Innovative architecture mitigates risk by empowering employees to register their own applications, allowing organizations to detect and automatically correct security lapses
Shadow IT spending—applications acquired and used by business professionals with company funds but without IT authorization—now represents more than 40% of enterprise IT outlays
86% of cloud-based services in the average enterprise now represent ‘unmanageable applications’, either in the shadow IT category, or not adhering to industry standards, creating security gaps
Cerby officially launched today with the world’s first security platform for unmanageable applications and an approach that enhances security practices by empowering both employees and security teams. The Cerby Zero Trust architecture takes on the challenges of unmanageable applications in the shadow IT universe—technologies that are selected and onboarded by business units outside the purview and visibility of the IT department, or don’t support industry standards like SAML for authentication and SCIM for user provisioning. The Cerby offering is very different from other options on the market because it moves security automation capabilities into the hands of business users—in effect, it balances empowerment and autonomy with security and productivity.
The company, which has been operating in stealth mode since 2020, already has early customers—including Fox, L’Oréal, MiSalud, Dentsu, Televisa, and Wizeline—where the technology is used to address common application liabilities efficiently while facilitating collaboration. It also announced today $12 million in seed funding from Ridge Ventures, Bowery Capital, Okta Ventures, Salesforce Ventures and others, bringing total funding to $15.5 million.
“Our goal at Cerby is simple but sweeping: To increase productivity for enterprises by empowering employees to use the technologies they prefer while automating compliance and security,” said Co-Founder and CEO, Belsasar Lepe. “In this era of IT consumerization, employee choice and enterprise security are not mutually exclusive—with the right tools and strategies, they go hand-in-hand. When business professionals get real autonomy, security becomes everyone’s responsibility, rather than just one of many priorities for the IT department. The Cerby platform for unmanageable applications enables organizations to boost efficiency, comply with existing policies and reduce exposure to cyberattacks—it’s truly a win-win-win.”
Cerby’s enrollment-based platform combines proprietary technology, robotic process automation (RPA) and seamless integrations with identity providers like Okta and Azure AD. This powerful functionality enables the platform to understand commonly used SaaS applications in a business context, and automate security policies before they lead to breaches.
The scale of the problem is undeniable, in part because while employees choose the applications, they don’t pay for them. Analyst firms such as Everest Group report that shadow IT spending represents 50% or more of the overall IT outlay in large enterprises. Meanwhile, teams preferring application autonomy are twice as likely to prioritize productivity over security.
Cerby’s own research confirms this trend. The company just commissioned its own study of this critical subject, and the preliminary findings show how much attitudes have hardened with regard to employee choices. The comprehensive study of over 500 business professionals in North America and the UK employed by companies with more than $100M in annual revenue, conducted in partnership with Osterman Research, reveals that a staggering 91% of respondents believe they should have full control over the applications they purchase. On a related note, 52% want the company or IT department to “just get out of the way,” and when employers disallow applications desired by end users, respondents say it will “negatively affect” the way work gets done.
To be clear, these perspectives are not emerging from a vacuum. More than three quarters of the companies surveyed, 78%, have policies in place regarding which applications employees can and cannot use, and just over half the respondents report knowledge or experience of particular applications being disallowed. These actions don’t necessarily go down well with employees: 68% ask for an alternative solution, preferably one that is stress-free and automated; 35% seek an alternative of their own, while stating that it negatively affects the way work is done; and 42% “demand a good reason” for the ban.
“We chose Cerby because we needed a secure and centralized place to manage access to our paid social accounts,” said Nina Donnard, AVP, Paid Social, L’Oréal. “Because Cerby can seamlessly integrate with our organization’s single sign-on technology and also connect to the social platforms’ APIs, we are able to create organizational efficiencies by granting and removing access within one place. Additionally, the automated access removal of employees who have left the company provides a level of security we did not previously have.”
The issue of unmanageable applications within the organization is particularly sensitive because it puts two forces—employee autonomy and corporate security—in direct conflict. The C-suite—enterprise CIOs, CMOs, CISOs—wants security to be frictionless; when security teams take a heavy-handed approach, they often end up blocking key applications and negatively affecting productivity. This conflict encompasses three core problems, which are sometimes contradictory: brand risk (including errors, cyberattacks, and fraud); non-compliance (corporate policy, contracts, and industry/government regulations); and inefficient processes (insufficient resources; inconsistent, error-prone access reviews; extraneous steps and wasted time).
Cerby steps into this chasm with numerous capabilities to plug security, compliance and productivity gaps. For example, end users can log in securely to any application, even those that don’t support SSO natively, store log-in data, and share this information securely with collaborators. At the same time, IT and security teams can set policy at the application, team, and company level. Throughout this process, Cerby actively monitors connected applications to ensure they are securely configured to meet corporate security standards for two-factor authentication, password complexity and many other commonly missed security settings.
“I love that Cerby solves a problem every CIO faces: unmanageable applications,” said Yousuf Khan, Partner at Ridge Ventures and former CIO. “When non-IT employees use unauthorized applications, they might be gaining productivity, but they are also unlocking a Pandora’s box of security vulnerabilities. The pandemic only made it worse: 71% of users in the US now acquire their own applications to do their jobs. Cerby is the first solution I’ve seen that significantly reduces the risk of these unmanageable applications by applying zero trust principles and automating the entire application lifecycle. The best part of it is that it’s not a top-down, managerial edict: Employees become an active and motivated part of the solution. Business professionals get the power to choose their applications, productivity gets a boost, and the company ensures security and compliance–everyone wins. Other cybersecurity products demand enforcement; Cerby encourages enrollment. This is the best way to enhance employee trust and increase productivity.”
The technology is designed to help teams in diverse disciplines use the applications they choose while ensuring security. For example, marketing teams can now securely use any social platforms they prefer—Cerby provides a single place to add and remove access for employees and third-party agencies instead of signing into multiple social accounts and sharing passwords. In other fields, such as finance, Cerby provides an easy way for CFOs and their teams to securely manage access to bank accounts and credit lines without having to share passwords.
Technology
To protect the brand, stay secure and increase productivity, Cerby features numerous innovations, including:
- Detecting unmanageable applications: Because the platform enhances the user experience, enterprises can crowdsource the discovery of new and potentially unmanaged applications, taking away the burden from IT and security departments
- Protecting against breaches: Cerby assesses the risk of connected applications against established security policies and monitors applications for common misconfigurations that often lead to breaches
- Empowering end users: Because end users always outnumber IT and security professionals, the platform takes an enrollment-based approach to security, enabling users and business units to choose the best applications for getting their work done
- Reporting activity: When applications are managed individually and don’t support industry standards like SAML (Security Assertion Markup Language) and SCIM (System for Cross-domain Identity Management), activity reporting can be painful. The Cerby platform centralizes access logging and makes it available to SIEM platforms for further analysis
- Streamlining processes: Many teams manually manage access to applications; by contrast, Cerby leverages robotic process automation (RPA) to streamline the entire login process. Cerby offers a centralized portal to log in to supported applications, extending enterprise single sign-on to applications that don’t natively support SAML and SCIM. This makes organizations more efficient and security teams happy.
The platform also features:
- Unified access: Business professionals currently manage access to critical business applications like bank accounts, credit card accounts, internally built applications, paid social media applications, and many others across dozens of user interfaces; with Cerby, all access management is centralized in one UI, making it easier to onboard and offboard team members and third parties
- Single sign-on for any application: Many martech and fintech applications don’t support single sign-on, forcing users to manage their own passwords and two-factor authentication; with Cerby, any employee logged in with Okta or Azure AD has easy access to non-SSO supporting applications like Facebook, Twitter, YouTube and many others.
Cerby’s management team features an optimal mix of technology visionaries and veterans, including:
- Belsasar Lepe, Co-Founder and CEO
- Vidal González, Co-Founder and CTO
- Jyri Virkki, Co-Founder and Chief Architect
- Matt Chiodi, Chief Trust Officer
- Gabrielle Arroyo Lopez, Head of Customer Success
- Kurt Greening, Head of Sales
Learn more and schedule a demo at https://www.cerby.com/.
Read the blog from Cerby Co-Founder and CEO, Belsasar Lepe at https://www.cerby.com/resources/blog.
Cerby will host a webinar with Michael Sampson, senior analyst at Osterman Research, on June 28, 2022 at 11am PDT / 2pm EDT. Register now to learn how a Zero Trust architecture for unmanageable applications can benefit you and to hear results from the new study on employee perceptions of application choice post COVID-19.