Optoro Case Study

How Pomerium enables Optoro to scale global logistics and assert compliance

Zach Dunn is the Senior Director of Platform Operations and CISO at Optoro. Previously, Zach has held positions as a web support engineer, site reliability engineer, Linux systems engineer, manager of systems operations, and director of DevOps.

Spencer Gilbert is an Infrastructure Engineer on the DevOps team at Optoro. His primary responsibilities include handling on-premise hardware, cloud infrastructure, and Kubernetes clusters.

Company Background

Optoro is a returns technology company that connects a seamless online returns experience with efficient supply chain processing and resale. Optoro’s mission is to make retail more sustainable by eliminating all waste from returns.

Optoro’s Challenges

Optoro needed an access solution that could replace the functionality of their VPN, while also improving their employees' user experience and flexibility. It was also important to Optoro to find a tool with extensive audit logs that would provide the evidence needed to meet compliance standards like SOC 2.

Migrating to Kubernetes: Leaving the VPN behind

Optoro began migrating to Kubernetes a year ago, which prompted them to start looking for alternatives to their VPN. Optoro needed an access solution they could easily integrate into Google’s GSuite—their identity provider (IdP) of choice—to make authentication and authorization consistent across all of their applications. In Zach’s words:

What really drove our adoption of Pomerium was our migration to Kubernetes…what we were trying to do is divorce the idea of needing to have a VPN for privileged access.

Zach Dunn, CISO at Optoro

While searching for the right identity-aware access proxy, Optoro experimented with BuzzFeed’s SSO project, which aims to provide a secure, single sign-on (SSO) experience for internal web apps. However, Optoro ran into several issues with setting up authorization based on Google Groups and also realized BuzzFeed’s product did not provide the fine-grained authorization control they were looking for. After switching to Pomerium, Optoro now has granular authorization controls that integrate with their existing Google Groups.

SOC 2 Compliance & Pomerium

Another core driver for Optoro’s migration to Kubernetes and adoption of Pomerium is SOC 2 compliance. Optoro is currently working towards SOC 2 certification, and according to Zach, Pomerium has played a critical role:

We can confidently tell clients and auditors: “we only give people access to the things they need.” How we prove that is we can pull up the Pomerium configuration and say… “this team has access to these resources.”

Zach Dunn, CISO at Optoro

Pomerium helps Optoro achieve transparency and accountability in their security practices. By enforcing least-privileged access, Optoro can rest assured knowing that employees will only be authorized to see the applications and data necessary for their individual role. In the future, Optoro is excited to see how Pomerium can tighten their compliance further as more robust auditing features are added to the product.
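As an added illustration of the kind of evidence described above (this is a constructed example, not Optoro's configuration and not taken from this case study), a Pomerium route configuration maps each protected resource to the groups allowed to reach it; hostnames, upstream addresses and group names are placeholders, and the group-to-route mapping is the artifact an auditor can read directly:

```yaml
# Constructed example of least-privilege, group-based routing in Pomerium.
# All hostnames, upstream services and group addresses are placeholders.
authenticate_service_url: https://authenticate.example.com
idp_provider: google
idp_client_id: REPLACE_WITH_CLIENT_ID
idp_client_secret: REPLACE_WITH_CLIENT_SECRET

routes:
  # Only members of the ops group may reach the internal Grafana instance.
  - from: https://grafana.example.com
    to: http://grafana.monitoring.svc.cluster.local:3000
    policy:
      - allow:
          and:
            - groups:
                has: "ops@example.com"

  # Kibana is shared by the data and ops groups; no other group matches,
  # so every other authenticated user is denied.
  - from: https://kibana.example.com
    to: http://kibana.logging.svc.cluster.local:5601
    policy:
      - allow:
          or:
            - groups:
                has: "data@example.com"
            - groups:
                has: "ops@example.com"
```

Because a request that matches no allow rule on its route is rejected, the route list itself answers "which team has access to which resource" without any separate allow-list to reconcile.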

Looking Ahead

Optoro’s long-term goal is to have true centralized access across all of their endpoints, whether internal or external. By adopting Pomerium as their context-aware access proxy of choice for authentication and authorization, Optoro is one step closer to that vision. It is rewarding for Pomerium to play even a small part in ensuring Optoro’s success in making retail more sustainable. To learn how your company can get involved with Optoro, visit their website.

Optoro’s Tech Stack

  • Infrastructure: Ubuntu on Bare Metal
  • Platform: RKE (Rancher Kubernetes Engine)
  • Proxies: NGINX
  • Provisioning: RackN Digital Rebar
  • Security Management: Lacework
  • DNS: CoreDNS
  • Service Discovery: Kubernetes Service Discovery
  • Database: PostgreSQL, MySQL
  • Raw Data / Semi-Structured Data Storage: ZFS, OpenEBS ZFS-LocalPV
  • CI / CD Pipelines: GitLab CI, Argo CD
  • Batch Job Scheduler: Airflow
  • Logging & Monitoring: Elasticsearch, Kibana, Prometheus, Grafana