Customer Story
How Ramp implemented least privilege access
Challenges
- Lack of centralized visibility into who has access to 200+ resources and applications
- 60 hours spent manually collecting data and completing user access reviews every quarter
- Hundreds of access requests every month for IT
Results
- Automated quarterly user access review campaigns for SOC 2, ISO 27001, and PCI DSS
- 95% reduction in IT effort required to process access request tickets
- One place to view and audit access continuously across Ramp’s systems and enforce least privilege access controls
Building the new standard in fintech
Ramp is a finance automation company whose mission is to help businesses save time and money. From their easy-to-use corporate card to newer, fast-growing products like Bill Pay and Flex, customers use Ramp’s software and services to take control of their spending and maximize profitability.
Since launching its first product in 2020, Ramp has seen remarkable growth: it reached a $100 million annualized revenue before its third birthday, saved its customers $300 million to date, and doubled its workforce last year. Today, more than 12,000 businesses trust Ramp with their corporate spending and business critical workflows.
Securing sensitive data and ensuring compliance
Paul Yoo leads Ramp’s Security Assurance program and his team is responsible for protecting employee and customer data. “One of our biggest focus areas is data and access governance, or how we’re using data and managing overall access to the data we collect,” says Paul.
Customers trust Ramp with their confidential data and maintaining that trust is paramount to Ramp’s success. “Different systems hold different types of data and in turn require different ways to secure access. Not everything works the same – you can’t apply the same solution everywhere.” Manual access controls and the lack of centralized visibility into existing users and permissions meant more time and effort for the security team to ensure there was no over-privilege.
Paul’s team is also responsible for all projects related to security compliance. Compliance initiatives are a top priority because they demonstrate to Ramp’s customers and partners that the company has the right controls and processes in place to minimize the risk of a security incident.
For Paul, the key was finding a solution to help his team secure, manage, and audit access across hundreds of resources and applications.
The search for an extensible solution
In the search for a better way to govern access, Paul and his team evaluated several solutions. They were looking for:
- Interoperability with Ramp’s IdP and gated SCIM applications;
- Integrations with SAML applications that may not be gated behind their IdP; and
- The ability to integrate with, and provide visibility into users, roles, and permissions for, systems that live outside of their IdP entirely.
They discovered that ConductorOne was the vendor that could support all three requirements. In the end, Ramp chose ConductorOne. “I found ConductorOne to be the most willing to partner with us, to understand what we wanted to solve for, and to help get us where we need to be,” said Paul.
With audits for SOC 2, ISO, and PCI top of mind, Paul and his team immediately set out to implement ConductorOne for user access reviews, just in time provisioning, and access requests for the broader organization.
A successful implementation
“The onboarding process was smooth. We were able to get our systems integrated within three weeks thanks to great documentation,” Paul shares. “Two of our biggest wins were implementing access controls for AWS and GitHub, our engineering systems that hold critical information. Getting our own Ramp application integrated – which is used by our customers and by us internally – was a big win, too.”
Previously, Paul estimates that it would take between 40 and 50 hours to manually collect the data needed for every user access review campaign and for reviewers to complete their assigned tasks. “It’s a massive effort.” With ConductorOne, Paul can launch reviews within a few hours.
“Another huge win for me is the overall visibility. It’s so helpful to have one place to check access across hundreds of systems,” Paul expresses. “I don’t have to log into ten different places to figure out who has access to what – I can just go to ConductorOne.”
Paul credits much of the success so far to great communication and partnership. “My favorite thing about ConductorOne is the willingness of the team to help fix any blockers or challenges that we might run into.” He adds, “The team cares about our success and how we’re using the product.”
Beyond access governance: Least privilege in practice
As Paul and his team explored access governance solutions, they were also looking ahead to how they could better enable the company to adhere to the principles of least privilege.
“We want to make sure that we give users only the access they need and to find a solution that could help us get to where we need to be – which is having least privilege wherever we can.” Paul adds, “The fewer people who have access to customer data and the less time they have to access that data, the more that our customers can trust that their data is secure.”
The team also needed a solution that can keep up with the rapid growth the company was experiencing. Paul says, “There’s a lot of manual effort where the IT team has to take in hundreds of tickets requesting access to our different systems that aren’t all managed from our IdP.” In addition to the IT overhead, “there’s also the security issue of: How are people actually getting access? Who has access to these systems? And should they even have access in the first place?”
Just in time access is a key component of implementing least privilege at Ramp. Paul explains, “For critical infrastructure systems like AWS, our engineers don’t necessarily need standing access. We want to grant access only for the set period they need for their role.”
“Let’s say someone requests access to an AWS group; a reviewer may not know exactly what permissions that group has. We also want to give the approver more context on the level of access that’s being requested.” This level of detail helps end users make more informed decisions on whether an access request is appropriate or not.
Using ConductorOne, Ramp’s employees can easily request access from the web dashboard or via Slack and it is automatically routed to the appropriate approver. “Our IT team can build in other areas because they don’t have to focus so much on answering access request tickets day after day.” Paul adds, “We’re able to minimize the number of users with access to critical systems at a given time. That’s a big security win for us across the board.”
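The just in time flow described above (a request for an AWS group, the permissions behind that group surfaced to the approver, routing to the right approver, and a grant that expires on its own) can be sketched as a small model. This is an added example written for this page, not Ramp’s or ConductorOne’s code; the group names, permission lists, approver routes and the eight-hour cap are constructed placeholders, not values from Ramp’s environment.

```python
"""Minimal just-in-time access model: request -> approver context -> time-bound grant -> expiry.

Added illustration only; not the product's implementation. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: what each group actually grants. Expanding this for the
# approver is the "more context on the level of access" point in the text.
GROUP_PERMISSIONS = {
    "aws-prod-readonly": ["s3:GetObject", "cloudwatch:GetMetricData"],
    "aws-prod-admin": ["iam:*", "s3:*", "ec2:*"],
}
# Constructed routing: who must approve each group.
GROUP_APPROVERS = {
    "aws-prod-readonly": "sre-oncall",
    "aws-prod-admin": "security-team",
}
# Hypothetical policy cap: no grant may outlive this window.
MAX_GRANT = timedelta(hours=8)


@dataclass
class AccessRequest:
    user: str
    group: str
    duration: timedelta
    justification: str


@dataclass
class Grant:
    user: str
    group: str
    expires_at: datetime


def request_context(req: AccessRequest) -> dict:
    """What the approver should see before deciding: the concrete permissions
    behind the group, who is expected to approve, and the requested window."""
    if req.group not in GROUP_PERMISSIONS:
        raise KeyError(f"unknown group {req.group!r}")
    return {
        "user": req.user,
        "group": req.group,
        "permissions": list(GROUP_PERMISSIONS[req.group]),
        "approver": GROUP_APPROVERS[req.group],
        "duration_hours": req.duration.total_seconds() / 3600,
        "justification": req.justification,
    }


class JITAccessStore:
    """Tracks time-bound grants; nothing here is standing access."""

    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def approve(self, req: AccessRequest, approver: str, now: datetime) -> Grant:
        """Record a grant only if the right party approved and a reason was given.
        The requested duration is clamped to MAX_GRANT."""
        if not req.justification.strip():
            raise ValueError("a justification is required")
        if approver != GROUP_APPROVERS.get(req.group):
            raise PermissionError(f"{approver!r} is not the approver for {req.group!r}")
        window = min(req.duration, MAX_GRANT)
        grant = Grant(req.user, req.group, now + window)
        self.grants.append(grant)
        return grant

    def has_access(self, user: str, group: str, now: datetime) -> bool:
        """An unexpired grant is the only way to hold access."""
        return any(
            g.user == user and g.group == group and g.expires_at > now
            for g in self.grants
        )

    def revoke_expired(self, now: datetime) -> list[Grant]:
        """Drop grants whose window has closed; returns them for audit logging."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        return expired

    def active_users(self, group: str, now: datetime) -> set[str]:
        """Who currently holds the group: the number the text wants kept small."""
        return {g.user for g in self.grants if g.group == group and g.expires_at > now}


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = JITAccessStore()
    req = AccessRequest("alice", "aws-prod-admin", timedelta(hours=2), "incident follow-up")
    print(request_context(req))
    store.approve(req, "security-team", now=t0)
    print(store.active_users("aws-prod-admin", t0 + timedelta(hours=1)))
    print(store.revoke_expired(t0 + timedelta(hours=3)))
```

The two checks a reviewer would actually rely on are in `request_context` (the group is expanded into its permissions so the approver is not guessing) and in `approve` (the wrong approver is rejected and the window is capped), while `revoke_expired` is what a scheduled job would call to turn "granted for a set period" into a real revocation rather than a note in a ticket.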
“We’re able to minimize the number of users with access to critical systems at a given time. That’s a big security win for us across the board.”
Paul Yoo
Head of Security Assurance
With ConductorOne managing access to SaaS and homegrown applications, Ramp’s workforce can access the resources they need to do their jobs for no longer than they need them. This means that Paul and his team can scale identity and access controls as the company grows, protect their customers’ data, and preserve their trust. “ConductorOne is focused on making us successful and providing results at a clip that matches the velocity that Ramp is moving – which is pretty quick.”
For Paul, ConductorOne has helped Ramp grow more securely by making least privilege and automated access controls a reality. “It’s extremely important, no matter what size company you are. Because the earlier you think about it, the earlier you can get ahead of securing the data that sits behind those access controls.”
About
Ramp is building the next generation of finance tools – from corporate cards and expense management, to bill payments and accounting integrations – designed to save businesses time and money with every click. Businesses are spending an average of 3.5% less and closing their books 8x faster by switching to Ramp's finance automation platform.
For more information, visit www.ramp.com.
Industries
- Technology
- Fintech
- SaaS
Company Size
250-500 employees
Headquarters
New York, NY