Oasis Security leaves stealth with $40M to lock down the wild west of non-human identity management
When people hear the term “identity management” in an enterprise context, they typically think of apps that help users authenticate who they are on a network in order to access certain services. In a security context, however, human users are just the tip of the iceberg when it comes to managing access and making sure it doesn’t get breached.
A whole, considerably more complex, universe of machine-based authentications underpin how just about everything IT works with everything else — a universe that is arguably considerably even more vulnerable to hacking simply because of that size and complexity, with some 50 “non-human” identities for every human typically in an organization, and sometimes more. Today, a startup out of Israel called Oasis Security is emerging from stealth with technology that it has built to address this.
It’s coming out of stealth only today but has already raised funding and acquired customers while still under the radar. The fast-casual food chain Chipotle, property firm JLL and Mercury Financial are among its early users.
The funding, meanwhile, speaks to the early enthusiasm from investors. Led by Sequoia (specifically Doug Leone and Bogomil Balkansky); Accel, Cyberstarts, Maple Capital, Guy Podjarny (founder of Snyk) and Michael Fey (co-founder and CEO of enterprise browser startup Island) also participated across two different rounds that are being announced today: a $5 million seed and a $35 million Series A.
Sidenote on the funding: one investor mentioned Oasis to me months ago, describing the jockeying among VCs to back the still-unlaunched Oasis as an “incredible frenzy.”
The crux of what Oasis is tackling is the fact that non-human identity — which covers not just how two apps may interact together by way of an authentication, but also how two machines or any processes might work in tandem in an organization — may have become an amporphous but essential aspect of how modern businesses work today. But because so much of it does not involve people at all, there is a strong lack of visibility around how much of it works, including when it doesn’t work.
Human identity management is already fertile ground for bad actors, who use phishing and many other techniques to catch people off guard, to steal their identities and use them to essentially worm their way into networks. Oasis’ founder and CEO Danny Brickman says that non-human identity is very much the next frontier for those bad actors.
“If we’re just playing the statistics game, if it’s true that identity is the new perimeter when it comes to security, then this is the new risk for organizations,” he said in an interview in London. “If you have 50 times more non-human identities than human ones, that means the attack surface is 50 times larger.” For CISOs, he added, how to handle non-human identities “is top of mind right now.”
To tackle this, Oasis has built a three-part system, which in its most simplest terms can be described as “discover, resolve, automate”.
The first of these builds and tracks a full picture of how a network looks and operates, and creates, essentially, a giant recreation of all the places where machines or any non-human identities interface with each other. It describes this as a visualised map.
It can then use this map to track what data moves around where, and when it appears that something is not working as it should. That might or might not be related to an authentication: it could also relate to how data moves through a system once it’s authenticated. In both cases, Oasis then provides remediation suggestions to respond to anything unusual. As with many remediation solutions, these suggestions can be carried out automatically or triaged by humans.
The third part is the proactive continuing work: an automated refresh of the map and the ongoing observation around it.
Brickman’s track record is as elusive as the threat that his startup is aiming to contain, but the basics of it give some clue as to why investors were willing to give him money before the product even launched, and why the startup is able to sign on users so early on.
He spent more than seven years in the Israeli Defense Forces, where he worked in cybersecurity. There, he tells me he led a team that identified and then fixed a major problem in the military.
What was that problem, and how it was fixed? Brickman wouldn’t say, no matter how many ways I asked him.
Leading a team of engineers, he said, “We worked in a basement. Nobody knew about our project. We didn’t want to lose momentum.” Eventually, they had a breakthrough, and they won an innovation prize awarded by the head of the army for the work. Which no one still knows about, it seems.
It was through that work that Brickman met many other engineers, including Amit Zimmerman, who became his co-collaborator on that secret, award-winning project and is now his co-founder at Oasis, where he is the chief product officer.
There are a number of companies that are now focusing on the challenge of tracking non-human, machine-to-machine authentication and identity management. One of them, another Israeli startup called Silverfort, just last week announced a big funding round of its own. Silverfort is taking a big-picture approach to the problem, including human identity as part of its bigger remit: its premise is that the two continue to be inextricably linked, so one must consider them simultaneously in order to truly secure a system.
This is not something that Oasis wants to look at, for now at least. True to its name, it thinks that there is something salient and distinct and ultimately more lucrative in definitively quantifying and solving the myriad problems in the non-human space first.
“We’re focused on non human identity,” Brickman said. “We want to drive the value from there.”
“Identity is the new perimeter, and non-human identity is the gaping hole in that perimeter,” said Balkansky at Sequoia Capital in a statement. “We are excited to work with the Oasis team to solve one of the biggest challenges in cybersecurity today. The company has come out of the gate very strong and fast, signing up blue chip customers less than a year after it was founded, which is a testament to the latent demand for such a solution and to this team’s capabilities and commitment.”