Omri Gazitt, CEO of Aserto: “Authorisation is going to be the next multi-billion dollar segment at the intersection of developer, infrastructure and security”

The term “industry heavyweight” is often over-used, but we think it’s an apt one for Omri Gazitt, CEO of Aserto, an authorisation startup. Over a 30-year career that reads like a who’s who of cloud computing, he was the VP & GM of HP’s Cloud Native Platform and a GM at Microsoft where he led Azure and .NET.

In short, Omri’s career has been dedicated to building developer and infrastructure technology, most recently as CPO of Puppet. And now he wants to solve one of the industry’s biggest challenges: authorisation (authorization to any US-based readers).

As Omri says in the interview below, “identity has moved to the cloud” but “access control is still very much an unsolved problem”. Rather than force this complicated task onto in-house developers, Aserto aims to provide authorisation as a service.

Read on to discover what drove Omri Gazitt to take on this monumental challenge and for his four pieces of advice to prospective entrepreneurs.

What’s your elevator pitch?

Every SaaS app requires permissions and RBAC, but building authorisation correctly is a dark art. Engineers toil over building (and rebuilding) a table-stakes feature that rarely offers real differentiation.

Aserto makes it easy to incorporate fine-grained, policy-based, real-time access control into your app, freeing your engineers to focus on your core features.

What made you launch a startup?

15 years ago, my Co-Founder Gert Drapers and I were working on what became Azure Active Directory. I was the GM of the Azure Access Control Service and my Co-Founder was the Principal Architect of Azure Active Directory. Our mission was to move identity & access to the cloud.

As an industry, we’ve largely achieved the first goal — identity has moved to the cloud. But access control is still very much an unsolved problem. It’s also harder because authorisation is more domain-specific than authentication.

For application developers, authorisation is one of those things that doesn’t make your beer taste any better. It’s the cost of doing business — you need to have it if you build a business application. But it’s not differentiating your application in any way. It’s toil.

So, we founded Aserto to build an authorisation platform for developers, helping them implement access control in a much more cost-effective and secure manner than if they were to roll out their own system.

We were also motivated by how prevalent broken access control is. There’s a reason broken access is at the top of the OWASP top 10 list of security issues. There’s so much pain to go around: it’s not just developers, it’s security teams, it’s IT teams. We wanted to solve cloud-native access control for all of them.

Can you explain the authorisation problem you are trying to solve?

Authorisation is a nightmare. Every organisation that builds or buys N applications will have N different authorisation models.

Administrators have to manage the cross-product of users in their organisation and the entitlements they have in each of these N applications.

Security teams deal with Broken Access Controls — the #1 risk on the OWASP top 10 list of security risks. In fact, OWASP found that an astonishing 94% of applications they tested exhibited some form of Broken Access Controls.

Compliance and Audit teams engage in manual, error-prone, soul-crushing work to prove that only the right people have the right permissions.

And CISOs are terrified that former employees might still have access to internal systems, and that compromised identities can wreak havoc because of overprovisioned permissions.

Fixing authorisation helps address all of these challenges. 

Who are your main competitors and what distinguishes your startup from them?

In-house development is our main competition. One of the main challenges in cloud-native authorisation is that every application is responsible for its own authorisation. Yet, there are no standards, protocols, or developer APIs for authorisation. So, every application is forced to build its own access controls.

In the last few years, a set of vendors has emerged to fill the gap and offer authorisation-as-a-service. Aserto is one of those vendors. It makes it easy for developers to add fine-grained, policy-based, real-time authorisation to their applications. It supports every authorisation model, such as RBAC, ABAC, ReBAC, and combinations, so that you can seamlessly evolve your model as requirements change. And because it is an externalised system, changes to authorisation logic take effect immediately, without redeploying the app.

There are a few other differences between Aserto and a homegrown system, but the main difference is that with Aserto you can get started in minutes and production-ready in a week or two, compared to multiple months for an initial rollout of your homegrown system.

How has the startup scene in Seattle helped your own startup’s development?

We founded Aserto in Seattle, which is blessed with a large and successful tech scene, with Microsoft and Amazon being the “anchor tenants”. The startup scene isn’t as well developed as the Bay Area but has been growing rapidly over the last decade.

But none of that seems to matter anymore. Covid transformed us into a global business — we learned that geo-proximity is less important than quality talent, who can live and work from anywhere. So we have a development office in Romania and our US team is spread out across three states.

Where do you hope your startup will be in ten years?

We aim to be the “Okta” of authorisation. We feel like authorisation is at least as big of a problem to solve as authentication, and in ten years, we’ll see a number of multi-billion dollar companies growing to fill that gap. 

Even more importantly, I hope that as an industry, we’ll evolve authorisation to catch up with the progress we’ve made on authentication over the last ten years. We’ll know we’ve succeeded when we have a mature set of interoperable standards and a variety of open-source and commercial implementations. These standards and products will make it easy for developers to implement authorisation cheaply and safely, and for IT organisations to run an “authorisation control plane” to manage all the applications in a common and consistent way.

What would you say to potential investors reading this interview?

Authorisation is going to be the next multi-billion dollar segment at the intersection of developer, infrastructure and security. Follow this emerging market and stay tuned!

What advice do you have for aspiring entrepreneurs and anyone looking to launch their startup?

Be fearless. Founders early in their careers don’t have fear. They don’t know what it’s like to fail and that is an advantage. The more experienced you are, the more you’ve seen patterns, and the more you apply the wisdom you’ve learned to other situations. You also might become a bit more realistic and that can take away from the magic. So stay fearless.

Remember why you are doing this. Why do you want to found a startup? What are you in this for? There’s nothing like tough times to make you ask yourself why you’re doing it. Having a good answer is really important.

Keep a sense of perspective. You don’t want to get too affected by the highs or lows of a startup. It’s great to celebrate success but remember that it’s a marathon. You have to even things out.

Give it your all. You want to give everything you have as a founder but know that there’s only so much that you can control. An economic downturn isn’t under your control. A market that’s too early isn’t under your control either. Focus on the things that you can control.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.