top of page

Companies Can Simplify Their Access Management—Without Compromising on Security

How leading enterprise AI-search solution Coveo used StrongDM, the dynamic access company, to transform its approach to privileged access management

In the world of cybersecurity, few issues are more pressing right now than preventing a data breach. As a recent report from Verizon found, 82% of data breaches are caused by compromised credentials, whether through credential theft, employee misuse, or even internal sabotage. The common element across all those attack vectors is people.

The problem is that traditional security tools were designed for a different era in which useability was an afterthought. When security tools make life so difficult that it becomes easier to find workarounds than adopt. The end result undermines their intention and impedes adoption without mitigating the actual risk of a breach.

In this interview, we’ll hear how the Coveo team changed their approach to privileged access management and the results it drove.

We spoke with Jean-Philippe Lachance, Team Leader, Staff Security Developer at Coveo, a market-leading AI-powered relevance platform, about how the company struggled to enforce least privileged access as they scaled and how StrongDM’s privileged access management (PAM) solution helped.

Maybe you can start by sketching out the current access management landscape. Why was it so hard to actually enforce least privilege before deploying StrongDM?

When our company started using the Cloud around 2013, we had one database in one region. Defining who should have access to what was relatively straightforward at that scale. A manager could confidently make that call on their own. As the company grew, that just wasn’t possible anymore. By 2019, that number increased to 20 databases per environment per region, with multiple regions. But we still relied on access management tactics from our earlier days.

Just to give you a sense of the scale of the problem: one highly privileged employee at our company might have over a hundred unique usernames and passwords for the hundred databases they needed to access. Passwords were stored in a password management tool—but between software updates and routine password changes, the stored passwords were often out of date.

That approach had serious operational consequences. Frequently, members of our R&D department found themselves locked out of systems they needed quick access to, as they waited for on-call access management people to grant their access requests. Employees were unhappy and problems were going unresolved for longer than they should have been. Something needed to change.

Plenty of companies experience similar breaking points. They were quick to embrace the cloud, leveraged on-demand infrastructure and automation to scale, but continued to apply privileged access management processes that were designed for a different era and can’t handle cloud-scale. That ends up frustrating everyone: Security, DevOps, and Developers. Security teams can’t be confident their policies are being enforced. DevOps teams have to break their automation to try to enforce Security’s policies. And Developers are stuck waiting too long to get the access they need.

The future of privileged access management is about taking a different approach. As an industry we need to prioritize the end user experience in order to automated detection, remediation and best practices without interrupting the user experience for either administrators or end users.

Can you describe some of the ways you tried solving these issues before StrongDM?

We tried a number of solutions over the years. First we tried to solve the problem in-house; With a lot of Python code and time, Coveo built an access management system that can scale with the Cloud. That solution was functional, but created too many distinct accounts per developer, like stated before.

The fun fact was that Coveo tried strongDM as early as 2018, while StrongDM was a young startup. At that time, StrongDM was compared with the in-house solution. We compared the features, the cost of using StrongDM, and the cost of making the in-house solution (what we thought) as good as StrongDM. At that point in time, the decision was made to continue with our in-house solution.

By the end of 2019, the Coveo infrastructure size more than doubled, the complexity of the in-house system increased, and the usability of the in-house system decreased a lot. Therefore, mid 2020, we went back to StrongDM, acknowledged that solving access management on our own was ambitious.

In January 2021, we did our go-live with StrongDM, and very quickly the permission problems that had plagued us for years more or less evaporated.

Basically, we integrated everything into StrongDM. Our data sources, our servers, our Kubernetes clusters—everything. And suddenly our developers had a single simple tool they could use to connect and have access to what they own. Instead of dealing with one hundred passwords, each of our employees now could use a single credential to access every needed resource, regardless of location or protocol.

What have been some of the positive benefits of using StrongDM for access management?

For one thing, the amount of admin work that our DevOps teams have had to deal with has decreased significantly since we signed up with StrongDM. Whenever new infrastructure is provisioned, all permissions are automatically assigned through StrongDM and Terraform and the StrongDM API. StrongDM also eliminates the administrative work of fielding lost password requests, by unifying all infrastructure access in their SSO. This frees our team up for more important matters.

Most importantly, though, StrongDM provides us with an audit trail. It's hard to overstate just how important an audit trail is—for security analysis, for SOC 2, for HIPAA compliance. We need nothing less than total awareness of everything that happens inside our environments. We need to be able to go back and see what happened in a specific instance, or what was queried on a specific day. StrongDM provides that functionality.



bottom of page