The Greenhouse InfoSec team used VPNs to segment networks across dev, staging and prod. That approach was complex to manage and frustrated staff. In order to access any databases, internal web apps or k8s clusters, engineers had to run a startup script each time, which created a lot of friction for staff. Greenhouse replaced VPNs with strongDM for a more convenient approach to network segmentation that also enforced least privilege.
Less work for InfoSec: strongDM combines a VPN, role-based access control for all database and server types and web apps, and layer 7 auditing into one single solution. It eliminated the need to maintain 6 different tools. There was no need to maintain separate VPNs, bastion hosts, credentials, keys or whitelisted IP addresses. strongDM unifies authentication and access in Greenhouse’s existing SSO and standardizes 2FA in order to access any database or server.
The challenge with a VPN-based approach to segmentation is that once on a VPN, “you have full unfettered access to the network environment which opens up so many vulnerabilities. If the computer you’re using to access the database has been compromised by malware, there’s a possibility it could be used as a jump off point for the attacker to get into the network and then get to the data and systems.” Greenhouse adopted strongDM in order to enforce least privilege. strongDM allows them to grant read-only access to specific databases or servers instead of the entire network. That way “in the situation that an attacker might have access to a computer, they have no way of breaking into the network through that computer. The only thing that’s actually processing the data is the strongDM proxy. There’s not the risk of having these computers attached via VPN to the production network.”
Improve Audit Trail
“Before strongDM, we were dependent on the database or application’s logs to provide us with the audit data we needed, which often was not enough. A lot of times most of the systems will tell you when something changes, but not when it was read or accessed. With strongDM we get full auditability into everything a person does — when they connect, what commands they type, what data they retrieve, we’re able to see everything.”
After strongDM, we were able to cut their VPN access so they didn’t have that insecure access to the entire private network.