Online restaurant-reservation service gains cloud visibility and a least-privilege identity strategy.
Services: Advisory Services
Solution: Ermetic, Google Cloud Platform, CIEM
Our client had no visibility within their Google Cloud Platform environment and needed to implement a least-privilege strategy.
Our client, one of the most well-known online restaurant-reservation services, had no visibility or controls around employees accessing their cloud environment.
Every employee accessing GCP was granted full administrative access to the environment by default, causing significant security risks and increased costs to those leveraging their data lake for reporting, analytics, order processing, and application testing.
The Business Impact
Over-privileged accounts and lack of visibility lead to increased security risk and possible cloud costs.
Employees had full access to every element of GCP. But without visibility, the business was unable to decipher what projects were or weren’t being used, who was using the data, what data was being accessed, and the levels of access people had to the data.
Risks to the business increased because accounts could be compromised without the business’s knowledge, and over-privileged accounts could freely run costly workloads and queries without limitations.
MajorKey leveraged Ermetic to conduct an assessment of their GCP environment to uncover control violations and provide recommendations.
MajorKey’s Solution Advisor team provided a prescriptive analysis of their GCP environment and recommended a roadmap for implementation. The analysis covered how to implement least privilege, how to segregate GCP from Google Workspace, and best practices for setting up logging and reporting to enable rapid deactivation in case of bad actors.
In addition, CIS Critical Security Controls were mapped to NIST 800-53 and managed keys were automatically rotated. Advisors also recommended a CIEM solution as the foundation for their cloud security model.
The MajorKey Approach
Our unique approach gave our client the confidence and direction they needed.
Our approach is encompassed by the following values:
- Process-focused, not tool-focused. We are a vendor-agnostic provider. In other words, when working with clients we focus on business processes and outcomes rather than pushing a specific tool.
- Structured project management. We rarely miss deadlines and always stay under budget.
- Organizational change management. We dedicate significant time to helping the organization work through new policies and procedures associated with a migration. This includes end user training by roles and responsibilities, assistance with sponsorship adoption and roll out procedures, communication templates for deployment, and more.
- Agile development style. Our developers seek client feedback early and often throughout the life of a project to ensure client satisfaction after deployment.
- User acceptance training. We have a highly structured, clearly defined process for making sure the tool is driving value for the business users. This reduces post-live issues and encourages tool utilization after deployment.
- Post-live and managed services. We provide 24x7 on-call support for the most critical issues that may arise following a deployment.