Ermetic Case Study: Latch
Find out how Latch is using Ermetic to improve their security posture.
Latch is the maker of a full-building enterprise software-as-a-service (SaaS) platform designed to help owners, residents and third parties seamlessly experience the modern building through integrated products, software and services.
The Challenge
As a cloud-native enterprise, Latch is focused on honing its cloud infrastructure for development efficiency, smooth operation and security. Latch’s cloud security and site reliability engineering (SRE) teams, working in lockstep, wanted to reduce risky access -- and bake least privilege into their environment early on.
Latch had started building a cloud identities program, federating users from Okta. Dom Zanardi, Software Engineer, Security Automation, Latch, explained their dilemma: “We knew Okta on its own couldn’t give us sufficient cloud granularity. We have a team of engineers needing privileged access and we don't have PAM: how do you minimize privileges without disrupting work?” Latch also wanted visibility into and analysis of its machine identities, to ensure resources did not hold excessive or risky privileges that would widen the blast radius in case of a breach.
The Latch team began researching cloud identity tools. They wanted to be able to drill down on permissions, answer who can access what and make informed access decisions. “It’s a real challenge to find cloud-native security solutions that really work -- so many tools just mimic on-prem. They are bulky, require too much effort or lack a maintenance commitment.”
The Solution
“I came across Ermetic online,” recalled Dom. “I reached out to my head of security and told him Ermetic is exactly what we need -- there aren’t a lot of products that act like an access advisor, advising what to do. By the third phone call and a demo, he realized Ermetic can do lots of things AWS can’t.”
Why not DIY.
Dom continued, “In fact, Amazon is philosophically quite committed, offering tools for tracking entitlements -- but with a lousy experience. We’re mostly AWS native in managing our environment so can definitely build an identity risk solution ourselves but it’s just not the right use of our time.”
Latch is using Ermetic as a strategic lifecycle tool for improving their security posture, reactively and proactively. Said Dom, “We're using Ermetic to see access risk factors early and understand what our identities are touching. Ermetic takes the ‘what the hell is going on’ component out of IAM. And that’s good, because I want my engineers to spend as little time as possible on IAM.”
Drop and play.
Latch is also leveraging Ermetic’s auto-generated policies, which are based on the permissions an identity is actually using, to drop code snippets into their Terraform pipelines and workflows, improving their infrastructure as code (IaC) templates. Explained Zack Stayman, Senior Site Reliability Engineer, Latch, “We’re using Ermetic to strategically push least privilege best practice as far left as we can. Ermetic automation is helping us reduce errors and inter-team dependencies -- it’s win-win for our SRE and security teams, and is fortifying our cloud infrastructure against risk.”
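The shape of the workflow described above, as an added illustration that is not Ermetic's or Latch's code: a broad IAM policy is narrowed to the actions an identity actually exercised, unused wildcard grants are surfaced for review, and the result is rendered as a Terraform resource. The sample policy and the set of observed actions are constructed for the example; in practice the observed set would come from activity data such as CloudTrail.

```python
import fnmatch
import json

# Constructed sample of a broad policy as it might sit in Terraform today (not Latch's real policy).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["sqs:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
    ],
}
# Constructed sample of the actions the role actually exercised in the review window
# (the kind of data CloudTrail provides); assumed values, not captured activity.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "sqs:SendMessage"}

def _actions(stmt):
    """IAM lets 'Action' be a bare string or a list; always return a list."""
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)

def narrow_policy(policy, observed):
    """Keep, per Allow statement, only the observed actions its patterns cover;
    drop statements nothing used. Deny statements pass through unchanged."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            out.append(stmt)
            continue
        kept = sorted(a for a in observed
                      if any(fnmatch.fnmatchcase(a, p) for p in _actions(stmt)))
        if kept:
            out.append({**stmt, "Action": kept})
    return {"Version": policy["Version"], "Statement": out}

def unused_grants(policy, observed):
    """Allow patterns that no observed action matched: the grants to question first."""
    return [p for stmt in policy["Statement"] if stmt.get("Effect") == "Allow"
            for p in _actions(stmt) if not any(fnmatch.fnmatchcase(a, p) for a in observed)]

def to_terraform(name, policy):
    """Render as an aws_iam_policy resource, ready to drop into a Terraform module."""
    body = json.dumps(policy, indent=2)
    return f'resource "aws_iam_policy" "{name}" {{\n  name   = "{name}"\n  policy = <<-EOT\n{body}\n  EOT\n}}\n'

if __name__ == "__main__":
    narrowed = narrow_policy(BROAD_POLICY, OBSERVED_ACTIONS)
    print(to_terraform("least_privilege_role_policy", narrowed))
    print("# unused grants to review:", unused_grants(BROAD_POLICY, OBSERVED_ACTIONS))
```

Running the block prints the narrowed resource and flags `dynamodb:*` as a grant nothing exercised, which is the review conversation the text describes happening between SRE and security before a policy lands in the pipeline.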
Show and tell.
Added Dom: “By the way, I love the reports. For compliance, we need to show vulnerabilities in a specific time frame; the Ermetic reports make for very effective reporting up to my management.” “Let me tell you how Ermetic distinguishes itself, why it’s strategic,” summarized Dom. “There are 10,000 tools out there that can tell me what's wrong; Ermetic makes it easy to fix it. That’s what sold me on Ermetic.”