How Merge is Adopting the Future of Access Management

Merge, having access to lots of sensitive data, wanted to ensure top-shelf security for their customers. To follow good security practices, they regularly expired tokens every three months, and access to production was only given to experienced back-end developers. For on-call rotations, Merge provided privileged access and manually revoked them.

Merge realized they could redefine what was possible, exceeding good security practice to become best-in-class. Using Opal, an automated access management platform, Merge created a new standard of security in their category.

Merge is now adopting cutting-edge best practices for access management. Using Opal, what was once unimaginable due to the sheer manual effort required, is now easily achieved.

1. Merge rotates keys every 15 minutes now instead of every 3 months. When engineers request access to a resource, Opal generates a personalized credential for the request. This unique and just-in-time credential automatically expires every 15 minutes, dramatically reducing the attack surface of long standing access.
2. At Merge, no one has access to production or sensitive customer data unless, of course, they need it. To get access to this high-stakes data, employees can either request for it on a case-by-case scenario, or they will automatically get the right permissions when they go on-call with Opal's PagerDuty integration.
3. Onboarding is quick and easy, with new hires getting permissions automatically. Using Opal, Merge uses role-based access to assign custom permission sets. No more manual check lists.

As a growing startup, Merge continues prioritizing security without sacrificing productivity. On average, privileged access requests went from 17 hours to 3 minutes. New hires can now hit the ground running without wasting any time. And last, with Opal's cloud-first approach, Merge successfully integrated with their AWS managed services, configuring the solution in only 1.5 weeks.