Lumos 2.0 - Revenge of the APPocalypse
Apps are here, there, everywhere.
This story is part of Security Essentials, the IT Vault’s practical advice for getting the most out of your security team.
Nowadays, the web is the portal to all our superpowers. Internal Lumos data shows that organizations use 600+ apps on average. We used to use the Microsoft Suite for almost everything. Now, we’ve replaced Excel with Airtable and Word with Notion. Rex Woodbury calls this the “unbundling of software.” However, the macroeconomic changes and security breaches in 2022 have kicked off a new period in tech history: “the rebundling era.”
Today, we are launching Lumos 2.0 — one platform to govern cloud and app access, slash software costs, eliminate IT tickets, and enforce least privilege. Before diving into Lumos, I’d like to share some background on why 2023 is such a pivotal year and how IT and security teams can be key in this new environment.
The Golden Triangle: Cost, Security & Automation
Instead of the ‘growth at all costs’ mantra that plagued most companies the past few years, the mandate now is closer to ‘growth-at-almost-no-cost’. In other words… Efficient. Intentional. Proven. 2023 is about reducing business risks — from a cost, security and operational perspective.
1. Capital Efficiency — Consolidation of Apps & Licenses
Companies aren't just cutting software budgets. IT and Finance have the mandate to transform the company’s growth-oriented SaaS stack to a capital-efficient one. With immense growth in the previous years, we have brought on any tool possible to make us work faster. This has led to a proliferation of corporate apps and licenses. Many of our customers used Jira, Asana, ClickUp and Monday at the same time. Plus, they purchase more licenses than necessary — 25% of all licenses are unused. Now, we see how IT leaders have a mandate to consolidate their software stack and reduce licenses.
2. Security — Least-Privilege
The last 12 months have been full of breaches. Okta, Twilio, LastPass, Uber, CircleCI, … In the CircleCI example, a hacker stole a developer’s SSO session cookie, used it to impersonate the engineer who had production access, and stole sensitive data like customer keys. Zero Trust has been a buzzword for the longest time, but it continues to be extremely relevant. First, never trust, always verify: check access at all times and for all resources. Second, limit the blast radius with least privilege, i.e. grant only the minimum capability required to perform the task. 2022 has proven that companies cannot cut back on security.
3. Operational Efficiency — Do More with Less
Often, teams like IT and Security object that they are not as well funded as other departments, which makes them move slower than they actually want to. However, 2023 is all about doing more with less. It’s not a scalable solution to simply grow admin headcount with the number of apps and access in a company. IT and Security will need to focus on both hyper-automating and making their workforce more productive — especially in an environment of constrained resources.
Engineering Principles as a Model for IT and Security
Achieving the golden triangle of cost, security, and automation is an effort requiring huge orchestration. Imagine that apps are food ingredients. Managing 50 ingredients is doable for one chef. But now we’re moving up in the restaurant world and we’ve got 600 ingredients roaming around the kitchen. One chef can’t do it all alone. You need many cooks to make a Michelin Star 5-course meal work. IT and Security need the help of the whole company. And, to execute that well, companies need to approach it from an engineering perspective.
If we go back to the roots, IT and Security originated in circles full of tinkerers — people that loved to break networks or hack together complex scripts to solve their problems. They had to. There was no tooling that could help them. Then, vendors came around and promised peace of mind with “we’ll create a ticket when employees need help” or “we’ll detect bad things and alert you in time.” Since that seemed so simple, companies started hiring IT analysts to resolve IT tickets and security analysts to monitor alerts. Today, we see that this doesn’t work anymore. There are too many apps, too much access and too many stakeholders involved. Taking an engineering approach to IT and security means building an infrastructure for others to leverage.
What DevOps is to developers, IT & Security needs to be to the whole company. A DevOps engineer focuses on building infrastructure that enables full-stack teams to develop apps. Similarly, IT and Security should see themselves as foundational infrastructure that powers a company with technology. The full-stack teams in this case are the company teams like marketing or finance that manage their own apps. IT and Security leaders need to think more about how to enable others when it comes to software and access governance. For example, I heard from many department heads how they are trying to streamline their budgets by streamlining their number of licenses. IT can provide the infrastructure for every team to become more capital efficient.
IT and Security usually centralize oversight to mitigate software cost and security risks. The logic is sound, in that employees shouldn’t just purchase duplicate software or receive excessive admin permissions. However, reviewing hundreds of apps and thousands of accounts is not scalable with a centralized approach — it creates leaky buckets. In the end, employees will almost always take the easiest path to value — even if it’s costly or borderline secure. In order for many individuals to act responsibly, the compliant path needs to become the most convenient path. Apart from building infrastructure, IT and Security need to focus on encoding the right rules into the system. For example, you can only request access to licenses that cost more than $1,000 for a maximum of 90 days, and then you need approval again. Similar to software engineers, IT and Security need to leverage their architecting skills to achieve all their goals in 2023.
The Rebundling Era
The golden question to achieving the golden triangle is…how? Usually, a company would get a SaaS Management vendor to save on software spend, an Identity Governance and Administration (IGA) vendor to drive compliance and operational efficiency, and a Privileged Access Management (PAM) vendor to enforce least privilege.
However, the overarching mission at Lumos is not to build a product that fits a certain market niche. It’s to solve software administration problems holistically. So, we built a platform that combines all of that in one. Why would you pay $10 per employee per month for five different tools ($50) if there is a comparable offering in a single bundle for $15?
At first sight, you might ask whether Lumos is a SaaS Management tool like Zylo or an IGA tool like SailPoint. Lumos checks both the SaaS Management and IGA boxes, but the overall platform cannot be described by a single software category. It is a cohesive experience of different applications to solve your software administration problems.
Suddenly, companies that find themselves with smaller budgets happily realize they can achieve all their objectives while saving money. Bundling tools also allows you to build as you go - start with one piece of the platform and add on as your business needs dictate, rather than buying multiple tools that don’t quite cover what you need yet charge you as if they do.
I agree with John Luttig here: “Incrementalism is squandering Silicon Valley’s potential. Many of the nation’s most talented people are iterating on a tiny product surface area.” 2023 is about moving from unbundling your software stack to rebundling it.
Lumos 2.0 - One Platform to Govern It All
Lumos 2.0 is the exact antidote needed to manage the APPocalypse with a consolidated approach. Lumos is the first app governance platform that automates access requests, enforces least privilege, speeds up user access reviews, and eliminates extra SaaS app spending. With Lumos, you have visibility into app usage, entitlements and spending - and the infrastructure to take action on that data. The impact? Disappearing IT support costs. Just-in-time access. No audit spreadsheets and VLookups. Guaranteed software savings.
Your objection might be how can a startup build such an extensive platform without compromising on quality. If you look at each of the use cases Lumos supports, they are built on top of the same building blocks.
Let’s take a physics analogy here. An atom in Lumos is an entitlement, e.g. you can have admin, member or guest permissions in Asana. A molecule defines a user’s general app access with multiple entitlements, e.g. you have Asana access with an enterprise license and admin permissions. A cell is a vendor that combines multiple users with some sort of access, e.g. 50 users have access to Asana and it costs $10,000 per year. The protons and electrons holding everything together are actions on top of the data, e.g. you can add or remove entitlements and access.
Building such a generalizable core infrastructure makes it possible for Lumos to serve so many use cases as well as provide a cohesive experience. Lumos can remove a SaaS license to drive cost efficiency and at the same time remove an AWS admin permission to boost a company’s security posture. That is also the reason we stayed in stealth for two years. It took time to build the infrastructure; with it in place, we can now quickly build products that rely on the same core concept.
1. IT Automation — Driving Operational Efficiency
Consider the Lumos AppStore as the AppStore for your company. Employees can discover and request apps and access both in Slack and on the web. How can you administer all of that? We believe in decentralized app management. With Lumos, you can build an infrastructure that enables app admins to set up approval rules, streamline their software budgets and reclaim unused licenses.
2. Compliance — Mastering Audits
To support compliance, Lumos logs every request and admin change and can push this information to a SIEM like Splunk. In fact, Lumos is your source of truth for access data, ingesting both SSO groups from your identity provider and deep permission data for corporate and cloud apps. With that, you can perform user access reviews, privileged access reviews, and cloud entitlement reviews. Auditors will love it.
3. Least Privilege — Boosting Security
So, how do I protect myself? With time-based access you can grant temporary access for when it’s needed, reducing unused access. Or, automatically reclaim unused licenses through Slack workflows. Lumos believes in building an extensible governance infrastructure. So, you can leverage webhooks to provision users into internal tools. Or, create custom approval rules to pre-approve access based on, say, the existence of a ticket or completion of a security training.
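The rules sketched above (the $1,000 / 90-day cap from the “encoding the system” paragraph, the pre-approval based on a ticket and completed training, the auto-reclaim of unused access, and the audit trail a SIEM would ingest) can be expressed as a small policy engine. The following is an added example written for this post, not Lumos’s own code or API. The thresholds, the rule that privileged entitlements such as admin are never auto-approved, the 30-day idle window and the reference date are constructed assumptions.

```python
"""Access-request policy engine (added example, not Lumos code).
Encodes: >$1,000 licenses capped at 90 days and then re-requested;
pre-approval when a ticket exists and training is complete; reclaim of
expired or idle access; a structured audit record for every decision."""
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HIGH_COST_THRESHOLD_USD = 1000       # from the post's example rule
HIGH_COST_MAX_DAYS = 90              # from the post's example rule
DEFAULT_MAX_DAYS = 365               # assumption: cap for cheaper licenses
RECLAIM_AFTER_IDLE_DAYS = 30         # assumption: reclaim access idle this long
PRIVILEGED_ENTITLEMENTS = {"admin"}  # assumption: never auto-approved
T0 = datetime(2023, 3, 1, tzinfo=timezone.utc)  # constructed reference date

def day(n: int) -> datetime:
    """Day n relative to the constructed reference date (demo convenience)."""
    return T0 + timedelta(days=n)

@dataclass
class AccessRequest:
    user: str
    app: str
    entitlement: str                 # the "atom" of the post's analogy: admin/member/guest
    license_cost_usd: int
    requested_days: int
    ticket_id: Optional[str] = None
    training_complete: bool = False

@dataclass
class Decision:
    status: str                      # "auto_approved" | "needs_approval" | "denied"
    max_days: int
    reason: str

@dataclass
class Grant:
    user: str
    app: str
    entitlement: str
    granted_at: datetime
    expires_at: datetime
    last_used_at: Optional[datetime] = None

AUDIT_LOG: list[dict] = []

def audit(event: str, now: datetime, **fields) -> dict:
    """Append one structured record; a deployment would forward these to a SIEM."""
    record = {"ts": now.isoformat(), "event": event, **fields}
    AUDIT_LOG.append(record)
    return record

def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Apply the duration cap and the pre-approval rules to one request."""
    if req.requested_days <= 0:
        decision = Decision("denied", 0, "duration must be positive")
    else:
        cap = HIGH_COST_MAX_DAYS if req.license_cost_usd > HIGH_COST_THRESHOLD_USD else DEFAULT_MAX_DAYS
        max_days = min(req.requested_days, cap)   # longer access means a fresh request later
        if req.entitlement in PRIVILEGED_ENTITLEMENTS:
            decision = Decision("needs_approval", max_days, "privileged entitlement needs a human approver")
        elif req.ticket_id and req.training_complete:
            decision = Decision("auto_approved", max_days, "ticket present and training complete")
        else:
            decision = Decision("needs_approval", max_days, "no ticket or training incomplete")
    audit("access_request_evaluated", now, user=req.user, app=req.app,
          entitlement=req.entitlement, **asdict(decision))
    return decision

def issue_grant(req: AccessRequest, decision: Decision, now: datetime) -> Grant:
    """Turn an approved decision into a time-bounded grant (just-in-time access)."""
    if decision.status == "denied":
        raise ValueError("cannot grant a denied request")
    grant = Grant(req.user, req.app, req.entitlement, now, now + timedelta(days=decision.max_days))
    audit("access_granted", now, user=req.user, app=req.app,
          entitlement=req.entitlement, expires_at=grant.expires_at.isoformat())
    return grant

def revoke_reason(grant: Grant, now: datetime) -> Optional[str]:
    """Why a grant should be reclaimed now, or None if it should stay."""
    if now >= grant.expires_at:
        return "expired"
    idle_days = (now - (grant.last_used_at or grant.granted_at)).days
    if idle_days >= RECLAIM_AFTER_IDLE_DAYS:
        return f"idle for {idle_days} days"
    return None

def reclaim(grants: list[Grant], now: datetime) -> list[Grant]:
    """Revoke expired or idle grants (logging each) and return the ones still active."""
    active = []
    for grant in grants:
        reason = revoke_reason(grant, now)
        if reason is None:
            active.append(grant)
        else:
            audit("access_revoked", now, user=grant.user, app=grant.app,
                  entitlement=grant.entitlement, reason=reason)
    return active
```

A request such as `AccessRequest("alice", "Asana", "member", 1500, 365, "IT-123", True)` is auto-approved but capped at 90 days because the license costs more than $1,000, so Alice has to ask again after that; the same request for an `admin` entitlement lands in the approval queue regardless of ticket or training. Running `reclaim()` on a schedule is what turns the idle-license rule into the automatic reclamation the post describes, and `AUDIT_LOG` holds the records that would be shipped to the SIEM.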
4. Cost — Ensuring Capital Efficiency
Last, Lumos can centralize all your vendor data across shadow IT, software spend, license information and app usage in one platform by ingesting data from SSO providers such as Okta, invoice systems such as NetSuite, CLMs such as IronClad, and many more. When a renewal comes up, you can enable app owners to proactively negotiate renewals with better insight into app usage and future needs. Plus, you can grant time-based access or auto-reclaim licenses when no usage is detected to prevent true-ups throughout the year.
Take Two Lumos and Call Us in the Morning
While we can’t kill the APPocalypse (it’s a natural part of our technology evolution), we can manage it to power workforces with technology. Throw me a line on LinkedIn or grab a slot on our calendar to book a demo.
Welcome to Lumos 2.0.
With positive vibes,