Most data breaches don’t happen because attackers are geniuses. They happen because organizations give too much access to too many people for far too long. Despite decades of security frameworks and best practices, enforcing least privilege remains one of cybersecurity’s most persistent challenges. The culprit isn’t technology: it’s politics.
In this episode, Mokhtar Bacha, CEO of Formal, discusses how their granular privilege access management solution operates at the packet level to enforce least privilege across databases and APIs. Joining him are Howard Holton, COO and industry analyst at GigaOm, and Arvin Bansal, a Fortune 100 veteran CSO. The conversation tackles the truth about why access management fails, explores how AI agents are exploding the identity landscape, and examines whether automated policy enforcement can finally solve the political friction that has plagued privilege management for years.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Formal
Full Transcript
[Voiceover] Connecting security solutions with security leaders, Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. Today, we’re talking with Formal and what they’re doing in privileged access management. Now, the problem that they’re addressing is how do you enforce least privilege for identities across data and infrastructure?
Definitely a hot topic and we need to figure out how they’re helping to solve this. Luckily, we have two experts on board helping us ask all the right questions – Howard Holton, COO and industry analyst over at GigaOm, and Arvin Bansal, a Fortune 100 veteran CISO – lending their expert voices.
So, Arvin, I’m going to start with you. Why is enforcing least privilege still a problem for organizations? It’s least privilege, not exactly new.
[Arvin Bansal] You’re right, Richard. Least privilege, it’s not just a best practice, it’s a ticking time bomb. So, most breaches, they don’t happen because attackers are genius. They happen because we give out too much access to too many people for far too long, and if you can’t explain why someone has a permission, then probably they shouldn’t have it.
[Rich Stroffolino] Sage words indeed. Howard, I’m going to come to you. Do you agree with Arvin here? I mean, why are we still struggling with enforcing least privilege for identities?
[Howard Holton] Politics, I would say, is the number one reason. I was on Reddit, like I’m sure many of us are in one of the cybersecurity forums, and a guy was expressing his frustration that he went in specifically to remove permissions on someone that not only had never used the permission but shouldn’t have the permission anyhow.
His CEO got involved and said, “That person’s been here 17 years, they should have access to everything.” That is pervasive, I don’t care the size of your company. That sort of attitude is pervasive inside business. We’re still not taking cybersecurity seriously, and we continue to make insane decisions for political reasons that really have no value.
Instead of just taking a moment and going, “Actually, sir, you shouldn’t have access to that data. That information has nothing to do with you doing your job.” It is critical for cybersecurity in case something happens to reduce the blast radius. We really have to focus on blast radius more than anything else in cybersecurity and we’ve ignored it for far too long.
[Rich Stroffolino] All right, I’ll give all of our listeners time to facepalm very quickly after hearing that, Howard. I think we all need a moment of relief. And then, we are going to turn and talk to Mokhtar Bacha, the CEO over at Formal. Now, Mokhtar, let’s start out by answering three essential questions about what Formal is doing here.
How do you explain the value of your solution to a CEO? What does your solution do, what does it not do? And what is the pricing model? Can you help us out with these preliminaries?
[Mokhtar Bacha] Yeah. So, the value for a CFO or CEO, I think, is very straightforward to explain. As Arvin said it, most hackers are not geniuses, and most data breaches happen because some folks have too much privilege for too much time. If you look at some of the most recent data breaches that happened, they were mostly targeting customer support folks, working for BPOs in third-party countries where basically the hackers just pay those customer support agents to go fetch data and then send screenshots of this data.
So, it’s not like a very sophisticated hack, right? And so, what you want actually to make sure is just to enforce least privilege at a very granular level. And when you look at privileged access management software that’s on the market, they are very limited because the level of access they give is either at the resource level or nothing, and with Formal, our focus is really to enforce privileged access management at a very, very granular level, basically at the packet level of data.
What our solution does, our product is a reverse proxy that’s protocol-aware, so what it means is that it can understand a lot of different wire protocols, whether it’s like databases or APIs, and it helps enterprises better understand the flow and control of the flow of data in the organization.
The way we price is we try to meet our customers where they are, and so our pricing model is mostly like a usage-based pricing model that depends on the number of users or resources in an organization.
[Rich Stroffolino] Fantastic, all right. So, we have the groundwork before us, but I’m sure we have a lot of questions from our panelists. So, Howard, I’m going to start with you. What other questions do you have for Formal?
[Howard Holton] This is a little bit of a crowded space. There’s a whole bunch of change happening within the space. GenAI has really changed, I think, the focus on privileged access management. What makes you distinguished amongst your peers and what is kind of your disruptor?
What is your unique value that you’re bringing to the market?
[Mokhtar Bacha] So, I agree that GenAI and AI in general is actually radically changing the landscape for privileged access management. I think when I was at Black Hat last week, I heard a lot of folks saying the acquisition of Palo Alto Network doesn’t make sense because PAM is an old category, and it doesn’t make sense like in the context of AI to acquire an identity company.
I actually think that it makes a ton of sense. I don’t know if I would [Inaudible 00:05:30] CyberArk specifically, but I do think that in the context of AI, you want privileged access management. The way we’re looking at AI identity is that that’s privileged users, and so you want to make sure that they only have access to what they need.
And so, really what differentiate ourself from our peers is our ability to inspect the traffic and understand basically data at the layer seven of the networking stack. So, we understand the data that are flowing in, whether it’s Postgres or Snowflake or HTTP calls.
And because we can see and understand this data, we can enforce very, very granular least privilege policies. For example, we can make sure that a customer support agent, whether it’s an AI agent or actually a human agent, see customer’s data only if there’s a ticket that’s assigned to them and only for that specific customer.
So, that’s the type of privileged access management we can do.
[Rich Stroffolino] Arvin, I’m going to come to you. What questions do you have for Mokhtar and Formal?
[Arvin Bansal] I think technology-wise, Mokhtar, what you’re saying makes sense. Just going back to the earlier comment by Howard, the biggest problem with least privilege is politics. How do you look at that part? How do you help your customer stakeholders for business alignment and navigating those political frictions?
[Mokhtar Bacha] I do agree that politics often, not just in security, in most organizations, I think is a big problem. The way we’re looking at ourself, right, is I don’t think we can solve every problem in an organization, and I don’t think we can necessarily solve the political aspect of it.
But what we can do is we can give the tool to the security team to effectively make better, defend what they’re trying to do, right?
And so, for example, on the permission side of things, a part of our product basically has the ability to analyze access requests over time and see if folks were using those permissions or those data over time. And we can automatically suggest policies that enforce least privilege and say, “Hey, that entire team never used that amount of data for that amount of time; therefore, we suggest that this policy could be enforced on that team.” And we have like a Slack and Microsoft team workflow to ask that team, that specific user, if they are okay with that policy, and if that makes sense, and if they need that data and permission, and they can say yes or no, and then the security team can approve the policy ultimately.
So, we give the tools, but there’s obviously things where, in the specific example that Howard shared, I don’t think we could have done much, to be honest, but I think for most of the time, for 99% of the time, what we provide, I feel, is enough.
[Rich Stroffolino] All right. Well, the floor is open for questions. So, Arvin, Howard, feel free to jump in.
[Howard Holton] So, MCP is a wonderful protocol. I’m really happy that it exists, but also, it’s a kind of typical developer tool that was developed, that was built, right? There wasn’t a whole lot of thought to security given day one. How can your tools help add a layer of security to the risk contained in MCP, so we don’t lose the value?
[Mokhtar Bacha] Yeah, I’m glad you asked this question. Our CISO, Paul Yu, was before at Ramp and joined us to lead security, actually wrote a blog post about it on our website to talk exactly about how Formal helps in the context of MCP. So, today, actually, customers are already using us to secure their MCP use cases.
We have a customer that basically have a Snowflake MCP server. They were not necessarily comfortable with their Snowflake data being dumped into cloud desktop or other AI tools. And so, they’ve deployed the Formal proxy in front of the MCP server so that we can filter data, redact, for example, PI or sensitive data in real time and effectively decrease the scope of data that flows outside of their MCP tool.
And in those use cases, we have the ability to understand the tools being used by AI agents and we can potentially block tools that are used in anomalies, like in a non-standard way by the AI agent.
[Arvin Bansal] So, Mokhtar, just thinking about the big picture, what’s the most common reason that companies are not able to implement least privilege and after buying your tool, how do you help them avoid it?
[Mokhtar Bacha] The reason most enterprises can’t enforce least privilege at scale is because a lot of security teams are understaffed and most of the tools just provide visibility. By visibility, they create a lot of direct tickets that end up in the backlog of the security team and then needs to be assigned to other folks, and so things never really move forward, right?
The way we do things at Formal is we take a position in the enterprise that’s a lot more powerful, right? We are proxy in front of the infrastructure, data, and applications. Therefore, we have a lot of power on the type of things we can do. And actually, we have the ability to automatically enforce and generate least privilege policies thanks to our AI policy agent so that the security team just approve or decline policies that are suggested by our product.
And by doing so, we can effectively decrease the workload on the security team because they just need to agree on, like this team didn’t consume data on this Snowflake table for the last three weeks; therefore, we should block access to this table.
Yes or no, right? Instead of the security team having to try to implement all those policies across different applications and tools, they can just deploy Formal one time, make sure that the data flows through Formal, and then Formal will start enforcing least privilege policies automatically.
[Howard Holton] So, let’s say I agree with you. I agree that least privilege is required, I agree that my company needs a solution, I agree that we really haven’t done a good job of managing that through the life of the company. What are some takeaways that you can give me that I can go to my leadership and say, “You need to think about this because…” Right?
What are some takeaways you can give me for that?
[Mokhtar Bacha] Yeah, I think probably one of the takeaway will be most data breaches or data leaks comes from overprivilege and ICANN takeovers. And so, therefore, if you don’t want to be the next company on the front cover of the New York Times for the wrong reason, you probably want to address that issue as soon as possible.
Especially if you’re in a larger organization. I think if you’re in a smaller organization, it’s maybe not as important, but like if you’re a financial institution or a healthcare organization of a certain size, you definitely want to make sure that you have good privileged access management policies in place.
And so, whether you use Formal or not, you should definitely take care of this.
What I will say is that if you’re trying to invest in AI, the number of identities is going to explode with AI. You are going to see a lot more AI agents coming up and running in the enterprise, and you really want to make sure that those AI agents don’t have access to more than what they need.
It’s going to be harder and harder to do as the AI agents become smarter and smarter. Therefore, you want to put in place the right guardrails, and I think right now we’re at this tipping point where we’re just managing humans. So, it’s kind of hard already, but it’s not impossible, and I think in the next 2, 5, or 10 years, when we’re going to 10X and 1,000X the number of identities, if you don’t have the right foundation in place, your organization is going to be in a very, very bad place from a privilege and security standpoint.
[Arvin Bansal] And that’s a great view. We’re going to have tons and tons of IDs being created and it’s better to be in front of the problem than trying to fix it later. And speaking of current state, we have on-prem, we have SaaS solutions, we have public platforms.
That’s where we are storing tons of our applications, data, and access across these different vendors. You have Oracle instance, Google instance, Azure, AWS, you’ve got Salesforce, M365. How do you help across on-prem, cloud platform, and SaaS solutions from identity perspective, privilege access?
[Mokhtar Bacha] So, basically our product is, the core of our product, right, is a proxy. So, it’s a single binary that you can deploy. And so, this binary is a tiny statically linked binary. You can put it anywhere you want – on-prem, in the cloud, Azure, GCP, AWS.
Because we understand every wire protocol for all the systems, you basically can see our product as an abstraction layer on top of all the infrastructure, right? So, instead of trying to secure each of the systems individually and basically speak the language of each of the systems, you can just deploy our proxy in front of the systems and then use our one policy language.
So, our proxy has a policy language to basically unfold those policies across your entire infrastructure. And so, it’s a one place to almost like rule them all in some way. And not only it helps you make that a lot simpler because you have one place to manage things and have your observability, but it also gives you more control, right?
Like the ability to filter specific customers’ data, the ability to redact data directly on the wire, the ability to block specific actions or anomalies. That is not possible to do with the native controls that are provided by those platforms.
[Rich Stroffolino] We have time for one more question.
[Howard Holton] What is the most common mistake you see customers make after deploying PAM?
[Mokhtar Bacha] I think the lesson I’ve learned is a lot of security in the way that they approach things is they basically do projects. Like this quarter, we’re going to focus on secrets management, and next quarter, we’re going to focus on AppSec, and then the next quarter we’ll focus on container security, and then vulnerability management.
And I think a lot of security teams, the way they want to do things, they want to either build a tool or buy a tool and then set it and forget it, and the problem is it’s actually a continuous walk if you want to make sure that the tools provide the most effective.
And I think that was true until now. I think actually with AI, we might have the opportunity of building tools that are truly set and forget.
That’s what we want to do with Formal. I don’t think we will be able to change the way that security teams work because I think it’s like structural. They have a lot of work on their plate. There’s always an incident that change the priorities. There’s so much stuff that’s all going on for security team that it’s hard to change the way that they operate.
And so, we just want to meet the customer where they are, and that’s why we’re trying to build basically this automated policy agent so that customers will just deploy us, will auto-discover all the infrastructure, and automatically create policies that enforce least privilege without the customer literally having to do anything.
That’s the future where we want to be, and we are working very hard to reach that future.
[Rich Stroffolino] All right, Mokhtar, what’s one thing we didn’t ask about that we need to know?
[Mokhtar Bacha] Maybe the one thing that we didn’t ask about is more like around the competition and the market. The way we’re looking at the market is that there was incubants that were traded like 25 years ago, and those products are not scaling, and they’re not AI-ready.
And even though like Palo Alto, for example, recently bought CyberArk, we don’t believe at Formal that those products will actually be able to solve the trend that’s coming with AI because they actually didn’t solve the problem with the cloud. Most of those products don’t work well in the cloud, and we actually have a lot of customers that are turning from those vendors to us because we’re cloud native.
I think the future of PAM is going to be an AI-native PAM provider, and that’s who we are at Formal.
[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to formal.ai, and if you have any feedback about this show or any questions for Mokhtar, send them over to us at feedback@ciso-dev.davidspark.dcgws.com.
A huge thank you to Howard Holton and Arvin Bansal for helping us learn more about Formal, and a huge thanks to Mokhtar Basha for your time and being game to answer all of these questions. Thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.