Case Study: OrderGrid
Learn how OrderGrid is using Tenable Cloud Security for their IAM zero trust strategy and to keep their security headcount lean and mean
OrderGrid At a Glance
OrderGrid provides cloud-native services and software for e-commerce fulfillment and inventory management, with focus on regulated food, beverage, consumer health and beauty products. It has warehouse fulfillment operations in North America, Latin America, the UK and Europe.
Founded during the pandemic, OrderGrid has no physical office space – all employees work remotely. Its IT operation is also fully remote and distributed, and runs on AWS. Explained Wes Sheppard, Chief Information & Intelligence Officer, OrderGrid, “With all our personnel remote, a threat actor can literally be anywhere, pretending to be from our company. Securing an enterprise like ours is a unique proposition because none of the rules work, and most tools aren’t a good fit. Our goal is to find the best combination of security tools, tactics and techniques while not overlapping too much in the service provider landscape.”
“My team manages data loss prevention, cyber security and IT – and most of our AWS infrastructure,” explained Wes. “We're a smaller team trying to do our best; efficiency is critical.” The organization has a yin-yang of cloud environments to secure: their production environment, used by customers, and their internal, cloud-native distributed environments, used by employees.
OrderGrid sought to create and maintain a stateless zero trust environment in which they assumed trust but verified minimum access and least privilege at all levels. Explained Wes, “We use the identity services of our cloud service providers – this creates a mesh architecture of trust that is very complicated to get right. Our greatest challenge was getting control over our identity services, including credentials; our cloud security process needed to be identity first.”
Recalled Wes, “Someone reached out, explaining that Ermetic [now Tenable Cloud Security] is an identity-first cloud security platform. Already in the discovery call we saw that Ermetic was the right solution, and the right people, at the right time – incredible serendipity. The Ermetic platform aligns perfectly with our zero trust approach.” Without engaging the Ermetic team, the OrderGrid team did a proof of concept. Said Wes, “Doing the PoC on our own speaks to the clarity of the Ermetic UX and documentation.”
Onboarding and Usage
Nicole Girouard, Security Operations Engineer, OrderGrid: “Ermetic was one of the first third-party tools we onboarded. We quickly saw that Ermetic was going to work for us. I integrated the Ermetic platform in our entire cloud environment in two hours – some solutions take 12-24 hours – and the data began flowing almost immediately. We could see everything – it was amazing, and validated that we’d done the integration correctly.”
Nicole continued: “The Ermetic platform is easy, clear and intuitive, and the guidance is accurate. I've yet to get information in Ermetic that doesn’t apply – and that moves us forward.”
Added Wes, “Ermetic has enabled us to get 80%-90% of the way to implementing zero trust for IAM. We now have clarity about who everyone is, who or what needs access and what they have access to, so can now focus on hardening our architecture. If we remediate something, Ermetic pops up to let us know where and why.”
OrderGrid strives for the highest levels of compliance and is using Ermetic to meet their compliance certification goals. Explained Nicole: “Ermetic was instrumental in completing our ISO/IEC 27001:2013 and SOC 2 Type 2 certifications and is key as we work on the AWS Well-Architected Framework and its benchmarks. We are tracking and spotting gaps quickly, and trending upward every month, which is very encouraging.” Ermetic reports are helping OrderGrid communicate with auditors.
Prioritization and Remediation
A primary focus for OrderGrid has been removing critical risks and keeping their zero trust strategy on point. Explained Nicole, “Ermetic has enabled us to focus where needed rather than face a mountain of findings we don’t have the breadth to tackle.” OrderGrid's security team handles Ermetic findings that involve architecture or least privilege, such as reining in public access. When a finding involves a code fix, the security team uses the platform's Jira integration to pass it to the developers for addressing in the relevant sprint based on Ermetic's prioritization.
“Ermetic remediation workflows are easy to follow,” said Nicole, “and really help us with least privilege. Ermetic shows if a user or programmatic access hasn't touched a resource in 90 days and provides a JSON script that eliminates the excessive privileges almost immediately. As our environment grows and tracking access risk becomes more complex, I know the Ermetic recommendations on my dashboard won’t need second-guessing.”
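One way to implement the unused-access check Nicole describes, as an added example that is not OrderGrid's or Tenable's code: given an IAM policy document and the date each service was last used by the principal (the same per-service shape IAM Access Advisor reports), it drops Allow actions whose service has not been touched in 90 days and returns the narrowed policy together with the removed actions. The sample policy, the timestamps and the 90-day threshold are constructed assumptions.

```python
"""Right-size an IAM policy from per-service last-accessed data (added example)."""
import json
from datetime import datetime, timedelta, timezone

UNUSED_AFTER = timedelta(days=90)          # assumed inactivity threshold
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"

# Constructed sample: an over-permissive policy attached to a CI role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:DescribeInstances"],
         "Resource": "*"},
    ],
}

# Constructed sample: last time the principal used each service.
# Services that were never used are simply absent.
SAMPLE_LAST_ACCESSED = {
    "s3": "2024-05-20T10:00:00Z",   # 12 days ago: keep
    "ec2": "2024-03-01T08:00:00Z",  # 92 days ago: stale
}

def service_of(action: str) -> str:
    """'s3:GetObject' -> 's3'; wildcard actions like 'dynamodb:*' map to 'dynamodb'."""
    return action.split(":", 1)[0].lower()

def is_stale(service: str, last_accessed: dict, now: datetime) -> bool:
    """Never used, or last used more than UNUSED_AFTER ago."""
    ts = last_accessed.get(service)
    if ts is None:
        return True
    last = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now - last > UNUSED_AFTER

def right_size(policy: dict, last_accessed: dict, now: datetime):
    """Return (narrowed policy, removed actions). Deny statements are always kept."""
    kept, removed = [], []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow":
            kept.append(stmt)
            continue
        live = [a for a in actions if not is_stale(service_of(a), last_accessed, now)]
        removed.extend(a for a in actions if a not in live)
        if live:  # a statement with no live actions is dropped entirely
            kept.append({**stmt, "Action": live})
    return {**policy, "Statement": kept}, removed

if __name__ == "__main__":
    narrowed, dropped = right_size(SAMPLE_POLICY, SAMPLE_LAST_ACCESSED, NOW)
    print(json.dumps(narrowed, indent=2))
    print("removed:", dropped)
```

Before applying the narrowed policy, review the removed actions with the owning team: infrequent but legitimate use (quarterly jobs, break-glass paths) looks identical to unused access in last-accessed data.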
ROI and Other Benefits
OrderGrid cites savings, expertise and collaboration among the benefits of their use of the Ermetic platform.
“Like fire insurance.” Explained Wes: “Our ability with Ermetic to escalate and resolve residual access risks correctly, and give evidence that we have, links directly back to the business. We’re too young to survive the cost of a data breach; Ermetic is like fire insurance, helping prevent the impact upon a data breach.”
Reduced headcount need, lower-cost skills. Said Wes, “Instead of three security engineers, with Ermetic, we’re managing with one. When we do add headcount this year it will be at reduced technical requirements so at a lower cost and easier to source. And Ermetic is so well-designed you can use it to close skill gaps and bring more people into the cloud security community.”
Actionable insights. Said Nicole, “Ermetic shows you innovative ways to fix things. Its remediation guidance actually teaches you how to use the cloud.” Added Wes, “Ermetic’s correlated insights are unique, showing how all problems connect to your architecture and configuration state – and revealing all exploits of a compromised resource.”
24/7 partnership. Explained Nicole, “The Ermetic developers and customer success team are always ready to jump on a call; I can message with them almost any time and get anything fixed. Having such a close relationship and getting rapid feedback is huge for us.”
Everyone on board on cloud security. Noted Wes, “I go into executive meetings, point at the Ermetic dashboard, and everyone gets it. It’s a window into cloud complexity that conveys the technical perspective and at the same time easily communicates on cloud security posture – you don’t need industry expertise to understand what's going on.”
Noted Wes, “Many cloud security tools push real-time monitoring – in reality, for most organizations, it’s hard to do and an expensive lift. Ermetic has managed to make something just as effective, at a more reasonable cost and much more robust value proposition. The Ermetic platform is amazing, enabling us to make intense progress on our zero trust strategy, and has increased productivity for our highly capable teams.”