Inside Scoop with Ramp's Head of Security Assurance


What started as a search to automate compliance initiatives quickly turned into a much larger security win for the security and IT teams at Ramp. Paul Yoo, the Head of Security Assurance at Ramp, sat down with us to give his honest feedback about Ramp’s journey in finding ConductorOne and how it has helped their company exceed their security and compliance goals.

The Beginning of Ramp’s Journey

Ramp is a finance automation company whose mission is to save businesses time and money. From their easy-to-use corporate card to their newer fast-growing products like Bill Pay and Flex, customers are now able to take control of their spending and maximize profitability through Ramp’s software and services. Currently, more than 12,000 businesses trust Ramp with their corporate spending and their critical financial workflows.

Paul’s team is responsible for projects related to security compliance, specifically the protection of all employee and customer data. These initiatives are a top priority as they demonstrate to Ramp’s customers and partners that the company has the right controls and processes in place to minimize the risk of a security incident. They realized how much manual time and effort was spent on access controls across hundreds of accounts and applications; their team lacked centralized visibility for access. Paul knew they needed to find a solution to help him and his team secure, manage, and audit access throughout the entire company.

Importance of Access Governance and Identity Security to Ramp

Ramp’s customers trust them with some of their most confidential data, such as bank accounts and other personal information, and maintaining that trust is one of their top priorities. “By achieving compliance, we can demonstrate to our customers that we are willing and we want to partner with our customers to secure their most sensitive data,” said Paul. Meeting compliance requirements, from SOC 2 to ISO and PCI, is necessary throughout each year, and user access reviews are a standard access control that Paul’s team completes each quarter.

Completing these crucial steps to ensure the security of Ramp’s most sensitive data takes, on average, about 50 to 60 hours of manual touch points every quarter: reaching out to system owners, collecting user listings, putting it all into a Google Sheet, and sending it out again. Manual access controls and the lack of centralized visibility into existing users and permissions required more time and effort from the security team to ensure there was no over-privilege. These tedious steps led their team to look for a tool to help govern access to the systems that hold the most confidential data.

Automating User Access Reviews with ConductorOne

In Ramp’s search for an access management solution, they stumbled across ConductorOne.

“We found that as we’re working with ConductorOne, they were really great partners who are willing to collaborate with us and help us build the right solution to meet our needs, and really help us solve some of our most difficult challenges when it comes to access management across the company,” said Paul.

With ConductorOne, Ramp is now able to run fully automated user access review campaigns, saving thousands of hours per year for the security team, IT team, and application owners. Plus, Ramp now has one platform with centralized visibility for all access controls, which greatly decreases the attack surface and the risk of security breaches and other malicious activities. This “has been a huge security and also an IT win for us,” said Paul.

Shifting Left with Just-In-Time Access Requests

Ramp has also used ConductorOne’s system to automate their access requests. Now able to control and monitor how users are granted access, Ramp can get to the root of their security and compliance issues. “Where user access reviews give us a retroactive look, controlling access requests really helps to shift left and get ahead of the problem, and really control how access is granted and our overall access strategy here at Ramp,” said Paul.

Through partnering with ConductorOne, Ramp has decreased their time and effort spent on campaigns and IT ticketing by 95% by automating their access reviews and access request processes. They have seamlessly integrated their most critical infrastructure with the application, including Ramp’s own software, and can control access from one centralized platform.

Ramp started their journey by looking for a tool to automate and meet compliance requirements, but it turned into so much more. With ConductorOne, they are not only able to run fully automated user access reviews and requests, but also now have a central platform with increased overall visibility to further security and compliance.