From Microsoft to Startups: Lessons on Building Market-Changing Categories with Omri Gazitt

Omri Gazitt, co-founder of Aserto, shares his journey from Microsoft to launching a startup tackling the unsolved problem of cloud-native authorization. Learn how he’s redefining enterprise security in the SaaS age.

Written By: supervisor


The following interview is a conversation we had with Omri Gazitt, CEO & Co-Founder at Aserto, on our podcast Category Visionaries. You can view the full episode here: $5 Million Raised to Build the Future of Authorization.

Omri Gazitt
Great to be here. 

 
Brett
So before we begin talking about what you’re building, can we just start with a quick summary of who you are and a little bit more about your background?

Omri Gazitt
Sure. The kiss. I’m a little bit of an elder statesman these days. I started my career back in the early 90s building. I was, I guess, a founding engineer of a startup called Neon Systems. Back in Houston, we built middleware that connected the emerging world of Windows and client server applications with enterprise data sources and went public in 99. So I call that my rose-colored tour through startupdom. And I’ve been kind of going back between large companies and small companies ever since. Joined Microsoft in 98 and was lucky enough to be part of .NET and Azure, helped start both of those projects. Was the general manager for the Azure Application Server Division and helped start what became Azure Active Directory while at Microsoft. Left Microsoft about ten years ago. I was really frustrated we didn’t get open source, and so I really wanted to sink my teeth into that.

 
Omri Gazitt
And so helped build things like OpenStack and Cloud Foundry and Docker and Kubernetes while I was at HP running the Cloud division over there. And then most recently was the Chief Product Officer of Puppet. And two years ago now, a little over two years ago, decided to start my third startup, Aserto, to focus on authorization.

Brett
Wow. Very cool. So a few follow up questions then from that. So you spent was it, 13 years at Microsoft? That’s a long time to be there. If you had to choose one big takeaway that you walked away with, what would that be?

Omri Gazitt
Microsoft is a very well run company. I’ve worked at a few companies during my 30 plus years of my career, and it’s a very well run company. One of the things that you get to do is influence the lives of a lot of people. One of the things that you also start realizing is nothing you do matters. You could basically take a bunch of most of the engineers out of Microsoft and the company would still run the way it does. It would take years for the company to kind of feel that. And that’s one of the reasons why it’s frustrating to work at a big company. It’s because connecting the work that you do to the progress that the company is making is just nearly impossible to do. You kind of feel like a cog in the machine.

Brett
Yeah, and that’s what I hear from a lot of the founders who’ve been on the podcast. They share a very similar experience when they’re one of 100,000 employees. It’s hard to really find meaningful work when you’re really just one of a very large number of people.

Omri Gazitt
Yeah, and I would say just to add to that, even like I had a deal with myself, I would stay at Microsoft as long as I felt like I was learning and growing. And I did for a while. But 8, 10 years in, you start realizing what is actually making you valuable to the company is the fact that you know how to do business within the company. You know who it is that you need to talk to. Like, you’re growing your career, you’re growing in terms of your scope and your title and all that stuff, but there’s a little bit more that you want, and I think those are the types of people that need big companies and start smart startups.

Brett
Now, how would you compare your time at HP compared to Microsoft? Obviously, those are both very big companies, but I’m guessing they’re also quite a bit different as well. So what would be some of those big differences that you saw?

Omri Gazitt
Yeah, I would say Microsoft that I joined was still led by Bill. And Bill’s a very impressive guy. He was visionary enough to create what I would call the software category back before there was such a thing. He definitely did it before VC became an industry. And he had a profitable company pretty much from day one, which you don’t really see today. So I’d say the company was very much still at the top of its game, even not quite when I left, but definitely when I joined. When I left, it felt like it had lost its way a little bit. It was an enormous company that was used to being a dominating power in pretty much everything that it did. But there were definitely a few things that we missed, like mobile, clearly missed. Cloud we were kind of about to miss, although we started Azure and that ended up being successful.

 
Omri Gazitt
And so HP, I would say, was in a completely different mode. When I first joined, I got a chance to also work with Meg and she was not confused at all. The company was in a turnaround and she wanted people who were not afraid to roll up their sleeves and help with the turnaround. And the company honestly was at that point much weakened compared to how it was in its heyday in the even the 90s, where it was a real force. It was an engineer’s company, and I would say in the it really stopped being an engineer’s company. And so that was an enormous difference because the company of Microsoft that I knew and loved was very focused on product and engineering. The company that I joined with HP was Engineering had definitely taken a backseat, which was almost stunning considering the fact that HP was the original Garage.

 
Omri Gazitt
Right.

Brett
And you mentioned something there that I have to ask further about. So Microsoft creating the software category. From your perspective when you were sitting there 1998, were you very well aware that was the company’s mission? And was that talked about internally that you guys were creating a category and trying to create a category in those early days?

Omri Gazitt
Do you remember? Well, I think Microsoft started with the premise of creating that category in 1975 and by 85 was really clear that was working, that Microsoft was growing quickly as a company and did not need to create hardware. The prevailing wisdom at the time, in 1975 to 1985 really was that you needed to build the hardware and software together. And Microsoft clearly proved with DOS and some of its early applications by 19, I think it was 87 when Microsoft went public, it was a rocket. And so when I joined in 98, that rocket was already like kind of in stage two or stage three. And at that time it was clear that our mission had gone beyond a computer on every desk and in every home. And we were trying to become the dominant force in server software, like starting to break into the enterprise and things like that.


Omri Gazitt
So I think that it had essentially reinvented itself in 95 or 96. I think Gates realized that the Internet was a thing and that Microsoft was slow to it and mobilized the entire company to basically rebuild the company as an internet company. And that was, I would say, heroic for its time. And the company tried to do the same thing in the didn’t really stumbled and then it wasn’t until Satya came in and we focused the company on cloud and devices and really on Azure that it took off again.

Brett
Wow, super fascinating. Now two questions we like to ask just to better understand what makes you tick as a founder and entrepreneur. So apart from Bill Gates, what CEO do you admire the most and what have you learned from them?

Omri Gazitt
Well, Gates is I would say probably tops on my list because I’ve had the pleasure of being able to interact with them at Microsoft and work with them a little bit. I think Jobs is up there for me as well. Very different person, but in particular I would say his Stanford commencement address, the 2005 speech that he gave if you only had one day to live was a huge influence on me at the time. I felt like that was one of the reasons why I left Microsoft was to stay hungry and stay foolish, as he said in that speech.

Brett
Wow, that would have made Steve Jobs happy. His speech was able to convince you to quit Microsoft?

Omri Gazitt
Yeah, Microsoft was like a warm bath, I realized, and it’s easy to stay in. But at some point it probably helped that I was about to turn 40 back when I left around 2011. But I asked myself, do I want to die here? And the answer was clearly no. So it was time to go do something different and jump in the deep end of the pool again.

 
Brett
That’s awesome. What about books? Is there a specific book that’s had a major impact on you as a founder? And this can be a business book or it can be a personal book that just influenced how you view the world?

Omri Gazitt
Well, I’ll go with a theme and I read the biography, the Walter Isaacson biography of Jobs, and I think at the time certainly helped me cement that conviction that I needed to leave. Lots of business books that I think are really good. Clay Christensen’s book on disruptive innovation was kind of required reading, I would say, while I was at Microsoft and certainly afterwards, just to kind of understand the dynamics of why startups can actually beat larger companies. I think without having a framework like that, you kind of have to be insane to leave a large company to start a new company and think that you have a chance in heck of actually making it. But with kind of this notion of disruptive innovation, I think the dynamics of that make a lot more sense. The Lean Startup, Eric Ries, I would say back when I left Microsoft again, that was a pretty influential book on how to kind of reduce the time from when you start to when you actually derisk some of the biggest risks that you face.

Omri Gazitt
Some of those risks are maybe can I build it? But most of those risks are about will anybody buy it? And that, I think, made a huge difference too.

Brett
Yeah, those are some great call outs. This show is brought to you by Frontlines Media Podcast production studio that helps B2B founders launch, manage and grow their own podcast. Now, if you’re a founder, you may be thinking, I don’t have time to host a podcast. I’ve got a company to build. Well, that’s exactly what we built our service to do. You show up and host and we handle literally everything else. To set up a call to discuss launching your own podcast, visit frontlines. IO podcast. Now back to today’s episode. Now let’s switch gears here and let’s talk about Aserto and dig a bit deeper. So can you just take us back and tell us about the origin story behind the company?

Omri Gazitt
Yeah, we can go back about 15 years when I started working on what became Azure Active Directory. I was the general manager for that, what was the Azure Access Control Service. And at the time, we basically had kind of two directories in the world, LDAP, which was the Linux directory, and then Microsoft’s Active Directory. Active Directory had like 90 or 95% market share and it was like the linchpin of the Windows Server franchise. But at the same time we realized all the new apps were going to be written, the SaaS apps. That was pretty clear even in 2007, 2008. And so they needed to be able to log in and they also needed to figure out what the user could do. So authentication, authorization, were going to have to move to the cloud because there’s no operating system asked. And so my team ended up working alongside the rest of the industry on all sorts of standards like OAuth 2 and OpenID Connect and SAML and JWT.

Omri Gazitt
And ten or 15 years later, now no one thinks twice about authentication, right? It’s like a solved problem. You basically have Okta if you want to do single sign on on the web, or Auth0 or many other providers of developer tools for building authentication. But the downstream process, authorization, is a problem that is far from solved. Authorization is, now that you’re logged in, what can you do with my tool? And that hasn’t really moved forward at all. And so my co-founder and I worked together at Microsoft on that Azure Active Directory project and in a lot of other companies like HP and Puppet. And in 2020 we kind of asked ourselves what’s still hard to do as a developer? And we immediately went back to that problem for authorization. So we felt like that was just as important and we could spend the next 5, 10 years just working on that. So that’s how Aserto was born.

 
Brett
And why do you think the authorization problem has not been solved yet?

Omri Gazitt
Well, first of all, I would say it’s a more domain specific problem. So while authentication, there’s basically only so many ways of doing it. You may have IDs and passwords, or single sign on or magic links or other passwordless, two factor, but the protocols underneath are all mostly the same. But authorization is domain specific. So if you have a candidate tracking system, you want to be able to define a set of roles and permissions that are specific to that application. And the application has different types of objects, like a candidate tracking system may have an applicant and a role or a job. And so you want to be able to allocate permissions for particular people or groups on particular object types in the system. And so there aren’t really any standards for that. And we’re just at the beginning of the process where we start as an industry making off the shelf solutions available to that problem.

Omri Gazitt
So far there haven’t been any. So everybody’s had to build it and reinvent the wheel. But as an industry, we’re kind of in a constant move towards taking all this undifferentiated heavy lifting off of developers’ hands and creating these developer services that make it easy to do it. And so authorization is one of those areas.

Brett
And I was reading on your website about the principles of Authorization. Could you talk us through some of those?

Omri Gazitt
Yeah, so we coined that phrase. We have a set of patterns and principles that we’ve observed from a lot of people who have solved the authorization problem publicly. If you look at Google, they wrote a paper called Zanzibar. Intuit has a system called AuthZ. Carta has one. Airbnb. Netflix. They all kind of wrote publicly about how they did things. And there are really five patterns that we think are super important. One is building authorization as a distributed system, as a separate microservice, and with a distributed systems architecture, because authorization has to be done locally, right next to the application. You don’t want to have to call a web API that’s sitting 100 milliseconds away from your application because authorization is in the critical path of every application request. So that authorizer has to run locally. But you want to manage all of the artifacts used for authorization, like users and resources and relationships and policies, you want to manage all those centrally.

Omri Gazitt
So you need a distributed systems architecture. That’s also one of the reasons why Authorization is much harder to do and why it hasn’t been solved. You also want to kind of move from coarse grained roles to fine grained permissions. So it’s not enough to say that I’m a viewer on this tenant, I may want to be a viewer on this particular folder or this particular document. I want to be able to assign the lowest level of permissions that I can and no more than that. That’s what we call the principle of least privilege in the security circles. You also want to be able to extract Authorization logic out of the application and store it and version it separately as code. So if you look at the Open Policy Agent Project out of the Cloud Native Computing Foundation, that’s kind of our latest, best kind of way of doing that as an open source project.

Omri Gazitt
And we’re heavy users of OPA, and you also want to be able to perform authorization in real time. So there’s an anti-pattern in the world where you basically have the permissions associated with a user baked into an access token that’s minted by the authentication system. And it’s usually good for hours or days, but that’s a terrible practice because you may have wanted to revoke those permissions, but you can’t until that token expires. And so that’s a very insecure method of authentication. And we’re moving to a much more of a fine grained authorization model where you make a call to an authorizer with a user context and the resource context and get an answer in real time whether this user Brett has the viewer permission on this document.

Brett
And could you talk to us about adoption and traction and just any numbers that you can share. 

 
Omri Gazitt
So I would say we don’t share numbers, but we have many customers in production right now. And I would say there are two categories of organizations that find us valuable. The first is B2B SaaS vendors that want to move from a coarse grained authentication model like the one that I was talking about, to a fine grained authorization model. So basically typically their customers come in and say, hey, you have an admin role and that’s no good for me because I have 100 widgets and 50 of them are owned by this department, 25 by this department, and then I have 17 other departments that own the rest, right? And so I don’t want one super admin on everything, I want an admin only on those things that are kind of like scoped to that department. And so that vendor looks at that requirement and goes, okay, well we could go rebuild our authorization system or maybe we could look around and see what’s available and that’s when they find us and they realize, yeah, I don’t want to have to go build and rebuild this all myself.

Omri Gazitt
Every time I have a new requirement, I want to actually go use something that helps me do all the heavy lifting. The other category I would say is enterprises that want to create a common authorization control plane for a number of their internal applications. So they basically have a constant set of users and groups and they just want to be able to assign permissions and roles to these users across a number of applications that they build in a common way. And today every application kind of builds their own permissions, their own RBAC model and so it’s impossible for them to manage that. It’s like a combinatoric problem, right? So they have N users and N applications and they have to manage the cross product of those entitlements which is just like manning, it’s like an enormous management burden for them and so they want to simplify that and have a single place where they manage all those entitlements.

Omri Gazitt
And those are the two scenarios that customers most commonly bring Aserto in for.

 
Brett
And then does it feel like you’ve reached product Market Fit yet? Or how far away do you think you are from reaching Product Market Fit? Or how would you just describe the general state of product market Fit today?

Omri Gazitt
Yeah, I would say we’re not quite there. We have a lot of good early indications that the problem that we are solving resonates and resonates strongly. But for product market fit, like the way I think it’s traditionally defined, you really want there to be strong pull from the market on your solution. And that is typically a function of awareness and how mature your category is, and our category, or subcategory, is still quite immature. I would say there’s a growing set of vendors, I would say we’ve gone from zero when we first started to about ten companies that are doing roughly what we’re doing, which is a blessing and a curse. The blessing part of it is that more and more people now know that there is a solution that they can kind of bring in as opposed to have to build it all themselves. And the minus is that there is a lot of noise, and so none of the vendors in this category have achieved product market fit, we’re all working to get there.

Omri Gazitt
And the irony is at some level we want to kind of jointly create a category because that floats a lot of boats. On the other hand, software is typically a winner takes most type of endeavor. And so out of the ten or twelve companies that exist, probably one or two or three will remain. Typically there’s more than one, but three-ish will become huge companies.

Brett
And what’s the subcategory called or what’s the category term?

Omri Gazitt
So I would say IAM, or Identity and Access Management, is the broad category, and IAM has existed forever, right, like I would say since the 80s. But IAM has kind of had a lot of disruption to it. So first the move from software to SaaS, that’s an obvious one. So the notion of customer identity management, so what’s called CIAM, which is what Auth0 is, that’s kind of a category that’s only been, let’s call it ten years old, right? And I would call ours, it doesn’t even have a name yet, but I would call it Cloud Native Authorization. Most vendors kind of use that term, Cloud Native Authorization. And so that’s a brand new nascent subcategory, so to speak. And it’s going to displace a lot of the existing ways of doing authorization, which kind of are old tooth at this point.

Brett
And what are you doing in terms of collaboration or what are you doing, if anything, I should say in terms of collaboration with competitors to try to further that agenda around the need for this new market category and getting clear on what that definition would be and trying to define what some of that criteria would be for what a platform should look like.

Omri Gazitt
Yeah, it’s a fascinating question and I’d say probably not enough. But one question we always ask ourselves is where does our audience, where do our users, where do the buyers hang out and can we actually go and talk to them? Where do they hang out, what conferences we go to, what groups are they part of, and things like that. So I would say we’re starting to see more and more of these companies in the same conferences and talking about authorization as an unsolved problem. And Cloud Native Authorization, the thing that there’s a conference that we’re doing in Europe called EIC, where we actually have another authorization company that is joining us and we’re going to do a panel together and we’ll see if we can invite more people. Another good example is the Cloud Native Computing Foundation, the same organization that’s behind Kubernetes and other cloud native projects like Open Policy Agent.

Omri Gazitt
They are a pretty good place where some of these companies can start interacting. And so the irony here is you want to find the right balance between commonality and standards and then differentiation. So I’m old enough to go back to the days of databases, pre-SQL and pre-ODBC. This was back in the late eighties and you had the database category, but it didn’t really take off until you had a common language, SQL, ANSI, like SQL 92 I think it was called, that basically standardized a lot of the language elements. And then you had this standard set of interfaces called Open Database Connectivity that really kind of took that problem of connecting data applications with M like databases and transforming that into just like you just have to write to a single interface, ODBC, using one language, SQL. And so that’s a long way of saying there’s huge value to standards and they end up floating a lot of boats.

Omri Gazitt
You don’t want to kind of go in too early because kind of pre-standardizing things before you actually have some market pull is dangerous. But for this to really grow as a category that’s as big or bigger than the SSO category that Okta dominates today, and I truly believe it can be as big or bigger a category, we’ll have to go create some standards and then compete within those standard frameworks.

Brett
Fascinating, that makes a lot of sense. Now, I’m sure you’ve experienced a couple of challenges as you’ve brought this product to market, but if you had to pick one that you experienced and overcame, what would that be and how’d you overcome it?

Omri Gazitt
Well, I would say the biggest problem is not necessarily the tech, it’s always how are you going to take it to market, who is the user, who’s the buyer, who are the people that are going to have the biggest pain, what types of problems they have? How do you find those people or how do you help them find you at the exact moment that they have the problem and how do you convince them that you can help them? Starting that from zero is really difficult, especially if you’ve never kind of worked in a zero to one type of environment. Working in a big company like Microsoft, there’s so much awareness of what Microsoft does and new things and there’s so many channels that are already established. Oftentimes bringing something new to market involves how do you actually make it work within the company’s existing channels to market, whereas as a startup you just have to build that from zero.

Omri Gazitt
And I would say that’s just as hard, if not harder to do than actually building product.

Brett
And last question here for you. Let’s zoom out three years from today, what does Aserto look like?

Omri Gazitt
So our vision is to basically be the enterprise control plane for authorization in the age of SaaS and Cloud. And so that means transforming that N times N problem to an N plus N problem, like allowing these companies to have a single place where they can manage permissions and roles across all of their users and all their applications. So I don’t know if that’s three years or five years, probably more like the latter than the former, but in three years, I definitely want to be well on our way there where no one is confused about authorization as something that they have to go build on their own. In fact, they don’t want to because that means that their application is going to be a snowflake. And between SaaS companies and buyers of SaaS, they all know that they want to converge on the standard way of building authorization and that we’re the leading, if not one of the top two or three leading companies to be able to get them there.

Brett
Wow, super exciting. I’d love to keep you on and ask you another 50 questions here, but unfortunately we are up on time, so we’re going to have to wrap before we do wrap up. If people want to follow along with your journey as you continue to build, where’s the best place for them to go?

Omri Gazitt
Yeah, our website is aserto.com. I’m omri at aserto.com. And I’m omrig, O-M-R-I-G, on Twitter. We’re aserto.com on Twitter as well, so that’s a great place to follow us.

Brett
Amazing. Omri, thanks so much for taking the time to share your story and talk about what you’re building. This is all super exciting and hope to have you back on in three to five years to talk about all the success you’ve had.

Omri Gazitt
Thanks so much, Brett. Much appreciated.

Brett
All right, keep in touch. Our channel. 

 
