White Paper

How Cedar Secures their Data with Cyral

As Cedar grows rapidly and on-boards new healthcare providers, Cyral enables the company to maintain a consistent data security posture.

About Cedar

Built from the best of consumer-facing technology, Cedar is a healthcare financial engagement platform that creates customized interactions for every patient. Cedar partners with leading hospitals, health systems, and physician groups to personalize and simplify the billing and payment experience for patients, ultimately improving financial results for providers. Using intuitive product design and advanced data science, Cedar is the only platform to facilitate patient-centric financial engagement across the care journey.

In an industry where traditional players cut releases once every 18 months, Cedar powers innovation with two deploys per day, across multiple product teams working independently. This fast cadence requires automation at all levels, including automatic enforcement of internal data access policies so development teams stay secure and maintain an audit trail, and real-time data access monitoring in production systems so the team can spot potential threats immediately.

The Challenge

Cedar is growing rapidly and quickly onboarding new providers. To deliver a personalized end-to-end billing experience for patients and an easy implementation for providers, Cedar fully integrates with providers’ EHR and billing systems. However, every provider has an individualized approach, complicating unified management of health records and databases.

For Cedar’s CISO Aaron Zollman, the security of their customers’ data was of the utmost importance. Zollman had already implemented a robust security practice for all of Cedar’s clients. But as their numbers grew, he wanted to be sure they could maintain the same levels of security without slowing down performance and quality of service. As Cedar started deploying Cyral, the company sought to improve across three dimensions:

  • Increased visibility into the data accesses made by users, without manual effort or complex workflows that would slow down integration engineers, support engineers, and data scientists.
  • Managing database credentials and access for a growing number of users: Cedar uses various developer-friendly databases that don’t support SAML authentication. Creating and regularly rotating database credentials for all users was inefficient but necessary.
  • Even more robust alerting and blocking capabilities to support the security team in case of potential attempts to exfiltrate sensitive information. Cedar already encrypts personally identifiable information (PII) at the application layer and in its data storage repositories, but monitoring all data interactions remained a top priority. “By continuously monitoring who is requesting which data, we make sure that we’re continuing to maintain protections as our code and schema evolve,” says Zollman.

With these initiatives in mind, Cedar needed to apply consistent security postures to data types at the same sensitivity level, regardless of how they’re accessed, which engineering team is responsible for the data, or which client the data came from. As a forward-leaning engineering organization, Cedar also required that the implemented solution fit developer and DevOps workflows.

“We work with our partners to create a data-driven, personalized approach for patients. Since health and financial data are so important to patients, our clients, and our business, we’re constantly looking for ways to better protect that information. As we grew, it was critical that we be able to maintain speed, flexibility, and security without compromise.”

Aaron Zollman, CISO, Cedar

Why Cyral

Cedar selected Cyral based on the following criteria:

Security as Code-driven approach to manage data access policies

  • Speed of innovation and daily deployments mean having independent data access control policies is particularly important
  • Cyral integrates with Cedar’s CI/CD pipeline and existing tools and workflows to keep up with the pace and needs of a forward-leaning engineering organization. The same CI/CD tools that enable fast, safe development are used to apply and audit data access policies.

Support and consistency across all types of data endpoints: repositories, pipelines, and warehouses

  • Data access and monitoring policies span all data storage locations and are keyed to the actual data being protected, rather than its location.
  • Data flowing into Cedar’s environment goes through multiple stages and locations before being normalized and mapped against the production system. Cyral makes it easy to monitor sensitive data as it flows through the system. Cyral’s universal access policies mean access rules for an email address or an SSN are the same, no matter where in the process the data is.

Granular, consistent, and centralized controls around database credentials and access privileges

  • Cyral integrated with Cedar’s Okta identity management instance to enable users to access data with their secure Okta credentials—not their database credentials.
  • This allows for access governance at the granularity of Okta groups that map to the various database user personas (integration engineer, support engineer, data scientist), and the increased security associated with Okta’s authentication policies.
  • Logs show which Okta user has accessed each piece of data.
  • Centralized controls, alerts, and data access logging help Cedar easily review access certifications and demonstrate compliance. Every policy and permission change is tracked in version control, and every access to a particular set of data is tracked in centralized logs.

“Cyral was the missing piece for us in access governance. It helps us tell a clear story of why a piece of data is protected, who accessed it, how they authenticated and what queries they ran. Before this, we would’ve had to string together multiple database and infrastructure logs using fragile scripts, runbooks and alerting. Now, policy and permission changes in these databases can be managed with the right tools – source code version control and user directory – that are already familiar to security and platform engineers and which can be easily audited.”

Aaron Zollman, CISO, Cedar

The Result

Today, Cedar’s deployment of Cyral delivers

Principle of Least Privilege: Enhanced security controls to protect against exfiltration of sensitive data due to hacking or compromised database credentials

  • Instead of their own database credentials, users now authenticate with their more secure Okta credentials

Data Activity Monitoring for all data and users

  • Targeted, high-confidence audit logs provide rich context for every data access event

Zero Trust Architecture (ZTA) for the data cloud

  • Granular, easy-to-manage access control management for senior engineers with privileged access
  • Access determined by policies tied to each user’s Okta-authenticated identity

Improved collaboration between security and DevOps

  • Security as Code approach where security automation runs on the same CI/CD infrastructure used for development and testing. This enables security and DevOps teams to collaborate throughout the product life cycle. Zollman says, “With DevOps and security operating as one team, there’s no lag in sharing designs and implementations, and that means fewer security surprises that might derail our release schedule.”

Any security organization can eventually track down a data access policy change, or drill down to find out which user ID was responsible for accessing a particular database, but for an organization operating at Cedar’s fast cadence, “eventually” is not acceptable. By adopting an automated, policy-driven approach to data access management, Zollman and his team can attribute data access events and policy changes in minutes, not hours, and with a high level of precision.

The bottom line: A secure organization can only run as fast as its security infrastructure allows, and by adopting Cyral and a Security as Code approach, Cedar is able to ensure security at the speed of DevOps.