
Case Study

How a Global Logistics Company Secures their Data with Cyral

As a global logistics company grows, Cyral enables their team to harness the value of their data without compromising on security.

“Zero Trust, Ephemeral Access, and Least Privilege were our goals to achieve Data Democratization securely. When we looked at the market, Cyral was aligned with that goal. Cyral is unique in its ability to enforce in-line control for all operations for various data sources. Whether the data is in motion through applications or users are accessing it – we can apply controls through Cyral.”

CISO at Global Logistics Company

Highlights

Innovating a Centuries-old Industry

The global logistics industry handles everything you buy and use. It takes up to 20 companies to move one shipment, each with its own systems and processes. Our customer’s data-driven platform simplifies global trade by connecting everyone in the supply chain and using data to make the best possible decisions regarding routes, tariffs, inventory, and shipping.

Securing Both Data at Rest & Data in Motion

Many vendors provide solutions for data at rest. In a data-driven company, that data is always on the move, and people must continuously access it. Cyral’s solution helps one of the largest global logistics firms operationalize and secure the use of data when it is both at rest and in motion.

Enabling Data Democratization

Data Democratization requires trusted access to data. Three things are vital to achieving that: 

  1. Zero Trust, meaning users must be authenticated when accessing the data.
  2. Ephemeral Access, so access is explicitly granted for a limited period of time.
  3. Least Privilege, where a user is given minimum permissions needed to perform their job. 

Cyral’s solution supports all of the above and more.

Why Cyral?

This global logistics company is known for innovation in their industry, and they chose Cyral because it allowed them to offer a service no one else could to their own customers. According to their CISO, Cyral provides them a competitive advantage because Cyral’s Data Security Governance platform enables them to give all users access to what they should see in each data source while filtering out specific data items they shouldn’t have access to – and do it all in a cloud-native environment, seamlessly and transparently.

Zero Trust, Ephemeral Access, and Least Privilege in Practice

Read how a global logistics company leverages Cyral as middleware to ensure that anyone with a valid need to access data can do so securely. Cyral provides:

  • Federated authentication from Okta into various data services (e.g., S3 buckets, databases, etc.)
  • Ephemeral access through a streamlined SlackOps-based approval workflow
  • Enhanced audit capability enabled by detailed data activity logs, which, for any given query, describe who accessed what data and how.

Revolutionizing the Global Logistics Industry

Businesses are becoming data-driven. They want all their employees to make intelligent, well-informed decisions based on data. To accomplish this, employees must be enabled to access and work with data across multiple data sources and tools, irrespective of their technical know-how. This approach is called Data Democratization.

However, this data-driven approach creates new security challenges. Gone are the days when only a handful of people had access to a company’s on-prem data sources. Now that data sources are cloud-based, organizations are faced with new security challenges around access control, data loss, and business disruption – issues that can harm the business’s reputation and revenues.

“We looked for a way to easily provide users with access to whatever data sources they need and do so in a secure, controlled, and auditable way. These data sources are in the cloud, not behind a firewall. We want to let employees access any data they need to do their job — at the same time, we need to enforce limits on access to sensitive data. Laws and regulations, such as GDPR and other privacy laws, typically require such limits.”

CISO at Global Logistics Company

In this dynamic data-driven environment, how can a business maintain the same level of protection that they had in the “old days” when the database was behind a firewall, accessed by only a handful of specialized DBAs?

“Everyone has this challenge the moment they use any cloud-based databases or BI tools, such as Snowflake or Amazon S3 and RDS”, says the Chief Information Security Officer at a company seeking to revolutionize the centuries-old global logistics industry.

He continued, “We looked for a way to easily provide users with access to whatever data sources they need and do so in a secure, controlled, and auditable way. These data sources are in the cloud, not behind a firewall. We want to let employees access any data they need to do their job — at the same time, we need to enforce limits on access to sensitive data. Laws and regulations, such as GDPR and other privacy laws, typically require such limits.”

Fast growth in an old and fragmented industry

Our customer, one of the top global logistics companies in the world, is successfully tackling a challenging mission: to innovate and revolutionize the centuries-old global logistics industry. What does that mean? Look around your room. Everything you see was built all over the world. Yet while we’re more connected than ever, our ability to ship, store, and trade goods has remained fragmented. It takes up to 20 companies to move one shipment, each with its own systems and processes. Our customer’s data-driven platform simplifies global trade by connecting everyone in the supply chain, setting a new standard for international trade.

This multinational global logistics company saw over US$3 billion in revenues in 2021. The company continues growing rapidly, and its current employees serve over 10,000 clients and suppliers in 112 countries. 

“Many employees are focused on data. They are looking at raw data to make sense of it for their business function. We can have, for example, 1,000 employees that need access to a backend data source, be it Snowflake, Microsoft SQL Server, MongoDB, or other databases and BI tools”, says the CISO, who wants to remain anonymous for competitive reasons.

“I want to support Data Democratization and give everybody access to whatever they need, within reason. However, Data Democratization is not feasible without a manageable way to secure the data. So, for example, employees can access and see everything in a certain data source except for social security numbers. We want to know all the people that access different types of data sources and ensure that they’re doing the right things when they access those specific data sources. The challenge is how to achieve that.”

Data democratization requires an innovative security approach

Our customer looked for a security solution that answered multiple challenges, including:

  • Providing a streamlined layer tied into a centralized authentication and authorization service. 
  • Accomplishing real-time auditing of different types of data users access across various data sources on multiple clouds.
  • Enforcing in-line control for all operations, leveraging Least Privilege and Zero Trust.

The CISO explains that they looked at various methods to solve these challenges, for example using a VPN to hide everything from the Internet, along with additional scenarios. “There are multiple options we could have chosen. However, all these old-fashioned methods don’t work well in the modern cloud-native world because they put serious limitations on both the business and its users.”

For example, the CISO says that many security vendors are focused on data discovery, classification, etc., yet all that is done to data at rest. “I see many security vendors focused on data at rest. That’s great, but that data is going to move. When that data moves and people use it, how does that work? How do these solutions help me operationalize and secure the use of data in motion?”

“In addition, everyone wants ease of use. It’s critical to the business. I’m frequently asked, ‘How can IT Security help secure things and also be a business enabler?’ My response is that security can be an enabler through ease of use. However, traditional approaches and controls complicate things. For example, you can secure only at the database layer, at rest, and for that, you’d create replicas or materialized views. Then, you must refresh these materialized views frequently; new data is constantly added, and someone must physically take action at the data layer. Such a solution complicates things instead of making them easy.” 

“I needed a holistic solution. Something that I could use for PostgreSQL, Amazon S3, Snowflake, MongoDB, and other data sources – literally anything and anywhere. It had to be fairly simple. With Cyral, we get that capability and visibility”, states the CISO.

“We also want to prevent security threats in-line, so we don’t have to limit our security capabilities to only the data source. We want the security to also apply to data-in-motion. As data flows and is being transformed and used, we can apply that extra lever to ensure the right type of data is going to where it’s supposed to go or being accessed by whoever is allowed to access it. These are the capabilities that Cyral provides us.”

Our customer explains that when thinking about trusted access to data, three concepts must be combined within a security solution. 

The first is Zero Trust, meaning users must be authenticated when accessing the data. That user authentication is managed and can be revoked centrally.

The second capability is Ephemeral Access. This means secure access is granted for a limited time and automatically expires.

The third capability is Least Privilege, meaning a user is given minimum permissions needed to perform their job. So, for example, when a user gets access to a specific database, their access is limited to the fields they need to perform their job, not to the entire database.

“Zero Trust, Ephemeral Access, and Least Privilege were our vision to achieve Data Democratization securely. When we looked at the market, Cyral aligned well with our vision. Cyral is unique in its ability to enforce in-line control for all operations for various data sources. Whether the data is in motion through applications or users are accessing it – we can apply controls through Cyral.”

CISO at Global Logistics Company

How does that work in practice? “Say one of my engineers wants to look at the AWS S3 buckets. Why not allow that? It could not hurt us if he looked at them with read-only permission. It was authenticated, it was authorized, it’s ephemeral, and I’ve got full visibility of everything that happens. That’s my approach and what Cyral’s security solution supports – let users have what they need to do their job. Let’s democratize access to data in a time-bound way, have lots of visibility around it, and have confidence that access is only given to trusted users.”

How Cyral’s solution works

The CISO explains that after a lengthy process of analyzing various alternatives, they chose Cyral because it was the best solution for their needs. “Cyral is tied into identity verification and authorization, and the platform provides visibility into what everyone does. Cyral enables me to give everyone access to what they should see in each data source while filtering out specific fields they shouldn’t have access to – and do it all in a cloud-native environment in a way that makes things easier for everyone.”

“Okta is our identity provider, and Cyral was the only solution that enabled leveraging Okta to authenticate our various data sources. After a lengthy review, we found Cyral to be the best solution to allow that direct level of authentication from Okta into an S3 bucket or from Okta into a database. Cyral is a critical security enhancement, the middleware that allows that to happen.”

CISO at Global Logistics Company

How does it work in practice, and how is Cyral integrated in this global logistics company’s security ecosystem?

The company leverages Okta as its SSO service, authenticating each user so they can access the services and tools allowed for them. Cyral serves as middleware, ensuring everyone needing access to data sources can get it securely. Cyral enables federated authentication from Okta into specific data services (S3 buckets, databases, etc.), provides ephemeral access through a SlackOps-based approval workflow, and produces audit logs with detailed, query-level visibility.

Industry: Global Logistics
Location: Global
Size: 3000+ employees
Customers: 10,000+ customers