Olive gains superior access experience while elevating data layer security above compliance standards
Olive provides an artificial intelligence and process automation solution designed specifically for the healthcare industry. As the company grew, its processes for granting, managing, and auditing database access became cumbersome and unsustainable. As a cloud-first and HIPAA-compliant organization, Olive required robust auditability and controls across its entire stack. Additionally, Olive’s flexible workforce model, The Grid, gives employees the ultimate flexibility to work from anywhere, but it also means the company needs stringent security and access controls to protect sensitive data. The Olive team knew they needed a modern and scalable approach to infrastructure access. Since adopting StrongDM, Olive has accelerated on-boarding for new technical hires, deployed fast and auditable least-privileged access across its remote workforce, and achieved the “holy grail” of security postures: high-fidelity, query-by-query visibility into actions in databases and critical systems.
From a compliance point of view, I have no users in my data layer. It’s a phenomenal security posture. I can go with my head high to any healthcare organization in the world and tell them the data layer security is on par with and above most stringent regulatory requirements.
Vivek Desai, SVP Engineering at Olive
Custom workflows and insufficient controls create bottlenecks and compliance gaps
Olive, an artificial intelligence and process automation solution designed specifically for healthcare, serves over 40 healthcare organizations that encompass more than 600 hospitals in 41 states across the U.S.—including a growing number of health systems with AlphaSites (onsite centers for AI workforce operations). Olive helps healthcare systems like Tufts Medical Center automate patient pre-registration for COVID-19 tests, decreasing patient wait times and increasing testing capacity.
When Olive was launched, the company primarily managed database access with Ansible. The team constructed and maintained YAML files with lists of database users and their required access to databases, individual tables, entire clusters, and more. Then, they executed the appropriate Ansible playbooks to apply the changes to the clusters. Access to customer systems (RDP into a Windows server) required connecting to Olive’s corporate VPN and then RDP’ing into a server via a business-to-business (B2B) VPN tunnel. The team audited data access via custom scripts, usually written in Bash or Python.
“Granting, managing, and auditing bespoke database access was becoming very difficult,” says Infrastructure Engineer Kellen Anker. “Data access requests were usually snowflakes or one-offs.”
Olive’s existing standards and policies governing data and customer-system access needed to be updated to keep pace with the company’s hypergrowth. Accessing Olive’s private databases required connecting to the corporate VPN and authenticating with individual user credentials. “User credentials were stored as encrypted Ansible variables,” says Anker. “It was difficult to keep track of who was already in our Ansible automations, and who was not, without decrypting and inspecting each of these config files. Managing usernames and passwords for Olive’s engineers quickly became unruly.” Furthermore, Olive’s corporate VPN had become a network performance bottleneck for nearly every employee.
Accessing Olive’s customer systems required per-customer networking settings, in the form of AWS route tables and network ACLs (NACLs). This quickly led to a bloated cloud environment and added unnecessary complexity to a system already plagued with scalability concerns. The Olive team also recognized an opportunity to improve auditability and controls around customer-system access, which would be a significant compliance win.
Olive’s CloudOps, Infrastructure, and DataOps teams faced challenges managing employee data access. The Security team didn’t have a complete understanding of the scope of employees’ access to data. IT had the headache of provisioning VPN accounts for one-off database access requests.
Saving Time by Standardizing Access Control Patterns
When Olive Senior Infrastructure Engineer Michael Plemmons suggested StrongDM as a potential solution, the team carefully evaluated StrongDM and another potential vendor. One reason the team chose StrongDM was that it supported Olive’s entire stack, including RDS, Redshift, DynamoDB, Athena, and RDP access to customer systems.
Olive’s Cloud Infrastructure team has found that the benefits of StrongDM include standardized, simplified access to databases, higher security, and uniquely responsive customer support.
“StrongDM has saved my team time by not having to create one-off users for each database and has allowed us to standardize our access control patterns,” says Anker. “It has also been time-saving for ramping up new engineers who need to access all our data sources. With one command, they can start contributing.”
Delivering a Seamless Access Experience for End-users
“StrongDM’s vastly superior UX was a major factor in the decision,” says Anker, who successfully pitched the solution to Olive’s leadership with Senior Vice President of Engineering Vivek Desai. “End users no longer need to worry about authentication to individual data sources, and requests for new data access are easier to fulfill. The UX for our customer support engineers—those who RDP into customer-hosted systems—has simplified tremendously for similar reasons. Managing up to dozens of login credentials for every server was unruly and error-prone; StrongDM has eliminated the need to manage these entirely.”
StrongDM has made it possible to get developers on-boarded and working on day one, as they no longer have to wait for corporate VPN access and have a single, standard login with access to everything they need. It is also possible to give developers read-only access to certain databases, which Desai says can help them become better engineers simply by seeing how other teams and individuals organize their database schemas.
“StrongDM is an end-user-centric way of looking at accessing sensitive systems,” says Desai. “It puts the end user first and it also adds modern methodologies and deployment patterns into the mix.”
Attaining High-Fidelity Security & Confidence in Compliance
“From a compliance point of view, I have no users in my data layer,” says Desai. “It’s a phenomenal security posture. I can go in with my head held high to any healthcare organization in the world and tell them the data layer security is on par with, and above, most regulatory requirements.”
Previously, there would be up to 300 users in the database layer at any given time, but now everything is managed through StrongDM.
“And from a security point of view, having a line-by-line, high-fidelity audit trail of all access to core databases, saved in an immutable infrastructure, is a security and compliance person's Holy Grail, and we got that with StrongDM. On top of that, very critical systems are recorded in full fidelity. Having that streamlined into an easy-to-use, deployable product is awesome.”