce admin, super sensitive databases, and critical infrastructure. In all of those places, there often isn't a need for someone to have access to those resources all the time.
I believe that's why, from a priorities perspective, it makes sense for customers to start with just-in-time access — because it's very easy to show quick value. Within a week of using Entitle, there are no constant admins in all the applications that are critical to you. It's powerful to see that kind of success very quickly. Onboarding and off-boarding is important, and it's good to know you have a tool for that. But it's hard to see well-defined success, so that's why I think our customers ended up pulling us in that direction. You want to start with your crown jewels.
What has changed over the last five to 10 years is a couple things. First of all, systems now have APIs which enable configuration from the outside. For CyberArk to manage access to databases, they had to sanitize your query. You put the query into CyberArk, it looked at the query, and then determined you're accessing a table that you shouldn't be accessing. StrongDM and a lot of these other solutions had to be met in the middle from a networking perspective to be able to control what you get access to.
All these solutions now have awesome APIs that enable us to control access from the outside. It's as if there are a lot of faucets and we're the ones opening and closing all the different faucets based off the configuration. You want access to that table? No problem. We'll edit your user. Now you can access that table. You want it for only three hours? After three hours, we'll go in and remove the setting inside that database that enables you to get access to that table.
The second thing I wanted to mention is that authentication to these systems is becoming a solved problem. I don't think it's fully solved. Five years from now, it will be a solved problem, whereas five years back, Teleport didn't exist. A lot of other startups have solved authentication to more complex cloud infrastructures. Before that, the only way you could solve authentication was with a jump server.
Now, a lot of companies have some sort of authentication mechanism for servers, databases, and SaaS applications. SSO is becoming standard, whereas 5-10 years ago, a lot of companies didn't buy SSO. Now, you can't start a company without buying SSO very, very early on.
Once authentication has become a solved problem, then being able to discuss the more fine grained access management inside the applications becomes more interesting. It's now possible to look at problems like, "Who is Cole inside a lot of these different applications?" It's a hard question.
Those are the two things that have changed over the last five or so years that have enabled a more clear focus on permission management.
Building an IGA product for the cloud
Cole Grolmus: I have a follow-up question, and I'm trying to get at something abstract. What you described earlier are factors external to your product — progress in the technology environment that now makes things like just-in-time provisioning possible. Is there anything within Entitle itself that also makes it possible?
The reason I'm asking is because changes to external factors are good for everybody. That's good for SailPoint. That's good for any of your competitors. What is it that's differentiated about the Entitle that lets you win because of these changes in technology?
Ron Nissim: First of all, what's interesting about our company and how we build things, we're a team of security engineers. Everyone in the company is or was a security engineer. So, we've been tackling this from a security-centric approach in a world where traditional IGA is very governance and bureaucracy- driven. Bringing that fresh approach has enabled us to make a lot of interesting decisions and how we should be building the product in terms of recommendations, understanding what's relevant, what's good from security perspective, and what's just adding more bureaucracy and friction to the system.
We've been investing a lot of time researching different applications and understanding how permissions should be provisioned inside every application. A lot of times, companies will come to us and say things like, "We don't know how to manage access in Kubernetes. You tell us what we should be doing." We come with that expertise. We know what should be done and how it should be done.
The second part is because we've researched these applications very well, and on the other side, we know the organizations very well because we're integrated with the HRIS, the identity provider, and all these other systems, we can now recommend what permissions are relevant and irrelevant. I like to draw similarities to what Amazon does when they say people who bought this usually also bought that when you're buying things.
It's very similar from a permissions perspective. How can you cluster together permissions that are often that often come together that are similar from a business or a risk perspective? For example, what does it matter if you have access to the PII database that sits in Ireland on AWS or that sits in Iowa on AWS? It's the same database, so from a risk perspective, it doesn't matter if you're getting access to one or the other.
That's something Entitle can tell you. It will tell you, this is actually the same permission, so you can get access to both of these. It shouldn't be another step. It shouldn't be another process. What that enables is a consolidation between business enablement and security.
Cole Grolmus: It's interesting to hear about the advantages of building a product greenfield versus being an already established company in this space. The way you would manage access to Kubernetes or cloud environments is fundamentally different than how you would manage access to some on-prem Active Directory environments.
The IGA product tends to reflect the environment that it's managing, in some ways. Or, even more abstractly, the philosophy of the people who are doing the management. What's going to end up benefiting new companies like Entitle is that you're starting with a fresh approach to IGA in a new world of cloud infrastructure. That is going to make the product more advanced and kick off some of the cruft that used to be there from the old days of on-prem.
Convergence of IGA and PAM
Ron Nissim: Another topic that I'm really keen to hear your thoughts on as someone that's been in this space for a while: I have a theory that IGA and PAM are converging in the cloud; that PAM in the cloud has become very API-centric, and that vaults are becoming commoditized.
What's essentially been happening to us is that we've been solving a lot of CyberArk use cases. We used to compare ourselves often to SailPoint. I'm starting to realize that people find SailPoint synonymous with governance more than they do with provisioning. And a lot of the provisioning aspect of who has access to different resources is often covered by some sort of jump server, like a temporary access management solution.
A big benefit of being in the cloud is you don't have to be man in the middle from a networking perspective. To give you access to MongoDB, you don't need to connect to us so that we can connect you to MongoDB. We will go to MongoDB, create a connection string, and send it to you. Your connection is done directly to MongoDB. And because everything's logged, we can take the logs and give them to you. We can provide a lot of the things that customers need from PAM, like just-in-time, temporary access management.
Cole Grolmus: The convergence of IGA and PAM is definitely something I see and believe, too. I've felt like they were inevitably going to converge in some way, shape, or form, for a while now.
There were so many reasons it was going to happen, or it will eventually happen. Some of it is operational — a lot of the things that you're saying, and the way that people are engaging with technology, how architecture has changed, and other factors that just necessitate them to be tightly integrated. If you also look at the business end of the industry with large private equity firms buying identity companies, it's going to make sense economically to have some of the IGA and PAM companies under the same umbrella.
The challenge is going to be — at least for established companies with products that were built separately — I don't know if they're ever going to be able to truly integrate the products in a way that really works. That's a really hard challenge to take products that are years, if not decades old, and get them to work well together in an acceptable way that's better than just a light integration. I don't know if that's going to be possible.
Not that it's easy to build a company, either. At least you get to start with a fresh approach from a product perspective and build it in a way where the product is incorporating some of the PAM use cases you and your customers feel are really important and putting them together from the start. It's a more natural and organic integration from a product perspective right from the beginning, instead of having to piece that together later.
Both of those approaches are hard, but I wonder if the companies that had a chance to like start greenfield are going to end up being more effective eventually.
Ron Nissim: Yeah, that's a benefit of starting from scratch and a new technological environment — you don't have to deal with all the legacy stuff. It's not that we're not supporting IBM mainframes. That's just not the place where we're 10x better. You have your proprietary stuff, you have your on-prem stuff, you have that solved because it's a problem that's 30 years old. The new problem is your SaaS, your infrastructure — those are things that are changing rapidly. Those are the new things to your environment. What do you do there?
I met with a Fortune 100 company not too long ago. I really appreciated them because he was super brutal. He said, "Wait, I don't get it. I have SailPoint, CyberArk, and a bunch of internal scripts. What do you what do you replace for me, and what do you sit beside?" My response was, "I'm willing to bet that SailPoint and CyberArk cover your old on-prem corporate applications, but all of your cloud infrastructure stuff, your databases, your SaaS applications you've bought, those are either untouched, or you've developed internal scripts that cover those." He said, "That's exactly right. We've built an internal system that does self-service for these." That's what Entitle replaces and improves. And that's a theme I'm seeing repeat itself.
From a go-to-market perspective, there are two types of companies that like Entitle. One is companies that are "born in the cloud." They don't have to be born in the cloud, but they have to be cloud resource intensive. That's their core business. And then you have really large companies that maybe have SailPoint, maybe they have IBM mainframes. They have all these other traditional applications, but they have a cloud environment that's been untouched. We want to partner with them to be able to solve for that aspect. The hope is that over time, as more and more of their workload moves to the cloud, we will be the natural partner.
Managing permissions during the transition from on-premise to cloud
Cole Grolmus: Supporting cloud versus on-premise is a really interesting conundrum. Especially the latter category of companies who have some on-prem workloads and legacy apps, some cloud apps, and an increasingly growing cloud.
If I were to put myself in the shoes of a Fortune 500 CISO that's in charge of identity, what do I do?! I've already spent all this money to implement SailPoint, CyberArk, or their equivalents, and that's taken care of my on-prem infrastructure and maybe some of my very common cloud infrastructure. But I don't know if they're going to get to my cloud infrastructure from a product perspective. They may not keep pace with where you're starting — with a focus on the cloud. It's going to take them a long time to get those integrations taken care of and adapt the product to be able to have full coverage of both on-premise and cloud applications. That's hard.
From your end, it's also hard because you can come in and help cover my cloud applications, but you're never going to touch my mainframe. So, what do I do? As a CISO, I'm stuck in this hell where I have to have both old and new IGA and PAM products. That's probably just going to be reality for a while.
Ron Nissim: There are two things that need to happen. First, one of the biggest challenges in IGA is that every person in the company has some sort of interface with the IGA tool, which just makes it so much more complicated.
So, in that meantime when larger companies need both a Cloud IGA tool and a traditional IGA tool for on-premise access, we're working on creating a unified front end to the end employee so that they don't feel that they're working with two systems. I put in a request in JIRA or ServiceNow, and that's routed to either Entitle or another tool automatically. That way, users don't have to know, "For this, I go to Entitle, and for that I go somewhere else."
The second part is that, at some point, we'll have to acquire an on-premise product to join the Entitle family.
Cole Grolmus: So the point where you think this conundrum is going to get resolved is convergence from a business perspective, as opposed to established companies building out all the cloud integrations, or in your case, building out mainframe integrations.
Ron Nissim: There's going to be a point where we'll have to do that. It's just that on the mainframe, we don't plan to be 10x better. We want to be good enough. Where we want to be 10x better is in the cloud environment.
Cole Grolmus: That makes sense. For clarity, I know that I'm talking about things that are way down the road and problems that are not anywhere near your near-term vicinity as an early stage founder. This part of the discussion was more about the long-term vision of the market and how it ends up playing out.
Identity is such a hard market because these are legitimately hard problems that we're talking about here. Probably some of the hardest in security. People who don't understand identity look at these problems and say, "Oh, of course you should build an IGA platform that covers mainframes, on-prem, Active Directory, and cloud." That's really hard to do. It would probably take a billion dollars of capital and a decade to build.
I think what we do in this messy middle period is fascinating. That's why I called it a renaissance. I feel like we're getting new ideas and fresh energy back into this problem domain that had waned for a little while. It felt like progress had become stagnant in a way that made you think the current state was as good as we could do. In the last two or three years, there's been this renewal of new people who want to tackle this problem, who are really serious about it, and actually have a chance to do it.
Thank you to Liz Safran and the team at Montner for helping to make this interview possible.