How Valon Improved Security with Timed Access to Sensitive Permissions

Valon has an ambitious goal – reimagining mortgages from the ground up. The company services mortgage loans across all 50 states and DC and has more than 50 engineers. With the growing size of the engineering team and scale of the business, Valon knew that it needed to invest in state of the art access management controls to allow it to continue scaling with appropriate permissioning.

The platform engineering team knew that they needed the company’s access controls to reflect the maturity of the business. According to principles of least privilege – engineers should only get access to what they need to get their job done. The cornerstone of this strategy is providing just-in-time access; in other words, giving access only when they need it and no other time. This is a process that can become increasingly expensive with scale.

Overly restrictive controls could grind operational businesses to a halt. Paul knew that he could manually grant and revoke access using the internal IT team and google calendar reminders, but that would be an operational nightmare. Additionally, the mighty IT team of 3 supports over 250 employees and without a systematic approach it is difficult to understand and adjust employee access in real time.

‍

The platform team set up Opal with Google groups, Google Cloud Platform, and Slack in minutes. By importing and discovering all of Valon’s GCP infrastructure, Opal gave Valon the flexibility to determine which aspects of their infrastructure to lock down first.

Starting with the most sensitive resource, Google Secret Manager, Paul removed all long-standing access and required engineers to use Opal to request for just-in-time access. Since Opal has a native Slack integration, engineers didn’t have to learn a new user interface. The approvers were notified in Slack and could automatically provision access in one-click. Additionally, Paul implemented extra controls, such as mandating that all access expired automatically after 24 hours at the latest and that all requesters needed to verify identity through 2FA.

While Opal helped to elevate Valon’s security posture, it also helped to accelerate employee productivity. By using Opal to route requests to decentralized approvers and automate provisioning using Slack, Valon’s access requests went from 3 business days to around 5 minutes – a 288x increase!

The successful implementation of Opal enabled Paul to make secure by default feel effortless. Security didn’t need to be at odds with productivity. Naturally, the engineering team had a culture of locking sensitive access by default and using Opal was an intuitive and easy way to request access.