How People.ai Has Future-Proofed Data Security with Zero Standing Privilege

Aman Sirohi, VP - CISO & Platform, People.ai
July 25, 2024

When I first entered the workforce, sharing usernames and passwords was common practice. Credentials scribbled on sticky notes papered bullpens, even in areas within eyesight of visiting customers. Equally concerning, cloning users with the most privileged access was standard operating procedure for the hiring manager and the Helpdesk tech.

Flouting common sense data security practices was oddly acceptable. While all these approaches seem comical in hindsight, they were my first attempts to rein in data security at early-career employers. I started educating my colleagues on the enormous risk of their lax security habits and made steady progress in protecting critical systems.

Still, as my employers grew in size and our security methods and tech stacks matured, too many employees inevitably wound up with full administrative privileges to critical environments. Time and technology presented modest improvements like ACLs and RBAC, but the access lists grew too large, and employees were granted excessive roles.

Identity Security: The Neglected Perimeter

This excessive access problem has been top of mind for me over the last 15+ years, and it’s gained more prominence in the security arena as threat actors have adopted new attack methods that strong authentication alone cannot stop. Attackers are combining social engineering and AI to impersonate users and bypass authentication, including voice replication like we’re seeing in the current presidential campaign.

We can’t rely solely on traditional MFA methods to prevent determined threat actors — whether they’re external or malicious insiders — from infiltrating our systems. Even if an access code is good for only 10 minutes, that’s typically ample time for a threat actor to access a system.

Authentication and identity providers, firewalls, and malware protection are all table stakes, but even with these protections, breaches still happen. If an identity is compromised, the average permissions sprawl translates to an enormous blast radius, leaving highly sensitive customer and company data — including financial records, PII, and trade secrets — ripe for exfiltration.

Ransomware attacks once dominated the news, but threat actors are increasingly using identity attacks to obtain customer and employee data. Once an attacker gains access to a platform, lax authorization standards across connected systems enable them to access a large swath of data across the entire company. We’ve seen this exact scenario play out in several highly publicized breaches in recent months. Data exposure of any kind damages a company’s brand and erodes trust with customers, partners, and in some cases, employees. Sometimes irreversibly.

Tackling More Stringent Access Management Manually Is Possible (But Unsustainable)

Given my mandate to future-proof People.ai’s data security and protect our reputation, solving the excess authorization problem became one of my top priorities. It boiled down to these key questions:

  • How can we grant employees access only when they need it, and only for how long they need it?
  • How can we build a dynamic system that recognizes justification for appropriate access rights?

High-profile attacks like the Cloudflare/Okta compromise and Microsoft’s Midnight Blizzard incident show adversaries are increasingly targeting sensitive information over source code once inside the network. With persistent internal access, entire directories are at risk if a single compromised account is not promptly remediated.

I envisioned a state where such an employee is granted limited, time-bound access based on a specific need to minimize damage in the event of breaches like these. Yet my initial search for such a dynamic access management solution provided no viable options beyond configuring it ourselves.

When a data scientist requested the same access rights as their group VP, simply because that’s who the data scientist reported to, we attempted to manually provide the least privileged access controls.

Data scientists, of course, need a broad range of data to do their jobs. My concern wasn’t at all rooted in a lack of trust in this data scientist. But such a broad access request compelled me to balance business needs with minimizing breach vulnerability. To that end, I arranged for an engineer with the proper access rights to run the data scientist’s script and store the results in an isolated environment. It was a scrappy solution that met business and security needs. But it wasn’t scalable, flexible, or in any way sustainable.

That experience renewed my search for an automated solution for eliminating standing access. That’s where SGNL comes in. I was beyond impressed to find a company that shares my philosophy of zero standing privilege and makes it a reality through their dynamic authorization technology.

Implementing Zero Standing Privilege for the Best Data Defense — And Unmatched Customer Experience

At People.ai, we ask customers to trust us with data directly related to their revenue and prospect relationships. It’s not enough to deliver “standard” data security when the stakes are that high. As part of our overarching defense-in-depth approach, our cyber security team strived to find a forward-looking data access security approach that would instill trust and provide the protection our customers deserve.

To achieve zero standing privilege across People.ai’s critical systems and data, I’ve partnered with SGNL, the only enterprise-scale and dynamic access management platform on the market. SGNL evaluates hundreds of attributes for each request from our systems of record like Salesforce, GitHub, AWS, and Databricks to understand why access is needed. The SGNL engine then determines the most secure authorization based on detailed policies my team has approved. SGNL then instructs our cloud and SaaS systems to grant, deny, or terminate access. Once the task is complete, access is immediately terminated. No manual interventions are required to change access, ensuring data is only accessed when required.
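
The grant, deny, and terminate loop described above can be sketched in a few lines. This is an added illustration, not SGNL's or People.ai's code: the `AccessBroker` class, the ticket fields, and the one-hour window are hypothetical, and the ticket data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data standing in for a system of record (e.g. ticketing).
TICKETS = {
    "T-100": {"assignee": "dana", "status": "open", "resource": "warehouse/customer_data"},
    "T-101": {"assignee": "dana", "status": "closed", "resource": "warehouse/customer_data"},
}
MAX_WINDOW = timedelta(hours=1)  # assumed upper bound on any single grant

@dataclass
class Grant:
    user: str
    resource: str
    ticket: str
    expires_at: datetime

class AccessBroker:
    """Hypothetical policy decision point: default deny, no standing grants."""
    def __init__(self, tickets):
        self.tickets = tickets
        self.grants = {}  # (user, resource) -> Grant
        self.audit = []   # (when, who, what, why, decision)

    def request(self, user, resource, ticket_id, now):
        t = self.tickets.get(ticket_id)
        # Grant only when an open ticket assigned to this user names this resource.
        ok = (t is not None and t["status"] == "open"
              and t["assignee"] == user and t["resource"] == resource)
        if ok:
            self.grants[(user, resource)] = Grant(user, resource, ticket_id, now + MAX_WINDOW)
        self.audit.append((now, user, resource, ticket_id, "grant" if ok else "deny"))
        return ok

    def is_allowed(self, user, resource, now):
        g = self.grants.get((user, resource))
        if g is None:
            return False
        t = self.tickets.get(g.ticket)
        # Re-evaluate on every check: expiry or a closed ticket terminates access.
        if now >= g.expires_at or t is None or t["status"] != "open":
            del self.grants[(user, resource)]
            self.audit.append((now, user, resource, g.ticket, "terminate"))
            return False
        return True
```

The audit list records who had access, to what, under which justification, and when it ended, which is the evidence an access review would otherwise have to reconstruct by hand.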

Now that we’ve fully implemented SGNL, no employee maintains persistent access to critical systems or customer data. SGNL has eliminated the need for access review requests that people managers historically loathe and rubber-stamp. More importantly, our Sales teams have built stronger relationships and closed more deals as they explain our unique data protection differentiation that goes beyond legacy identity solutions. Most customers have never seen anything like the zero standing privilege SGNL has enabled us to achieve.

Our employees are thrilled to use a frictionless access-approval process. The data scientist has a finite window to access that wide range of data without any intervention from the engineer, or needing to clone access rights. We’re also extending SGNL to our development process so we can implement guardrails that will ensure no one is injecting code that’s not peer-reviewed. Authorization to push code to production won’t be granted until all the required stage gates are completed. Auditors, likewise, have shared they’ve never seen such a sophisticated method for the duration of the access, who had access, and why that access was granted at a particular time and for specific circumstances.

We’re able to securely innovate while protecting our customer data, shrinking our blast radius to a small fraction of the enterprise standard.

Upleveling to zero standing privilege has become a tremendous differentiator for People.ai. And all customers deserve this level of protection that will safeguard operations and their reputation for years to come.
