For Human Interest to Shake Up the Retirement Industry, It Had to Secure Its Customers’ Data

Human Interest was founded in 2015 with the idea of providing affordable, zero-transaction fee 401(k) plans for small and medium-sized businesses which, historically, never had access to these types of investment and tax-benefit retirement vehicles. Human Interest set out to shake up the retirement industry by making employer and employee retirement savings more intuitive, affordable, and inclusive. Human Interest today provides retirement services for thousands of businesses and hundreds of thousands of participants.

Providing 401(k) management also means that Human Interest operates in the highly regulated financial services industry. As such, it needs to comply with various laws and regulations that typically add operational costs. Moreover, 401(k) management involves handling highly sensitive customer data – participants’ social security numbers, compensation data, full names, addresses, birth dates, and more. 

Human Interest’s Goals

Human Interest’s objective is to comply with all applicable regulatory frameworks and provide a great service to its customers – both businesses and participants (the businesses’ employees) – without adding huge costs to its ongoing operations as a cloud-native, DevOps-focused company. Moreover, the company needs to enable such ongoing operations and still protect sensitive customer data. Hence, Human Interest’s leadership has defined several goals for its Engineering and Security teams – goals that support the company’s vision, mission, and fast growth:

• Data Democratization: Most of Human Interest’s employees need access to data to perform their jobs. Data Democratization means that everyone in the organization has access to data so they can make data-based decisions in their daily work; when Data Democratization is enacted, there are no gatekeepers who create bottlenecks in the access to data. Still, not every individual is privileged to access every type of data; for example, employees don’t need to see participants’ social security numbers and other sensitive data. Thus, to enable the Data Democratization vision, Human Interest also needs to guarantee secure access to its data.
• Secure Access to Data: There are three security principles that, when implemented together, achieve secure access to data: (1) Least Privilege Access, where a user is given the minimum access or permissions needed to perform their job; (2) Zero Trust, meaning everyone is continuously validated, and no person or device is automatically trusted; and (3) Ephemeral Access, in which secure access is given for a specific, limited period of time. Cyral’s security solution provides all of these.
• Federated Identity: Employees of Human Interest need to access multiple systems and data sources as part of their daily work. Federated Identity allows authorized users to access multiple applications and domains using a single set of credentials, and quickly and efficiently move between different systems while maintaining security. Human Interest uses Okta as their provider of federated identity and access management, with Cyral’s security solution interfacing with Okta to provide secure access to data stores and databases.
• Audit: As a provider of financial services, Human Interest operates under a strict regulatory standard. Compliance with SEC and SOC2 regulations requires robust layers of defense and protection, as well as full audit logging of all data access. Cyral enables Human Interest to generate a complete audit trail for all application and user activity against their PostgreSQL database. With Cyral audit logs in place, Human Interest can go back in time and see exactly what happened and who accessed which exact type of data, should such a review be needed in the future.
• Automation: In its effort to disrupt an entrenched, legacy industry, Human Interest needs to be nimble and innovative, and relies heavily on automation to achieve that. It is imperative that any security solution they use must also be easy to automate to keep their security posture up-to-date and current at all times. Cyral’s security solution is operationally efficient, integrates with existing tools and workflows, and does not require any application or code changes, nor any agents installed.

Human Interest chooses Cyral to protect its customer data

Human Interest set out on a search to find a security partner that would help it protect its customer data. The search for a security solution quickly led it to Cyral, which had developed a revolutionary security solution to protect data stores and databases. Cyral’s solution enables critical security principles such as Least Privilege Access, Zero Trust, and Ephemeral Access, coupled with Cyral’s policies and identity mappings to tie these measures together. With these capabilities, a company can confidently give an employee access to data repositories, while knowing they will not be able to access specific types of sensitive data not needed for the employee’s work.

Let’s use an analogy to explain the technology. Instead of a datastore or a database, imagine that you have a huge Excel file with information about thousands of people, or even hundreds of thousands of people. Each row represents a certain person, with all of the available information about that person – name, social security number, salary, birth date, full address, and many more historical data pieces. 

Typically, when you grant someone access to view an Excel sheet, they can see all the information within that sheet – each and every row, column, and cell. You can prevent a user from downloading or printing that information, but you cannot prevent them from seeing specific cells within the sheet.

Cyral’s technology, in analogy, enables creating a policy that gives someone (Person A) access to the full Excel sheet, but blocks certain rows, columns, and/or cells. For example, Person A will be able to see the full sheet, but without column D which contains the social security number for each customer. 

Now, let’s assume there’s a different employee, Person B, who should have access to the full Excel file, but they should not be able to see columns A, D, I, and M-P (which, for the sake of our example, are Last Name, Social Security Number, Salary, and Address columns). All you need to do is create a new policy with the Cyral tool to block these columns – and Person B will have access to everything else.

Going back to data stores and databases – Cyral’s technology allows you to implement the exact same restrictions on specific data within a database. No more giving everyone their own credentials to the database, which is not a secure method and opens up multiple avenues of attack; or even worse, using shared accounts (which is a bigger issue leading to data leakage). Instead, the secure approach is to apply a comprehensive solution that guarantees each individual only gets access to the data they need.

In essence, Human Interest leverages Cyral as a middleware, guaranteeing that everyone who needs access to data sources can get it securely. Cyral enables federated authentication from Okta into specific data services (S3 buckets, databases, etc.), and gives employees a way to ask for and receive ephemeral access (short-term access). Cyral’s technology enables Human Interest to implement data democratization by setting up policies that allow each employee to access all data except for sensitive data they’re not supposed to see.

“As a company that provides 401(k) services for hundreds of thousands of participants, Human Interest has a lot of highly sensitive data. That data includes participants’ social security numbers, names, addresses, birthdays, salaries, and much more,” says Jeff Schneble, CEO of Human Interest.

“We needed controls, to make sure people only see the data that is appropriate for their use case and their job. This is what Cyral helps us with, in creating and enforcing policies that block access to data you’re not supposed to see.”

An agent-less, in-line approach to security 

A key feature that excited the Human Interest team was the fact that Cyral’s solution provides an agentless approach to protecting data. This means that as Human Interest grows, there will be no need to deploy agents on individual workstations or machines, a deployment model that can take time and slow down growth. 

“One of the things we at Human Interest love about Cyral is the sidecar approach, meaning having an architecture that is agent-less”, explains Jon Chase, Engineering Manager, Shared Services at Human Interest. “As we grow and scale, it’s critical to have a security approach that does not require deploying agents on individual workstations and machines. Also critical was the in-line approach, because we need to restrict access to data for employees and applications, and with the in-line approach, new employees and new applications can connect to data repositories without having to install anything.”

Comprehensive audit capabilities

As a provider of financial services, having robust audit capabilities is paramount for Human Interest. Audit capabilities are important when a potentially unauthorized action happens, and also for submitting evidence and assurance to auditors while undergoing SOC2 or other audits. Returning to the Excel analogy that we used earlier, Cyral’s logging technology shows which exact cells, rows or columns each viewer looked at, or clicked on, and of course every change that was made.

Cyral’s approach to logs and audit is that good logging, clearly showing everything that happens, can save a company a lot of money in case something goes wrong. Cyral’s technology separates the logs from the actual database to prevent performance effects on the database. Moreover, such separation plays a critical role in case a bad actor does manage to get access to the database – all the logs are kept separately, in a different place, to prevent the bad actor from tampering with them.

The audit trail from Cyral enables Human Interest to go back in time and see exactly what happened and who accessed which exact type of data, should such a review be needed in the future.

A security control that reduces work and improves productivity

Agility, as mentioned earlier, has been a significant priority for Human Interest. The way Human Interest uses AWS S3 is a good example of how Cyral enables them to enhance security, while simplifying processes and reducing time and costs.

For conducting 401(k) management services, Human Interest partners with large, traditional financial institutions. This involves Human Interest employees and these financial institutions exchanging payroll withholding data, which is typical for a 401(k) management company.  The institutions must verify that – at any point in time – the right amounts are withheld, contribution thresholds are respected, and deductions are applied to the correct 401(k) plans.

These data exchanges include multiple moving parts. To avoid errors, Human Interest and the financial institution must perform manual quality assurance to the data, to ensure everything is correct. The raw data is kept in AWS S3 buckets, and is regarded as a ‘Source of Truth’. This means that Human Interest’s customer success team frequently needs to access highly confidential and mission-critical critical data, located in S3 buckets. 

Prior to Cyral’s solution, the customer success representatives used a mix of SSH and FTP-based workflow that was very complicated to set up, and a heavy lift for the representatives to use. Additional challenges included cumbersome change management and the inability to grant temporary access. Human Interest’s customer success team spent significant time operating a tool that wasn’t suited for the task at hand, and the DevOps team had to spend resources to maintain, support, and operate the tool. As the company grew, so did the problem.

Cyral suggested that Human Interest use its Cyral S3 Browser, integrated with Okta. This enables easy user management and provides temporary access to users – things not previously possible. Moreover, using Cyral’s S3 Browser eliminated the need for employees to manage SSH keys, hence simplifying the work of the customer success team and saving them a lot of time.

Security that embraces Automation and Infrastructure as Code

Human Interest needed a security partner that would fit in with their Infrastructure as Code, automation-focused approach. A tool that couldn’t work within their build pipelines would quickly fall out of sync in their fast-moving environment and would create additional operational drag on the DevOps team, slowing everyone down. Cyral’s security solution embraces these cloud-native, DevOps-friendly principles, which meant the Human Interest team didn’t have to choose between security and speed. 

“We rely heavily on Terraform and Infrastructure as Code to automate our ongoing operations and enable us to move quickly. Cyral fits perfectly into that because Cyral’s Terraform Provider allows us to drop their technology into our existing automation frameworks to quickly, repeatedly, and reliably grant users access to the database as needed,” says Jon Chase.

Human Interest team feels more secure with Cyral’s controls in place

“The entire Human Interest organization feels more secure with Cyral’s controls in place. We have peace of mind, knowing we have another layer of protection in front of our databases and the sensitive data in them. We’re definitely happy about what Cyral provides us,” says Chase.

Jon Chase, Engineering Manager, Shared Services at Human Interest

At present, in the summer of 2022, Human Interest employs close to a thousand employees, with most of them working with and having access to data. The company is working hand-in-hand with Cyral to implement new and advanced features that will help its mission of revolutionizing the retirement industry and making 401(k) plans available to small and mid-size businesses.

“The entire Human Interest organization feels more secure with Cyral’s controls in place. We have peace of mind, knowing we have another layer of protection in front of our databases and the sensitive data in them. We’re definitely happy about what Cyral provides us,” says Chase.

“Working with Cyral has been an awesome experience for us at Human Interest,” adds Chase. “Cyral has been instantly responsive, helping us dig into some of the things that we saw. Everyone at Cyral that we’ve talked to has been super helpful.”

Jeff Schneble, CEO of Human Interest, concludes that “Human Interest grows extremely fast and handles a lot of sensitive data. We needed a solution to protect customer data, and that solution had to be secure, scalable, and easy to manage. The solutions also had to provide great audit capabilities, so we could see what people were doing, plus create actionable alerts on that audit.” 

“We found all of that in Cyral. We’ve so far implemented Cyral on our PostgreSQL databases and S3 data stores, and we’re looking into additional options and data stores that Cyral covers”.