Blend Uses Opal and Twingate for a Holistic Zero Trust Strategy

With Opal, we were able to shift our engineering team's time towards Blend's products and focus less on business processes for granting and calibrating access. With Opal's developer extensibility and intuitive user experience, we are able to scale our identity security strategy and ensure our users have the guardrails to be secure by default on our most sensitive systems


Blend Labs, Inc. ($BLND) engages in the provision of cloud-based software platform solutions for financial services firms in the United States. It operates in two segments, Blend Platform and Title365. The company's Blend Builder Platform offers a suite of products that powers digital-first consumer journeys for mortgages, home equity loans and lines of credit, vehicle loans, personal loans, credit cards, and deposit accounts; and offers mortgage products to facilitate the homeownership journey for consumers comprising close, income verification for mortgage, homeowners' insurance, and realty. It also offers verification components to automate confirmation tasks that are needed to underwrite a loan or approve the opening of a new deposit account; decisioning components to reduce the need for human intervention by automatically applying business rules throughout an application workflow configured by a financial services firm; workflow intelligence components to manage data collection and automate tasks throughout the loan origination process; and marketplace components to enable consumers to shop for products and services presented at the precise moment of need during an application for a loan. In addition, the company, through its subsidiary, offers title search procedures for title insurance policies, escrow, and other closing and settlement services, as well as other trustee services; and provides professional and consulting services. It serves banks, credit unions, financial technology companies, and non-bank mortgage lenders. Blend Labs, Inc. was incorporated in 2012 and is headquartered in San Francisco, California.

The Problem

Why did Blend adopt Opal

When Matthew Jackson, Security Operations and Architecture Manager, first joined Blend, there were about 100 employees. At that time, the Blend security team knew everyone at the company. However, as the company grew, both Blend’s headcount and number of applications scaled considerably. The security team increasingly ran into requests from new Blend employees seeking access or existing employees requesting applications the security team was not familiar with. It soon became extremely time-consuming for the security team to make well-informed decisions around access.

In response, Paul Guthrie, Information Security Officer, and Matthew Jackson implemented a bold and strategic vision to re-imagine employee access at Blend. From their experience, they knew that:

  1. Management needed to be delegated away from centralized security to teams who had more context
  2. Security teams needed to set automated guardrails
  3. Access needed to be self-service and easy to request

The goal was to improve security while reducing user friction. Using a metaphor, Blend was looking to build guardrails on a coastal highway: safety measures that don’t block the view, but instead protect users and enable teams to go faster than they would otherwise. From their perspective, the best security programs are the ones no one even knows are in place. Security is enforced behind the scenes, gently nudging users in the right direction without introducing friction.

One of the core problems that they faced was that provisioning access was a manual and expensive process. There was a lot of coordination required between centralized IT support teams and a host of different application owners and managers. This slowed down employees from getting access to the systems they needed. 

The Solution

"With Opal, we were able to shift our engineering team's time towards Blend's products and focus less on business processes for granting and calibrating access. With Opal's developer extensibility and intuitive user experience, we are able to scale our identity security strategy and ensure our users have the guardrails to be secure by default on our most sensitive systems."

Paul Guthrie

Information Security Officer

To solve this problem, Blend had initially built an internal tool so that end users could make access requests for SSH servers, databases, and IAM roles using Slack. This worked well but required constant attention and maintenance. Blend had an excellent group of security engineers who built amazing tools, but they needed to be focused on their own applications and intellectual properties.

By adopting Opal and deprecating their internal tool, Blend was able to shift their talented security engineers towards Blend’s product and trust Opal to build an industry-leading access management solution. With Opal, Blend employees can use a self-service app catalog to make requests. Admins can scale approvals and management through decentralization of system owners and managers. Lastly, the security team can configure resource-specific access policies based on the sensitivity of the resource.'

Why did Blend adopt Twingate

Ahead of adopting Twingate, the Blend team was managing multiple VPN solutions with inconsistent rules around who had access to what cloud resources. This meant that there was a lack of transparency and consistency around employee access controls which led to an increased workload on support and IT as their company scaled in size.

Given these pain points Paul and Matthew spun up efforts to simplify network access controls for users while also making the deployment process easier for their security team. They found both outcomes with Twingate and were drawn to the platform’s ability to seamlessly integrate with Okta and infrastructure orchestration platforms like Terraform and Opal.

How did Opal and Twingate Provide Value to Blend

With Twingate and Opal together, Blend is able to implement a zero trust architecture both inside its network and across its applications and infrastructure. Zero trust is a powerful concept in network security where, by default, no access is given and no source is trusted. Implementing zero trust is challenging but when done correctly, it fortifies organizations against attack by limiting their attack surface.

Both Twingate and Opal empower Blend to manage access granularly. With Twingate, Blend is able to grant very specific and short-lived network access. Once users receive network access, they can use Opal to request very specific infrastructure and cloud IAM access. Security can implement guardrails by configuring resource-specific access policies based on the sensitivity of the resource.

In addition, both Twingate and Opal reduce operational friction. In order for a security program to be successful, it must be easily and widely adopted. Employees should be able to use workflows for getting access without in-depth technical knowledge. With Twingate’s desktop application, application owners and users can deploy the solution without diving into the nitty-gritty of VPN workflows. In fact, end users barely know that Twingate is running, but it’s actually powering a lot of the background interactions. Similarly, with Opal, end users can leverage a simple, self-service app catalog to search and filter for the access they need. Opal also enables users to make and approve requests directly out of Slack or start sessions for RDS and SSH access using the command line interface.

By implementing zero trust across its network, applications and infrastructure, Twingate and Opal have helped Blend become secure by default. By leveraging the infrastructure that the security team has put in place, whether its defining Twingate resources or using Opal workflows, users are able to access the tools and systems they need in a secure manner.

The Impact

Interested in Opal?

Get in touch with our team to learn more!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.