How Merge is Adopting the Future of Access Management

Trusted with the data of hundreds of customers, Merge takes their permissions management to the next level.

The Overview

The average B2B company requires integrations with 90+ vendors, each one critical for growth. Integrations are one of those "cost of doing business" line items—developers' precious time is spent on tangential business outcomes, like maintaining and integrating a teetering stack of APIs. That's where Merge comes in. With their "integrate once" philosophy, they do the heavy lifting of normalizing data from 60+ integrations in HR, payroll, and recruiting. Merge adds new integrations weekly, and prides itself on high-quality data and intuitive UX.

With great power, however, comes great responsibility. Since the beginning, Merge has focused on security, making SOC2 Type II certification an early priority. They now also comply with GDPR, continuing to keep a close eye on security so they have an enterprise-ready solution their customers can be confident in.

The Problem

Merge, having access to lots of sensitive data, wanted to ensure top-shelf security for their customers. To follow good security practices, they expired tokens every three months, and access to production was only given to experienced back-end developers. For on-call rotations, Merge granted privileged access and revoked it manually.

Merge realized they could redefine what was possible, exceeding good security practice to become best-in-class. Using Opal, an automated access management platform, Merge created a new standard of security in their category.

"As Merge continues to scale, it's important our security scales with it. By partnering with Opal, we don't have to worry about access controls anymore. We can focus on our mission to reshape the way businesses integrate."

Gil Feig

CTO at Merge

The Solution

Merge is now adopting cutting-edge best practices for access management. With Opal, what was once unimaginable because of the sheer manual effort required is now easily achieved.

  1. Merge now rotates keys every 15 minutes instead of every 3 months. When engineers request access to a resource, Opal generates a personalized credential for the request. This unique, just-in-time credential automatically expires after 15 minutes, dramatically reducing the attack surface of long-standing access.
  2. At Merge, no one has access to production or sensitive customer data unless they need it. To get access to this high-stakes data, employees can either request it on a case-by-case basis, or they automatically get the right permissions when they go on-call through Opal's PagerDuty integration.
  3. Onboarding is quick and easy, with new hires getting permissions automatically. Using Opal, Merge uses role-based access to assign custom permission sets. No more manual checklists.

As a growing startup, Merge continues prioritizing security without sacrificing productivity. On average, privileged access requests went from 17 hours to 3 minutes. New hires can now hit the ground running without wasting any time. Finally, with Opal's cloud-first approach, Merge successfully integrated with their AWS managed services, configuring the solution in only 1.5 weeks.