Jun 26, 2024 • Case Study
Sophos Scales Phishing-Resistant MFA and Just-in-Time Access with Opal
Sophos enhanced its cloud security with Opal's user-friendly, phishing-resistant MFA and just-in-time access to protect its AWS environment at scale.
Guy Davies, Principal Cloud Architect
Employees: 4700
Stage: Private
Sophos is a global leader and innovator of advanced security solutions that defeat cyberattacks, including Managed Detection and Response (MDR) and incident response services and a broad portfolio of endpoint, network, email, and cloud security technologies.
As a company measured against a high bar for security, Sophos has a strong focus on identity and was an early adopter of zero trust principles. Sophos delivers a broad portfolio of advanced products and services to secure users, networks, and endpoints against a wide range of cyberattacks, including ransomware, malware, exploits, and phishing. Sophos empowers organizations to build comprehensive and tailored security solutions that meet varying business needs. With a strong focus on user-friendly experiences and reducing friction for customers' business and development teams, Sophos delivers powerful security solutions that maintain productivity while ensuring the highest level of protection.
Sophos previously had a robust identity program based on a traditional IGA tool. It worked well for a small number of AWS accounts but couldn't scale to the level Sophos needed to support hundreds of accounts and a large development organization of over 1,500 highly skilled developers. The company’s previous solution lacked features like just-in-time access and peer approval workflows at scale, and the process of expanding it appeared to be inefficient.
"Our IGA tool was designed for an era of a smaller number of AWS accounts," said Rajeev Kapur, VP of IT Infrastructure at Sophos. "To do this on our existing tooling would have been a significant project in terms of expense and consultancy. We took that as far as we could take it."
Additionally, Sophos wanted to introduce an independent, phishing-resistant MFA for the company’s cloud environment to mitigate the risk of compromised credentials in its primary identity provider. "We need modern, phishing-resistant MFA that we can inject into the process," Kapur said.
Sophos needed a solution that could be deployed by a small team without adding headcount, while also being user-friendly for their diverse set of AWS users. "Developers just want to do their job," said Guy Davies, Principal Cloud Architect at Sophos. "Other solutions required a lot of clicks and were kind of arcane."
Sophos Requirements At a Glance:
Scalable just-in-time access
Scalable peer approval workflows
Phishing-resistant MFA for cloud environment
Developer friendly
IaC-Driven Workflow
"Opal fills the sweet spot of being a developer-friendly tool that we can drive solely through APIs and the Terraform provider, while giving us the features we need."
Sophos evaluated several solutions and chose Opal for its unique combination of phishing-resistant MFA, just-in-time access, friendly user experience, and IaC integration. "Opal enabled us to get this phishing-resistant MFA, which was a top priority for us, and gave us the ability to move toward more of a just-in-time model, but also was sufficiently friendly for our developers," Davies said.
Opal's infrastructure-as-code (IaC) support, particularly the Terraform provider, was critical for Sophos to manage its environment at scale without increasing its team size. "It's a mix of the developer experience, the Infrastructure as Code — which meant we could scale this without additional heads — and the time to implement," Kapur noted.
The Sophos team integrated Opal into its AWS account creation process using GitHub workflows, automatically configuring new accounts with necessary roles and permissions. With Opal, Sophos generates Terraform configurations programmatically, allowing the company to manage access and approvals through simple changes in YAML files.
Using Opal, the Sophos team:
Validates access against a separate, phishing-resistant MFA, ensuring security even if the company’s primary identity provider is compromised.
Scales its environment to support hundreds of accounts and thousands of roles without increasing headcount, thanks to Opal's IaC support.
Streamlines access requests and approvals with flexible workflows that have the least possible impact on developer productivity.
"Five years ago, we had nothing. It was painful," Kapur recalled. "Then we implemented self-service and went from bad to good. But this is a good-to-great story for us."
Copyright © 2024 Perma Security Inc DBA Opal Security | All Rights Reserved | Not affiliated with Opal Labs