The Lockdown

Thycotic’s Cyber Security Blog

A New Approach to Modern Enterprise Access Management (formerly Onion ID)

Written by Jai Dargan

June 4th, 2020

Earlier this week, we publicly announced the acquisition of Onion ID—a San Francisco-based identity and privileged access management (PAM) company. The acquisition marks a significant milestone in Thycotic’s strategic direction as a PAM company.

Over the past several years, we have driven innovation through a multi-stage product roadmap designed to help companies adopt PAM and embed privileged access controls throughout their cyber security programs. Just last month, KuppingerCole ranked Thycotic #1 in innovation among more than 25 PAM vendors.

We’ve done this by also remaining steadfast in our commitment to an optimal end user experience (UX), where products are easy to try, buy, deploy, configure, and operationalize. This ethos is also shared by Dr. Anirban Banerjee, founder and CEO of Onion ID, who has built an impressive set of advanced solutions that allow companies to increase their PAM footprint without sacrificing on UX.

With the introduction of our new Access Control offerings, I am extremely excited about how we are positioned to address the emerging access security challenges that modern enterprises are facing amidst a tectonic shift to remote working.

Our Strategy

Our strategic product vision has been rooted in the recognition that a) passwords are utterly flawed forms of security and b) stopping password proliferation is a necessary first step to achieving a password-less future. We have zoned in on how Thycotic technologies can secure every password and privileged object within the enterprise, irrespective of where they reside—across on-prem systems, multi-cloud layers, and devices.

The acquisition of Onion ID takes us even further by allowing us to embed security controls within the four highest-risk layers of any modern organization’s infrastructure: Clouds, Code, Data, and Devices.

Clouds: We now empower CISOs to onboard more SaaS apps without sacrificing the granular authorization and audit controls they need with Cloud Access Controller. Our new solutions are also container-based and IaaS-agnostic, so you can deploy them anywhere.

Code: We can now help customers automate security around various aspects of container deployment and configuration. Coupled with an array of plugins, SDKs, and integrations with popular DevOps and CI/CD tooling, such as Kubernetes and Terraform, our DevOps Secrets Vault product allows DevOps teams to focus on code without sacrificing security.

Data: Database Access Controller extends multi-factor authentication (MFA) options to *any* cloud or on-premises database (e.g., Redis), while layering IGA controls for enhanced governance. Users can also restrict exposure of sensitive content, such as PII, across any web application or database.

Devices: Remote Access Controller provides a simple way for remote workers and third-party contractors to access corporate resources from any device, such as a Chromebook, without sacrificing end user experience. This is an attractive option for organizations that want to reduce their hardware investments without having to manage complex agent-based deployments or VPNs.

Access Controller Trial

Secure access to all applications and data with a zero-trust approach, fast.

A Departure From Conventional PAM

Conventional PAM models have focused on IT teams: the users, accounts, and systems that reside at the heart of the enterprise. And of course, IT-centric privileged accounts, such as domain admin accounts, are still prime targets for malicious cyber actors. However, as Sean Ryan and Andras Cser from Forrester recently noted, “Traditional access control models, while key, are insufficient for today’s IT architectures.” Access control models designed for the infrastructure architectures of 2015 cannot keep up with the requirements of 2020, and with heavy cloud workloads and remote work now the norm, this affects every stage of the employee identity lifecycle.

Additionally, the very nature of what’s considered “privileged” has evolved. The concept of “privilege” is no longer coterminous with “IT” users. For example, would you not consider your CFO, who has access to the most sensitive information about your company’s financials, a privileged user? Or a member of your engineering team, who has access to your product’s codebase, which, if exposed, could cause lasting damage to your market position?

The vast majority of employees within an ecosystem access sensitive corporate data in the course of their jobs, and pre-existing security programs rely on several disparate solutions, often deployed in silos, to protect this data layer. Our new offerings extend advanced privileged access security to users, systems, and applications, each of which has typically fallen under a separate cyber security domain, such as traditional identity and access management (IAM) and single sign-on (SSO), cloud access security broker (CASB), or data loss prevention (DLP).

While these traditional tools are certainly essential for modern enterprises, they often fall short of delivering many of the promises that vendors advertise. Likewise, cumbersome deployment often results in poor implementation, so the hyper-granular security requirements a company actually needs are never operationalized, simply because the technology is never fully adopted.

For example, typical SSO/MFA deployments work best when integrated with every corporate web application, so business users only need to remember one password backed by MFA. But we know that non-SSO-enabled apps exist across every department, often protected by weak, unmanaged, and shared passwords.

For applications that often have only one master set of credentials (e.g., a corporate Twitter account), Thycotic can now extend advanced role-based access control (RBAC) at the user and group level, syncing with Active Directory. This allows admins to refine what each user can see and do within a target web app, while every access attempt and action is audited at the user level.

Taking corporate social media as one use case, several of our customers are using this today to implement role-based privileges for corporate employees and remote contractors, such as PR agencies. This allows the Social Media Coordinator (an internal employee) to have full tweet privileges on the organization’s Twitter page, while the external PR representative won’t even see the “Tweet” button in the browser.

Cloud Adoption

We have long seen PAM as foundational for enterprise cloud adoption and ongoing digital transformation (the two are often interwoven). This year alone, we anticipate having over 3,000 customers leverage our PAM-as-a-Service products, which speaks to the growing recognition that PAM controls for public cloud infrastructures are always better delivered from public cloud infrastructures. Secret Server Cloud has been deployed in some of the largest organizations in the world, and many organizations are leveraging the solution as an enterprise password management vault for ordinary business users. Our new capabilities extend our pre-existing controls and complement the broader identity investments CIOs and CISOs have made to date.

Looking Ahead

What’s next for Thycotic? With the release of these new solutions, you can expect us to continue to rapidly introduce new functionality across our portfolio, which will help companies maintain visibility and control over their cloud workloads and sensitive corporate data. We will continue to introduce new functionality that targets both traditional PAM and emerging IAM use cases.

Again, here’s where you can try Access Controller:

Access Controller Trial