The End of SaaS Management As You Know It
There’s a better, more compliant way to manage app- and permission-sprawl
We started Lumos in mid-2020 and stayed in stealth… Until now! In the last 18 months, we raised a total of +$30m from a16z, Neo, Lachy Groom and many others. Today, we are pulling back the curtains. In this article, you’ll learn about Lumos and our take on creating value for customers. In short, it’s all about building a story-led company. You might think: “Aren’t the best companies customer-centric?” We believe story-led is the next evolution of customer-centric. Let us introduce you to the story of Lumos.
Building a company is very similar to writing a book. It’s about telling a story. Leo, Alan and I met at Stanford to find a story worth telling. It was a spring afternoon in 2020. One of those beautiful days in which sun rays plug into your skin like a charger. They electrify you with energy. On such a day, a light bulb popped up above our heads. Did we just find the start of an interesting story?
Leo and I were sitting next to each other at the inspiring Stanford computer science class called “Ethics, Public Policy, and Technological Change.” Prof. Sahami was passionately telling us how we don’t really have control over our online identities. How many apps have you signed up for in your life? 10s? 100s? No clue, right? The class reminded me to re-download my password manager since I just got a new laptop.
400. That’s the number my password manager displayed. 400 passwords stored. Wow. I am one Andrej offline but at least 400 Andrejs online. Too many. I wanted to delete half of my accounts, change dozens of passwords and unsubscribe from multiple services. Impossible! It would have taken me days to complete the steps required, including sending emails to support.
Intrigued, Leo and I called our friend Alan. Alan was doing security work for Samsara at that time and did research under Stanford security brain Prof. Boneh before. Maybe he had an idea? After some back and forth and back and forth, Leo and Alan came to the following conclusion: there is a unified authentication layer for the web but not a unified authorization layer.
Huh? Yeah, I also scratched my head at first. What’s the difference between authentication and authorization? Assume that a hotel room is your app account, your online identity.
Authentication is the key to open and get access to that room again and again — the login button. Authorization is the receptionist who gives you the right key and takes it back once you don’t need it anymore — the registration & deletion buttons.
We realized that we have a unified way to sign into apps — Google Login for consumers, Okta SSO for enterprises. However, it is impossible to create, delete and manage accounts from a single platform. There is no unified authorization layer. The three of us nodded to each other and thought about the identity market for companies: “If we as individuals cannot get a handle on all our apps, picture now how many apps need to be managed in a 1,000 person company.”
Think about how we use apps at work. Not very different from the way we do it at home. At some point, we spot a cool new developer or collaboration tool and think, “I need that!” We pull out the company credit card (if needed), create an account and start using the app.
However, our company’s data now lives scattered on hundreds of platforms on the web. And, at some point, we leave the company or stop using the app once we get our job done. Similar to us as consumers, the company now wants to delete and unsubscribe from all these services.
Again, there is no unified authorization layer that makes it easy for employees to get what they need quickly, while enabling IT & security to manage all company apps and protect the enterprise.
We call this unsolved problem… the APPocalypse.
We found a huge problem that needs to be solved. That’s all you need to get started. But what is our philosophy behind building a company? How are we approaching this quest? And who would be the hero of our story?
Every good story has a Hero’s Journey. It’s the formula for a typical story where a hero goes on an adventure and comes home transformed. When building a company, your customer deserves a hero’s journey.
If you focus on building a product, you find yourself comparing your solution to many others. If you focus on building a movement, you challenge others to think about solving their problem in a different way.
If you look at most companies’ websites, they usually compare themselves against others: our product is faster, sexier, cheaper, safer, easier to use, top rated, … No matter how you use these phrases, you always fall into the ‘better’ trap. As long as you’re ‘better than X’, your identity is tied to that other entity. You’re defining yourself against the very thing you’re trying to separate from.
We are not selling a product but 1) a different way of doing things and 2) real value that results from following this new way!
1. A shifted perspective allows us to uncouple from all of the rules that put our competitors in the spotlight. Salesforce, with its “no software” mantra, created the beginning of cloud-based apps. At first, Salesforce was not necessarily better than Microsoft CRM. Salesforce was different because they were talking about moving business to the cloud. What is the larger cause that we stand for?
2. What we are selling is not the software product — the set of all the features. We are selling real value. Apple didn't sell an MP3 player with their iPod but the value of having 1000 songs in your pocket to consume any type of music anywhere.
At Lumos, we deeply believe that building a transformational product comes only with having a specific point of view. An opinion. A vision of the future. A way forward. A before and after.
The main questions we need to answer are: who do we want our customer to become? What’s the Hero’s Journey of our users? We need to describe the change we seek to bring about, why it’s important, and why people will benefit from it. In this way, we don’t sell the solution, but the problem. We don’t sell a product, but a different way of thinking. And, we don’t sell something better, but something different.
Alright, we talked about the two frameworks we have at Lumos to build a unique company with a meaningful story. I love applying both of those frameworks within industries that we might not think of when we say ‘innovation’.
For example, what comes to mind when you think of ‘government’? Old technology. Lots of red tape. Bad pay. Politics... However, the government has a huge impact on our lives. Under the right conditions, government plus technology can be innovative, challenging and impactful beyond comparison. My last company was a GovTech startup called DigitalService4Germany where we built a space that gives top technologists the opportunity to build modern tech for the government. The story resonated so much that the German Federal Chancellery (aka German White House) acquired us and we became the tech startup of the government.
Similarly, the IT & security industry has a huge story worth telling in a new way. According to Andy Raskin, every good company story has 4 components:
1. a big undeniable change
2. an enemy
3. a promised land
4. and a monster slayer.
Let’s apply that to Lumos.
1. The Big Undeniable Change • The APPocalypse
We talked about this in the teaser at the beginning. To build amazing things with powerful software, employees use over 650 apps in every company. And, the number is growing. There are apps here, there, everywhere — we call this new state of the world the APPocalypse. And, even though there is a unified way to log into our apps through Google Sign-In or Okta SSO, there is no unified way to manage, create and delete our accounts and data on the web.
2. The Enemy • The Support Ticket
You see the repercussions of the APPocalypse when you get bit in the SaaS. Maybe you couldn’t access your email because you got a new phone and didn’t have the 8-digit MFA recovery code at hand? Or, you finally signed into Salesforce but then — facepalm — didn’t have the right permissions? There are dozens of cases when you need to send a ticket to IT to save the day. While you’re stuck waiting, IT is trying to surf the huge wave of requests.
Have you ever stopped to think ‘why does it take so long for IT to handle my requests?’ That's the part of the story we rarely talk about. IT is getting crushed by admin busywork: they route your request to the right approver, ask the right app admin to fix the problem, often follow up multiple times when it doesn’t and, then, archive the support ticket properly for the next compliance audit. While productivity is important, compliance is a requirement.
The support ticket is this weird thing that tries to streamline help requests more efficiently across the company, while keeping the company compliant and safe. Somehow, it makes things worse for everyone. Employees are stuck waiting. Hundreds of employee days of productivity are lost from simply waiting to receive help. IT & Security isn’t better off either. Multiple times a year, they need to scan through hundreds of tickets, see whether employees still need access to the apps they received, remove access if they don’t and create thorough reports for auditors.
We can all agree that the world would be a better place without support tickets. And, that’s the big enemy we are trying to eliminate. Similar to Slack’s promise to kill email or Salesforce’s mission to remove on-prem software, we are inviting everyone to join the fight against the most nerve-racking thing in today’s business world: the support ticket. Speed is at odds with compliance & security.
3. The Promised Land • Self-Governance
Imagine a world where any app or permission that you as an employee could ever need was a click away – as easy as getting chocolate from a vending machine. And, imagine a world where admins have peace of mind because as soon as you don’t need the app anymore, you lose access. Imagine individuals becoming more productive by making the enterprise more compliant and safe.
The whole problem of the APPocalypse lies in the assumption that the problem can only be solved by centralizing help and oversight. That doesn’t scale with understaffed IT and security teams trying to not drown in dozens of requests, while making sure you get the right access for the right amount of time.
We’re all conditioned to DIY when it comes to buying apps, food, gas, and even checking in for a flight. You don’t give people fish but teach them how to fish. Decentralization is the answer. What if we enabled you to solve any app problem on your own in a compliant and safe way? We believe in a new way companies work internally: Self-Governance. Instead of asking for support, we can enable you to help yourself responsibly.
4. The Monster Slayer • The AppStore
Have you ever sent a support ticket to Apple, asking to download, say, Netflix? No, because the Apple App Store gives you the power to download apps yourself. Now, imagine Apple would auto-unsubscribe your account when you stop using Netflix to save you money. Or, they would ask you to deactivate location-sharing if Netflix continuously used it in the background for no good reason.
That’s what Lumos does for enterprises. Lumos is the first AppStore for Companies. You go to the Lumos AppStore, request an app, say GitHub, pick the repositories you need, your manager approves the request through Slack, and Lumos creates your GitHub account — instantly. Plus, IT and Security love it as well because they can configure Lumos to grant access to, say AWS Admin rights, for only a limited time or remove access when you stop using the app or change your role inside the company.
In this way, Lumos breaks the pattern that productivity can only be achieved in lieu of compliance. IT & Security can create a system of self-governance in which employees can help themselves quickly, while making sure security is baked into the process.
Apple changed our lives with their consumer App Store. And, the infrastructure is huge. Last year, the AppStore had +2m apps, +30bn downloads and +$85bn in revenues. Now, Lumos is creating the internal AppStore for Companies to create a unified authorization layer.
If you’ve enjoyed our story and want to learn more, please subscribe to this newsletter. And, if you’re ready to write the next chapter of your own story, please check out our careers page or ping me on LinkedIn.
Thank you for reading this. Sending lots of positive vibes,