Blend Uses Opal and Twingate for a Holistic Zero Trust Strategy

The Overview

Featuring:

When Matthew Jackson, Security Operations and Architecture Manager, first joined Blend, there were about 100 employees. At that time, the Blend security team knew everyone at the company. However, as the company grew, both Blend’s headcount and number of applications scaled considerably. The security team increasingly ran into requests from new Blend employees seeking access or existing employees requesting applications the security team was not familiar with. It soon became extremely time-consuming for the security team to make well-informed decisions around access.

In response, Paul Guthrie, Information Security Officer, and Matthew Jackson implemented a bold and strategic vision to re-imagine employee access at Blend. From their experience, they knew that:

  1. Management needed to be delegated away from centralized security to teams who had more context
  2. Security teams needed to set automated guardrails
  3. Access needed to be self-service and easy to request

The goal was to improve security while reducing user friction. Using a metaphor, Blend was looking to build guardrails on a coastal highway: safety measures that don’t block the view, but instead protect users and enable teams to go faster than they would otherwise. From their perspective, the best security programs are the ones no one even knows are in place. Security is enforced behind the scenes, gently nudging users in the right direction without introducing friction.

One of the core problems that they faced was that provisioning access was a manual and expensive process. There was a lot of coordination required between centralized IT support teams and a host of different application owners and managers. This slowed down employees from getting access to the systems they needed. 

The Problem

Why did Blend adopt Opal

To solve this problem, Blend had initially built an internal tool so that end users could make access requests for SSH servers, databases, and IAM roles using Slack. This worked well but required constant attention and maintenance. Blend had an excellent group of security engineers who built amazing tools, but they needed to be focused on their own applications and intellectual properties.

By adopting Opal and deprecating their internal tool, Blend was able to shift their talented security engineers towards Blend’s product and trust Opal to build an industry-leading access management solution. With Opal, Blend employees can use a self-service app catalog to make requests. Admins can scale approvals and management through decentralization of system owners and managers. Lastly, the security team can configure resource-specific access policies based on the sensitivity of the resource.'

Why did Blend adopt Twingate

Ahead of adopting Twingate, the Blend team was managing multiple VPN solutions with inconsistent rules around who had access to what cloud resources. This meant that there was a lack of transparency and consistency around employee access controls which led to an increased workload on support and IT as their company scaled in size.

Given these pain points Paul and Matthew spun up efforts to simplify network access controls for users while also making the deployment process easier for their security team. They found both outcomes with Twingate and were drawn to the platform’s ability to seamlessly integrate with Okta and infrastructure orchestration platforms like Terraform and Opal.

"By adopting Opal and deprecating our internal tool, Blend was able to shift our talented security engineers towards Blend’s product and trust Opal to build an industry-leading access management solution"

Paul Guthrie

Information Security Officer

The Solution

How did Opal and Twingate Provide Value to Blend

With Twingate and Opal together, Blend is able to implement a zero trust architecture both inside its network and across its applications and infrastructure. Zero trust is a powerful concept in network security where, by default, no access is given and no source is trusted. Implementing zero trust is challenging but when done correctly, it fortifies organizations against attack by limiting their attack surface.

Both Twingate and Opal empower Blend to manage access granularly. With Twingate, Blend is able to grant very specific and short-lived network access. Once users receive network access, they can use Opal to request very specific infrastructure and cloud IAM access. Security can implement guardrails by configuring resource-specific access policies based on the sensitivity of the resource.

In addition, both Twingate and Opal reduce operational friction. In order for a security program to be successful, it must be easily and widely adopted. Employees should be able to use workflows for getting access without in-depth technical knowledge. With Twingate’s desktop application, application owners and users can deploy the solution without diving into the nitty-gritty of VPN workflows. In fact, end users barely know that Twingate is running, but it’s actually powering a lot of the background interactions. Similarly, with Opal, end users can leverage a simple, self-service app catalog to search and filter for the access they need. Opal also enables users to make and approve requests directly out of Slack or start sessions for RDS and SSH access using the command line interface.

By implementing zero trust across its network, applications and infrastructure, Twingate and Opal have helped Blend become secure by default. By leveraging the infrastructure that the security team has put in place, whether its defining Twingate resources or using Opal workflows, users are able to access the tools and systems they need in a secure manner.