Sophos Scales Phishing-Resistant MFA and Just-in-Time Access with Opal

Sophos previously had a robust identity program based on a traditional IGA tool. It worked well for a small number of AWS accounts but couldn't scale to the level Sophos needed to support hundreds of accounts and a large development organization of over 1,500 highly skilled developers. The company’s previous solution lacked features like just-in-time access and peer approval workflows at scale, and the process of expanding it appeared to be inefficient.

"Our IGA tool was designed for an era of a smaller number of AWS accounts," said Rajeev Kapur, VP of IT Infrastructure at Sophos. "To do this on our existing tooling would have been a significant project in terms of expense and consultancy. We took that as far as we could take it."

Additionally, Sophos wanted to introduce an independent, phishing-resistant MFA for the company’s cloud environment to mitigate the risk of compromised credentials in its primary identity provider. "We need modern, phishing-resistant MFA that we can inject into the process," Kapur said.

Sophos needed a solution that could be deployed by a small team without adding headcount, while also being user-friendly for their diverse set of AWS users. "Developers just want to do their job," said Guy Davies, Principal Cloud Architect at Sophos. "Other solutions required a lot of clicks and were kind of arcane."

Sophos Requirements At a Glance:

• Scalable just-in-time access
• Scalable peer approval workflows
• Phishing-resistant MFA for cloud environment
• Developer friendly
• IaC-Driven Workflow

Sophos evaluated several solutions and chose Opal for its unique combination of phishing-resistant MFA, just-in-time access, friendly user experience, and IaC integration. "Opal enabled us to get this phishing-resistant MFA, which was a top priority for us, and gave us the ability to move toward more of a just-in-time model, but also was sufficiently friendly for our developers," Davies said.

Opal's infrastructure-as-code (IaC) support, particularly the Terraform provider, was critical for Sophos to manage its environment at scale without increasing its team size. "It's a mix of the developer experience, the Infrastructure as Code — which meant we could scale this without additional heads — and the time to implement," Kapur noted.

The Sophos team integrated Opal into its AWS account creation process using GitHub workflows, automatically configuring new accounts with necessary roles and permissions. With Opal, Sophos generates Terraform configurations programmatically, allowing the company to manage access and approvals through simple changes in YAML files.

Using Opal, the Sophos team:

• Validates access against a separate, phishing-resistant MFA, ensuring security even if the company’s primary identity provider is compromised.
• Scales its environment to support hundreds of accounts and thousands of roles without increasing headcount, thanks to Opal's IaC support. 
• Streamlines access requests and approvals with flexible workflows that have the least possible impact on developer productivity.

"Five years ago, we had nothing. It was painful," Kapur recalled. "Then we implemented self-service and went from bad to good. But this is a good-to-great story for us."

Since implementing Opal, Sophos has been able to support "thousands of users with hundreds of accounts and thousands of roles in total," according to Davies. The team has reaped the benefits of having built out the infrastructure that generates the IaC in an extensible way, allowing them to change roles, policies, and account settings merely by submitting a pull request. "From our point of view, there's a net increase in productivity there," Davies said.

While introducing the new phishing-resistant MFA required some adjustments for developers, Opal provided the most user-friendly experience among the solutions Sophos evaluated. "From what we've implemented, from the controls, with the visibility we now have, this has the minimum impact on developers," Kapur said.

Davies reflected that Sophos reaped the benefits of having built out a program that generates the IaC in an extensible way. He remarked that the team “can change a role, change policies on roles, change stuff in accounts merely by submitting a pull request.”

Working with Opal enabled Sophos to achieve phishing-resistant MFA at scale while minimizing disruption to developers' workflows. By leveraging Opal's user-friendly interface, flexible approval flows, and powerful infrastructure-as-code capabilities, Sophos was able to overcome the limitations of its previous identity governance solution and implement a modern, zero trust security model across its rapidly growing AWS environment.