Onion ID – Our story, goals and visionAnirban Banerjee
We started Onion ID in early 2015, a little more than a year ago. I had the pleasure of working with some of the most technically astute people that acquired my last company, StopTheHacker, a couple of years back. It was a really wonderful experience. It was time to follow up on a burning itch to solve a problem that I had seen come up again and again and had heard about from many peers – privilege management.
Why Privilege Management and why now?
In the last ten years or so cloud services adoption has shot through the roof. Companies have moved servers from on premise installations to the cloud in droves. This is done for simplicity, ease of use, less day to day management, and economies of scale (for some) and more reasons. A side effect of using cloud services is that employees are now dealing with service providers whose application you as the company do not won or control to any significant degree. Yes, think about this – your employees are using a CRM portal, HR portal, Cost invoicing portal etc. but the business owner has very little control over the applications.
Making sure that the right employee has access to the right level of privileges is important, and it just became harder. This is so because using traditional methods IT and security had more control over in house application – now that employees are interacting with third party solutions they have little control.
Consider the case where your employees are using a cloud based CRM application. If this application does not provide fine grained control over what can an employee see, click on, fill out, download you may be easily running afoul of HIPAA/PCI/SOX and more compliance regulations. Another thing to think about is insider threats and flight risk employees. Are you ready to handle a situation where an employee ready to leave their current position downloads information about unhappy customers and moves to your competitor?
These challenges and more are complicated to resolve in the cloud space. Hence we started Onion ID to provide privilege management not just for cloud applications but also for infrastructure like your servers that send and receive email, power your website and more. Our goal is to create a single pane of glass that provides security, visibility and auditing for cloud application and infrastructure privileges.
Further, the identity and privilege management market is growing at a rapid pace. Nearly every large enterprise has invested or is currently investing in products in this sector. Further, mid market companies and smaller businesses are waking up to the threats from mismanaged privileges, open accounts on cloud services and are jumping on the privilege management bandwagon.
At Onion ID our team is very passionate about security. We love talking about, reading up on and discussing security related topics within the company and with peers. Our goal is to make privilege management for cloud and virtual infrastructure downright easy. We want to make it so where an employee of a company does not feel that their access is being protected by any security system – make security near invisible. We pride our selves on the user experience for the users who interact with our product. We want to make security easy to use and in that vein we provide two factor authentication techniques like Geofencing, Geoproximity, Bluetooth sensing, Yubikeys, Fingerprints and more. Notice the deliberate lack of 6/8 digit codes sent to you via SMS or the need to click on an app on your phone and then enter more numbers on a screen – ridiculous!
When we design our products, we try to think from a customer perspective. What can we do to make the user experience easy for the end client. Onion ID’s goal is to provide near-invisible layers of security on top if your existing password management, SSO, NAC, CASB etc.. solutions.
Our goal is to save time and effort for IT, SecOps and DevOps inside any organization. As of now, 20-60 hours/quarter are spent by these groups helping IT auditors and GRC (Compliance) teams formulate reports and data to make sure the company does not run afoul of regulations. We want to save this enormous amounts of time and effort. We want to make sure that the IT auditors and GRC teams can easily get access to whatever privilege access information is needed to prove controls are in place – without – having to bring core IT, DevOps and SecOps teams into the picture. This saves everyone a lot of time and effort.
Onion ID’s vision is simple: (1) guaranteed 100% compliance by making security simple to adopt inside a company (2) Take the world from Passive Privilege Management to Active Privilege Management.
We are using and will continue to use machine learning to build profiles of employee behavior regarding how an employee interacts with a SaaS app and server. This profile helps us determine the risk score of any action performed by the employee in real time. This in turn enables Onion ID to modify the privileges for any employee as they use an application or server. A major benefit of this approach is that IT admins and security teams do not have to predict the future by guessing what employees need access to. This is not as crazy as it sounds. As a security community we have made the leap from static firewalls to dynamic inline firewalls, the same is the case for malware detection. From static signature based approaches to dynamically exploding binaries, analyzing them in real time. We are taking the world from Passive – your static password, single sign on token, your RSA key, your yubikey to Dynamic – Behavior based privilege management.