Q&A with CEO of Opal: Scaling least privilege, the Zero Trust ecosystem, and the future of secure access management
At Twingate, we believe the ability to create dynamic least privilege access management workflows is important to maintaining a flexible zero trust framework.
Within our customer community, one company that’s mentioned as a catalyst for helping organizations adopt dynamic, least privileged models is Opal. Opal is an access management platform that helps enterprise companies scale least privilege with unified visualizations across the organization, productivity workflows, and accelerated user access reviews. With a desire to help organizations remain secure by default, Opal is the chosen access management platform for teams at Databricks, Blend, and Marqeta.
We sat down with the CEO and founder of Opal, Stephen Cobbe, to understand his vision for the platform he’s built, while also discussing how best to create a culture of least privilege in a world where giving too much access is the norm.
What advice do you have for organizations that are looking to adopt least-privileged access management but are put off by the amount of change that is needed to get there?
Fortunately, least-privileged access management can be implemented incrementally.
Start by identifying the most sensitive resources that your organization needs to regularly access, whether it’s databases, cloud provider roles, or identity provider groups. Where possible, substitute longstanding access with workflows for ephemeral and just-in-time access. Opal supports a variety of options for short-lived access, including session-, ticket-, and schedule-based workflows.
Next, conduct an access review of sensitive systems so that superfluous access is removed. Ideally, this is done periodically, such as once per quarter. Opal can help enforce review hygiene with automatic campaign scheduling and notifications.
Finally, audit your role definitions to see where unused permissions can be removed. Some systems such as AWS offer native support for usage-based role pruning but mostly this is a matter of trial and error.
Can you describe the most creative use of a tool like Opal that you’ve come across from your customers?
The most creative use-cases we’ve seen relate to how our customers have integrated Opal with their internal tooling.
Internal tools grant wide-ranging access to sensitive assets such as user metadata. Granularly managing access to these assets is challenging to do at scale. By integrating with Opal’s API directly or via webhooks, our customers can expose their internal tool’s authorization model in Opal’s browsable catalog of access and leverage its powerful workflows.
Unlike identity providers, which deal only in groups, Opal’s resource-based abstractions allow for more granular management. This allows our customers to implement policies such as requiring that user metadata access be scoped to a particular user and tied to a support ticket that references the user by name.
As a least-privileged access management product, Opal helps organizations implement the defense-in-depth tenet of zero trust. In the event an account is compromised, the less access it has, the less damage is done. In the world of least privilege, all users are viewed as unvetted, and are granted only the access that is absolutely necessary. Opal supports setting policies at the resource and group level that require requests to be MFA-gated, contain a support ticket, or receive manager approval.
The net result is users have only the access they need, and nothing more, which lessens an organization’s attack surface and compliance burden.
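The following is an added example, not code from Opal or Twingate: a small Python model of the policies described in this answer and in the incremental steps earlier (time-boxed just-in-time grants, MFA gating, manager approval, a support ticket that must name the specific user whose metadata is touched, and a periodic review that flags expired or idle grants). The data model and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical request/policy model constructed for this example; field names are assumptions.
@dataclass(frozen=True)
class ResourcePolicy:
    require_mfa: bool = False
    require_ticket: bool = False
    require_manager_approval: bool = False
    scoped_to_subject: bool = False      # grant must be tied to the end user it concerns
    max_duration: timedelta = timedelta(hours=1)

@dataclass
class AccessRequest:
    requester: str
    resource: str
    duration: timedelta = timedelta(hours=1)
    mfa_verified: bool = False
    ticket_text: str = ""
    manager_approved: bool = False
    subject: Optional[str] = None        # e.g. the customer whose metadata is needed

def evaluate(policy: ResourcePolicy, req: AccessRequest) -> List[str]:
    """Return the unmet conditions; an empty list means the request may be granted."""
    unmet = []
    if policy.require_mfa and not req.mfa_verified:
        unmet.append("mfa")
    if policy.require_ticket and not req.ticket_text.strip():
        unmet.append("ticket")
    if policy.require_manager_approval and not req.manager_approved:
        unmet.append("manager_approval")
    # Scoped access: the ticket must name the specific user whose data is being touched
    if policy.scoped_to_subject and not (req.subject and req.subject.lower() in req.ticket_text.lower()):
        unmet.append("ticket_must_reference_subject")
    if req.duration > policy.max_duration:
        unmet.append("duration_exceeds_policy")
    return unmet

def grant(policy: ResourcePolicy, req: AccessRequest, now: datetime) -> Optional[dict]:
    unmet = evaluate(policy, req)   # time-boxed grant only when every condition is met
    return None if unmet else {"requester": req.requester, "resource": req.resource,
                               "subject": req.subject, "expires_at": now + req.duration}

def review(grants: List[dict], last_used: dict, now: datetime, idle: timedelta) -> List[dict]:
    """Periodic access review: return grants that have expired or sat unused longer than idle."""
    def stale(g):
        used = last_used.get((g["requester"], g["resource"]))
        return now >= g["expires_at"] or used is None or now - used > idle
    return [g for g in grants if stale(g)]
```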
Why is it important for tools and platforms within the Zero Trust space to integrate with each other?
By introducing additional safeguards, a Zero Trust posture inherently adds friction to day-to-day operations, which hurts adoption. It’s important that different products within the Zero Trust space integrate with one another to offer a more seamless experience.
For instance, if I receive temporary access to a Kubernetes cluster via a workflow in Opal, it’s unwieldy to have a separate workflow for network access to the cluster. With a direct integration between Opal and Twingate, for instance, the two workflows can be streamlined.
Before adopting Opal, what have you seen organizations do to implement real-time access controls across their corporate resources?
Longstanding access still predominates, so the most common configuration we see is simply no real-time access controls.
However, the culture around access control is changing. There is a growing awareness of the need to limit access footprint, and real-time access controls are one of the most effective means of doing that. For those organizations that have implemented just-in-time controls, the most common solution is custom internal tooling, which is usually backed by Active Directory or Okta Groups. Internal tooling may be well customized to an organization’s use-cases, but it is difficult and expensive to maintain over time.
As companies get smarter and start to adopt both zero trust access tools as well as implement ephemeral access, how do you think cyber attackers will start to evolve to combat this?
For organizations that leverage zero trust tools and ephemeral access, attackers will have their work cut out for them. By tying access to a particular device, zero trust tools will require attackers to compromise devices in addition to account credentials. With ephemeral access controls, attackers will also need to compromise a larger number of accounts than before in order to offset the smaller access footprint of each account. The net result is attackers will have to lean more heavily into their preferred mode of attack: social engineering.