Announcing Our Investment in Scytale

The Okta for everything other than humans

We’re excited to share news of our investment in Scytale, along with Bain Capital Ventures, Bessemer Venture Partners, and TechOperators. Phrases signaling the ineffectiveness of perimeter security have been in circulation for quite some time. I was fortunate to work at Forrester with John Kindervag, who was the early pioneer in reversing the age-old concept of “trust, but verify” with Zero Trust, and spent a number of years advising large enterprises on implementing Zero Trust as their security strategy. Since then, it’s been great to see the continued influence Zero Trust has had on the security community with many vendors aligning themselves with the philosophy.

At the same time, the rapid pace of changing infrastructure and development practices has security and engineering teams struggling to embed consistent Zero Trust principles across their technology environment as it becomes more heterogeneous, ephemeral, and massive in scale. This, in turn, has slowed down many large enterprises’ move to the cloud as hybrid cloud authentication challenges prove too cumbersome and risky. That’s why it’s so exciting to see the Scytale team tackling the thorny foundational problem of service identity management in a cloud-native world.

The Team

Community played a powerful role in connecting us with Scytale. Brandon Philips, CTO of Work-Bench portfolio company CoreOS (which sold to Red Hat in 2018 for $250 million), introduced us to Sunil James in Fall 2017. We quickly learned and were fascinated by Scytale’s ambition to take the production infrastructure best practices from high tech organizations, like Google, Facebook, and Netflix, and enable all organizations to build distributed software in the same way. We knew this team of seasoned engineers hailing from AWS, Duo Security, Google, Okta, and PagerDuty could make this dream a reality and we were eager to join the ride. At the same time, the two open-source projects Scytale helps lead — SPIFFE and SPIRE — started making ripples. That’s because organizations from Pinterest to Uber to Square were encountering the same issues in securing distributed infrastructure, and sought to build upon an identity framework that was quickly becoming a de-facto standard.

The Problem

As enterprises adopt cloud infrastructure and emerging technology like containers and serverless, they quickly find their footprint spread across multiple platform-specific identity providers. Engineering teams are thus tasked with implementing workarounds for identifying and authenticating applications or services, usually at the expense of security or development velocity, or even blocking cloud migration efforts. Existing IAM products don’t make the cut when it comes to securely connecting these new workloads. Consider the problem of authenticating between an application built in the cloud and an on-prem database that supports only Kerberos.

The growth of microservices as a development architecture further complicates things. Innovations like service mesh enable the promise of visibility, reliability, and security in a dynamic multi-cloud world, but not all enterprises are building pure greenfield apps and will typically require integration to their legacy environment. Building with the future in mind is hard when there are so many more urgent priorities to address in the near term. Enterprises are looking for a solution that will both solve for their immediate challenges, as well as create a foundation for true application-centric security, visibility, and reliability controls.

The Product

Scytale Enterprise alleviates today’s pain of uniformly identifying software services within and across an enterprise, allowing customers to easily extend their existing hardened authentication controls to any dynamic platform that they adopt. Built upon the SPIFFE and SPIRE open source identity framework, Scytale delivers unified identity management and access control for hybrid IT environments.

With Scytale Enterprise, customers can:

• Define identities by policies, not by credentials. Instead of insecure methods like hardcoded credentials, SPIFFE and SPIRE provide a secure method and standardized process for mutual service authentication.
• Describe policies using multiple factors. Authentication policies can be robust and include factors such as “can we affirm the integrity of the machine it runs upon?” or “has it been signed by the CI/CD pipeline?”
• Deliver credentials from any identity provider to all platforms. Enterprises are an amalgam of old and new. In order for these services to work together support for technology like Active Directory and Kerberos across these multiple environments is crucial for Fortune 500 buyers.

It was clear from early customer conversations leading up to our investment that service identity is an infrastructure pattern with major security benefits. Aside from being able to set up consistent authentication between services, the promise of Scytale and SPIFFE impacts areas like rate limiting, debug-ability, and cost controls. As we look to future security innovations, we realize better security isn’t more products, but security already built into the infrastructure that engineers use to create and operate.

Zero Trust is predicated on the fundamental pillars of all resources being accessed in a secure manner regardless of location, enforcement of least privileged access control, and inspection and logging of all traffic. Just as Cisco, Palo Alto Networks, and vArmour segment and control the traditional network and Centrify, Microsoft, and Okta provide IAM for users, Scytale is taking the next step of bringing Zero Trust identity management to everything other than humans, which becomes even more important as enterprises strategize their container and microservice journey.

We’re thrilled for this milestone but even more excited for the years ahead working with Sunil and the Scytale team as they continue to scale and build the future.

If you’re interested in learning more, check out:

• Scytale Enterprise, the industry-first service identity management for the cloud-native enterprise.
• Andrew Jessup on Why Cloud and Containers Require a New Approach to Service Authentication
• Press coverage in TechCrunch, The New Stack.