In a recent interview with SafetyDetectives, Rom Carmel, Co-Founder and CEO of Apono, shares his journey from the Israeli Intelligence Corps to leading a cutting-edge cybersecurity startup. Rom discusses the challenges he observed in managing cloud access and permissions, which led to the creation of Apono. He highlights how Apono differentiates itself in the crowded cybersecurity market through its Just-In-Time Access Management platform, which offers more efficient and secure access to cloud resources. Rom also addresses the evolving threats to cloud infrastructures, the complexities of integrating AI-driven solutions into cybersecurity frameworks, and the future trends in cloud access management. Throughout the conversation, he emphasizes the critical role of automation, AI, and dynamic access policies in enhancing security and compliance in today’s complex cloud environments.
Can you tell us about your journey in the cybersecurity industry and what led you to co-found Apono?
My journey in the cybersecurity industry began with my early role in the Israeli Intelligence Corps, where I served as a Security R&D Course Instructor and later as a Security Software Engineer for the Israel Defense Forces (IDF). These experiences provided me with a solid foundation in cybersecurity and exposed me to the complexities of securing sensitive information. Following my time in the IDF, I joined the Cyber Division at the Israel Prime Minister’s Office, where I held various roles, including Security Researcher, Security R&D Team Lead, and Security R&D Course Director. These positions allowed me to delve deeper into advanced cybersecurity research and development, further honing my skills and understanding of the evolving threat landscape.
In 2020, I participated in the FedTech Startup Studio, where I collaborated with Oak Ridge National Lab to commercialize technology through the Tech Transfer Office. This experience, combined with my MBA studies at Tel Aviv University and the Venture Initiation Program at The Wharton School, broadened my perspective on technology innovation and entrepreneurship.
The idea for Apono emerged from a clear pain point I observed in the industry: the need for a more efficient and secure way to manage permissions and access to cloud assets and data repositories. Traditional privileged access management solutions were not keeping pace with the demands of modern businesses, especially in the context of cloud security. My co-founder, Ofir Stein, and I believe that business productivity should not come at the cost of security, nor should security come at the cost of productivity. Together, we set out to create a solution that would empower DevOps teams to provide frictionless access while maintaining robust security and compliance.
How does Apono differentiate itself in a crowded market of cybersecurity and cloud access management solutions?
Apono differentiates itself by offering just-in-time access to cloud resources, ensuring access is granted only when needed and automatically revoked afterward. Our competitors focus on managing role assignments and group membership, which forces their customers to build policy within their tools and at the Cloud IAM level. Cloud IAM policy is notoriously complicated and differs across clouds, requiring deep specialization and a ton of manual work to configure and maintain in a secure way.
With Apono, teams can provision access directly at the resource level, consolidating policy management across the entire customer environment to a single platform. This leads to faster deployment, less management overhead and far more granular control. Additionally, Apono’s patented hybrid-SaaS architecture leverages a deployed “connector” which does not store or cache sensitive information and insulates customer environments from Apono itself, drastically reducing the risk and potential impact of vendor compromise. Our focus on compliance and audit readiness, along with comprehensive logging of user activities, ensures organizations can meet regulatory standards with ease. These features collectively position Apono as a leader in secure, efficient, and compliant access management.
How has cloud access management evolved in recent years, particularly in response to the increasing complexity of cloud environments?
The rise of the global remote workforce has introduced new complexities for businesses, particularly as they increasingly adopt cloud technologies. This shift has significantly altered the way organizations approach risk management. In this evolving landscape, identity risks have become the primary cause of most data breaches, including several high-profile incidents in 2024.
Security leaders now face the challenge of managing Identity and Access Management (IAM) across multiple cloud providers while supporting business objectives that emphasize agility and rapid technology adoption. Traditional, legacy security solutions are proving inadequate for meeting these modern demands. As a result, many organizations are turning to automated solutions that enable principles of least privilege and, more specifically, just-in-time access. These advanced solutions are crucial for effectively managing cloud access needs and addressing the increased complexity of today’s security environments.
What are some emerging cybersecurity threats targeting cloud infrastructures that organizations should be aware of?
Identity risks are the starting point for most data breaches worldwide, with cloud exploits being a primary concern. Forrester found that identity and privileged access credentials now account for 61% of all data breaches. Meanwhile, IBM’s “2024 Cost of a Data Breach Report” found that 80% of breaches involve data stored in the cloud.
Organizations are taking notice of these risks and implementing changes within their networks. The Identity Defined Security Alliance’s 2024 Trends in Identity Security Report found that 41% of respondents have implemented some kind of system for granting privileged access in line with Least Privilege, while another 40% say that they are currently in the process.
That said, organizations that are in the process of implementing these changes, as well as those that have not yet begun, are still lagging behind today’s threat actors. Rolling out these new systems takes time. As organizations strive to catch up with the current threat landscape, we anticipate that identity-related attacks will remain front and center for the foreseeable future.
What challenges do organizations face when integrating AI-driven solutions into their existing cybersecurity frameworks?
Depending on the context and the stakeholders involved, each AI/ML-driven solution can impact an organization’s cybersecurity framework differently and may present unique challenges for integration. In the case of access management, one of the most significant obstacles is achieving buy-in across an organization. While security leaders often understand the critical importance of access management, other team members may be reluctant to adopt technology they perceive as a hindrance to their workflow. This challenge existed with access management even before AI/ML, and the novelty of AI/ML technology only further complicates gaining widespread acceptance within a company.
In our experience, taking a proactive approach is the best way to overcome this obstacle. While security leaders may recognize the value early on, their advocacy is crucial for achieving buy-in from management. We have found that a team-by-team approach, with grace periods for team members to learn about the technology, reduces the immediate burden and fosters confidence. In the case of Apono, once team members see how Just-in-Time Access enhances agility to access necessary materials while maintaining security across the organization, achieving buy-in becomes significantly easier.
Can you share examples of how Apono utilizes automation and AI to enhance security for its clients?
Automation is at the center of Apono’s Just-In-Time, Just-Enough Privilege Management Platform. The Apono Platform simplifies cloud access management, delivering a frictionless and automated access management experience for users.
Apono allows users to automate previously static access policies within their cloud environments and turn these policies into declarative, dynamic Access Flows. Access Flows, developed within Apono, dynamically adapt permissions based on a user’s context, providing a rapid and secure automated process for permission management across an organization. This eliminates both the risk of standing privileges and the bottlenecks caused by manual permission management. Apono also leverages AI to analyze user behavior, resource sensitivity and existing access flows to alert on anomalous or risky access requests and provide smart “right-sizing” recommendations. These features help make sure least privilege is enforced both at the policy level and in real time.
We are proud to deploy Apono’s Just-In-Time (JIT) and Just-Enough (JE) Access Management solutions within our customers’ cloud environments, delivering the automated access management solutions their organizations need.
What do you see as the next big trend in cloud access management?
The impact of cloud adoption on how organizations approach risk cannot be overstated. Today’s security leaders must manage access across complex, multi-cloud environments while maintaining the agility required to keep pace with the speed of business. Success in this new landscape requires aligning with the objectives of various departments, including security, IT, and engineering. Traditional access frameworks, like Role-Based Access Control (RBAC), struggle to keep up with the dynamic needs of modern cloud environments and engineering teams and driving the convergence of previously siloed disciplines such as Privileged Access Management
Apono’s Just-in-Time, Just-Enough Access Management is ideally suited to help organizations navigate the evolving identity landscape. By centralizing access management into a single, user-friendly platform, Apono promotes interdepartmental collaboration through its emphasis on simplicity and flexibility. As a lean startup specifically designed to tackle the modern challenges driving these changes, Apono is uniquely positioned to leverage current trends and set new standards for evaluating vendors in this space.