Obsidian Security Case Study

How Pomerium helps Obsidian Security enforce and scale internal access

Alfredo Hickman is the Staff Security Engineer at Obsidian Security. Alfredo has worked in the security space for over 17 years. His previous roles include technical services and leadership positions in the U.S. Department of Defense, leading security product engineering in a managed security services business, and founding and operating his own boutique security consultancy. Alfredo also served in the U.S. Marine Corps as an infantry sergeant and personal security detachment team leader.

Shreyas Karnik serves as a Software Engineering Lead at Obsidian Security. His role also includes DevOps and security responsibilities. Previously, Shreyas held several senior software engineer positions including stints at RetailMeNot and Hyperplane Research.

Company Background

Obsidian Security offers a threat-detection platform for software as a service (SaaS) products. With businesses increasingly moving critical systems to SaaS providers, Obsidian Security provides comprehensive and unified security in an otherwise fragmented ecosystem. Obsidian Security aims to give organizations the visibility and quick response time needed to effectively patch vulnerabilities and defend against bad actors.

Obsidian Security’s Challenges

The nature of Obsidian Security’s work requires robust security measures and risk analysis. Obsidian Security works with sensitive data and with regulated customers, which requires them to meet SOC 2 Type 2 compliance standards. Consequently, areas such as identity and access management (IAM), least-privilege access (LPA), and compliance obligations are always top of mind for their customers. Obsidian Security must be able to secure high-value assets and applications that have no built-in, local authentication, and funnel that access control to their customer’s identity provider (IdP). From Alfredo’s perspective on the security side, increasing security, minimizing risk, and achieving automation and traceability are the key considerations for any solution Obsidian Security thinks about implementing. From Shreyas’s perspective on the operations side, reducing friction in daily workflows, saving time, and extensibility are the most critical factors. For Obsidian Security, Pomerium is a solution that delivers across all of these needs.

Why Pomerium?

Works with Multiple Clouds

Because Obsidian Security’s workloads are distributed across multiple cloud platforms, Shreyas explained that other identity-aware access proxies were not a great fit for their use case. Pomerium, on the other hand, works in any environment. Whether a company’s architecture is hosted on Google Cloud Platform (GCP), Microsoft Azure, Amazon Web Services (AWS), on-premises, or a combination of on-premises and cloud, Pomerium can still authenticate and authorize every request.

Greater Trust with Open-Source

For Shreyas and the team at Obsidian Security, the more eyeballs on the source code the better. Before deciding on Pomerium, Obsidian Security was able to assess the code to ensure it met their standards of speed and scalability.

When things are open-source, it provides a different kind of trust vector because the code has a lot more rigor to it, and also a lot more people have looked at the code from various different angles.

Shreyas Karnik, Software Engineering Lead at Obsidian Security

Granular Identity and Access Management (IAM) Controls

Obsidian Security needed a solution that could integrate well with their current IAM controls, including Google Groups. Pomerium coupled with Google Groups gives Obsidian Security fine-grained control over their employees’ access permissions. However, for Alfredo, integration with Obsidian Security’s identity provider is only one part of the reason they went with Pomerium:

I wanted something that would make my life easier, something that would have an audit trail I could use for access reviews, something that I knew could hook into our identity provider… and then something that lent itself to blanket coverage and automation.

Alfredo Hickman, Staff Security Engineer at Obsidian Security

Effortless Deployment and Automation

Obsidian Security was able to quickly get Pomerium into their deployment cycle with Helm, a tool for streamlining the installation and management of Kubernetes applications. After that, Obsidian Security identified their internal applications without local authentication, configured Pomerium as an auth proxy in front of each of these apps, and tied Pomerium back to Google Groups for access control.

Wherever they can, Obsidian Security likes to automate recurring processes. With Pomerium, Obsidian Security is one step closer to automating the provisioning and de-provisioning of access for new employees, employees who are leaving, and employees who need special access for specific projects.

Traceability

Traceability is also a high priority for Obsidian Security because of their compliance obligations under SOC 2 and other security and risk management controls. The access logs Pomerium provides are critical to Obsidian Security’s ongoing compliance because SOC 2 requires companies to have access control mechanisms and least-privilege enforcement in place. In Alfredo’s words:

Anybody that has SOC 2, PCI DSS, etc., they’re going to need to be able to prove proper access controls and perform access reviews, and if your tooling can make it easy, that’s a big win.

Alfredo Hickman, Staff Security Engineer at Obsidian Security

Extensibility

Lastly, extensibility – the ability to reuse the same tool in as many places as possible – is key to ensuring widespread adoption of new security measures at Obsidian Security. Now that Pomerium has been implemented successfully for several applications, whenever a new app or endpoint needs authentication and authorization, it will be second nature for Obsidian Security to reach for Pomerium.

Looking Ahead

Shreyas summarizes the value Pomerium has provided to Obsidian Security well:

With Pomerium integrated, we now have a good handle on how to secure our internal apps and high-value assets if they don’t have their own auth capabilities.

Shreyas Karnik, Software Engineering Lead at Obsidian Security

Looking ahead, Obsidian Security is excited to see how Pomerium’s future enterprise features could provide even more value to their company. Capabilities like writing dynamic access policy, integrating with secret-management systems, incorporating device context into authorization decisions, and a dashboard for audit logs all fit well into Obsidian Security’s security strategy. To learn how your company can get involved with Obsidian Security, check out their website.