The founders of ConductorOne, an identity and access control startup, both came from Okta, which is itself a single sign-on vendor based on the zero trust model. In fact, they were in charge of authentication and zero-trust products and saw firsthand how companies were struggling to control permissions and access across a complex environment that often included not just cloud applications but also on-premises pieces mixed in as well.
They decided to move on and start a company to help solve that particular set of problems with the goal of automating a lot of the access control activities that up to this point have been done manually, or worse, not at all.
Today the company announced a $15 million Series A.
CTO and co-founder Paul Querna said they were keenly aware of the pain points companies were facing around these issues. “Permissions and access management is still very painful to end users and IT teams or the engineering team managing all of this,” he told TechCrunch. That’s because with a malfunctioning permissions system, you can underprovision, keep people waiting to use the tools they need to do their job, or overprovision such as maintaining permission for users who are no longer working at your company. “I think a lot of us have seen firsthand these kinds of experiences,” Querna said.
His co-founder and CEO Alex Bovee adds that they wanted to make it easier for companies to control these access management tasks and bring the principle of least privilege to the solution. “We started ConductorOne to really automate as much as possible from an identity security perspective how people get access, retain access and revoke access to help companies achieve more of a least privilege level of access control,” Bovee told me.
The former Okta employees see their company solving a distinctly different problem than their former employer around securing identity. “They do a great job of centralizing some of your corporate users into a central directory. I think when you think about identity from a security perspective, it's fundamentally about understanding all the identities in your environment, whether or not they're connected to your SSO solutions,” he said.
He adds, “It's also about understanding the permissions, the roles, the data that those different identities can access. So we are taking much more of an orchestration centric view. Frankly, it's just a different architecture, more of an orchestration view and visibility first view across your environment to be able to give you that as a security and GRC (governance, risk, compliance) team, and then building the workflows on top of that to execute it,”
Part of the way it works is through out-of-the-box integrations to popular services like Okta, GitHub, Slack, Datadog, Jira and so forth to understand what’s happening across the company and what actions could be having an impact on someone’s permission to access a program. It's worth noting, however, that they can work with any corporate directory solution beyond Okta.
Today, the startup has 17 employees with plans to double that by year’s end. Bovee says that building a diverse workforce is written into the company’s original values documents. “We posted our company values very early on. It's one of our first blog posts, and I think one of the mechanisms to attract that talent, especially early in the sourcing funnel, is to be public and transparent about how you want to run the company and emphasize that you believe in diversity and you want that as part of your company culture,” he said.
Today’s $15 million Series A investment was led by Accel with participation from existing investors Fuel Capital, Fathom Capital and Active Capital along with several prominent industry angels. The company raised a $5 million seed round last year, which was also led by Accel.
The new funding should help them start rounding out the longer-term vision for the company. “Our vision and strategy for the product long term is to automate that full lifecycle across access control. So not only the on-boarding process, but eventually the off-boarding process and handling things like time-based access control, so it's not even an issue in the first place because you grant the access for a period of time and then remove it,” Bovee explained.