How Kameleoon Automated Enterprise SSH Access to Safeguard its Security Posture
Kameleoon is a powerful and easy-to-use AI-driven A/B testing and personalization platform that helps 500+ brands across the e-commerce, financial, and healthcare verticals deliver exceptional digital experiences and products to their customers.
Over the past 18 months, Jimmy Passemard, Kameleoon's Chief Information Security Officer, has been building a security program to take the organization from its existing ISO 27001 certification to SOC 2 certification. Kameleoon's customers operate in industries that require security and compliance within their own business and across their partnerships. A SOC 2 certification further assures customers that Kameleoon is safe and credible, and that their data is being protected.
Kameleoon's Journey to SOC 2 Compliance
Prior to deploying Smallstep, Jimmy Passemard's greatest challenges were:
- Time spent managing user and server access
- Lacking an efficient system for record keeping
- Raising awareness of audit risks in order to stay in line with ISO 27001 and SOC 2 standards
Scattered and unmonitored SSH keys meant the organization could not fully trust its own infrastructure, weakening Kameleoon's trust posture. This blocker impacted the audit process and initially hindered Kameleoon's goal of staying compliant.
Manually auditing each developer's session took Jimmy Passemard about 2-3 hours, which kept his team in reactive mode and unable to invest time in strategically improving Kameleoon's trust posture.
Smallstep's Role in Kameleoon's Infrastructure Transformation
Kameleoon sought an enterprise SSH access solution for its DevOps team, one that would eliminate the multiple credentials developers and other personnel had been using for root access to key systems. The first step to improving security is to eliminate the need for SSH keys.
With several hundred host machines accessible to systems and users via SSH, Smallstep's SSH Professional Principal feature automated role-based access for groups and users on those machines, without compromising existing access to particular servers for users who hold the same privileges. When an employee leaves the organization, Kameleoon now has a modernized approach to immediately rescind access, avoid operational overhead, and maintain a well-defined audit trail.
"Now it's a lot easier for me to at least set a policy," said Jimmy Passemard. "This population will have access to these resources or this server with or without root access. It's so easy for me to put people in the appropriate groups. Something we can do automatically. Something that is quite easy to keep track of and audit. I know at which point who has access to what server which I really liked, and my auditors liked," Jimmy Passemard continued.
Smallstep's Impact on Kameleoon's Security and Audit Process
With Smallstep, Kameleoon has unlocked granular control and better visibility into its infrastructure. Jimmy Passemard, CISO, describes Smallstep as a "lightweight solution in terms of usage" that closes potential security gaps and creates a safer, more secure ecosystem. Since Kameleoon made the switch to Smallstep, the organization has stopped deploying SSH keys and adopted a seamless SSH certificate management process for its team of developers.
Smallstep SSH integrated easily with Kameleoon's IDE, which uses an FTP tunnel to access server resources. Smallstep SSH uses the standard OpenSSH software that developers are used to and adds no extra web interfaces for users to learn, so no additional training or onboarding is required.
"[Smallstep] helped us build a lot of trust during the audit process. We were able to see so much progress and pay close attention to something that is at the core aspect of infrastructure security," said Jimmy Passemard. Jimmy Passemard recognized the Smallstep Platform as aligning with, and encouraging, the practice of Zero Trust. How far an organization takes that model is ultimately its own decision; our offering delivers at small, medium, and enterprise scale alike.
Refining processes and staying on top of security best practices without affecting the health of its infrastructure is currently top of mind at Kameleoon. Smallstep has been, and will continue to be, "more sufficient and accomplish all our needs," Jimmy Passemard concluded.