Protect against breaches with least privilege
Mismanaged identities and permissions are a leading cause of breaches. Opal helps enterprises reduce standing (long-lived) access to critical applications through granular just-in-time access and contextual revocations.
Threat Detection and Response
Challenge
Growing identity attack surface + access sprawl = your business at risk. Security teams need visibility and one-click remediation.
Centralized visibility with prioritized risks
Opal's platform offers a consolidated view and control of your whole identity-risk ecosystem.
One-click remediations
Opal combines holistic visibility with remediation. In a few clicks, admins can remediate risks through revocations or time-bounded access.
Just-in-time access to production
Challenge
With the explosion of the cloud, it’s easier than ever to create infrastructure, even for teams outside of software engineering. While this has enabled innovation, it has also led to permission sprawl, increasing the risk of insider threats and of damage from compromised accounts. However, cutting developer access outright can be damaging to productivity.
Secure by design
With native integrations to cloud infrastructure, Opal enables developers to request short-lived access to specific permissions. Admins can customize approval and security configurations based on risk.
Built by developers for developers
Opal enables developers to request access via Slack, start sessions using the CLI, or dynamically create IAM roles.
Scale effortlessly across the organization
With robust APIs and a Terraform module, Opal enables security teams to manage access controls as infrastructure as code.
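The sections above describe granting short-lived access to specific cloud permissions, including dynamically created IAM roles. The following is an added example, not Opal's code or API: a helper that renders the kind of narrowly scoped, self-expiring IAM policy a just-in-time broker could attach to such a role. The expiry is embedded in the policy itself using the real AWS global condition keys `aws:CurrentTime` (with `DateLessThan`) and `aws:MultiFactorAuthPresent`, so the permission stops working at the deadline even if a later revocation call never lands. The function names, the policy ceiling and the sample ARN are assumptions made for the example.

```python
# Added example (not Opal's code): build a scoped, time-bounded IAM policy
# document and evaluate its expiry offline. Function names, MAX_SESSION and
# the sample ARN in demo() are hypothetical; the condition keys are real.
import json
from datetime import datetime, timedelta, timezone

MAX_SESSION = timedelta(hours=4)  # assumed policy ceiling for any grant


def build_jit_policy(actions, resource_arn, now, ttl, require_mfa=True):
    """Return an IAM policy (dict) that only allows `actions` on one ARN
    until now + ttl. `now` must be a timezone-aware datetime."""
    if any(a == "*" or a.endswith(":*") for a in actions):
        raise ValueError("refuse wildcard actions; name the permission needed")
    if resource_arn == "*":
        raise ValueError("refuse wildcard resource; scope to one ARN")
    if ttl <= timedelta(0):
        raise ValueError("ttl must be positive")
    ttl = min(ttl, MAX_SESSION)  # clamp to the ceiling, never extend it
    deadline = (now + ttl).astimezone(timezone.utc)
    condition = {
        # IAM compares the request time against this ISO 8601 instant.
        "DateLessThan": {"aws:CurrentTime": deadline.strftime("%Y-%m-%dT%H:%M:%SZ")}
    }
    if require_mfa:
        # Only sessions that authenticated with MFA may use the grant.
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "JustInTimeGrant",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": resource_arn,
            "Condition": condition,
        }],
    }


def policy_permits(policy, action, resource_arn, now, mfa_present=True):
    """Offline approximation of how IAM evaluates the document above.
    Only the subset this example emits is modelled: exact action and
    resource match plus the DateLessThan and Bool conditions."""
    now_utc = now.astimezone(timezone.utc)
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        if st["Resource"] != resource_arn:
            continue
        cond = st.get("Condition", {})
        deadline = cond.get("DateLessThan", {}).get("aws:CurrentTime")
        if deadline:
            limit = datetime.strptime(deadline, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if now_utc >= limit:
                continue  # grant has expired
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        return True
    return False


def demo():
    """Constructed walkthrough: an 8-hour request is clamped to 4 hours."""
    arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-credentials"  # hypothetical
    action = "secretsmanager:GetSecretValue"
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    policy = build_jit_policy([action], arn, now=t0, ttl=timedelta(hours=8))
    return {
        "policy_json": json.dumps(policy, indent=2),
        "deadline": policy["Statement"][0]["Condition"]["DateLessThan"]["aws:CurrentTime"],
        "allowed_at_1h": policy_permits(policy, action, arn, t0 + timedelta(hours=1)),
        "allowed_at_4h": policy_permits(policy, action, arn, t0 + timedelta(hours=4)),
        "allowed_without_mfa": policy_permits(policy, action, arn, t0 + timedelta(hours=1), mfa_present=False),
        "allowed_other_arn": policy_permits(policy, action, arn + "-staging", t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(demo()["policy_json"])
```

The design point is that the deadline lives in the policy document rather than only in the broker's scheduler: a broker that crashes or loses its revocation queue still cannot leave the permission standing past the deadline. The wildcard checks keep a request for "everything in the account" from being approved by accident.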
Protect Customer Data Access
Challenge
As companies grow, they often develop powerful admin tools so that customer-facing teams can support their users. Examples of these tools include impersonating customers and performing admin actions. While beneficial, these tools are also highly privileged.
Reduce risk with just-in-time access
Stop over-provisioned birthright access. Instead, use Opal to enable short-lived just-in-time access. This reduces risk because employees must obtain explicit approval for each request. In addition, Opal can mandate that every approver complete a 2FA challenge before approving.
Scope access using granular resources
Rather than letting employees request access to an admin tool in its entirety, Opal can scope access requests to specific users (for example, a single customer account). This reduces the blast radius of a potential breach.
Time-bounded access
Instead of granting indefinite access, Opal can provision time-bounded access. For example, at Opal, employees can only request access to internal tools for a maximum of 4 hours.
FAQs
Opal natively integrates with cloud infrastructure, such as AWS and GCP. Rather than provisioning longstanding access, Opal can be used to grant just-in-time access to specific permissions. All access requests need to be explicitly made and approved by the appropriate owners. In addition, requests can be time or event-bounded, so they automatically expire.
Opal implements least privilege by ensuring that the right person has the right level of access for the right amount of time.
- To ensure that the right people have access, admins can configure visibility settings based on the requestor's department. For example, this prevents salespeople from seeing production access in their app catalog.
- To ensure that the right level of access is granted, Opal imports fine-grained permissions rather than coarse-grained roles or application-level access.
- To ensure that people have access for the right amount of time, Opal uses time-bounded and event-bounded access. Time-bounded access expires after a specific time period. Event-bounded access expires after events such as the end of an on-call rotation, the closing of an IT ticket, or an access review.
Resources in Opal are specific permissions or entitlements. Here are some examples:
AWS
- AWS SSO / IAM Identity Center permission sets
- ClusterAdmin for Kubernetes
GitLab
- Developer role for GitLab project
- Owner role for GitLab Group
Salesforce
- Analytics Cloud Security User Profile for Salesforce
- Service Cloud Permission Set for Salesforce
Using Opal’s access graph, security teams can visualize who has access to what. More importantly, they can contextualize risk based on a variety of factors, such as access type, usage, role, and team.
Opal integrates with custom applications using our API. This enables Opal to grant granular and time-bounded access to internal applications. As an example, instead of granting the ability to impersonate all customers using the internal admin tool, Opal can be used to grant the ability to impersonate a single customer. Additionally, access can be set to automatically expire after a certain time period. This enables security teams to dramatically reduce the blast radius of potential breaches.
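The customer-data section above and this answer describe the same control from two sides: a broker that issues a grant scoped to one customer, approved by someone else who passed 2FA, and bounded by a time limit or an event; and an internal admin tool that must honour that grant. The following is an added example, not Opal's code or API, of the enforcement the admin tool itself needs on every impersonation request. It models the checks in a small in-memory grant store; all class, function and field names, the 4-hour ceiling and the sample ticket id are assumptions for the example.

```python
# Added example (not Opal's code or API): per-request enforcement of scoped,
# time- and event-bounded impersonation grants inside a custom admin tool.
# All names, fields, the MAX_TTL ceiling and the sample data are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


class AccessDenied(Exception):
    """Raised when no live grant covers the requested action."""


@dataclass
class Grant:
    requester: str
    action: str                      # e.g. "impersonate"
    customer_id: str                 # exactly one customer; "*" is refused
    approver: str
    issued_at: datetime
    expires_at: datetime
    event_tag: Optional[str] = None  # e.g. a ticket id, for event-bounded access
    revoked: bool = False

    def is_live(self, now: datetime) -> bool:
        return not self.revoked and self.issued_at <= now < self.expires_at


class GrantStore:
    MAX_TTL = timedelta(hours=4)     # assumed policy ceiling

    def __init__(self) -> None:
        self._grants: List[Grant] = []

    def issue(self, requester, action, customer_id, approver,
              approver_mfa_passed, ttl, now, event_tag=None) -> Grant:
        if not customer_id or customer_id == "*":
            raise AccessDenied("scope the grant to a single customer")
        if approver == requester:
            raise AccessDenied("requesters cannot approve their own request")
        if not approver_mfa_passed:
            raise AccessDenied("approver must pass an MFA challenge first")
        if ttl <= timedelta(0):
            raise AccessDenied("ttl must be positive")
        ttl = min(ttl, self.MAX_TTL)  # clamp to the ceiling, never extend it
        grant = Grant(requester, action, customer_id, approver,
                      now, now + ttl, event_tag)
        self._grants.append(grant)
        return grant

    def revoke_for_event(self, event_tag: str) -> int:
        """Event-bounded expiry, e.g. the linked ticket was closed."""
        hits = [g for g in self._grants if g.event_tag == event_tag and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

    def revoke_requester(self, requester: str) -> int:
        """Bulk remediation: cut every live grant held by one person."""
        hits = [g for g in self._grants if g.requester == requester and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

    def authorize(self, requester, action, customer_id, now) -> Grant:
        """The per-request check the admin tool runs before acting."""
        for g in self._grants:
            if (g.requester == requester and g.action == action
                    and g.customer_id == customer_id and g.is_live(now)):
                return g
        raise AccessDenied(f"{requester} has no live grant to {action} {customer_id}")


def allowed(store, requester, action, customer_id, now) -> bool:
    try:
        store.authorize(requester, action, customer_id, now)
        return True
    except AccessDenied:
        return False


def run_scenario() -> dict:
    """Constructed walkthrough with fixed timestamps; returns checkable facts."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    store, out = GrantStore(), {}
    for label, kwargs in [
        ("wildcard_refused", dict(customer_id="*", approver="bob", approver_mfa_passed=True)),
        ("self_approval_refused", dict(customer_id="cust-1001", approver="alice", approver_mfa_passed=True)),
        ("no_mfa_refused", dict(customer_id="cust-1001", approver="bob", approver_mfa_passed=False)),
    ]:
        try:
            store.issue("alice", "impersonate", ttl=timedelta(hours=1), now=t0, **kwargs)
            out[label] = False
        except AccessDenied:
            out[label] = True
    g = store.issue("alice", "impersonate", "cust-1001", "bob", True,
                    timedelta(hours=8), t0, event_tag="TICKET-42")  # 8h asked, 4h given
    out["ttl_hours"] = (g.expires_at - g.issued_at).total_seconds() / 3600
    out["in_scope"] = allowed(store, "alice", "impersonate", "cust-1001", t0 + timedelta(minutes=30))
    out["other_customer"] = allowed(store, "alice", "impersonate", "cust-2002", t0 + timedelta(minutes=30))
    out["after_expiry"] = allowed(store, "alice", "impersonate", "cust-1001", t0 + timedelta(hours=4))
    out["revoked_by_event"] = store.revoke_for_event("TICKET-42")
    out["after_event"] = allowed(store, "alice", "impersonate", "cust-1001", t0 + timedelta(minutes=45))
    return out
```

The grant is keyed on requester, action and one customer id, so a live grant for `cust-1001` says nothing about `cust-2002`; that is what keeps the blast radius to one account. Expiry is checked at use time rather than trusted from the issuance, and event revocation (closing the ticket) ends the grant immediately even though the 4-hour window is still open. In a real deployment the store would be the broker's record of approved requests and every `authorize` call would also be written to an audit log.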
Opal covers a broad set of integrations, including applications imported from identity providers such as Okta, native integrations with cloud infrastructure such as AWS, GitHub and GCP, and SaaS applications such as Salesforce. For the full list of connections, please go to https://opal.dev/integrations.
Don’t see one on the list? Opal has a custom apps API. Additionally, our engineering team can create connectors for you.