|Last Updated||18 March 2022|
|Part of Research Product||Next Generation Authorization – A Market Overview|
Company Key Facts
|Web – https://www.conductorone.com/; LinkedIn – https://www.linkedin.com/company/conductorone/about/; Twitter – https://twitter.com/conductoroneinc|
|Founders||Alexander Bovee, Paul Querna|
|No. of Employees||~ 15|
|Total Funding||$5 million|
|Locations||Portland, Oregon, USA|
|In Their Own Words||“Automate Your Identity Governance” / “We’re building a user-friendly, cloud-loving orchestration platform that makes granting, reviewing, and removing access and permissions fast, secure, and compliant.”|
ConductorOne has had one publicly acknowledged funding round – a $5 million round in April 2021, led by Accel.
|Announced Date||Transaction Name||Number of Investors||Money Raised||Lead Investors|
|Apr 5, 2021||Seed Round – ConductorOne||4||$5M||Accel|
Further details and reasoning behind the Accel funding are available here.
Technology Key Facts
|Go To Market Message||“ConductorOne Is Automating the Identity and Permission Lifecycle for the Cloud” / “The first-ever platform for orchestrating and automating identity and permission management for the cloud”|
|Solutions||Reduce time to access for employees / Reduction in over-permissioning / Reduce access review time / Automate access removal / Risk based approach to access review|
|Products / Platform||SaaS based Risk Management for Access Request, Approval and Review.|
|Company Size||Region / Sector||Persona||Use Cases / Problem Being Solved|
|Mid market / 200 – 2000 employees||Global / All – but likely those in regulated industry or with internal/external compliance requirements||IT leaders for budget; Governance & security leaders for operational ownership||Migrations from existing manual compliance-led projects. The classic “spreadsheet” audit projects that can be automated and cloudified. Improved identity and entitlement visibility through better data integration.|
ConductorOne came into view in April 2021 after their initial $5 million funding round. They’re entering a mature and, in places, saturated market for identity governance and administration, access certification and access request management.
The growth in IGA and identity audit goes back to the early 2000s, when many US-centric organizations needed to become compliant with the likes of the Sarbanes-Oxley Act – specifically section 404 – under which organizations essentially had to prove they had control of employee access: the complex “who has access to what?” question. This created a need for automated access review – mapping subjects to entitlements – mainly because the initial provisioning and user setup processes were manual and ticket-led, leading to erroneous permission mappings, privilege creep and a movement away from the principle of least privilege (POLP).
Automation in this area seemed inevitable and led to a raft of companies providing on-premise access certification capabilities. Many needed to pull in data from downstream systems along with HR data that attempted to act as the organization’s “single source” of truth as it pertains to employee identity data. Integration effort was large, with many deployments needing custom connectors to pull data into the system, as well as time from business analysts to understand approval workflows and permission mappings. The result was a set of automated access certification workflows that ultimately resulted in line managers approving every user-to-permission relationship – mainly because the process had no context and contained many requests.
Problems Being Solved
ConductorOne is aiming to add value in several parts of the identity compliance puzzle. Firstly, access request approval and certification is no longer just the purview of the large enterprises. Organizations of any size now gain significant benefits from understanding their user to entitlements posture – both from a security perspective and a productivity standpoint.
The “modern” enterprise now faces several challenges that impact the user to entitlement relationship model.
- SaaS services proliferate – organizations no longer leverage entirely home grown or on-premises applications and services
- API first integrations – data held in SaaS systems can be accessed via APIs which provides an automation opportunity for user onboarding and permissions management
- Hybrid Identity – organizations no longer rely on a single source of identity. Data can be held in multiple locations, different identity providers and cloud infrastructure platforms
This distributed and hybrid environment drives new requirements as they pertain to user and entitlement management.
- Do organizations have a single view of user entitlement data?
- Do users have the correct permissions to do their job?
- Do user permissions get removed based on dynamic changes to their status and job role?
- Can permissions be assigned to users based on a task or timed project?
- Can high risk users and entitlements be identified based on usage, peer comparisons or threat?
ConductorOne aims to provide capabilities to help the mid-market organization be more in control of their user-to-entitlement model. The increasing need for a continually secure, contextually aware and zero-trust-focused approach to infrastructure and user security is driving an emerging set of requirements for a more risk-based approach to access approval and review management.
Focusing only on the high-risk exceptions and automating integration and data collection allows security and governance administrators to focus their attention squarely on remediation, access removal and improved security reporting.
ConductorOne are seeking to bring some interesting capabilities to the market:
- Out of the box integration to cloud and SaaS based identity data APIs
- Out of the box template campaigns to accelerate clean up of entitlement data in popular cloud systems
- A risk based approach to entitlement cleanup
- Delegated approach to access review
- Access request management based on tasks and time
The Cyber Hut Comment
ConductorOne is entering a mature market that has a range of existing vendors and solution providers aiming to solve the compliance and access review conundrum. However, as with any set of existing capabilities, improvements can be made and are indeed needed to keep abreast of new requirements as they pertain to the SaaS-first hybrid nature of the modern enterprise.
Their focus on being cloud-first, API-led from an integration perspective and “opinionated” in their out-of-the-box workflow model will appeal to many mid-sized organizations that want to move costly and erroneous manual access review processes to a more automated and outsourced model. Their focus on a risk-based approach is also interesting, as this will help overcome the “tick box” approach to access reviews.