How DigitalOcean reduced identity security risk by automating user access reviews
Challenges
Hundreds of hours per quarter spent pulling data into spreadsheets, creating myriads of tickets, and pinging managers to approve access and permissions during user access reviews.
User access review campaigns were yielding low initial completion rates and required constant follow-ups
Needed a user access review solution that offers flexibility, automation, scalability, and security to meet compliance requirements and reduce manual toil
Results
Initial set of 1,200 access reviews across seven departments completed with 85% less effort compared to previous reviews
100% on-time employee completion rate due to an intuitive user experience for application owners and approvers
Increased productivity for the security team through automated integrations
Improved completeness & accuracy and easy auditor reporting
“ConductorOne is innovating in an area underserved by the technology industry, and solving problems a lot of teams have to do manually. That has a really big value for DigitalOcean.”
Heather Cannon
Infrastructure Security Manager at DigitalOcean
Scaling up to IPO & New Challenges
DigitalOcean is a cloud computing platform built for software developers, startups, and SMBs around the world. After its 10-year evolution from a privately owned company to IPO, DigitalOcean has grown to offer a range of services including virtual machines called Droplets, a Platform as a Service solution, Managed Kubernetes, storage, and more on a global scale.
As the company scaled, the security and governance, risk, and compliance (GRC) teams were finding that existing tools and processes were not scaling to support the needs of the business. One of these processes was enforcing least privilege through the use of periodic access reviews. Historically, the team conducted access reviews by pulling data into spreadsheets, creating myriads of tickets, and pinging managers to approve access and permissions. It was a manual process that took a fair amount of time to orchestrate a single set of reviews. When they went public in 2021, the security team at DigitalOcean wanted to find a more efficient process.
Searching for an Identity Security Platform
After spending over 15 years consulting, Tim Lisko, Director of Security Engineering at DigitalOcean, had seen a wide variety of homegrown and commercially available solutions for access governance. Heather Cannon, a member of the Security Engineering team and the Senior Manager of Infrastructure Security at DigitalOcean, had even built an in-house solution at her previous company. They were both well aware of the complexities and limitations of existing solutions, and the headache required to manage a homegrown solution in terms of maintenance and ongoing investment.
“None of the other options in the market were simple for us. ConductorOne had a vision that matched ours, they were incredibly inquisitive about our use cases, collaborative, iterative, and innovative.”
Tim Lisko
Director of Product and Infrastructure Security at DigitalOcean
While researching the market, DigitalOcean found the total cost of ownership of most solutions to be extremely high. Although the sticker price was one consideration, implementations were also very time and resource-intensive; customization and long drawn-out rollouts were the norm. Existing solutions were not cloud forward and were not built for a modern workforce. One of DigitalOcean’s core values is “Simplicity in all we do” and the Security team at DigitalOcean looked for a solution that could provide just that. The DigitalOcean team was excited to learn how ConductorOne was modernizing permission and access management.
DigitalOcean didn’t want to just automate access management processes, they also wanted to find a tool that was intuitive, user-friendly, and compatible with their existing systems. Heather envisioned a product that would take all of the manual steps out of the process: from integrating with their applications, to automatically sending reminders, to making it easy to review access–all delivered with a modern user experience and natively integrated into the collaboration tool they use the most, Slack.
“We knew that we wanted everything to be automated, we didn't want to do anything manually. That didn't exist anywhere in the market.”
Heather Cannon
Senior Manager of Infrastructure Security
Quick Implementation & a Strong Partnership
The culture of collaboration initiated by ConductorOne had a huge impact on DigitalOcean. Implementation was seamless–IT was looped in early in the process to gain access to the necessary API tokens and keys. Once the solution was live, the changes and customizations requested from DigitalOcean were instant. “The implementation process was fantastic. The speed and responsiveness of the C1 team to bugs, design pivots, or tiny improvements were impressive. The C1 team set the bar very high for what a healthy and collaborative partnership can look like.”
Tim Lisko, Director of Product and Infrastructure Security at DigitalOcean
Nik Sarosy, DigitalOcean’s Senior Trust & Governance Engineer, who had previously spent hours on manual access reviews, was impressed by the ease-of-use for both him and the system owners.
“The ease of everything is my favorite thing about ConductorOne. I discussed this with our CISO and when we talked about the user access reviews, he mentioned it looked like the easiest process. I was excited that everyone in the org was happy to use it.”
Nik Sarosy, Senior Trust and Governance Engineer
Enabling DigitalOcean to Focus on Strategic Security Initiatives
DigitalOcean rolled out ConductorOne in the first quarter of 2022 for critical access reviews related to their SOC2 and SOX controls. The trust and governance team conducted the campaign for two weeks including 1,200 reviews across seven departments and achieved a 100% reviewer completion rate. For DigitalOcean, simplified reporting made the biggest difference in his team’s productivity. Instead of compiling the results of hundreds of tickets for DigitalOcean’s auditors, their team now generates a single report in ConductorOne. By using ConductorOne’s real-time application integrations, DigitalOcean has also dramatically improved accuracy, which has been a game-changer for the security team.
“Having a tool that can do this in a timely fashion, iteratively and repeatedly, without manual inputs and outputs enables very real security control. This will improve our security posture at the end of the day.”
Tim Lisko
Director of Product and Infrastructure Security at DigitalOcean
The security team at DigitalOcean was also able to reinforce security protocols with the principle of least privilege, meaning that employees have access to only the tools needed to complete their tasks. DigitalOcean was able to identify one team that was not utilizing a particular tool and revoked access. Ensuring employees don’t have access to sensitive data when they should not help reduce the overall attack surface.
DigitalOcean’s managers and staff were particularly excited with the user experience due to its intuitiveness, flow, and simplicity–all designed to drive the user to the appropriate features and actions. Overall, DigitalOcean has saved 85% of the effort previously spent on access reviews, enabling the security teams to focus on their core job of maintaining the highest level of security.
About
DigitalOcean simplifies cloud computing so developers and businesses can spend more time building software that changes the world. With its mission-critical infrastructure and fully managed offerings, DigitalOcean helps developers, startups and small and medium-sized businesses (SMBs) rapidly build, deploy and scale applications to accelerate innovation and increase productivity and agility.
