Written by Jason Garbis on July 06, 2018
How Datadog Achieved AWS Security and Improved Developer Experience
Datadog and AWS recently joined Cyxtera in a webinar to discuss user-based access to AWS networks. We’ve captured the essence of this conversation below, exploring how Datadog embraced a Zero-Trust model using the leading Software-Defined Perimeter solution, AppGate SDP.
Ryan Scott, Senior Software Engineer at Datadog discussed how the company secured access before and after AppGate SDP.
Datadog: Securing access to multi-accounts in AWS before AppGate SDP
Datadog is a monitoring service for hybrid cloud applications, assisting organizations in improving agility, increasing efficiency, and providing end-to-end visibility across the application and organization.
Datadog started with two AWS accounts divided up by business process – one account for the lower-risk environment and one account for the production environment. As the company grew, it found that it needed account separation for security controls. However, having so many teams and people working in parallel, Datadog ended up with 18 AWS accounts spread across a distributed team of more than 600 users in over 100 locations. Of these 18 accounts, there are specialized access needs.
- Multiple AWS accounts
- Distributed teams
- Specialized access needs
"A traditional VPN solution granted too-broad, always on access for the engineering staff and there were usability issues where developers continually switched between accounts resulting in an experience that wasn’t good."
"Controlling who could enter our security groups was not tenable in an operations model. We had some security concerns around that. The traditional model for VPN didn't allow us to enforce device validation. Users could install a VPN client on any machine, whether it was corporate-owned or a personal device," said Ryan.
Datadog: Secure access with AppGate SDP
Datadog wanted to adopt amodel by using a Software-Defined Perimeter. The company evaluated a number of solutions and selected .
Precise, fine-grained access control
AppGate SDP enables precise, fine-grained access control, while its unique multi-tunneling capability keeps developers productive by eliminating the disruptive act of account switching that is required while using traditional VPNs.
AppGate SDP allowed us to provide individual users with their own one-to-one network segment to AWS resources that they are allowed to access. It does this simultaneously across all of our locations and all of our AWS accounts – Ryan Scott, Senior Software Engineer at Datadog
"For example, a user in New York could have access to their development environment, but only their resources in that environment, their staging environment, their resources and then the resources they need in the production environment," said Ryan
Instead of users having access to an entire network segment (CIDR block) for staging or production VPC, they now only have access to their specific resources that they need. And this happens completely seamlessly – they have access to what they need. They don’t have access to anything else.
Transparent user experience
With AppGate SDP, each user has a one-to-one network segment that is not limited to a single network or a single account. Admins can easily set it all up so a single user has access to everything they need no matter what network or account it lives on. Users can connect using a single sign-on via an identity provider and have a seamless experience for accessing their dev and staging environment, production application, build jobs – whatever it is they need to access, they’ll have it.
Datadog has strong security controls now. Users only have access to what they need to do their job, and not only do they not have access to anything else, what’s off-limits isn’t even visible to them.
User access dynamically adjusts based on server tags
There are some challenges with VPNs and the cloud due to dynamic resources coming and going as instances are turned off or scale up or down. “We needed those resources to be the new instances available to users in a dynamic fashion without us having to operationally go in and update what users have access to,” stated Ryan.
AppGate SDP allows Datadog to do that based on metadata and tags. Users have access to their specific resources and then, if they scale up their application, they'll have access to the new versions, the new instances, and the new resources that are applied.
Lastly, AppGate SDP allows Datadog to take the Zero Trust model further by integrating with its device inventory system. AppGate SDP integrates with the backend system to validate the devices that are connecting to its Software-Defined Perimeter.
"We ensure devices are corporately managed devices registered in our inventory system. If a user’s credentials are compromised, they won’t be able to log into our Software-Defined Perimeter just based on that. The user would need all of their information, plus would need the valid hardware, as well, to be able to access our AWS instances," said Ryan
Datadog: Looking Forward
Datadog is increasing its change control and audit process by moving all of its AppGate SDP configuration items into Source Control. It’s also planning in the future to increase its end-to-end identity validation by enhancing workstation monitoring to provide better device validation rather than just a specific hardware profile.