
Customer Story


How Spotnana moved critical systems to just-in-time access to secure its scaling business

Challenges

  • IT lacked the tools needed to optimize permissioning
  • Difficult to ensure secure access to AWS as the business expanded
  • Manual, time-consuming approvals and provisioning
  • No systematic way to decentralize and push approvals to account owners

Results

  • Automated just-in-time access for AWS
  • Approvals automatically routed to appropriate AWS account owners
  • Full audit records of who has access to what and when

Establishing a strong identity security posture amid rapid-fire growth

Spotnana’s cloud-based Travel-as-a-Service platform is modernizing the infrastructure of the travel industry and powering a new generation of travel experiences for corporations, leisure travelers, and travel sellers. The company, founded in 2020, has seen lightning-fast growth through direct sales of travel solutions to Fortune 100 companies as well as channel partnerships with Brex, Qantas Airlines, Direct Travel, and more.

Travelers trust Spotnana to handle their sensitive personal information, and the company’s platform integrates deeply with a wide range of systems, so data protection is a business-critical priority. Spotnana’s co-founder and CTO, Shikhar Agarwal, recognized early in the company’s journey that strong data security would be essential to its ability to succeed in the travel industry. Spotnana’s swift expansion was accompanied by rapid adoption of SaaS apps and exploding numbers of IaaS accounts, all of which needed to be managed and secured. So in mid 2022, Shikhar brought on Ashish Popli, CISO, and Ben Godard, Director of Security Engineering, to improve permission management and establish a security framework that could scale.

Reining in standing access

“From the very first day, it was clear to Ashish and me that one of the biggest issues we needed to address was identity access management,” recalls Ben. Having worked as an ethical hacker in the past, running pentests and red team attacks to determine how and where companies’ data could be compromised, Ben understands firsthand the importance of identity security. “I can only count on one hand the number of times I got in through a bug or flaw in someone’s code. By far the most common way I got in was through normal access channels. I would either get access to valid credentials or get code running on a user’s machine that allowed me to just be them.”

Thinking like an attacker, Ben started with two security questions: 1) Where are the doors? and 2) Who has the keys? At Spotnana, more employees could log into sensitive company resources than strictly needed to. Spotnana’s IT team controlled the keys to those doors, but too many users had been granted standing access privileges, especially in AWS, Spotnana’s most critical resource.

Spotnana already had numerous AWS accounts, each managed by an individual owner who followed their own conventions when defining groups and permission sets. The IT team followed the principle of least privilege when processing access requests, but so as not to block engineers from getting their work done, IT often granted standing admin privileges in AWS.

As things stood when Ben and Ashish came on, an attacker who compromised the credentials of just one of Spotnana’s many overprovisioned AWS users, even briefly, could reach the company’s entire production environment.
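The check behind Ben’s two questions is to enumerate who holds standing admin in AWS. The script below is an added example written for this page; it is not ConductorOne’s or Spotnana’s code. It assumes AWS IAM Identity Center (where the permission sets mentioned later in the story live) and uses only the real `sso-admin` API calls (`list_permission_sets`, `list_managed_policies_in_permission_set`, `describe_permission_set`, `list_account_assignments`). The `FakeSsoAdmin` client, its account IDs and its principal IDs are constructed sample data so the example runs offline; against a real instance you would pass a `boto3.client("sso-admin")` instead.

```python
"""Inventory standing admin access in AWS IAM Identity Center.

Added example for this page, not ConductorOne's or Spotnana's code. It finds
every permission set that attaches the AWS-managed AdministratorAccess policy
and lists which principals hold it in which accounts. Every row it returns is
standing access: it stays until someone removes it, which is exactly what a
JIT workflow replaces.
"""

# Real AWS-managed policy ARN for full administrator access.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _paginate(call, key, **kwargs):
    """Follow NextToken through a paginated sso-admin API response."""
    token = None
    while True:
        if token:
            kwargs["NextToken"] = token
        page = call(**kwargs)
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return


def admin_permission_sets(sso, instance_arn):
    """Map permission-set ARN -> name for every set attaching AdministratorAccess."""
    found = {}
    for ps_arn in _paginate(sso.list_permission_sets, "PermissionSets",
                            InstanceArn=instance_arn):
        policies = _paginate(sso.list_managed_policies_in_permission_set,
                             "AttachedManagedPolicies",
                             InstanceArn=instance_arn, PermissionSetArn=ps_arn)
        if any(p["Arn"] == ADMIN_POLICY_ARN for p in policies):
            desc = sso.describe_permission_set(InstanceArn=instance_arn,
                                               PermissionSetArn=ps_arn)
            found[ps_arn] = desc["PermissionSet"]["Name"]
    return found


def standing_admin_assignments(sso, instance_arn, account_ids):
    """Return sorted (account_id, principal_type, principal_id, set_name) rows."""
    admin_sets = admin_permission_sets(sso, instance_arn)
    rows = []
    for account_id in account_ids:
        for ps_arn, name in admin_sets.items():
            for a in _paginate(sso.list_account_assignments, "AccountAssignments",
                               InstanceArn=instance_arn, AccountId=account_id,
                               PermissionSetArn=ps_arn):
                rows.append((account_id, a["PrincipalType"], a["PrincipalId"], name))
    return sorted(rows)


class FakeSsoAdmin:
    """Constructed stand-in for boto3's sso-admin client so the example runs offline.
    Two permission sets (one admin, one read-only); list_permission_sets paginates."""
    ADMIN = "arn:aws:sso:::permissionSet/ssoins-fake/ps-admin"        # constructed
    READONLY = "arn:aws:sso:::permissionSet/ssoins-fake/ps-readonly"  # constructed

    def list_permission_sets(self, InstanceArn, NextToken=None):
        if NextToken is None:
            return {"PermissionSets": [self.ADMIN], "NextToken": "page2"}
        return {"PermissionSets": [self.READONLY]}

    def list_managed_policies_in_permission_set(self, InstanceArn, PermissionSetArn,
                                                NextToken=None):
        if PermissionSetArn == self.ADMIN:
            return {"AttachedManagedPolicies": [
                {"Name": "AdministratorAccess", "Arn": ADMIN_POLICY_ARN}]}
        return {"AttachedManagedPolicies": [
            {"Name": "ReadOnlyAccess", "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}

    def describe_permission_set(self, InstanceArn, PermissionSetArn):
        name = "AdministratorAccess" if PermissionSetArn == self.ADMIN else "ReadOnlyAccess"
        return {"PermissionSet": {"Name": name, "PermissionSetArn": PermissionSetArn}}

    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn,
                                 NextToken=None):
        # Constructed data: two users and one group hold admin in "prod" (1111...),
        # nobody holds it in "dev" (2222...).
        data = {("111111111111", self.ADMIN): [
            {"PrincipalType": "USER", "PrincipalId": "u-alice"},
            {"PrincipalType": "USER", "PrincipalId": "u-bob"},
            {"PrincipalType": "GROUP", "PrincipalId": "g-infra"},
        ]}
        return {"AccountAssignments": data.get((AccountId, PermissionSetArn), [])}


def main():
    # Real usage: sso = boto3.client("sso-admin"); take InstanceArn from
    # sso.list_instances() and account IDs from AWS Organizations.
    rows = standing_admin_assignments(FakeSsoAdmin(), "arn:aws:sso:::instance/ssoins-fake",
                                      ["111111111111", "222222222222"])
    for account, ptype, pid, name in rows:
        print(f"{account} {ptype:5} {pid:10} {name}")


if __name__ == "__main__":
    main()
```

Each printed row is a standing grant an attacker could ride if that principal’s credentials were stolen; a group row is worth extra attention because every member of the group inherits it. Checking only the managed `AdministratorAccess` policy is a deliberate simplification: permission sets can also reach admin through inline or customer-managed policies, so treat the result as a lower bound.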

Connecting the dots between JumpCloud and AWS

Spotnana first upgraded the company’s identity provider to JumpCloud, which was more secure than their previous IdP and allowed them to enforce SSO and MFA for AWS. But the move created a new challenge. To provision AWS groups through JumpCloud, IT would have to be given standing JumpCloud admin privileges, which was not much of an improvement over standing admin access in AWS: the standing privilege had moved, not disappeared.

Ben, Ashish, and the IT team brainstormed ways to build a solution in-house that would connect the dots between JumpCloud and AWS, allowing the creation of approval workflows between the two. They wanted to push access approvals to the people who could make the most informed decisions, the account owners, and get a record of who had approved the access and why.

They discovered some outside vendors who claimed to be able to make the connection they needed, but the options were limited. Most solutions either worked with only a small set of IdPs or offered only access review capabilities. Integration with JumpCloud was critical for Spotnana. And while automated reviews were a nice-to-have, the team’s priority was to set up foundational access controls.

Ben’s ideal solution would go even further, enabling Spotnana to implement true just-in-time (JIT) access to AWS. “We needed a way to do self-service JIT that just worked,” he says. “So someone could ask for access, the right person could approve that access, and the right amount of access could be granted for however long it was needed. Then it would go away. That was way more important than access reviews or all the other bells and whistles.”


Partnering with ConductorOne to build a solution

When the Spotnana team found ConductorOne, “everything just lit up,” says Ben. “ConductorOne supported JumpCloud and connected to the infrastructure and apps we cared about, like AWS and GitHub.”

Even if ConductorOne were only able to help them build a workflow for AWS access approval, the Spotnana team would have been interested. But, “ConductorOne could also make access changes as part of the workflow,” Ben says, “which is what got us really excited.” They decided to bring on ConductorOne and test moving AWS users to groups in JumpCloud, which then synced to groups in AWS. “And it just worked,” Ben recalls.

Scaling was also important to the Spotnana team. They knew they would be adding more AWS accounts, which, with the way they had things set up, was going to require a lot of group management. Because ConductorOne can provision access for applications that support group management, they knew they could continue to create AWS groups in JumpCloud; they would just need to keep a consistent naming convention.

Implementing ConductorOne moved Spotnana closer to where they wanted to be, and the ConductorOne team was eager to solve their full JIT use case. ConductorOne got right to work building an updated AWS connector that could provision directly to AWS, bypassing JumpCloud altogether. The new connector provisioned not only to groups but to permission sets, which was a huge win for the Spotnana team: instead of managing an abundance of groups in JumpCloud, they could provision from one point of entry. This reduces the likelihood of an employee being granted access outside the new approval process and puts the onus on the team members equipped to make the right provisioning decision.

“ConductorOne chains everything together. JumpCloud handles SSO for AWS, and ConductorOne handles provisioning,” explains Ben. “It’s the best of both worlds.” Now anyone in the company can request access to AWS using JumpCloud, and instead of IT, it is the AWS account owners, who know best which permissions match the requested access, who determine what access is granted and for how long.

There is always a balance to be struck between reducing friction for employees who need access in a timely manner to do their jobs and making sure the right procedures are followed for obtaining it. With ConductorOne’s Slack application, Spotnana employees can request the access they need directly from Slack, which triggers a corresponding Slack notification to the approver. This meets them where they are and removes the need for Spotnana’s team to train multiple staff on new software: all the information they need to complete the request and approval process lives in one already-familiar location. Ben is a big fan of the Slack integration. “Everything we do is in Slack and the fact that approvers get a Slack message and an email… It’s pretty much impossible to miss it and it gives them all the context.”

Securing Spotnana’s future

“The sweet spot for me has always been ‘secure by default,’” says Ben. By that he means that when the most secure action is also the most convenient action, users will be more inclined to take it. Spotnana has been able to move toward making zero standing privileges the default in AWS because they have automated JIT access using ConductorOne. They have made it convenient for engineers to self-service request privileged access that can be approved, provisioned, and deprovisioned automatically.

“Access can also be extended easily,” Ben explains. “It can be granted for a short period of time, and if that’s not enough to get your job done, you can just ask for it again.” Because users can get the access they need whenever they need it, they don’t mind giving it up when it is no longer necessary. In fact, they prefer it. “The entire infrastructure team got really excited when we presented this to them,” Ben says. “At the end of the day, people don’t want standing access if they don’t need it; they just want the access they need, when they need it, to get their work done, and to not have to think about it the rest of the time.” ConductorOne has made the process of getting temporary access frictionless: secure by default.

With ConductorOne, Spotnana has also been able to move to a self-managed groups model, which Ben is particularly enthusiastic about. “We can now control group membership and democratize access control. Self-managed groups manage who their members are and approve or deny access as a group. Technically you never even have to elevate to an owner of the group. No one person gets to decide on a whim who gets access—it’s a group decision enabled by a ConductorOne workflow.”

Self-managed groups create a multiparty approval process without slowing things down, which is a significant security win: no single approver can grant access unilaterally. “I think of it like the two keys in the submarine for nuclear missiles,” explains Ben. “It’s just more secure having multiple people in the loop.”

The team is now implementing workflows in ConductorOne that will automate on-call JIT access for AWS tied to PagerDuty. The workflows will enable automatic provisioning of on-call and break-glass access where appropriate and create an audit trail of that access.

Next, they will be setting up GitHub groups in ConductorOne, and then integrating the company’s other apps. They expect a flood of integration requests from across the business as teams learn how easy it is to manage access through ConductorOne.

Ben is looking forward to fulfilling those integration requests and getting more of the company’s systems into ConductorOne. “With ConductorOne, we know that only the people who need access to our doors have the keys, and only while they need that access. And requesting access is a much better experience with ConductorOne than it was before, which ensures our employees will follow best practices—because that’s the easiest thing to do. We don’t have to sacrifice productivity for security, and that makes everyone breathe easier.”


About


Spotnana is modernizing the infrastructure of the travel industry in order to bring freedom, simplicity, and trust to travelers everywhere. Their groundbreaking Travel-as-a-Service platform revolutionizes travel for corporations and consumers, modernizes how travel suppliers sell their inventory, and enables any company to provide the world’s best global travel experiences to their customers. To learn more, visit spotnana.com.

Industries

  • Travel Software

Company Size

250–500 employees

Headquarters

New York
