Implementing least privilege access in modern-day enterprise stacks

To combat increasing identity-based attacks, Coveo, a market-leading AI-powered relevance platform, has chosen StrongDM, the Dynamic Access Management Platform, to provide its teams enhanced efficiency by removing the stress and workload in requesting temporary access.

As Coveo scaled its stack to include new regions, services, and teams, the complexity to secure and audit access increased exponentially. With more data that is owned by more teams, stored in more places, and accessed by more people, Coveo’s Security team had to design an access control strategy that balanced the following requirements:

  • Automates lifecycle management: eliminate any manual steps to ensure exceptions do not emerge as new resources or staff are onboarded.
  • Zero standing privileges: all access to sensitive resources must be requested and approved just-in-time so that no permanent privileges are granted.
  • Complete coverage: enforced across Coveo’s entire stack without exception.
  • Ease-of-use: do not disrupt workflow for developers, IAM or Security teams.

To accomplish that, Coveo’s Security team had to automate the lifecycle management for staff and resources so that:

  • Any time a new hire is onboarded, changes roles or leaves the company, their permissions are automatically updated.
  • Any time a new resource like a database or server is provisioned, the right permissions are created and inherited by the right roles.

Coveo designed an onboarding process for new hires called Coveo 90. This process assigns tasks and trainings to ensure that new hires ramp up successfully during their first 90 days. When tasks and trainings are completed, the process triggers automation to approve access to the appropriate systems.

This is accomplished by a centralized YAML file that defines:

  • Teams
  • Access levels in a team
  • The targeted environment
  • Requirements for that access level in that team in that environment
  • Available temporary privileges for members of that team / access level when requirements are met

Based on the level of risk associated with each resource, the YAML file defines which requirements must be completed in order to request and receive access.

For example, the development environment is one where Coveo does not enforce strict requirements, to allow quick frictionless innovation. However, the production environment includes requirements like background check, supervisor approval, training and policy acknowledgement.

Doing that required an integration with Coveo’s learning management system (LMS).

After completing a training, the access management system picks it up and unlocks new resources that the employee can request access to.

In order to enforce zero standing privileges, Coveo’s Security team needed to redefine its approach to access controls. Previously, the process followed two paths:

  • A manager opened an IT request for an access management specialist to add the new hire to a given group.
  • An IT person cloned the groups of one of the new hire’s colleagues.

Both approaches risked creating frustrating delays and privilege creep over time.

Instead, Coveo adopted a new approach: Attribute-Based Access Control (ABAC).

To adopt ABAC, Coveo had to first define:

  1. An access matrix of appropriate rights per resource
  2. Requirements that must be met in order to request access per resource
  3. Integration with the learning management systems (LMS)

Once those were in place, the next step in order to assign those rights was to deploy a cloud-native privilege access management solution – StrongDM.

StrongDM’s protocol-aware proxy allows Coveo staff to authenticate to any database, server, Kubernetes cluster or website using their identity instead of sharing a credential, key or certificate.

Once training modules are complete, Python code using StrongDM’s Python SDK is triggered to enable the appropriate access for the new hire by using rules.

Inside its AWS accounts, Coveo R&D has tag policies that tell engineers to set specific tags with a given set of allowed values.

When code registers a resource in StrongDM, the code assigns those tags.

Once tags are in place, rules can be authored like “a platform team engineer with the production_administrator access level can request an ssh access to instances of the prod environment where the instance team tag value matches platform, if all the requirements are met”.

The output is a catalog of requestable resources, personalized for each employee, based on where they are in their Coveo journey and what their manager allows.
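As an added example (not Coveo’s or StrongDM’s code), the following Python evaluates an access matrix shaped like the centralized YAML file described above (team, access level, environment, requirements, unlocked privileges) against tagged resources, producing the personalized catalog of requestable resources. The policy, resources, tag keys (`env`, `team`) and requirement names are constructed assumptions, and the StrongDM SDK call that would act on the result is left out.

```python
from dataclasses import dataclass, field

# Mirrors the centralized YAML file the article describes (team -> access level ->
# environment -> requirements -> privileges). Constructed sample; names are assumptions.
POLICY = {
    "platform": {
        "production_administrator": {
            "dev":  {"requirements": [], "privileges": ["ssh"]},
            "prod": {"requirements": ["background_check", "supervisor_approval",
                                      "training", "policy_ack"],
                     "privileges": ["ssh"]},
        },
    },
}

@dataclass
class Employee:
    team: str
    access_level: str
    completed: set = field(default_factory=set)  # requirements already satisfied

@dataclass
class Resource:
    name: str
    protocol: str   # "ssh", "postgres", "kubernetes", ...
    tags: dict      # tags copied from AWS when the resource was registered

# Constructed inventory; the "env" and "team" tag keys are assumptions.
RESOURCES = [
    Resource("dev-web-1",    "ssh",      {"env": "dev",  "team": "platform"}),
    Resource("prod-web-1",   "ssh",      {"env": "prod", "team": "platform"}),
    Resource("prod-db-1",    "postgres", {"env": "prod", "team": "platform"}),
    Resource("prod-index-1", "ssh",      {"env": "prod", "team": "search"}),
]

def requestable(emp, resources):
    """Personalized catalog: (resource, privilege) pairs the employee may request now."""
    levels = POLICY.get(emp.team, {}).get(emp.access_level, {})
    catalog = []
    for res in resources:
        rule = levels.get(res.tags.get("env"))
        if rule is None:                      # no policy row for this environment
            continue
        if res.tags.get("team") != emp.team:  # ABAC: resource team tag must match
            continue
        if not set(rule["requirements"]) <= emp.completed:  # unmet LMS/HR requirements
            continue
        if res.protocol in rule["privileges"]:
            catalog.append((res.name, res.protocol))
    return catalog
```

A new hire with only a background check sees the dev instance; once every production requirement is recorded, the production instance of their own team appears, while the database (no matching privilege) and the other team’s instance stay hidden.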

In this UI, the employee can request access to a resource, define how long the grant should last, and input a reason for the request.

After the request is validated against the matrix and other systems, the access management system grants the access using the StrongDM SDK. The employee can fix the issue without waiting for a long approval process or paging another colleague or manager.

When the temporary privilege is granted, if the privilege is for a sensitive resource the request creates an incident in Jira, on a board Coveo’s compliance team can review.

The next morning, the compliance team can review:

  • The request reason
  • Linked issues
  • Session recordings in StrongDM
  • The engineer’s next steps

To be effective, Coveo had to ensure that the access management solution they deployed:

  • Integrates with all upstream and downstream systems like the SSO, LMS, ticketing tool, etc…
  • Supports every protocol in Coveo’s stack, including all database management systems, Kubernetes, and Linux servers
  • Does not require changes to developers’ workflow, tooling or automation

When evaluating vendors, only StrongDM fulfilled all three requirements.

If security teams make the process to request access too painful or slow, developers will find a way to bypass controls. During the vendor evaluation process, Coveo prioritized developer testing to validate that StrongDM supported developers’ preferred tooling, automation and processes.

The feedback was very positive and helped cement StrongDM as the vendor of choice.

With the new processes in place, Coveo can successfully manage access in an easy and scalable way, checking off critical requirements while also being easy for core teams and stakeholders to use.
