Auth0 helps enterprise companies solve the most complex, large-scale identity use cases with its extensible and developer-friendly solution. To get to that level of scale and safeguard billions of login transactions each month, the company has grown its cloud and cyber assets significantly to meet customer needs.
Auth0 Security Engineering Team Story
The Auth0 product team built an in-house solution on AWS Neptune to understand their growing number of cyber assets. They needed a solution that could help them understand the relationships between those assets and possible vulnerabilities. This was an extremely challenging and time-intensive project. Ultimately, the Auth0 team decided to look for an alternative solution to help manage their growing cloud asset complexity. The platform they chose was JupiterOne.
George Vauter, Staff Security Engineer at Auth0, shared, “From a cloud security perspective, JupiterOne is the primary platform we use to anchor our asset management program now. JupiterOne brings all of our cloud assets, their configurations, and vulnerabilities into one platform. The team can prioritize issues and understand the impact quickly across all of our assets.”
Auth0 Security Challenges
Auth0's security engineering team focused on three priorities.
1) Visibility and response
Siloed vulnerability management tools hampered visibility and response
2) Vulnerability inheritance
Limited understanding of the impact of vulnerability inheritance
3) Third-party risks and permissions
Unknown third-party risks and permissions to their AWS environment
Auth0 results with JupiterOne
Complete understanding and ability to prioritize issues across their assets.
With the consolidated view of their disparate security and IT tools, they were able to load context from their vulnerability assessment tools (AWS, Rapid7, GuardDuty, Bugcrowd, and more) into JupiterOne’s Graph View, a graph-based visualization tool showing connections and context between all cyber assets. The security team was able to see issues sooner and act on them more pragmatically.
Reduced third-party asset exposure across their entire cloud environment.
Vauter shared, “All our third-party entities and potential risks were discovered by JupiterOne.” The Auth0 team created J1QL queries to analyze all AWS IAM roles used by third parties. They were able to answer questions such as, "Do we unknowingly grant outside entities (e.g., third-party consultants, partners, etc.) access to our AWS environment? Who are the third parties that have access to our environment?"
Building in-house solutions to manage the complexity of modern cybersecurity issues is difficult. Keeping up with technology expansion and tracking vulnerabilities within those systems takes a full-time staff of knowledge experts and engineers. After trying to “roll their own” solution, Auth0 chose the JupiterOne platform because it automates the finding, tracking, monitoring, and prioritization of issues across all their cyber assets.