Demyst

Need: Security and Zero Trust Were in Place But Not Enough

As a service provider to household names in global finance, Demyst puts much importance on cloud security. The enterprise hosts all its solutions in an Amazon Web Services (AWS) environment with a complex technology stack spanning five global regions. In its effort to embrace zero trust principles, Demyst had implemented stringent encryption and network controls around all customer data, with the added guardrail of systematic access to the data. This advanced operational security maturity enables Demyst to engage clients that, due to internal policy or regulatory compliance needs, have stringent requirements around access to their data. For one important client, though, Demyst’s tight data perimeter wasn’t enough.

Challenge: Deliver Process-Driven Temporary Privileged Access in Their AWS Environment for a Leading Client

One of Demyst’s largest clients — a globally known bank — had a requirement that stipulated that its own internal approver had to approve any of its data viewed in another environment by a human user. To win the business opportunity, Demyst understood it needed to be able to provide the client with a level of privileged access management (PAM) in its own AWS environment. The client also required that the vendor — in this case, Demyst — establish its own internal routing process for vetting access before passing the approval request to the client’s approver. Furthermore, the access granted had to be strictly time bound.

The Demyst team researched solutions with cloud-based PAM capabilities yet found most to be overly broad in scope for its needs and/or too costly. The team members briefly considered building their own tool but experience and their environment's complexity made them prefer a commercial solution well-tailored for AWS.

Solution: Scalable Cloud Security with Just-in-Time (JIT) Access Management

For over a year, Demyst had wanted to better visualize and map access across its cloud IAM and resource policies, and had been evaluating solutions for this need. Then the business-critical access control use case came in. “We understood that Tenable could help with our AWS permissions need as well as our client’s temporary access use case – and a demo showed this to be true,” said Chris Hyde, CIO, Demyst. “Within an hour of starting our proof of concept we were able to confirm that the Tenable Cloud Security solution performed as promoted.”

Demyst chose Tenable for its overall cloud security capabilities and its cloud-based Just-in-Time (JIT) access management in particular. Tenable JIT for cloud provides temporary access control to resources in AWS, Microsoft Azure and Google Cloud Platform (GCP). “Today, we are using Tenable Cloud Security to deliver temporary access control to a key banking client, meeting our privileged access management cloud use case, and also to rationalize permissions and better control access in our complex AWS environment,” said Hyde.

Demyst’s Tenable Cloud Security JIT implementation

The Demyst team delivered automated JIT to the client as a three-step process that drives the required approvals and captures the details for future audit and reporting.

Highlights

• As per the client requirement, the process specifies three approvers: Two Demyst employees and one client employee
• The process involves close interplay between Tenable Cloud Security’s JIT mechanism and the AWS Key Management Service (KMS) access policy
• A temporary secure workspace is instantiated for the Demyst requester to do a final quality check before the data is delivered to the client
• Access to the data is time bound, with the client’s approval controlling the duration the data can be viewed

JIT workflow

1. A data analyst initiates a request for access
2. Approver 1 approves the request, triggering notification to Approver 2
3. Approver 2 approves the request, triggering notification to Approver 3
4. Approver 3 logs into Tenable and approves access to the data for the designated amount of time, after which the privileges expire automatically

How the JIT implementation works

• Tenable JIT gives access to a resource encrypted with a key managed within AWS KMS
• A Demyst key access policy in KMS allows the grant from Tenable to access the key
• Upon Tenable JIT approval, the Demyst policy enables the user to decrypt the resource using the key within the approved time period

Results: Successful Deployment Reduces Permissions Risk and Unlocks New Revenue

Demyst has used Tenable JIT in its production environment for over a year and continues to expand its use of the product. “Deployment was smooth and fast,” noted Hyde. “We deployed Tenable out of the box and are using it to provide a low-friction workflow for granting time bound permissions for accessing a key client’s sensitive data. We are also using Tenable to reduce permissions risk and enforce least privilege in our AWS environment.”

Explained Hyde, “For Demyst, the Tenable JIT use case was the final piece in the puzzle of unlocking revenue with a globally recognized bank — it got us across the finish line to start processing this data for them.“ Demyst sees its Tenable JIT capability as a business enabler. “Using our Tenable solution, we can commit to being able to provide enterprise clients with log feeds on what is happening to their data within the confines of the Demyst environment — we see this kind of access control requirement increasingly becoming a standard in enterprise contracts.”

Summarized Hyde, “We expect to replicate our Tenable JIT use case capability to unlock more revenue opportunities — we’ve already presented it to other clients who, due to privacy laws or regulatory mandates, have high sensitivity requirements that make them risk averse.”