Orum and Sym: Implementing an Access Security Strategy Ahead of Growth

By
Sandy Kwon
December 7, 2022

About Orum

Orum enables payment innovation by powering faster payments and fully automated payment orchestration available 24/7/365 through an embeddable unified API.To date, they have raised over $82 million and operate a remote-first and geographically distributed team across the U.S.

Their investors and partners include some of the largest names in finance like Accel, SVB capital, Bain Capital Ventures, and American Express Ventures.

Meet the Team

Justin Hadley, Director of Information Security, has spent almost a decade developing and implementing security best practices and tooling for leading Healthcare and Fintech companies. In his role at Orum, he is responsible for partnering with Platform Engineering to deliver processes and systems that ensure the safety of a rapidly growing volume of immediate, 24/7 transactions.  

Dusty Gutzmann, Platform Engineer, has worked across industries, using his background in aerospace and systems engineering to develop a world-class, secure platform at Orum. He was the initial implementer of Sym, and works closely with Justin to make sure Orum’s best practices are being built and followed.  

The Problem: Facing Increased Regulatory and Reporting Pressure During Rapid Growth

Orum’s CTO, Silvino Barreiros, first connected with Sym shortly after the announcement of Orum’s $56M Series B raise. Silvino knew that following their raise, Orum would see rapid growth in:

  • Customers and customer transactions
  • Engineering team size and complexity
  • Regulatory pressure and scrutiny

In rapid growth, all three of these factors compound each other. More customers and rapid hiring can combine to put immense pressure on engineering bandwidth, right when complexities of team organization place further pressure on bandwidth to produce accurate audits for regulators.

Tomorrow’s Growth is Today’s Problem

Of course, it wasn’t only about getting ahead of growth; it was also about managing the risk that Orum faced today in a way that would reduce the risk they might face in 18-20 months if they didn’t begin implementing secure workflows to establish and demonstrate compliance. As a young company, quantifying this risk meant focusing on the cross section of real threats versus true vulnerabilities.

On day one, there were a handful of distinct scenarios that needed to be quickly addressed:

  1. Reducing broad AWS permissions for the engineering team by establishing tight controls around privileged environments
  2. Integrating with Okta to be able to reference dynamically changing user-group information
  3. Creating an automated request and approval experience that was frictionless and friendly for a growing group of engineers
  4. Capturing and storing evidence to support compliance audits as part of their certification requirements

Orum also had specific technical requirements that made it challenging to imagine any solution that wasn’t in-house development: they needed a tool that could slot into their ecosystem and existing group rules (AWS SSO managed via Okta groups), and they wanted to be able to build and maintain workflows in code for rapid iteration and flexibility. As an experienced purchaser, Silvino knew that readily available tools would not align with their development culture and most importantly, knew that they would face functional limitations. Most importantly, introducing yet another tool for future requesters to interact with presented the possibility of under-adoption or even worse, resistance.

To help untangle all this complexity while setting Orum up for secure success, Silvino brought in Sym, and handed the software to his team to implement.

The Solution: Using Sym’s Code-First Platform to Implement Secure Permissioning That Scales

Following the first onboarding call, Dusty was able to get a workflow set-up and a team onboarded in just 6 days. This initial workflow locked down default AWS SSO access for platform engineers, and placed all privileged escalations behind Sym, greatly reducing the risk surface area posed by broad standing access. Even with reduced permissions, engineers are able to easily request and gain approval for privileged permissions by requesting it directly in Slack using Sym’s Slack request bot. With the bot, they can request access, document their request, establish an access window, and have all of that intelligently routed to an approver or automatically approved pending predetermined logic.

In the background, Sym integrates with Okta to modify and elevate AWS permissions within a predefined window. After that time has passed, privileges are revoked and a normal access profile is restored to the user’s identity. For reporting, Orum sends all of the event data to Datadog via Sym’s AWS Kinesis integration so that there is an auditable data trail for every time a user makes an access request, is granted access, and is revoked of their elevated permissions.

As far as meeting the technical tooling requirements, Sym’s flexible SDK meant that the Orum engineering team could easily iterate on the existing flow and create new workflows at a fraction of the cost, complexity, and maintenance overhead of building a bespoke system from the ground up.

 Knowing that what we have is based in code and that we’re not buying an appliance and can configure workflows with variability and customizability cements Sym as part of the roadmap on what we can use and can use to scale. We can do things differently than what I’ve done in the past and what I’ve seen in the past. We have the ability to customize our own business logic and not be reliant on limitations of just another IAM appliance  

-- Justin

The Result: 1500+ Secure Access Runs for AWS and Databricks

In just 6 days, the Orum team was able to significantly reduce the scope of access granted to engineers by default without adding manual processes that slow the team down.

The workflow that was put into place scaled seamlessly and has been in place ever since. Users have commented on the ease of use and the elegance of the system, both for requesting or approving access in Slack and for generating new workflows. Members of the team have subsequently created additional workflows to place safer guardrails around specific AWS environments and to manage access to Databricks environments.

Taking it one step further, Orum has been able to translate that secure access into easily auditable records using Sym alongside Vanta and Datadog. According to Hadley, using all three services in conjunction “gives us the ease of use of capturing the evidence, as well as the ease of sharing with an external auditor when that time comes.” He went on to say, “this gives us the confidence that our controls are in place and continue to work. We’re not only worried about an external audit, but also internally from a security standpoint.”

 Using Sym with Vanta and Datadog gives us the ease of use of capturing the evidence, as well as the ease of sharing with an external auditor when that time comes.  

-- Justin

Once Orum’s immediate access requirements were met, Dusty reached out with an idea for using the Sym SDK to create another valuable workflow: intelligently-routed approvals for continuous deployments via CircleCI. Working closely with Dusty, Sym expanded their platform capabilities to support approvals via public API, and built a CircleCI integration and Orb. Now, the same platform that helps Orum’s engineering teams protect privileged resources is able to  centrally route and record approvals for application and infrastructure deployments.

As of implementation, there are 27 engineers using Sym to access all AWS environments. Sym has helped Orum execute 1500+ user access runs and has safely protected Test and Production environments across their entire infrastructure and data stack.

 Using Sym to implement just-in-time access for us is great. Not having engineers that have stagnant or over privileged AWS policies assigned within their accounts or different environments 24x7 makes me sleep a little bit better at night.  

-- Justin

Recommended Posts