Securing the Cloud: Why Britive Is Just In Time

Today, I am thrilled to share our most recent investment, in LA-based Britive. The founders — Art, Alex, and Sameer — are seasoned operators and experts in Privileged Access Management (PAM) and are building product at the intersection of two of the most important trends of our time: the migration to, and securing of, cloud infrastructure.

Britive is a part of the broader security movement to zero-trust security (where no user is trusted by default) and one of its core tenants, Just in Time (JIT) access, whereby users are dynamically granted ephemeral access vs. the legacy process of “checking out” and “checking in” credentials. By granting temporary privilege access vs. “always on” credentials, Britive drastically reduces cyber risks associated with over-privileged accounts as well as the time to manage privilege access and the workflows needed to manage this across multi-cloud environments.

What is PAM and Why Is It Important?

To take a step back, PAM centers around two fundamental principles: authentication and authorization. All of us are familiar with authentication whether we know it or not. When you hand your ID to a TSA officer in the airport, you’re going through the authentication process — AKA “are you who you say you are?” If the picture looks like you, and the name matches the name on the ticket, you’re good to go. If not, (un)pack your bags. This same process happens every time we unlock our devices, sign into our email, or access Twitter. Enter a username and password and you are authenticated — you’re in.

Authorization is the next step. Once you’ve confirmed who you are, where are you allowed to go? In the airport, your ticket has information about the departure gate, the class you are traveling in, and your destination. You can’t go through security with a ticket to San Francisco and board a flight heading to Austin.

And as end users, we experience this multiple times every day. When you sign into your email or Twitter, you aren’t able to access someone else’s email or Tweet on their behalf. But what about someone who determines authentication and authorization, like the TSA agent or a system administrator? What processes occur to confirm they are who they say they are and are doing what they are allowed to do?

In the cyber world, privileged users in IT have access to underlying systems, so the core PAM use case is determining who can manipulate the infrastructure that entire applications are built on. The potential damages and losses from hacking a privileged user are magnified vs a regular user, and the attack vector is that much more compelling for would-be hackers. So it shouldn’t come as a surprise that PAM is one of the fastest growing sub-sectors of cybersecurity, growing at a CAGR of 33% (2018–2021) and expected to be worth $3.8B by 2021.

Scaling for the Cloud Makes PAM More Complicated — and More Exciting

Art, Alex and Sameer spent nearly two decades implementing PAM solutions on-prem (including founding and selling their first business to Optiv — they then went on to run Optiv’s identity and access management practice for the last two years.) So they deeply understand the strengths and weaknesses of existing tools.

Specifically, while incumbents were beginning to offer cloud-focused PAM solutions, these products were not built cloud-first but rather were retrofitted to fulfill familiar use cases. But these se cases did not map one-to-one to the cloud despite the fact that misconfigurations occur not just in AWS or Google Cloud, but also in the apps that ride on top. Those apps (and their vulnerabilities) are scaling rapidly with cloud environment expansion — entire companies have emerged around auditing Salesforce security settings alone!

A new world technological approach is required to deliver a product that can scale with the cloud ecosystem by being well-documented, API-driven, and configurable in a dynamic environment in which solutions often translate into expensive shelfware because it doesn’t actually solve the company’s specific problem.

This opportunity prompted Art and team to leave Optiv and found Britive. And as we got to know the Britive team, it became clear they had a unique skill set to build products that would be put into production quickly and scale as cloud environments scale, whether they are starting with one instance on one cloud provider for one type, or an organization that was deployed across AWS, GCP and Oracle with multiple applications running on top.

Fast forward to today: Art and team have a live product, paying global customers and formal go-to-market partnerships with PAM product and implementation leaders. I’m truly excited to work with this team not just because I believe so strongly in this set of leaders but also because this market segment is one of the most interesting I have come across in the last six years as a VC.

PAM is Poised to Explode in Growth

Why? Well, first, PAM is at the top of every CISO/head of cloud’s list of needs. Yet for reasons already mentioned, it is hard to do well and implement in even simple cloud environments let alone a constantly changing hybrid-cloud environment across infrastructure and applications.

Second, this sector has strong analogies to historical budget spend in the on-premises world. It is more clearly positioned for further committed budgets than I almost ever see when I invest. These budgets are well understood by the buyer and scale to high, sustained ACVs quickly.

Third, providing a solution that can be immediately understood and implemented by a developer and the C suite that can scale is critical. Many may say they know how to scale on a slide, but these guys have lived scaling with customers of all sizes in this space for a decade. It is why before taking any venture funding, Britive already served global scale, paying customers across automotive, health care and retail.

For all these reasons and more, I couldn’t be more excited about this investment. The team has exceptional relationships with senior security leadership across the industry. Early customers are clamoring for their product. I’ve rarely seen a business at the seed stage with so much traction in the market. And beyond the market opportunity, Art, Alex, and Sameer are thoughtful, intelligent, and technical founders. When we partner with entrepreneurs at Upfront, we are partnering for the long haul and I had no hesitation entering this relationship with Art and team. Please join me in welcoming them to the Upfront family!