How Cedar Secures their Data with Cyral

Cyral was the missing piece for us in access governance. It helps us tell a clear story of why a piece of data is protected, who accessed it, how they authenticated and what queries they ran.”

Aaron Zollman, CISO, Cedar

About Cedar

Cedar, who has raised over 350MM in funding, is a fast-growing healthcare financial engagement platform whose mission is to empower individuals to easily and affordably pursue the care they need. Cedar partners with leading hospitals, health systems, and physician groups to personalize and simplify the billing and payment experience for patients, ultimately improving financial results for providers. Using intuitive product design and advanced data science, Cedar is the only platform to facilitate patient-centric financial engagement across the care journey.

In an industry where traditional players cut releases once every 18 months, Cedar powers innovation with two deploys per day, across multiple product teams working independently. This fast cadence requires automation at all levels, including automatic enforcement of internal data access policies so development teams stay secure and maintain an audit trail, and real-time data activity monitoring in production systems so the team can spot potential threats immediately.

The Challenge

Cedar is growing rapidly and quickly onboarding new providers. To deliver a personalized end-to-end billing experience for patients and an easy implementation for providers, Cedar fully integrates with providers’ EHR and billing systems. However, every provider has an individualized approach, complicating unified management of health records and databases.

For Cedar’s CISO Aaron Zollman, the security of their customers’ data was of the utmost importance. Zollman had already implemented a robust security practice for all of Cedar’s clients. But as their numbers grew, he wanted to be sure they could maintain the same levels of security without slowing down performance and quality of service. 

Cedar sought to improve the following areas

• Better management of database credentials and access as team continues to grow
• Implement more robust alerting and blocking in case of potential data exfiltration of sensitive information
• Simplify manual and complex workflows that slow down engineering

Granular and centralized controls for database credentials and access privileges

Managing database credentials and access for a growing number of users was becoming an increasing priority. Cedar uses various developer-friendly databases that don’t support SAML authentication. Creating and regularly rotating database credentials for all users was inefficient but necessary.To help them overcome this challenge, Cyral integrated with Cedar’s Okta identity management instance to enable users to access data with their secure Okta credentials—not their database credentials. This allows for access governance at the granularity of Okta groups that map to the various database user personas (integration engineer, support engineer, data scientist), and the increased security associated with Okta’s authentication policies.

The logs show which Okta user has accessed each piece of data and centralized controls, alerts, and data access logging help Cedar easily review access certifications and demonstrate compliance. Every policy and permission change is tracked in version control, and every access to a particular set of data is tracked in centralized logs.

Enhanced security control and monitoring to protect PII against exfiltration

Cedar needed even more robust alerting and blocking capabilities to support the security team in case of potential attempts to exfiltrate sensitive information. Cedar already encrypts personally identifiable information (PII) at the application layer and in its data storage repositories, but monitoring all data interactions remained a top priority.

By continuously monitoring who is requesting which data, we make sure that we’re continuing to maintain protections as our code and schema evolve,” says Zollman.

With these initiatives in mind, Cedar needed to apply consistent security postures to data types at the same sensitivity level, regardless of how they’re accessed, which engineering team is responsible for the data, or which client the data came from.

With Cyral, Cedar was able to gain consistency across all types of data endpoints: repositories, pipelines, and warehouses. Data access and monitoring policies span all data storage locations and are keyed to the actual data being protected, rather than its location. 

Data flowing into Cedar’s environment goes through multiple stages and locations before being normalized and mapped against the production system. Cyral makes it easy to monitor sensitive data as it flows through the system. Cyral’s universal access policies mean access rules for an email address or a SSN are the same, no matter where in the process the data is. Cedar now has consistent data activity monitoring for all data and users with high-confidence audit logs that provide rich context for every data access event. 

According to Zollman, “Cyral was the missing piece for us in access governance. It helps us tell a clear story of why a piece of data is protected, who accessed it, how they authenticated and what queries they ran. Before this, we would’ve had to string together multiple database and infrastructure logs using fragile scripts, runbooks and alerting. Now, policy and permission changes in these databases can be managed with the right tools – source code version control and user directory – that are already familiar to security and platform engineers and which can be easily audited.”

Automated workflows and improved collaboration between security and DevOps

Cedar sought to gain Increased visibility into the data accesses made by users, without manual effort or complex workflows that would slow down integration engineers, support engineers, and data scientists.  Speed of innovation and daily deployments mean having independent data access control policies is particularly important..

Cyral’s Security as Code approach integrates with Cedar’s CI/CD pipeline and existing tools and workflows to keep up with the pace and needs of a forward-leaning engineering organization. The same CI/CD tools that enable fast, safe development are used to apply and audit data access policies. This enables security and DevOps teams to collaborate throughout the product life cycle. Zollmann says, “With DevOps and security operating as one team, there’s no lag in sharing designs and implementations, and that means fewer security surprises that might derail our release schedule.”

“We work with our partners to create a data-driven, personalized approach for patients. Since health and financial data are so important to patients, our clients, and our business, we’re constantly looking for ways to better protect that information. As we grew, it was critical that we be able to maintain speed, flexibility, and security without compromise.”

The Bottom Line

Any security organization can eventually track down a data access policy change, or drill down to find out which user ID was responsible for accessing a particular database, but for an organization operating at Cedar’s fast cadence, “eventually” is not acceptable. By adopting an automated, policy-driven approach to data access management, Zollman and his team can attribute data access events and policy changes in minutes, not hours, and with a high level of precision.

The bottom line: A secure organization can only run as fast as its security infrastructure allows, and by adopting Cyral and a Security as Code approach, Cedar is able to ensure data access governance and security at the speed of DevOps.