Forbes is a global media brand that champions success by celebrating those who have made it, and those who aspire to make it. The Forbes brand today reaches more than 140 million people worldwide through its trusted journalism, signature LIVE and Virtual events, custom marketing programs, and 45 licensed local editions in 76 countries. Forbes’ brand extensions include real estate, education and financial services license agreements.
After Forbes migrated to the cloud in 2019, Google performed a cloud infrastructure assessment for the company, identifying the need for better control of identity access to cloud infrastructure and applications. This gap prompted Sameer Patwardhan, SVP Technology for Forbes, to examine identity tooling that could fulfill this need.
At the time, the IT security team was handling access requests manually. Patwardhan wanted a more programmatic means of implementing time-bound access with the correct level of permissions, so he evaluated Britive, which Forbes now uses for automated Just-in-Time (JIT) access provisioning.
Manual access review and approval process: granting and revoking privileges took several days and could introduce errors resulting in incorrect privileges
Delayed onboarding and access: having a globally dispersed development team meant the manual review and approval process could take even longer due to back-and-forth communications across time zones
No DevOps-friendly JIT access tools available that readily integrate with DevOps build processes to enhance developers’ productivity
Eliminated 54K+ static privileges and secured access to 978+ GCP Projects
Manage 400+ identity profiles for JIT access in GCP
Deployed in under four weeks using Britive’s lightweight API architecture
The Forbes management team saw the Google cloud infrastructure and process assessment findings as validation for implementing a unified JIT access management solution like Britive: the goal was both to secure identity access to cloud infrastructure and apps and to ensure that no account has more privileges than necessary for longer than necessary.
The security team at Forbes considered building their own automated JIT access tooling for GCP, knowing that they needed to address the risk introduced by the standing privileges and hard-coded secrets that developers and the BI team relied on to do their work. But once their analysis revealed the level of complexity involved in instituting the controls needed to grant and revoke privileged access, they decided to search for an enterprise-grade solution.
Forbes deployed Britive’s API-first solution in under four weeks. The security team can now restrict user access to the minimum levels required to perform a job or function in GCP. Doing so means Forbes’ security team can enforce the principle of least privilege to reduce the risk of data breaches and data leakage.
Forbes uses Britive to provide JIT access in GCP to a team of 70+ developers and recently onboarded and provisioned access for their Business Intelligence Team to BigQuery and Looker. With Britive, Forbes was able to free up the junior security engineer and overall security team for higher-value work instead of managing a slow manual process of reviewing, approving and provisioning access requests: “Access management is no longer a full-time job for the security team to babysit,” Patwardhan said.
Once deployed, Forbes realized several benefits:
Rapid deployment via lightweight API in just under four weeks, not months as legacy PAM solutions require
Automated JIT access with granting and revoking of temporary privileges across GCP, Google Workspace, BigQuery, Looker and Okta Super Administrator accounts, all of which can be monitored during on- and off-boarding of privileged access
Access visibility via an audit trail of every privileged access granted with robust approval controls to eliminate approval fatigue and accelerate adoption
“Britive takes the pain out of manual provisioning and preventing user errors that could otherwise be very costly. With Britive, we make sure that certain privileges don’t go to very new junior developers with production access. Britive’s JIT access solution takes our minds off of managing access at the individual account level with its automated provisioning and keeps us secure.
With Britive, we can provision access rapidly but safely.”
– Sameer Patwardhan, SVP Technology at Forbes
Adopting Britive for ephemeral, time-based access to data and apps in GCP meant Forbes could increase developer and business end user productivity by moving away from manual processes to review, grant and revoke privileges and reducing overall on- and off-boarding time.
Forbes’ development team currently uses Britive to manage access for 978 GCP Projects that form the basis for creating, enabling, and using all Google Cloud services, including managing APIs, adding and removing collaborators, and managing permissions.
In aggregate, Britive has helped Forbes eliminate 54K+ standing privileges for developers and business users so they can access critical cloud infrastructure, apps and data. Doing so means they can deliver key cloud-based projects for stakeholders across Forbes rapidly.
“Britive worked to build a good relationship with us and that’s key: the Britive team really understood our use cases and what we were looking for and quickly identified how they could help us. That relationship aspect is important to us.”
– Sameer Patwardhan, SVP Technology at Forbes
Additional results of implementing Britive for JIT cloud access include:
Customization via API coupled with an approval process that provides visibility into what identities have access to specific GCP-based resources
Implementing JIT access management with temporary, granular profile-based access
Eliminating 54K+ standing privileges across 978 GCP Projects, Google Workspace, BigQuery, Looker, and Okta Super Administrator accounts
Integrating DevOps build process with Britive’s JIT access solution
Other factors that influenced the decision to implement Britive’s JIT cloud access solution include:
Ensuring privileges are assigned correctly, preventing the manual errors that result in an identity being assigned unnecessary privileges
Auto-provisioning access entitlements and eliminating manual permission provisioning
Audit logs and metrics that show who accessed what cloud resource, when and for how long