How CloudKnox Is Innovating Identity Authorization Security

Privileged accounts are often over provisioned with more access and capabilities than what is actually needed. CloudKnox's approach looks to help reduce that attack surface.

CloudKnow architecture

Managing identity privileges across multi-cloud environments is not an easy task and is an area that is in need of innovation, according to Balaji Parimi, founder and CEO of CloudKnox Security.

Parimi started CloudKnox in 2016 specifically focused on making it easier to manage identities across hybrid cloud environments in an increasingly fragmented market. The idea for CloudKnox was born out of a real operational problem he had at a previous employer, where he wasn't able to easily figure out all the privileged identities that the organization was using in the cloud. Not having visibility and control over privileged identities, represents a potentially unbounded risk for organizations, as those accounts have broad access and capabilities.

"The biggest risk that we see within any infrastructure are un-managed privileged identities," Parimi told eWEEK. "Privileged accounts have the ability to export data, without ringing the alarm of most the DLP (Data Loss Prevention) tools that out in the market."

CloudKnox has raised $10.8 million funding to date and officially emerged from stealth in October 2018. The company was one of ten finalists at the 2019 RSA Conference Innovation Sandbox event, where is showed off its' platform and what it can do to help organizations limit the risk from privileged accounts.

According to Parimi, many organizations today rely on static Role Based Access Control (RBAC) technology to grant access. The problem with RBAC however is that it can provide more access than what is actually needed.

"The paradigm has to shift from using static roles to a dynamic data driven approach, where we are we are providing 'just enough' privileges," he said. "That requires constantly monitoring and keeping track of which operations are being done, which privileges are being used, which identities are touching the infrastructure and what they are doing."

Additionally, Parimi said that there is also a need for full accounting of all privileged accounts across different workload deployment models including on-premises systems, VMware deployments and public clouds.

How CloudKnox Works

What CloudKnox has done is create an activity based authorization protocol. Parimi explained that each cloud provider today has its own way of implementing authorization, which has led to confusion and policy gaps. The CloudKnox protocol provides a way to normalize all the different authorization approaches.

"We implemented our protocol implementation that can interact with other authorization systems and make decisions properly," Parimi said.

CloudKnox packages its' Sentry software into a Linux virtual machine that customers can then run in whatever environments they are deploying workloads. The CloudKnox Sentry software collects data related to identity and identifies what the different activities the identity is associated with. Data from CloudKnox Sentry is sent to the CloudKnox FortSentry service where the data is processed.

"Our machine learning algorithms in FortSentry create profiles for each and every identity and we compute the risk using our privilege creep index," he said.

Parimi explained that the privilege creep index, identifies how many privileges a given identity has been given and how many it actually uses. He said that it's a way for organizations to understand how many un-used privileges have been granted to various identities. Going a step further, since the CloudKnox system is continuously monitoring identities and access, an organization can know at any time what the risk is from the various privileged identities and are empowered to help reduce the risk. Reducing the risk is about right-sizing the privileges across the identities, which is achieved with the CloudKnox Just Enough Privileges (JEP) Controller. 

"With JEP you can right size the privileges based on what the identities have actually been doing," Parimi said.

Parimi sees differentiation between the innovation that CloudKnox has developed and what traditional Privileged Access Management (PAM) vendors provide. In his view, PAM is geared toward endpoints, like desktops and laptops and isn't necessarily well suited for the cloud. He also emphasized that CloudKnox is an authorization technology and not an access technology. Rather than just granting access, the CloudKnox system authorizes an identity with the required permissions.

"Basically, everybody precisely gets what they need in order to do their day to day jobs without compromising on productivity and trust," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.