Aembit raises $16.6M to bring identity management to workloads
Aembit, a Maryland-based security startup focused on helping DevOps and security teams manage how federated workloads communicate with each other, is officially launching its service today and announcing a $16.6 million seed funding round from Ballistic Ventures and Ten Eleven Ventures.
Essentially, Aembit’s workload identity and access management service applies industry knowledge from user and device access management to cloud workloads such as APIs, databases and other cloud resources, all without developers having to change their code.
Co-founders David Goldschlag and Kevin Sapp have spent the last 17 years working together.
Among other startups, they co-founded zero-trust platform New Edge Labs, which was acquired by Netskope, and mobile device management platform Trust Digital, which was acquired by McAfee.
“Along the way, people always ask us: What about application-level access between workloads?
There’s always been this thing, and it’s important, but we haven’t addressed it,” Goldschlag explained. When the founders left Netskope in the summer of 2021, they decided to finally tackle this challenge.
“It was important because all these things were happening in the ecosystem, right? You had all these APIs that were becoming part of people’s applications,” he noted.
“If you think about open source a few years ago, people were building open source applications. People today build applications that include databases and APIs—and now you have to enable secure access between them.”
He noted that Aembit’s mission is different from that of API gateways and security services.
These services work in front of APIs and help developers create and expose them securely to internal and third-party developers.
But Aembit focuses on the client accessing the API and ensures that that client is authorized to access it. He likened it to how today’s identity management systems help businesses authorize their users.
When a user uses Okta to sign in to Microsoft 365, for example, that user communicates with Okta and then gets credentials to access the service.
To top it all off, Aembit also needs to become the system of record not just for all these workload identities, but for the workloads themselves (and these workloads are often ephemeral these days, which makes it an even harder problem).
“Start at the base level, which is that you have identities and you have policies. You allow access and log this.
But you’re probably going to want to discover more and more workloads from all these fragmented places — and then you might want to discover patterns of access,” Goldschlag explained.
“Our system can already do that. We can deploy the system in non-enforcement mode – detection mode – and tell us what accesses are happening.”
“When you then use that as a road map, it becomes much easier to see how these workloads typically interact with each other—and to take action when things change.”
“Businesses have invested heavily in securing the connection between people and the software they use. An empire has emerged,” said Jake Seid, co-founder and general partner of Ballistic Ventures.
“The network of connections between workloads created when software communicates with other software must be identified, protected and managed.
Aembit defines this new category of IAM workloads to protect an enterprise’s most important digital assets.
It is an honor to work with them at Aembit. We support founders from day one and continue to support them on their journey.”