Tel Aviv-based Token Security has emerged from stealth with $7 million seed funding led by TLV Partners with participation from SNR and angel investors.
The firm’s platform tackles the growing identity problem by reversing the normal emphasis. While many existing solutions concentrate on human identity management, Token claims to be the first ‘machine-first’ approach to identity security.
It suggests, quoting a 2022 report from CyberArk, “The typical enterprise has 45 times more machine identities than human ones, and the number of identities has doubled in the last three years.” Tracking, monitoring, and securing this volume is increasingly difficult, but increasingly necessary since the majority of breaches stem from identity compromises. It is no hyperbole to suggest that most modern attackers do not break in, but log in.
The traditional approach to identity management starts from the human identity, where visibility is good, and control is possible. Today, however, most identities are no longer human identities, and visibility is poor. “In the cloud and gen-AI era,” comments co-founder and CEO Itamar Apelblat, “identities are no longer human only, and they’re not in one place – they are all over the place.”
Apelblat told SecurityWeek, “We are changing the approach. We start by looking at the machine identities and understanding which users can gain access to those identities, and to your databases and your cloud provider – and we trace it back to understand which workloads are using which users. We’ve flipped the entire approach to how we look at identity security.”
The first part is a map of all existing identities. Sensors are placed around the identity repositories used by engineers. “We can spot the moment that an engineer pushes a new environment, or a new account creates a new credential or permission,” he continued. Token does this as it happens without interrupting the engineers’ work.
Token also understands how different identity issues are used by attackers. A single identity can carry eight or more issues, such as lack of use, lack of rotation, or being shared among different users. Being aware of non-human identities and knowing how they are being used allows Token to prioritize and manage the risk associated with those identities in near real time.
This is server-to-server communication, so these identities are not affected by Google’s proposed 90-day certificate lifecycle. Nevertheless, said Token, “Our goal is to get our customers to a place where they can rotate their identity secrets on a similar 90-day basis.”
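As an added illustration of the kind of issue triage described above (this is not Token’s code; the thresholds, field names and sample inventory are assumptions), the following Python script takes a constructed inventory of machine identities, flags lack of use, lack of rotation past the 90-day mark and sharing across principals, and ranks the findings for remediation:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

ROTATION_MAX_DAYS = 90  # the 90-day rotation target quoted in the article
UNUSED_MAX_DAYS = 90    # assumption: idle this long counts as "lack of use"

@dataclass
class MachineIdentity:
    name: str
    created: date               # date the current credential was issued or last rotated
    last_used: Optional[date]   # None means never observed in use
    principals: set[str]        # users/workloads able to use this credential
    entitlements: set[str]      # coarse permission labels (constructed)

def find_issues(ident: MachineIdentity, today: date) -> list[str]:
    """Return the list of issues present on one identity."""
    issues = []
    age = (today - ident.created).days
    if age > ROTATION_MAX_DAYS:
        issues.append(f"not rotated for {age} days")
    if ident.last_used is None:
        issues.append("never used")
    elif (today - ident.last_used).days > UNUSED_MAX_DAYS:
        issues.append(f"unused for {(today - ident.last_used).days} days")
    if len(ident.principals) > 1:
        issues.append(f"shared by {len(ident.principals)} principals")
    return issues

def risk_score(ident: MachineIdentity, issues: list[str]) -> int:
    # One point per issue; doubled when the credential carries admin entitlements.
    return len(issues) * (2 if "admin" in ident.entitlements else 1)

def prioritize(inventory: list[MachineIdentity], today: date) -> list[tuple[int, str, list[str]]]:
    """Score every identity with at least one issue; highest risk first."""
    findings = []
    for ident in inventory:
        issues = find_issues(ident, today)
        if issues:
            findings.append((risk_score(ident, issues), ident.name, issues))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

# Constructed sample inventory and observation date (not real data).
TODAY = date(2024, 2, 14)
INVENTORY = [
    MachineIdentity("ci-deploy-key", date(2023, 1, 10), date(2024, 2, 1), {"alice", "bob", "jenkins"}, {"deploy", "admin"}),
    MachineIdentity("etl-db-reader", date(2024, 1, 15), None, {"airflow"}, {"db:read"}),
    MachineIdentity("backup-svc", date(2024, 1, 20), date(2024, 2, 10), {"backup-worker"}, {"storage:write"}),
]

def sample_report() -> list[tuple[int, str, list[str]]]:
    return prioritize(INVENTORY, TODAY)

if __name__ == "__main__":
    for score, name, issues in sample_report():
        print(score, name, "; ".join(issues))
```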
The system can remediate discovered identity risk automatically, but finds that most customers prefer to do so manually on alert. This manual process is likely to change as the volume of machine identities continues to increase and faith in automation grows. “What we’re doing,” said Apelblat, “is assisting in the process of remediation, and providing the tools to manage the entire lifecycle of the identities.”
Ido Shlomo, Token’s CTO, adds, “Ultimately, there will be a lot of process in the identity lifecycle management that organizations will need to automate simply to handle the pace of new identities and the associated problems with them. Right now, most organizations are still in the basic stage just needing to understand what the identities are, and what issues need to be protected. We provide that information. Then they can move forward and improve their security posture until they have enough trust in the process to be able to automate some of the remediation with a platform such as ours.”
For now, he continued, “We discover, inventory, and standardize data across IAM repositories. We cluster identities, credentials, and entitlements for different teams – Engineering, DevOps, Data engineers, SREs and more. We prioritize the most critical identities and their vulnerabilities and reduce risk using remediation capabilities.”