Jan 14, 2025

Case Study

From Three Brutal Days to Three Quick Minutes: How Obsidian Accelerated and Improved User Access Reviews With Opal

With Opal, Obsidian significantly improved its user access security posture and sharply accelerated its quarterly user access reviews.

- Customer: Obsidian
- Featured: Alfredo Hickman, CISO
- Employees: 150+
- Stage: Private

Obsidian is a global leader in SaaS security on a mission to help businesses protect their cloud-based applications and make the impact of SaaS breaches a thing of the past. 

As a cloud-native company, Obsidian has security in its DNA. The company was founded in 2017 by seasoned security professionals with a deep understanding of the importance of identity security. With its SaaS Security Posture Management (SSPM) and Identity Threat Detection and Response (ITDR) solutions, Obsidian provides enterprise customers with a complete SaaS security platform. Today, Fortune 1000 companies trust Obsidian to protect over 25 million users and a million connected apps.

The Challenge

Obsidian boasts a robust security culture — a necessity for an enterprise selling security solutions to its own customers. It has a responsibility to safeguard both its internal data and the sensitive data of its customers. 

But even a company like Obsidian — with security experts on its leadership team, a healthy security posture, and well-trained employees — isn’t entirely immune to identity security gaps, due to the sheer scale of effort behind a manual user access management system. Regarding those controls, CISO Alfredo Hickman said, “It was essentially the Wild West.”

This is what he means: Before working with Opal, Obsidian’s system for managing, granting, and removing access to key company resources was fully manual. Gaining access to resources was a slow process: An employee needing access would have to go through IT to figure out who owned that resource and determine whether the owner could provide approval. Removing access was just as manual and error-prone. The security team spent up to three days each quarter manually reviewing user access via a spreadsheet and updating permissions. 

Not only were these processes inefficient and frustrating, but they were also susceptible to human error, opening up Obsidian to increased cyber risk. “There were a lot of gut calls based on knowing the organization. We were making unilateral, arbitrary decisions whether to maintain or revoke access,” said Hickman. “The impact on our security posture was not ideal.” 

The manual approach to access management had other downstream impacts, too. For example, workflows were disrupted when an employee who was a resource owner left the company. It wasn’t clear who should manage the resources next or how to gain admin controls to grant and revoke access in some cases. 

When it came to dev environments like AWS and GitLab, the user access provisioning process was extremely opaque. With AWS, this ambiguity meant that employees didn’t understand which permissions were associated with which roles and were unsure which roles to request. With GitLab, this ambiguity resulted in overprovisioning of root-level access, meaning that everyone had access to everything — which was far from ideal for security. 

As an innovative, forward-thinking team, Obsidian recognized the urgent need to shore up its defenses. They tried using an IAM tool, but it wasn’t sufficient. For example, it could not easily provision time-bound access. It didn’t provide proactive incident response either; if the team saw a new user accessing a specific resource, they couldn’t immediately identify the issue and cut off access. 

The team needed a solution that removed the IT and security teams as the middlemen, eliminated the need for manually populated spreadsheets, and enabled access decisions based on identity rather than arbitrary guesses or gut feelings each quarter. 

Obsidian Access Control Requirements At a Glance:
- Automated user access reviews (UARs)
- Time-bound access controls
- Granular access controls, especially in dev environments 
- Responsive customer service

The Solution

Obsidian discovered Opal through a common board member at leading venture capital firm Greylock. After seeing Opal’s CEO, Umaimah Khan, speak at an industry event, Obsidian’s security team knew they wanted to work together. “It’s been a fantastic relationship since,” said Hickman. 

Today, roughly 98% of Obsidian’s resources are connected to the Opal platform. Through Opal’s technology, access requests go directly to the resource owner — who is best equipped to know who requires access to that resource — rather than an already-overloaded security team. Thanks to Opal’s automation, those requests get approved much faster, typically taking a few hours (or less) instead of a week, as it did when approvals were handled manually. 

In addition, every resource can have time-bound access, empowering managers to limit access to a week or a month at a time based on the sensitivity of that resource. Opal provides more granular access, too — which is especially critical in developer environments, where specific permissions (e.g., read/write) can be given to specific resources. The employee experience has significantly improved, too: If a request is approved, employees simply receive a notification via Slack and email. 

Best of all, the time spent on user access reviews (UARs) has been condensed significantly. Thanks to the UAR automation that Opal provides, managers can get all their reviews done each quarter in minutes, replacing the dreaded and labor-intensive manual review process that would take days. “I used to get butterflies in my stomach when it was time for UARs, but now it doesn’t even faze me,” commented Hickman. And because overprovisioning is now reduced proactively, the security team has less access to remove from users during reviews. 

Opal also generates an automatic PDF report of these access reviews, creating an audit trail and making it easy to share with governance, risk, and compliance (GRC) managers to demonstrate compliance for auditing purposes. 

“Opal has improved everybody’s user experience when it comes to access provisioning and access reviews,” said Chris Kennington, Security Architect at Obsidian. “Not only has it sped up the process significantly for our end users, but it’s also easier for them to have that catalog of what they can get access to.” 

“[User access reviews] used to take up to three days. Now, it takes three minutes.”

- Alfredo Hickman, CISO at Obsidian

“I get mine done in a couple clicks.”

- Chris Kennington, Security Architect at Obsidian

The Impact

Opal has significantly cut down Obsidian’s time spent on access approvals and UARs, and has made Obsidian more secure by reducing overprovisioning. But it’s also resulted in a “huge quality-of-life improvement,” said Kennington. Importantly, Opal has empowered Obsidian to democratize decisions about access, allowing functional leads who have the necessary context to make decisions in a faster and more accurate manner, all while keeping full visibility into the process.

Opal also provides efficient and personal customer service. Compared to other, larger vendors — whose size means that questions or concerns often go into a “black box” — Opal’s customer success team is highly responsive. “We very much value the responsiveness and the quality of the partnership,” said Hickman. 

Obsidian is one of many cloud-native, B2B SaaS providers experiencing the same user access challenges. Together, Opal and Obsidian comprise a powerful security solution. Ultimately, the collaboration has transformed Obsidian’s approach to identity and access management, automated user access reviews—reducing cycles from days to minutes—and streamlined workflows for all employees. By minimizing overprovisioning, Obsidian can safeguard its operations and maintain the trust of its customers.

Ready to see how Opal can help you achieve and maintain least privilege access?