Protect against breaches with least privilege
Identity mismanagement is the leading cause of breaches. Opal helps enterprises reduce longstanding access to critical applications through granular just-in-time access and contextual revocations.
Detection and Response
At most companies, employee access is only additive and heavily over-provisioned. However, security teams don't have the necessary tools to manage or measure the problem.
Centralized visibility with prioritized risks
With Opal, security teams have an unified access graph, aggregating data across cloud, SaaS apps, and internal tools, that prioritizes risk, such as usage, anomalies, and access type.
Opal combines holistic visibility with remediation. In a few clicks, admins can remediate risks through revocations or time-bounded access.
Just-in-time access to production
With the explosion of the cloud, it’s easier than ever to create infrastructure, even for teams outside of software engineering. While this has enabled innovation, it also has also led to permission sprawl, increasing the risk of insider threats. However, reducing developer access can be damaging to productivity.
Secure by design
With native integrations to cloud infrastructure, Opal enables developers to request short-lived access to specific permissions. Admins can customize approval and security configurations based risk.
Built by developers for developers
Opal enables developers to request access via Slack, start sessions using the CLI, or dynamically create IAM roles.
Scale effortlessly across the organization
With robust APIs and a Terraform module, Opal enables security teams to manage access controls using Infrastructure-As-Code.
Customer Data Access
As companies grow, they often develop powerful admin tools so that customer-facing teams can support their users. Examples of these tools include impersonating customers and performing admin actions. While beneficial, these tools are also highly privileged.
Reduce risk with just-in-time access
Stop over-provisioned birthright access. Instead, use Opal to enable short-lived just-in-time access. This reduces risk as employee must gain explicit approvals for their requests. In addition, Opal can mandate that all approvers must complete a 2FA challenge.
Scope access using granular resources
Rather than being able to request access to admin tools in their entirety, Opal can scope access requests to specific users. This reduces the blast radius of a potential breach.
Instead of granting indefinite access, Opal can provision time-bounded access. For example, at Opal, employees can only request access to internal tools for maximum of 4 hours.
Opal natively integrates with cloud infrastructure, such as AWS and GCP. Rather than provisioning longstanding access, Opal can be used to grant just-in-time access to specific permissions. All access requests need to be explicitly made and approved by the appropriate owners. In addition, requests can be time or event-bounded, so they automatically expire.
Opal implements least privilege by ensuring that the right person has the right level of access for the right amount of time.
- To ensure that the right people have access, admins can configure visibility settings based on the requestor's department. For example, this prevents sales people from seeing production access in their app catalog.
- To ensure that the right level of access is granted, Opal imports fine-grained permissions rather than coarse-grained roles or application-level access.
- To ensure that people have access for the right amount of time, Opal uses time and event bounded access. Time-bounded access expires after a specific time period. Event-bounded access expires after events such as on-call rotations, IT tickets, and access reviews
Resources in Opal are specific permissions or entitlements. Here are some examples:
- AWS SSO / IAM Identity center permission sets
- ClusterAdmin for Kubernetes
- Developer role for GitLab project
- Owner role for GitLab Group
- Analytics Cloud Security User Profile for Salesforce
- Service Cloud Permission Set for Salesforce
Using Opal’s access graph, security teams can visualize who has access to what. More importantly, they can contextualize risk based on a variety of factors, such as access type, usage, role, and team.
Opal integrates with custom applications using our API. This enables Opal to grant granular and time-bounded access to internal applications. As an example, instead of granting the ability to impersonate all customers using the internal admin tool, Opal can be used to grant the ability to impersonate a single customer. Additionally, access can be set to automatically expire after a certain time period. This enables security teams to dramatically reduce the blast radius of potential breaches.
Opal covers a broad set of integrations including applications imported from identity providers, such as Okta, and native applications with cloud infrastructure, such as AWS, Github, GCP, and SaaS Applications, such as Salesforce. For the full list of connections, please go to https://opal.dev/integrations.
Don’t see one on the list? Opal has a custom apps API. Additionally, our engineering team can create connectors for you.