B2B SAAS
Company: Chronosphere is a cloud-native observability platform that helps enterprises monitor, manage, and control telemetry at scale while optimizing costs. Chronosphere was founded in 2019, raised $342.5M, and sold to Palo Alto Networks for $3.35B.
Challenge: Tracking access requests for customer impersonation became a requirement as soon as Chronosphere started providing services to AI frontier labs: companies that train and serve frontier LLMs.
Solution: Chronosphere adopted Opal to eliminate standing access, automate user access reviews (UARs), set up time-bound access to sensitive resources, and more easily meet compliance requirements like SOC 2 and ISO 27001.
Impact and Scope:
194 managed groups and 69 resources
Standing access to customer impersonation reduced from 170 employees to just-in-time access for 10-15 employees, depending on on-call schedules
100% of approved requests are time-bound
Over 98% of time-bound requests are for less than a day
Operating Environment
Identity provider: Okta
Core systems: GCP, GitHub
Workforce: 300 Employees across 3 Continents
Deployment: SaaS
Challenge
As Chronosphere took on larger and larger customers, many Chronosphere employees, particularly on-call and customer-facing engineers, could impersonate a customer to resolve support issues. That ability was perhaps convenient, but it also left some room for improvement.
When AI frontier labs approached Chronosphere for container visibility services, the team knew that sensitive workloads would demand careful access policies. Chronosphere opted to further secure impersonation access, limiting it only to support and other critical personnel to proactively improve their security posture. The Chronosphere team ended up closing multiple deals with leading AI labs.
Goal
Chronosphere wanted an identity security platform that helped their team:
Scope and lock down impersonation access for employees
Unblock large deals with AI frontier research labs
Facilitate impersonation requests via Slack; expire access after 24 hours
Opal Solution
Chronosphere deployed Opal to reduce standing access to customer impersonation from 170 employees down to a slightly fluctuating average of 10-15 employees, including time-bound and “break-glass” access for on-call support engineers.
Key Results
Accelerated deployment velocity: Engineers now receive production access in minutes instead of hours or days
Least Privilege access to customer data: Customer data isn’t accessible to every employee in a standing fashion; it’s gated on manager approval, or on break-glass access for on-call support engineers
Increased productivity: Mean time to approve or deny access requests decreased by 82%.
Strategic Impact
Opal became a key control for SOC 2 Type 2 and ISO 27001 compliance, which was useful for meeting customer governance and security requirements, and for passing vendor audits. In the future, Chronosphere’s security team plans to roll out Opal to more employees—not just to engineers needing access to GitHub repositories and Google Cloud resources, but also members of the GTM team needing Salesforce access, extending Opal’s scope to both technical and non-technical users.
This expansion in identity security scope not only improves Chronosphere’s overall security posture, but also unlocks access to bigger deals with a measurable impact on top line revenue. In sum, Opal enhanced Chronosphere’s ability to achieve Least Privilege, and also grew Chronosphere’s annualized revenue and customer base to include large frontier AI labs.