Traditional perimeter-based security is no longer enough as most applications reside in the cloud. At Sequoia, we’ve implemented a defense-in-depth strategy for securing access to our SaaS applications through layers of controls. We’ve implemented two types of controls, one focusing on foundational access and safeguards, and the second focusing on targeted protections for high-risk systems.
Layer 1: The Foundation of Zero Trust
These controls apply to all users and applications, ensuring baseline security is present before granting access. All users must successfully pass all requirements to access our applications.
Identity – User access is challenged by controls like Multi-Factor Authentication (MFA) and continuous authentication is applied by performing session integrity checks and behavior analytics.
Secured Device – Users must use a secure and managed device to access our applications. This step ensures that security controls like Endpoint Detection and Response (EDR) and Cloud Access Security Broker (CASB) tools are in place to provide visibility and a protected workspace when access is granted. We continuously monitor device health to confirm not just that a device is managed, but that every control is functioning and the system is up to date.
VPN and Enterprise Browser – In addition to the identity and secured-device controls above, we require our users to connect to a Virtual Private Network (VPN) and to use a secure enterprise browser when accessing applications. These solutions provide granular access policies, enhanced security controls, and monitoring. Neither the VPN nor the enterprise browser inherently trusts the device; both perform continuous Host Information Profile (HIP) checks to verify that the device is secure and compliant.
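The Layer 1 gate described above, written out as an added example (this is illustrative code, not Sequoia's actual policy engine). It evaluates the identity, device and network signals as one fail-closed decision and reports every control that failed rather than only the first, which is what a user and the SOC both need to see. The field names, the risk and patch-age thresholds, and the set of HIP checks are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed example: a minimal Layer 1 gate that requires every
# foundational control to pass before any application access is granted.
# Field names and thresholds are assumptions for illustration.

@dataclass
class AccessContext:
    user: str
    mfa_passed: bool
    session_integrity_ok: bool          # token binding / replay checks passed
    behavior_risk: int                  # 0 (normal) .. 100 (highly anomalous)
    device_managed: bool
    edr_running: bool
    casb_running: bool
    patch_age_days: int                 # days since the last OS/security update
    on_vpn: bool
    enterprise_browser: bool
    hip_checks: dict = field(default_factory=dict)  # e.g. {"disk_encrypted": True}

MAX_BEHAVIOR_RISK = 70                  # assumed cut-off for behavior analytics
MAX_PATCH_AGE_DAYS = 14                 # assumed "up to date" window
REQUIRED_HIP = ("disk_encrypted", "firewall_enabled", "screen_lock")

def evaluate_layer1(ctx: AccessContext) -> tuple[bool, list[str]]:
    """Return (allowed, failed_controls). All controls must pass; every
    failure is collected so the full posture is visible, not just the first."""
    failures = []
    # Identity: MFA plus continuous session checks
    if not ctx.mfa_passed:
        failures.append("identity:mfa")
    if not ctx.session_integrity_ok:
        failures.append("identity:session_integrity")
    if ctx.behavior_risk > MAX_BEHAVIOR_RISK:
        failures.append(f"identity:behavior_risk={ctx.behavior_risk}")
    # Secured device: managed, EDR and CASB present and running, patched
    if not ctx.device_managed:
        failures.append("device:unmanaged")
    if not ctx.edr_running:
        failures.append("device:edr_not_running")
    if not ctx.casb_running:
        failures.append("device:casb_not_running")
    if ctx.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"device:patch_age={ctx.patch_age_days}d")
    # Network path and browser
    if not ctx.on_vpn:
        failures.append("network:vpn")
    if not ctx.enterprise_browser:
        failures.append("network:enterprise_browser")
    # HIP checks reported by the VPN/browser: a missing check counts as failed
    for check in REQUIRED_HIP:
        if not ctx.hip_checks.get(check, False):
            failures.append(f"hip:{check}")
    return (not failures, failures)

def compliant_user() -> AccessContext:
    """Constructed context for a user whose laptop passes every control."""
    return AccessContext("alice", True, True, 10, True, True, True, 3, True, True,
                         {"disk_encrypted": True, "firewall_enabled": True, "screen_lock": True})

if __name__ == "__main__":
    print("compliant:", evaluate_layer1(compliant_user()))
    stale = compliant_user()
    stale.patch_age_days = 30
    stale.hip_checks["firewall_enabled"] = False
    print("stale device:", evaluate_layer1(stale))
```

The HIP loop treats an absent check the same as a failed one; that is the fail-closed behaviour the VPN and enterprise browser apply when they do not trust the device by default.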
Layer 2: Enhanced Access Controls – Locking Down Crown-Jewel Applications
For sensitive systems, we add enhanced access controls to further reduce risk. These controls are designed and evaluated for each specific application and can vary based on the complexity or sensitivity.
Production Access Requests (PAR) – In order to be granted access, we follow a strict workflow that requires approvals from both the application owner and the security team. These requests are audited to ensure that no access was granted without the proper approvals.
Just-In-Time (JIT) Provisioning – Once a user has been approved by the previous step, they don’t automatically receive standing access to the application. Instead, they must initiate a JIT request to be granted access for a limited period. Once the time expires, their session is revoked and they lose their privileged access.
Data Access and Protection – We limit access by creating roles based on least-privilege principles and require additional access controls by enforcing the use of virtual desktops or enterprise browser policies to restrict users from downloading or copying data out of their sessions.
Why This Matters
These enhanced access controls ensure that even authorized users can’t overstep their permissions. By combining PAR, JIT, and data access controls, we minimize the attack surface for high-value assets.
We continuously engage in Red Team exercises on data and access controls to identify vulnerabilities and test if our access controls can withstand adversarial attempts to gain unauthorized access.
Real-World Example: Zero Trust in Practice
Imagine that you’re a platform engineer requiring privileged access to a resource in a production environment:
- You sign in to your secured laptop, passing the identity controls including MFA, connect to the VPN, and open the enterprise browser to reach the ticketing system.
- You submit a PAR ticket, which is reviewed and approved by the application owner and the security team.
- Once approved, you submit a JIT ticket that grants you elevated privileges for two hours.
- To access the production resource, you must log in via the secured and isolated virtual desktop, which prevents you from downloading sensitive data to your laptop.
- Post-session, your privileges auto-revoke, and activity logs are kept for auditing.
This workflow ensures accountability while preventing standing privileges from being exploited.
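The PAR and JIT steps of this workflow, as an added example that is not Sequoia's own tooling. It models a request that needs both the application owner's and the security team's approval (and rejects self-approval), a JIT grant capped at the two-hour window from the walkthrough, automatic revocation once the window passes, and an append-only audit trail of every decision. Ticket numbers, names, the role label and the broker API are assumptions for the example; the clock is passed in explicitly so the expiry can be exercised without waiting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example of the Layer 2 workflow: PAR approval by owner and
# security, then a time-boxed JIT grant that is auto-revoked and audited.
# Names, tickets and the two-hour cap are assumptions for illustration.

JIT_MAX_DURATION = timedelta(hours=2)

@dataclass
class ProductionAccessRequest:
    ticket: str
    requester: str
    application: str
    owner_approved_by: Optional[str] = None
    security_approved_by: Optional[str] = None

    def approved(self) -> bool:
        # Both approvals are required, and a requester cannot approve their own ticket.
        return (self.owner_approved_by not in (None, self.requester)
                and self.security_approved_by not in (None, self.requester))

@dataclass
class JitGrant:
    ticket: str
    requester: str
    application: str
    role: str
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False

class AccessBroker:
    """Holds filed PARs, issued JIT grants and an append-only audit log."""
    def __init__(self):
        self.pars: dict = {}
        self.grants: list = []
        self.audit: list = []

    def _log(self, now: datetime, event: str) -> None:
        self.audit.append(f"{now.isoformat()} {event}")

    def file_par(self, par: ProductionAccessRequest, now: datetime) -> None:
        self.pars[par.ticket] = par
        self._log(now, f"PAR {par.ticket} filed by {par.requester} for {par.application}")

    def request_jit(self, ticket: str, role: str, duration: timedelta, now: datetime) -> JitGrant:
        par = self.pars.get(ticket)
        if par is None or not par.approved():
            self._log(now, f"JIT denied for {ticket}: PAR not approved by owner and security")
            raise PermissionError("PAR not approved by owner and security")
        if duration > JIT_MAX_DURATION:
            self._log(now, f"JIT denied for {ticket}: duration {duration} exceeds policy")
            raise ValueError("requested duration exceeds JIT maximum")
        grant = JitGrant(ticket, par.requester, par.application, role, now, now + duration)
        self.grants.append(grant)
        self._log(now, f"JIT granted {role} on {par.application} to {par.requester} "
                       f"until {grant.expires_at.isoformat()}")
        return grant

    def is_active(self, grant: JitGrant, now: datetime) -> bool:
        # No standing access: a grant is only valid inside its window and until revoked.
        return not grant.revoked and now < grant.expires_at

    def sweep_expired(self, now: datetime) -> int:
        """Revoke every grant whose window has passed; returns the number revoked."""
        revoked = 0
        for g in self.grants:
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                revoked += 1
                self._log(now, f"JIT auto-revoked {g.role} on {g.application} for {g.requester}")
        return revoked

def demo():
    """Walk the platform-engineer scenario with a fixed, constructed clock."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    par = ProductionAccessRequest("PAR-1001", "alice", "payments-db")
    broker.file_par(par, now)
    par.owner_approved_by = "bob"          # application owner
    par.security_approved_by = "carol"     # security team
    grant = broker.request_jit("PAR-1001", "db-readonly", timedelta(hours=2), now)
    active_midway = broker.is_active(grant, now + timedelta(minutes=90))
    broker.sweep_expired(now + timedelta(hours=2, minutes=1))
    active_after = broker.is_active(grant, now + timedelta(hours=2, minutes=1))
    return broker, grant, active_midway, active_after

if __name__ == "__main__":
    broker, grant, mid, after = demo()
    print("active at 90 min:", mid, "| active after expiry:", after)
    print("\n".join(broker.audit))
```

Every denial is logged as well as every grant, which is what makes the PAR audit in Layer 2 possible: the log answers both "who got access and for how long" and "who asked and was refused".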