At some point or another, we have all experienced pains with cloud access. If you are an application engineer, chances are that in the course of your work you found that you required access to some sensitive resource: usually a production datastore such as an S3 bucket that may contain customer data, in order to troubleshoot a customer issue. Or maybe a Kubernetes namespace in a production cluster, to restart a service, scale pods up or down, or simply port-forward traffic from a specific pod. Or maybe a table in a data warehouse like Snowflake or Databricks.
On the other hand, if you are a security engineer, you have faced the reverse problem. How do you know which identities, engineers and service accounts alike, have privileged access to your company’s crown jewels? How do you safely provide access to your application teams, without causing friction? And most importantly, how do you revoke access, when it is no longer necessary?
Having experienced access challenges in our previous jobs, we set out last year to solve these problems. We saw several point solutions in the market that were only solving a small portion of the overall problem. Some solutions provided visibility for human users, some for machine users, some provided just-in-time access for human users, while some helped set birthright access. Almost none of these solutions were designed for a cloud-native environment, and none solved the access security problem holistically, which is what CISOs ultimately want.
Today, as we emerge from stealth, I am proud to announce P0’s general availability. P0 is the first unified offering that helps security practitioners secure cloud access for all identities, without impacting developer productivity. We are also proud to announce a $5M seed investment, led by Lightspeed Venture Partners, with participation from SV Angel and several prominent angel investors. With this seed funding, we'll continue to build and enhance our flagship product.
Out of the box, P0 provides deep visibility into which identities — whether human or machine — have excessive and dangerous permissions to sensitive cloud resources, such as virtual machines, storage buckets, cloud services, or production Kubernetes clusters. Security engineers can use P0’s dashboard to right-size roles and permissions for any identity, and identify attack paths to critical resources.
But monitoring in and of itself is insufficient. The real challenge for security teams is how to drive changes in cloud configurations without causing any friction with developers. This is where P0 truly shines, helping security teams automate access escalations. Engineers can use P0’s Slackbot to request just-in-time, short-lived access to fine-grained cloud resources. This automation has helped reduce average approval times from hours to mere minutes across our customers.
To quote Eugene Yedvabny, Senior Staff Software Engineer, Afresh, “P0 is a game-changer. Previously, to provide engineers safe access to critical resources in Snowflake and Kubernetes, we created a patchwork of static groups and roles, used Azure PIM to provide escalated access, and spent a lot of time managing group membership. We had to choose between access granularity and ease of use. P0 gives us the best of both worlds by scoping permissions exactly to what our users need, when they need it. Unlike most security products, where it is very hard to drive engineer adoption, the ROI on P0 is clear and almost instantaneous.” Needless to say, we are immensely grateful to our early customers like Eugene, who agreed with our vision, and helped us bring our solution to the market.
Let us zoom out for a minute to understand what’s unique about securing access for cloud-native environments, and what’s in the future for P0.
According to CrowdStrike’s 2023 Cloud Risk Report, 47% of critical misconfigurations in the cloud are related to poor identity and entitlement practices. However, most organizations do not start off with a secure-by-design mindset. Many influential security leaders lament that security is, first and foremost, a problem of people and processes. While there is some truth to this statement, the reality is that at big and small companies alike, projects usually (correctly) start with the sole purpose of attaining product-market fit. Speed to market is of the essence, and security takes a back seat. Developers have high levels of access to the cloud, and the typical justification is that they do not need any friction right now.
At some point, once the organization and/or the project matures, security starts getting prioritized. The impetus is usually one of:
- an impending compliance certification like SOC2
- a large enterprise customer that wants more security controls
- (God forbid) a security breach
- a newly empowered security team that is concerned by the lack of visibility and controls
Such initiatives immediately run into challenges. Security teams may not have any visibility into which engineers or service accounts have sensitive levels of access. They may decide to purchase a visibility tool, but then get drowned in alerts without any context around the “risks”. If they try to remove access, engineers usually start complaining. Any process they implement results in a lot of operational overhead, in the form of access tickets.
Companies usually fall into one of two buckets: those where every engineer has excess permissions to sensitive infrastructure, and those where access controls are tightly locked down at the cost of a high amount of operational overhead. Very few companies find the right compromise between these two extremes. The ones that succeed usually have large, sophisticated security teams, a luxury that is not available to 95% of the market.
P0 believes that the future of cloud security will be led by security practitioners, who must secure cloud access over its entire lifecycle in a way that does not impact engineering teams.
If access security sounds like a problem that you have experienced, we would love to help. You can sign up for a free account and get immediate value by running a free assessment of IAM risks in your environment. If you want to use secure access for your engineers, feel free to browse our docs, reach out to us, or join our Slack community. Our vision is that developers and security practitioners should never need to struggle with cloud access – because
Access is our Priority Zero!