Aembit raises $16.6 million to bring identity management to workloads
Aembit, a Maryland-based security startup focused on helping DevOps and security teams manage how federated workloads communicate with each other, officially launches its service today, announcing a $16.6 million seed funding round from Ballistic Ventures and Ten Eleven Ventures.
Essentially, Aembit’s workload identity and access management service applies industry expertise from managing user and device access to cloud workloads such as APIs, databases and other cloud resources – all without developers having to make changes to their code.

The co-founders, David Goldschlag and Kevin Sapp, have worked together for the past 17 years. Among other things, they co-founded the zero trust platform New Edge Labs, which was acquired by Netskope, and the mobile device management platform Trust Digital, which was acquired by McAfee.
“Meanwhile, people were always asking us, what about application-level access from workload to workload? It’s always been this thing that’s there and that’s important, but we hadn’t addressed it,” explains Goldschlag. When the founders left Netskope in the summer of 2021, they finally decided to take on this challenge. “It was important because all these things happened in the ecosystem, right? You had all these APIs becoming part of people’s applications,” he noted. “If you think about open source a few years ago, people were building apps by adding open source. Today, people build apps by including databases and APIs – and now you need to enable secure access between them.”

Aembit co-founders David Goldschlag (l) and Kevin Sapp (r). Image Credits: Aembit
He noted that Aembit’s mission is different from that of API gateways and security services. Those services sit in front of the API and help developers build APIs securely and make them available to internal and external developers. Aembit’s focus, by contrast, is on the customer accessing the API and on making sure that customer is authorized to access it. He compared it to how today’s identity management systems help companies authorize their users. For example, when a user uses Okta to sign in to Microsoft 365, that user communicates with Okta and then gets the credential to access the service.
To do all this, Aembit also needs to become the registrar not only for all these workload identities, but for the workloads themselves (and these days those workloads are often ephemeral, making this an even more difficult problem).

“You want to start with the basic level, which is that you have identities and policies. You give access and log this. But you probably want to discover more and more workloads from all these fragmented places – and then you might want to discover access patterns,” Goldschlag explains. tell us what accesses are taking place.”
Using this as a roadmap then makes it much easier to see how these workloads typically interact – and to take action when something changes.
“Companies have spent significant resources securing the connections between people and the software they use. However, as companies move to the cloud, a new and rapidly expanding attack surface has emerged,” said Jake Seid, co-founder and general partner of Ballistic Ventures. “The loopholes of workload-to-workload connections that arise when software communicates with other software need to be identified, secured and managed. Aembit defines this new category of Workload IAM to protect enterprises’ most critical digital assets. It was an honor to work with the Aembit founders since day 1 and to continue to support them on their journey.”
Aembit currently has 11 full-time employees, almost all of them in engineering. With the new funding, the company plans to expand its marketing team and build out its product. In particular, Aembit, which is doing well in sales to large enterprises, plans to launch a self-service product soon, which will allow it to expand to more small and medium-sized businesses as well.