{"pageProps":{"posts":[{"name":"million-dollar-ai-engineering-problem","title":"The million dollar AI engineering problem","ogTitle":"","fullTitle":"The million dollar AI engineering problem","ogImageUrl":"https://indent.com/static/og/indent-blog-million-dollar-ai-eng-problem.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"How to not leak your AI model.","noSidebar":false,"heading":"","date":"2024-03-13T18:30:00.000Z","content":"\nThe crown jewels of AI: model weights, biases, and the data that trains them. Regardless of where inference is hosted, what model you're using, or which cloud provider you use, these `.json`, `.onnx`, and `.gguf` files are one of a company's most valuable assets.\n\nFor companies developing custom models or fine-tuning existing models, they'll invest millions of dollars in engineering time, compute, and training data collection.\n\nMost models are trained on publicly accessible data like Wikipedia, Common Crawl, or something like OpenAI's [internal WebText dataset](https://openai.com/research/better-language-models). But like with ChatGPT, the real value comes from the fine-tuning data and reinforcement learning from human feedback (RLHF) that's used to adapt the model to a specific use case.\n\nUsually this data sits in a shared S3 bucket, accessible to everyone in the company. In a very simple case, it might look something like this:\n\n```\n$ aws s3 ls secret-internal-model-archive/models\nFINE_TUNED-openhermes-2.5-mistral-7b.Q4_K_M.gguf\nllama-2-7b-chat-hf-ggml-model-q4_0.gguf\nadded_tokens.json\n\n$ aws s3 ls secret-internal-model-archive/training-data\ncommoncrawl-CC-MAIN-2023-50/\nscale-export-2024-02-23/\napp-rlhf-latest/\n```\n\n\nWhile Llama is a fully open-source model today, it didn't start that way.\n\nBack when Meta first announced LLaMA, they were intending to restrict full access to a limited set of researchers and allow people to request access. 
“To maintain integrity and prevent misuse, we are releasing our model under a noncommercial license focused on research use cases.”\n\nOne week later, [someone leaked the model on 4chan](https://www.theverge.com/2023/3/8/23629362/meta-ai-language-model-llama-leak-online-misuse) — that's a link to TheVerge, not 4chan.\n\n## How to *not* leak your AI model\n\nAfter initial development, the next step is to control access to the model and training data. Unlike most commercial software, AI models are a lot more valuable and a lot easier to leak.\n\nThe primary goal should be to limit access to only the machines that absolutely need it, using a combination of IAM policies and secure virtual networking.\n\nThe second step is to monitor access to the model and training data. This can be done by logging access to the S3 bucket and using a tool like AWS CloudTrail to monitor that access.\n\nWhy is the marketing team downloading the fine-tuning data? Why is the model being accessed from a region where we have no employees or customers? Why is [Leon uploading confidential models](https://www.justice.gov/opa/pr/chinese-national-residing-california-arrested-theft-artificial-intelligence-related-trade) to a personal Google Cloud account?\n\nPeople generally will still need access to the model and training data, so the third step is to require justification for access. This can be as simple as a Slack message to a security team, or as complex as a ticketing system that requires approval from a manager.\n\nDepending on team size, the strictness of these controls will vary:\n\n1. Small teams (under 10 people) should require justification by default, especially if you're spending half your seed round training a model. Companies that deal with sensitive data such as personally identifiable information (PII), health data (PHI), and financial information will enforce stricter controls from day one.\n2. Growing teams (between 10 and 100 people) start to tighten control of the models. 
Infrastructure and model teams still need instant access, while others need a reason or approval.\n3. For large teams (100+ people) who've invested millions into training models, a model leak is an existential risk. Access control is tied to team membership and strict approvals.\n\n## Fine-tuning data security\n\nMost teams use a pre-trained model like Mistral and fine-tune it on their own data. It's much cheaper and faster to get a model that's good enough for most use cases.\n\nFine-tuning data allows AI models to adapt and evolve based on real user feedback over time, resulting in far better performance, even with smaller models. Usually this data is based on task completion, user interaction, or even something as simple as a thumbs up/down button shown to users.\n\nFor these teams, the fine-tuning data is the most valuable asset. It's the secret sauce that makes their model better than the competition.\n\nRLHF is what separates you from competitors who are also using OpenAI, Mistral, and Llama models to build their products.\n\nIf data is oil, RLHF is aluminum — a strategic resource for building the future.\n\n## How to set up temporary access for AI\n\nThe best way to secure your AI secrets is to limit access to only the machines that need it, and to monitor and require justification for access.\n\nYou can build a simple internal tool, ticket-oriented service desk, or use a product like [Indent](https://indent.com) to enforce this workflow.\n\nIndent provides a simple API that you can use to require justification for access to your AI secrets, and to monitor and log data access.\n\nIt's also a lot easier if engineers can request directly from Slack and, if approval is required, route notifications into Slack channels. 
This beats having to log into a ticketing system to request access.\n\n## Talk to Us\n\nWe've thought about the broader problem of implementing strict access controls a lot (previously at [Segment](https://segment.com) and [CoreOS](https://coreos.com)), which is what led us to build Indent. If you need any help deciding on the right security architecture or controls for your team, we're happy to help — you can get a demo or [talk to us](/demo).\n\nWe're also building a set of APIs that you can use to build security into your AI products. For example, you can use our Approval API to require justification for access to your AI secrets, and our Prompt API enables AI models to get clarification from users or developers in production.","hero":{"bg":"#2a3543","text":"#8fb5d5","image":"/static/images/blog/content/blog-hero-million-dollar-ai-problem.png"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"cloudflare-security-best-practices","title":"Locking Down Cloudflare: Security Best Practices","ogTitle":"","fullTitle":"Cloudflare Security Best Practices","ogImageUrl":"https://indent.com/static/og/indent-blog-cloudflare-best-practices.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Keep your Cloudflare account secure with best practices.","noSidebar":false,"heading":"","date":"2024-02-21T10:30:00.000Z","content":"\nFew systems in a company's tech stack are more sensitive than where your traffic is routed. Cloudflare is a popular choice for managing DNS, DDoS protection, and more. (We use it here at Indent!)\n\nPutting some security best practices in place can help you better manage the risk around your Cloudflare account and more easily become compliant with frameworks like SOC 2, PCI DSS, and HIPAA.\n\nHere's the TLDR of what you should do:\n\n1. Least privilege Cloudflare access\n2. Monitor DNS record changes\n3. 
Set up Infrastructure as Code (IaC)\n4. Enforce security headers\n5. Hardware 2FA keys\n\n---\n\n## 1. Least privilege Cloudflare access\n\nUsers with permissions to add or edit your DNS records can redirect traffic to malicious sites, intercept sensitive data, or launch phishing attacks by altering DNS settings.\n\nTo prevent bad actors from making these malicious updates, you should grant access on a least privilege basis.\n\nBy granting temporary access to Cloudflare roles to complete a specific task, and then revoking that access once the task has been completed, you eliminate unused privileged access, making it much harder to successfully breach your Cloudflare account.\n\nYou can manage accounts manually or fully automate approvals and provisioning with Indent’s Cloudflare integration.\n\n[Indent](https://indent.com/) is the request access button for work, getting your team access when they need it and automatically revoking it after they’re done. If you have any questions, feel free to [book some time with our team](https://indent.com/demo#schedule) and we’re happy to answer any questions.\n\n## 2. Monitor DNS record changes\n\nThe settings in your Cloudflare accounts can have a big impact on your attack surface. It's important to monitor for high-risk activities, like creation or modification of DNS records, API keys, or security-sensitive products like WAF, Bot Management, or Zero Trust.\n\nThe easiest way to set up that monitoring is to use [RunReveal](https://runreveal.com/), which can collect your Cloudflare audit logs and detect anomalies and critical configuration changes.\n\n> Cloudflare configuration changes are critical to monitor. Cloudflare operates on their customer's traffic on so many layers that configuration changes can have a massive security impact.\n>\n> — Evan Johnson, Cofounder/CEO at RunReveal, former Head of Security Engineering at Cloudflare\n\n## 3. 
Set up Infrastructure as Code (IaC)\n\nInfrastructure as Code increases your security while also saving you time. Here are a few of our recommendations:\n\n- **Deploy Cloudflare Workers with `wrangler`**\n - Using wrangler simplifies Cloudflare Worker deployment by providing a command-line interface for streamlined setup, version control integration, local testing, and automated deployment.\n - This creates a more developer-friendly workflow while automatically helping you adhere to Cloudflare's best practices for security and performance.\n- **Configure your Cloudflare account with Terraform**\n - Using Terraform facilitates automation and reproducibility of Cloudflare configurations across multiple environments.\n - It streamlines management, version control, and collaborative deployment while maintaining consistency in managing Cloudflare.\n- **Use least privilege roles to purge cache or call the API**\n - Rather than granting someone full admin access, you can implement low-risk access to manage cache settings.\n - Least privilege roles allow for easier management, version control, and automation of Cloudflare resources, streamlining deployment processes and promoting scalability with efficient resource provisioning and updates.\n\n## 4. Enforce security headers\n\nCloudflare Page Rules allow straightforward configuration by enabling users to set up specific rules for different URL patterns, effortlessly incorporating security headers like Content Security Policy (CSP), `X-Frame-Options`, or HTTP Strict Transport Security (HSTS).\n\nAlternatively, Cloudflare Workers provide a more dynamic and programmable approach, allowing for advanced customization and fine-grained control over security headers based on specific conditions or application logic. 
Whether opting for the simplicity of Page Rules or the flexibility of Workers, both methods empower users to bolster their website security by enforcing essential security headers effectively within the Cloudflare ecosystem.\n\nHere's an example of enforcing security headers using Workers:\n\n```js\nconst DEFAULT_SECURITY_HEADERS = {\n 'X-Frame-Options': 'DENY',\n // more headers...\n}\nconst BLOCKED_HEADERS = ['Public-Key-Pins', 'X-Powered-By', 'X-AspNet-Version']\n\nexport default {\n async fetch(request) {\n // Refuse connections negotiated below TLS 1.2 before contacting the origin\n const tlsVersion = request.cf.tlsVersion\n\n if (tlsVersion !== 'TLSv1.2' && tlsVersion !== 'TLSv1.3') {\n return new Response('You need to use TLS version 1.2 or higher.', {\n status: 400,\n })\n }\n\n const response = await fetch(request)\n\n // Copy the origin headers: the headers of a fetched Response are immutable\n const newHeaders = new Headers(response.headers)\n\n // Set every default security header, overriding whatever the origin sent\n Object.keys(DEFAULT_SECURITY_HEADERS).forEach((name) => {\n newHeaders.set(name, DEFAULT_SECURITY_HEADERS[name])\n })\n\n // Strip headers that leak server details or are deprecated\n BLOCKED_HEADERS.forEach((name) => {\n newHeaders.delete(name)\n })\n\n return new Response(response.body, {\n status: response.status,\n statusText: response.statusText,\n headers: newHeaders,\n })\n },\n}\n```\n\nSee the [Cloudflare Docs](https://developers.cloudflare.com/workers/examples/security-headers/) for more information on how to enforce security headers using Cloudflare Workers.\n\n## 5. Hardware 2FA keys\n\nUsing hardware-based two-factor authentication (2FA) keys in Cloudflare significantly enhances the overall security of privileged accounts. Encouraging employees to utilize hardware tokens, such as YubiKeys, over less secure alternatives like SMS-based 2FA, serves as a critical step in mitigating the risk of unauthorized access.\n\nBy providing employees with YubiKeys and actively discouraging SMS-based authentication, Cloudflare users can elevate their account security to a more robust level.\n\nLimiting access for users without hardware keys to only the essential functions ensures that only those authenticated through a secure hardware token can take privileged action, adding an additional layer of protection to sensitive Cloudflare accounts. 
\n\nThis approach aligns with best practices in access control and authentication, fortifying the defense against potential security threats.\n\nIf you have any questions about implementing these best practices or have questions about Indent, feel free to [book some time with our team](https://indent.com/demo).\n","hero":{"bg":"black","text":"white","image":"/static/images/blog/content/blog-hero-cloudflare-best-practices.png"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"tasting-notes-from-vercel-evil-rabbit","title":"Tasting Notes from Vercel's Evil Rabbit","ogTitle":"","fullTitle":"Tasting Notes from Evil Rabbit","ogImageUrl":"https://indent.com/static/og/indent-blog-tasting-notes-evil-rabbit.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Hear from Evil Rabbit, Vercel's founding designer.","noSidebar":true,"heading":"","date":"2024-02-16T20:30:00.000Z","content":"\nEvil Rabbit is the founding designer at Vercel, the company behind Next.js, a popular framework for building web applications with React.\n\nIn this interview, Evil Rabbit shares insights into his design philosophy and the principles that guide his work.\n\n
\n\n## What work have you done that most embodies your taste?\n\n\n\nMy taste in design is embodied by Vercel's principles, which revolve around making technology more accessible, efficient, and enjoyable for developers and end-users alike.\n\nIt's about **combining aesthetics with functionality** to create a harmonious and effective digital experience.\n\nBuilding a platform that prioritizes developer experience, speed, and simplicity aligns with my design principles.\n\n
\n\nDesign principles in-depth\n\n\n- **Developer-Centric Approach:** Vercel's platform is designed with developers in mind. We aim to make their lives easier by providing tools and services that simplify the deployment and management of web applications. This involves creating intuitive interfaces and documentation that developers can easily understand and work with.\n- **Speed:** In today's fast-paced digital world, speed is of utmost importance. Vercel is all about helping developers deploy their projects quickly, with minimal configuration and setup. Design goes beyond a static moment in time, a positive user experience requires a fast product that reacts at the speed of user interaction. We designed the requirements for our frameworks, infrastructure, and CDN to ensure websites and applications load blazingly fast.\n- **Simplicity:** Complexity can often lead to confusion and frustration. We believe in keeping things simple. Our goal is to abstract away unnecessary technical complexities so that developers can focus on their code and creativity.\n- **User-Focused Design:** While our primary audience is developers, we also consider the end-users of the websites and applications hosted on Vercel. Our design scope extends to the users of every Vercel customer, which means products developed with our solutions should be responsive, accessible, and performant by default.\n- **Continuous Improvement:** Taste in design isn't static; it evolves over time. We are committed to continually refining our platform based on user feedback, industry best practices, and emerging technologies. This principle ensures that Vercel stays aligned with the evolving tastes and needs of developers and businesses.\n\n
\n\n## How would you prompt for your taste?\n\n
\n**Prompt**\n\n> Create an image that fuses minimalism with the energy of electronic music. Utilize black and white geometric shapes inspired by brutalist architecture, interwoven with elements of Swiss design typography and the Bauhaus style. Infuse the composition with hints of graphic design reminiscent of the 1930s, evoking the dynamism and innovation of that era.\n\n
\n\n## Whose work inspires your taste?\n\n
(excluding current and past coworkers)
\n\n\n\n**Josef Müller-Brockmann**, **David Carson**, and **Jony Ive**. Their contributions to graphic design, typography, and product design have been a significant contribution to my taste.\n\nI've also been inspired by Marta Minujin, Kevin Cummins, Scott Makela, Peter Saville, Enrique Longinotti, Gaspar Noe, and Steve Jobs.\n\nLately, I've found myself drawing inspiration from people like [Rasmus Andersson](https://rsms.me), [Rek](https://kokorobot.ca/site/home.html) and [Devine](https://xxiivv.com) from [100Rabbits](https://100r.co/site/home.html), and [Mike Matas](https://mikematas.com/).\n\nHere are more designers I've been following:\n\n- [Oğuz Yağız Kara](https://oguzyagiz.com)\n- [Pedro Duarte](https://ped.ro)\n- [James](https://twitter.com/jamesm)\n- [Edgar Amber](https://twitter.com/ambedgar)\n- [Mateo Zaragoza](https://twitter.com/teo_zaragoza)\n- [Andrés Briganti](https://dribbble.com/abriganti)\n- [Guido Ferreyra](https://tipografia.com.ar/)\n- [FodaFarm](https://www.instagram.com/foda.farm/)\n\n## How do you put your taste into practice? What tools do you use?\n\n\n\nI put my taste into practice by focusing on user-centric design, emphasizing clarity, and prioritizing simplicity. Collaborative and creative environments, combined with development processes, help bring my ideas to life.\n\nIn my work, I use design software like **Figma** (Prev. Sketch, Photoshop, Illustrator, Macromedia Flash) for prototyping and design, as well as development tools like **VS Code** for coding and **Vercel** for deployment.\n\n## Any new tools that inspire you?\n\n\n\n**Framer** is a great tool, I wish we could do a bit more with it. I typically use it for prototyping.\n\n[Semplice](https://semplice.com) and [mymind](https://mymind.com) by [Tobias van Schneider](https://vanschneider.com) are also great.\n\n## What other creative works (like food, music, books) have shaped your taste?\n\n\n\nI appreciate the timeless simplicity. 
For example, the elegant simplicity of **Japanese cuisine**, the innovative soundscapes of **electronic music**, and the insightful writings of authors like **Don Norman** have all contributed to shaping my taste.\n\nHere are some of my most beloved dishes for their straightforward preparation methods and the way they highlight the natural flavors and textures of the ingredients. You can create something incredible with only a few ingredients and a simple technique.\n\n
\n\nDishes and ingredients\n\n\n**Savory Dishes**\n\n- **Sashimi**: Raw fish, soy sauce, wasabi.\n- **Miso Soup**: Miso paste, dashi, tofu, wakame, green onions.\n- **Tempura**: Seafood or vegetables, light batter.\n- **Onigiri**: White rice, fillings (umeboshi, salted salmon, tuna mayonnaise), nori.\n- **Tofu Steak**: Firm tofu, soy sauce, mirin, ginger, spring onions.\n- **Shioyaki**: Grilled fish (salmon, mackerel), salted and served simply.\n- **Tamagoyaki**: Eggs, sugar, soy sauce, mirin; a sweet, layered omelet.\n- **Kabocha Nimono**: Kabocha squash, soy sauce, mirin, sugar, simmered until tender.\n- **Yakitori**: Chicken pieces, skewered and grilled, seasoned with salt or tare sauce (soy sauce, mirin, sugar).\n\n**Sweet Dishes**\n\n- **Mochi**: Glutinous rice, sugar, water, fillings (sweet red bean paste).\n- **Dorayaki**: Sweet red bean paste, flour, eggs, sugar, honey.\n- **Matcha Ice Cream**: Matcha (green tea powder), milk, cream, sugar.\n- **Taiyaki**: Flour, baking powder, eggs, milk, sweet red bean paste (or custard, chocolate).\n- **Anmitsu**: Agar jelly, fruits, red bean paste, mochi, black sugar syrup.\n\n**Snacks**\n\n- **Edamame**: Boiled young soybeans, salt.\n- **Hiyayakko**: Chilled tofu, grated ginger, bonito flakes, soy sauce.\n- **Umeboshi**: Pickled plum, traditionally served with rice.\n- **Nasu Dengaku**: Eggplant, miso glaze (miso, sugar, mirin), grilled.\n- **Sunomono**: Cucumber, vinegar, sugar, salt, with seaweed or octopus.\n- **Tsukemono**: Pickled vegetables (cucumber, radish, eggplant, ginger), salt, rice bran or vinegar.\n\n
\n\n**Music**\n\nJoy Division, New Order, Pearl Jam, Nirvana, Chemical Brothers, Marilyn Manson, Rammstein, Luis Alberto Spinetta, David Bowie, Gustavo Cerati, Soda Stereo, Queen, Muse, Heroes del Silencio\n\n\n
\n\n**Movies**\n\nEnter the Void, Trainspotting, Requiem for a Dream\n\n**Books**\n\nGrid Systems in Graphic Design, The Design of Everyday Things, Emotional Design, Living with Complexity\n\n## Can taste be taught?\n\nYes, I believe taste can be refined through exposure to different influences, learning from experienced mentors, and continuous practice. It stems from a mixture of learning principles and honing one's intuition over time.\n\n## How do you know if someone has taste?\n\nSomeone with taste demonstrates a deep understanding of aesthetics, functionality, and their end user experience. They make thoughtful design choices, appreciate the **balance of form and function**, and consistently produce work that resonates with others.\n\n## What’s your most controversial opinion?\n\nWhile it might not be a radical opinion, I believe that design should **always prioritize user experience over aesthetics**. Sometimes, in pursuit of aesthetics, usability can be compromised, which I find controversial when considering taste in design.\n\n## Is there something about your taste that you find important that others ignore?\n\nI place a strong emphasis on **accessibility in design**, ensuring that digital products are usable by everyone. 
This helps me deliver a better experience for all users because it can sometimes reveal potentially confusing interfaces or interactions.\n","hero":{"bg":"black","text":"white","image":"/static/images/blog/content/blog-hero-tasting-notes-evil-rabbit.png"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"temporary-1password-vaults","title":"Temporary 1Password Vaults","ogTitle":"Temporary 1Password Vaults","fullTitle":"Temporary 1Password Vaults","ogImageUrl":"https://indent.com/static/og/indent-blog-1password-break-glass.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Set up temporary 1Password vaults in minutes","noSidebar":false,"heading":"","date":"2024-01-16T19:00:00.000Z","content":"\nNeed to share passwords temporarily, then take back access? \n\nBingo—temporary 1Password vaults. They're your key to controlled info exchange; perfect for managing identity groups. Quick access, faster revocation, zero headaches.\n\n## Set up group-based vaults\n\nLet's say you've got three vaults - social media accounts, single license accounts, and production API secrets. Each vault needs access by different teams. The old way? Manually add each user to the vaults relevant to them. Time-consuming, tedious, prone to error - we've all been there.\n\nThe new and improved way? Groups.\n\nLet's create three groups, one for each team. Put all your marketing team into the 'Social Media' group, your business users into the 'Single License Accounts' group, and your senior engineers into the 'Production API' group.\n\n\nLink these groups to the respective vaults - 'Social Media' should have access to the social media accounts.\n\n## Set up 1Password SCIM Bridge\n\nNow, you need to set up the 1Password SCIM bridge. This is a bridge between your identity provider and 1Password. 
It allows you to manage users and groups in 1Password using your identity provider.\n\n1. [Set up the SCIM bridge in 1Password](https://support.1password.com/scim/)\n2. Configure your identity provider to use the SCIM bridge\n - Google: [Set up SCIM provisioning for Google Workspace](https://support.1password.com/scim-google-workspace/)\n - Okta: [Set up SCIM provisioning for Okta](https://support.1password.com/scim-okta/)\n\nNow that you've completed the SCIM bridge setup, you can manage your groups and users in 1Password using your identity provider. With Indent, you can grant and revoke temporary access to these groups in 1Password based on your identity provider's groups.\n\n## How does it work?\n\nThrough Slack, a user is able to request time-bound, role-based access to vaults. Here is what that workflow looks like:\n\n1. Open Slack and enter `/access`\n2. Fill out the request form requesting access to the break-glass group, give a reason, and hit enter\n3. Indent verifies the on-call status or another configured attribute of the requester\n4. Once verified, access is granted and provisioned for the configured length of time\n5. Indent notifies admins that break-glass access has been granted\n6. After the configured duration, the requester loses access, but can request again if necessary\n\n## Get Started\n\nWant to learn more about Indent or have questions about getting 1Password set up? 
Feel free to [schedule time](https://indent.com/demo) that works for you and we're happy to answer any questions you have!\n","hero":{"bg":"#0472ec","text":"white","image":"/static/images/blog/content/blog-hero-1password-break-glass.png"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"routing-for-the-modern-frontend","title":"Routing for the Modern Frontend","ogTitle":"Routing for the Modern Frontend","fullTitle":"Routing for the Modern Frontend","ogImageUrl":"https://indent.com/static/og/indent-blog-routing-for-the-modern-frontend.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Instrumenting routing for 2023 and 2024","noSidebar":false,"heading":"","date":"2023-12-19T22:00:00.000Z","content":"\nFrontend has become complicated. Gone are the days where you cram everything into a single-page app with a giant bundle.\n\n
\n\nThis blogpost is adapted from talks I gave at [Cloudflare](https://cloudflare.com) Tech Talks in 2023; you can find the original slides [here →](https://routing-for-the-modern-frontend.pages.dev) (or at the end).\n\n
\n\nToday, we have a number of frameworks, libraries, and tools to pick from — [Next.js](https://nextjs.org), [Astro](https://astro.build), [Svelte](https://svelte.dev), [Docusaurus](https://docusaurus.io), or [Vue](https://vuejs.org/). That's just the tip of the iceberg.\n\nThere are so many tools you could use to build a frontend: [Vite](https://vitejs.dev), [Snowpack](https://www.snowpack.dev), [Webpack](https://webpack.js.org), [Rollup](https://rollupjs.org), [Parcel](https://parceljs.org), [Gatsby](https://www.gatsbyjs.com), [Nuxt](https://nuxtjs.org), [Sapper](https://sapper.svelte.dev), [Eleventy](https://www.11ty.dev), [Hugo](https://gohugo.io), [Jekyll](https://jekyllrb.com), [VuePress](https://vuepress.vuejs.org), [Gridsome](https://gridsome.org), [Scully](https://scully.io), and the list goes on.\n\nIn our case ([Indent](https://indent.com)), we use [Next.js](https://nextjs.org) for our marketing site and [Docusaurus](https://docusaurus.io) for our docs, both hosted on [Vercel](https://vercel.com), which gives us niceties like [per-branch deployment previews](https://vercel.com/docs/deployments/preview-deployments) and [multiplayer comments](https://vercel.com/docs/workflow-collaboration/comments) so anyone on our team can contribute.\n\nFor our main app, we also use Next.js, so why not consolidate it with our marketing site? Well, we have to follow compliance and security requirements from our customers, like allowing customers to self-host and strict code review controls.\n\nThe common problem with splitting into separate apps is that you have to manage routing between them.\n\nYou can't just use a regular `next/link` or `Link` component from `react-router-dom` to link to a page in another app. 
You have to use routing-aware links that check whether the linked route is part of the current app, another [Next.js zone](https://nextjs.org/docs/pages/building-your-application/deploying/multi-zones), or a different framework.\n\nAnd maybe one of the worst parts is separate domains for each app. How many times have you gone to `company.com/docs/deep/link`, just to get redirected to the `docs.company.com` index page?\n\nIt's a terrible experience.\n\nInstead, we use [Cloudflare Workers](https://workers.cloudflare.com) to route between the apps and merge them into one canonical domain: [indent.com](https://indent.com)\n\n```\nindent.com\n └── / — Next.js for marketing — Vercel\n └── /docs — Docusaurus for docs — Vercel\n └── /home — Next.js for product — Google Cloud\n```\n\nThe worker code starts by adding security headers to every response:\n\n```js\naddEventListener('fetch', event =>\n event.respondWith(handleRequest(event))\n)\n\nasync function handleRequest(event) {\n try {\n if (event.request.method === 'GET') {\n let response = await serveAsset(event)\n\n return await addSecurityHeaders(response)\n }\n\n ...\n```\n\nIn Next.js, we also have to add an asset prefix:\n\n```js\n/** @type {import('next').NextConfig} */\nconst isProd = process.env.NODE_ENV === 'production'\nconst assetUrl = process.env.VERCEL_URL || 'my.vercel.app'\nconst assetPrefix = isProd ? 
`https://${assetUrl}` : ''\n\nmodule.exports = {\n assetPrefix\n}\n```\n\nAnd then we can serve the asset from the correct deployment:\n\n```js\nasync function serveAsset(event) {\n const url = new URL(event.request.url)\n let { pathname, search } = url\n let cache = caches.default\n let response = await cache.match(event.request)\n\n if (response && response.status < 400) {\n return response\n }\n\n if (shouldServeDashboard(pathname)) {\n // Remove assetPrefix for dashboard Next.js App\n } else if (shouldServeDocs(pathname)) {\n // Remove assetPrefix for docs Docusaurus 2.0 site\n } else {\n // Serve marketing Next.js App\n }\n\n if (response.status < 400) {\n const res = response.clone()\n event.waitUntil(cache.put(event.request, res))\n }\n\n return response\n}\n```\n\nHave any questions?\n\nFeel free to reach out ([@fouadmatin](https://twitter.com/fouadmatin) on X) or [check out the slides](https://routing-for-the-modern-frontend.pages.dev)!\n
","hero":{"bg":"white","text":"teal-500","image":"/static/og/indent-blog-routing-for-the-modern-frontend.png"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"on-call-patterns","title":"Patterns for On-Call Access","ogTitle":"Patterns for On-Call Access","fullTitle":"Patterns for On-Call Access","ogImageUrl":"https://indent.com/static/og/indent-blog-on-call.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Explore five patterns of on-call access","noSidebar":false,"heading":"","date":"2023-12-12T17:00:00.000Z","content":"\nStep 1 for any on-call procedure is to get access to respond to an incident. Time to access can make or break your response time, and your team’s morale.\n\nThere is no one “right” way to handle on-call access across every organization, or even within a single organization.\n\nFactors like tech stack, release process, time zone distribution, size and experience of your team, area of focus, and security risk all play a big part in determining which pattern is the right tool for the job.\n\nIndent is able to help you manage the full lifecycle of on-call access, so we’ve seen a lot of different ways this is handled across a spectrum of companies. 
In this blog post we’ll explore some common patterns we’ve seen from our customers.\n\n## Patterns for on-call access\n\n| | Pattern | When to use it |\n| --- | --- | --- |\n| 1 | Indefinite | Small teams, senior management, or people who are always on-call |\n| 2 | 1 week | Dedicated teams with known surface area, like IT on-call |\n| 3 | 12 hours | Cross-functional engineers with known but dynamic surface area, like product teams or customer access |\n| 4 | Task-based | Teams with higher security risk implementing least privilege |\n| 5 | Semaphore | Sensitive operations that allow only one cook in the kitchen |\n\n## 1 Indefinite access for the forever on-call\n\nIt can make sense to retain on-call access at all times. This generally applies to certain mission-critical personnel and to smaller teams (under 10 engineers) handling low-risk data.\n\n- **CTO**\n - Responsible for the overall health and performance of the technology stack, indefinite on-call access allows the CTO to offer immediate guidance during emergencies.\n- **VP of Engineering**\n - Indefinite on-call access enables the VP of Engineering to support and guide teams during critical incidents, ensuring optimal performance and swift resolution of issues.\n- **Head of Infrastructure**\n - With a focus on scalability, security, and efficiency of the infrastructure, indefinite on-call access allows the Head of Infrastructure to swiftly respond to emergent issues, implementing necessary measures to maintain operational continuity and mitigate risks.\n- **Infrastructure Teams**\n - Some engineers require indefinite on-call access to address system failures, network outages, and security incidents promptly, ensuring uninterrupted service and minimizing downtime for the entire organization.\n\nOver time, as 
teams and security risks grow, the risks of permanent access start to outweigh the benefits. It’s important to have a process in place to review and remove access when it’s no longer needed.\n\nOnce you remove access, it's important to be able to grant it quickly when someone needs it. With Indent, you can always grant it again with a single click from Slack.\n\n## 2 Week-long access for on-call rotation\n\nA common on-call practice for dedicated teams with a well-defined surface area (like IT teams or customer support teams) is to automate the rotation of on-call status within an incident response solution on a weekly cadence.\n\nRight before the rotation, the person ending their on-call shift is responsible for granting on-call permissions via an on-call group to the person who is about to start the next shift.\n\nFor the same reason we automate on-call rotation, we should automate on-call permissions rotation: consistency.\n\nOne way you can do this is with Indent. You can auto-approve access for a week based on a user’s on-call status in your incident response provider like PagerDuty, Opsgenie, or Incident.io.\n\nIt also comes with the benefit that if someone is not on-call but wants to help with an incident, there’s a fast path for them to get the needed access. They can request on-call permissions through Indent, which can be approved with one click and automatically provisioned. 
This type of access gives you least privilege by default while accelerating time to resolution.\n\n## 3 Work-day or per-incident access\n\nFor cross-functional engineers with known but dynamic surface area, like product teams or teams that need customer access, time-limiting on-call access to 12 hours can make a lot of sense.\n\nShifting to more granular, time-bound access helps prevent accidents like making changes in production when you meant to make them in testing, and reduces security and compliance risk.\n\nWith Indent you can auto-approve for 6, 12, 24, or a custom number of hours based on a variety of factors like Okta group membership, on-call status, or assignment to an active incident in Incident.io. If the clock runs out but access is still needed, you can request access again with a single click from Slack.\n\n## 4 Task-based access\n\nTeams with a higher security risk or that have implemented least privilege should opt for task-based on-call access.\n\nRather than granting role-based access to a category of tasks (e.g. On-Call Admins), they take the extra step to break down access into groups that mirror domains like:\n\n- On-Call Logging Viewer\n- On-Call Server Admin\n- On-Call Database Admin\n\nUsing Indent you’re able to grant time-bound or indefinite access to these groups. This style of access can also work for customer access for engineering, sales, and support, to get temporary access to customer accounts.\n\n## 5 Semaphore production access\n\nThere are some tasks that are so sensitive that you might only want one person at a time to have the permissions to perform them, e.g. 
database migration.\n\nHere’s how you could implement that using the Indent API:\n\n```js\nimport { verify } from '@indent/webhook'\nimport { Request, Response } from 'express'\nimport { IndentAPI } from '@indent/api'\n\nconst indent = new IndentAPI()\n\nexport default async function(req: Request, res: Response) {\n // Verify the webhook signature before trusting the payload\n // (assumes express.json() has already parsed req.body)\n await verify({\n secret: process.env.INDENT_WEBHOOK_SECRET,\n headers: req.headers,\n body: req.body\n })\n\n const { events } = req.body\n const { resource } = events[0]\n\n // Look for any petition for this resource that is currently granted\n const existing = await indent.petition.list({\n resourceId: resource.id,\n phase: 'granted'\n })\n\n // Nobody holds the semaphore: return no events and let the normal policy decide\n if (!existing || existing.length === 0) {\n return res.json({ events: [] })\n }\n\n // Someone already holds it: deny until their grant expires\n return res.json({\n events: [{\n event: 'access/deny',\n actor: { kind: 'bot', id: 'semaphore' },\n resource: { kind: 'access', id: existing[0].id },\n reason: `semaphore - already granted: ${existing[0].name}`\n }]\n })\n}\n```\n\nNow once the first person requests access, the second person will be denied access until the first person’s access expires.\n\n---\n\nThere are many ways to handle on-call access and it’s important to find what fits best for your team.\n\nHave a question about optimizing on-call access? 
[Get a demo and schedule time](https://indent.com/demo) that works for you — we're happy to help!\n","hero":{"bg":"black","text":"white","pattern":"pattern-isometric pattern-gray-700 pattern-bg-gray-900 pattern-opacity-100 pattern-size-8"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"per-customer-access","title":"Per-Customer Access Control using Indent API","ogTitle":"","fullTitle":"Per-Customer Access Control using Indent API","ogImageUrl":"/static/og/indent-blog-per-customer-access.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Implement per-customer access control using Indent.","noSidebar":false,"heading":"","date":"2023-12-07T16:00:00.000Z","content":"\nPer-Customer Access Control is essentially a way of ensuring the principle of least privilege (PoLP) in the context of employee access to customer data.\n\nIt's the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. \n\nImagine a bank where employees can only access the accounts relevant to their role. A teller can manage cash transactions but can't authorize a loan - they simply don't have the \"key\" to that information.\n\nThe same principle applies to customer data in a digital environment. An employee in the sales team shouldn't have access to sensitive personal customer information that is unnecessary for them to perform sales tasks. Least privilege access reduces the risk of internal data breaches and prevents the misuse of privileged data.\n\nMore importantly, it helps maintain customer trust, as it ensures their data isn't exposed unnecessarily.\n\nWhile it may seem like more administrative effort, the efficiency and safety paybacks can be substantial. 
Consider it the ultimate spring clean - getting rid of access that is no longer needed while being fundamentally aware of who has access to what data!\n\n## Per-customer access architecture\n\nHere's how managing per-customer access with Indent works:\n\n1. List customers from our database\n1. Create a resource for each customer in Indent\n1. Provision when a user is granted or revoked access to a customer\n1. Create a petition to request access to a customer\n\nThere are a few different options for how provisioning can work:\n\n- **Group-based**: create a group or role in your identity provider for each customer and add users to the group (`CustomerAccess_123`)\n- **Attribute-based**: add a customer attribute to each user in your identity provider that can be used to filter customer access (`assigned_customers=[123]`)\n- **Webhook-based**: create a webhook that is called when a user is granted or revoked access to a customer\n\nWe're going to use a custom webhook because it's the most flexible and we can use our existing production access control system rather than a side door.\n\nThe webhook will be called with the `access/grant` event once access is granted. After the access time period expires, the webhook will be called again with the `access/revoke` event and access will be cleaned up. That's it!\n\n## Upload customers as Indent resources\n\nFirst, we'll upload our customers as Indent resources. We'll use the [Indent API](https://indent.com/docs/api/overview) to create a new resource for each customer.\n\n```\nnpm install @indent/api\n```\n\nNext, we'll need to list our customers from our database. 
We'll use the following query to list all customers:\n\n```sql\nselect id, name, plan from customers;\n```\n\nWe can write a script using `@indent/api` to bulk upload them:\n\n```js\nimport { IndentAPI } from '@indent/api'\nimport sql from './sql' // or some SQL client\n\nconst indent = new IndentAPI({\n spaceName: process.env.INDENT_SPACE,\n apiToken: process.env.INDENT_API_TOKEN\n})\n\nasync function upload() {\n const customers = await sql`select id, name, plan from customers;`\n\n await indent.resource.bulkUpdate({\n resources: customers.map(c => ({\n kind: 'customer',\n id: c.id,\n displayName: c.name,\n labels: { plan: c.plan }\n }))\n })\n}\n\nupload()\n```\n\nThese resources will now show up in the Indent API:\n\n```js\n> await indent.resource.list()\n\n[{ kind: 'customer', displayName: 'AcmeCorp', ... }, ...]\n```\n\nNext we'll need to handle when access is granted and revoked.\n\n## Grant access on a per-customer basis\n\nWe'll need to create a webhook in Indent that will be called when a user is granted or revoked access to a customer.\n\nFollow these steps to do that:\n\n1. [Create a webhook](https://indent.com/spaces?next=/manage/spaces/[space]/webhooks) in the Indent dashboard\n1. 
Copy the webhook secret and add it to the environment as `INDENT_WEBHOOK_SECRET`\n\nNext we'll need to create a webhook handler that will be called when a user is granted or revoked access to a customer.\n\nWe'll use the [Indent Webhook SDK](https://indent.com/docs/webhooks) to verify the webhook signature and handle the event:\n\n```js\nimport { verify } from '@indent/webhook'\nimport { Request, Response } from 'express'\nimport { Event as AuditEvent } from '@indent/types' // for TypeScript\n\nexport default async function(req: Request, res: Response) {\n try {\n // Reject anything not signed with our webhook secret before acting on it\n // (assumes express.json() has already parsed req.body)\n await verify({\n secret: process.env.INDENT_WEBHOOK_SECRET,\n headers: req.headers,\n body: req.body\n })\n\n const { events } = req.body\n\n await Promise.all(\n events.map((auditEvent: AuditEvent) => {\n switch (auditEvent.event) {\n case 'access/grant':\n return grantPermission(auditEvent)\n case 'access/revoke':\n return revokePermission(auditEvent)\n default:\n return Promise.resolve()\n }\n })\n )\n\n res.status(200).json({})\n } catch (err) {\n // Log details server-side; never echo a stack trace back to the caller\n console.error('indent webhook failed', err)\n res.status(400).json({ error: { message: err.message } })\n }\n}\n\nasync function grantPermission({ event, actor, resources }: AuditEvent) {\n // TODO: Grant permission\n /*\n * {\n * \"event\": \"access/grant\",\n * \"actor\": { \"email\": \"reviewer@example.com\" },\n * \"resources\": [ grantedUser, grantedResource ]\n * }\n */\n}\n\nasync function revokePermission({ event, actor, resources }: AuditEvent) {\n // TODO: Revoke permission\n /*\n * {\n * \"event\": \"access/revoke\",\n * \"actor\": { \"email\": \"reviewer@example.com\" },\n * \"resources\": [ revokedUser, revokedResource ]\n * }\n */\n}\n```\n\nOnce this webhook is deployed and configured in Indent, we can start granting and revoking access to customers.\n\n## Request approval via Indent API\n\nYou can also request approval on behalf of your team via the Indent API. 
This is useful if your team uses an internal admin panel or a tool like Retool. Use the API to create petitions like this:\n\n```js\nimport { IndentAPI } from '@indent/api'\n\nconst indent = new IndentAPI({\n spaceName: process.env.INDENT_SPACE,\n apiToken: process.env.INDENT_API_TOKEN\n})\n\n// Request access to customer 123 on behalf of a support agent\nconst petition = await indent.petition.create({\n actor: { kind: 'support-agent', email: 'sally@indent.com' },\n resources: [{ kind: 'customer', id: '123' }],\n reason: 'to debug BUG-482',\n})\n\n// Poll the petition until it is approved (or the wait times out)\nawait indent.petition.waitFor({ petitionName: petition.name })\n```\n\n## Next steps\n\nThis is just the beginning. There's a lot more you can do with Indent to manage temporary access to customers:\n\n1. Auto approvals for on-call teams or assigned support agents\n1. Geo-restrictions for access based on security and compliance\n1. Grant least privilege roles per customer (e.g. admin vs readonly)\n\nReady to start managing per-customer access control?\n\nCheck out Indent and [get a demo →](https://indent.com/demo)\n","hero":{"bg":"gray-800","text":"white","pattern":"pattern-cross pattern-size-6 pattern-bg-gray-800 pattern-orange-600 pattern-opacity-100"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"pci-dss-requirement-7","title":"How to Comply with PCI DSS Requirement 7","ogTitle":"How to Comply with PCI DSS Compliance Requirement 7","fullTitle":"How to Comply with PCI DSS Compliance Requirement 7","ogImageUrl":"https://indent.com/static/og/indent-blog-pci-requirement-7.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Deep dive into PCI DSS Requirement 7 and how to simplify compliance","noSidebar":false,"heading":"","date":"2023-12-06T18:00:00.000Z","content":"\nThe Payment Card Industry Data Security Standard ([PCI DSS](https://www.pcisecuritystandards.org/)) is a compliance framework 
that protects payment card data and promotes a culture of robust security practices within organizations that handle sensitive financial information.\n\nFor those organizations, PCI compliance means avoiding fines from credit card companies and maintaining their customers’ trust by safeguarding cardholder data from unauthorized access.\n\nThere are 12 requirements within the PCI DSS, covering network security, data protection, access control, monitoring, and other areas that safeguard payment card data.\n\nEach requirement comprises multiple sub-requirements that detail specific actions and security controls necessary for compliance.\n\n## PCI DSS Requirement 7 – Least Privilege Access Control\n\nPCI DSS Requirement 7 focuses on restricting access to cardholder data on a \"need-to-know\" or “principle of least privilege” basis within an organization. PCI DSS Requirement 7 mandates that you grant least privilege access to:\n\n- Primary Account Number (PAN)\n- Cardholder Name\n- Expiration Date\n- Card Verification Value (CVV/CVC) code\n- Cardholder Billing Address\n- Phone Number\n\nNote that the card verification code is sensitive authentication data that PCI DSS prohibits retaining after authorization at all, so access control is a complement to not storing it, not a substitute.\n\nTo comply with Requirement 7, organizations are required to:\n\n- **Set up Role-Based Access Control (RBAC)**\n - Define access rights based on job responsibilities\n- **Implement Least Privilege**\n - Grant access to cardholder data only to those who require it for their specific job functions\n- **Continuously Monitor**\n - Log access to cardholder data and review it regularly\n\nThis requirement aims to minimize the risk of unauthorized access to sensitive payment card data by limiting access to only individuals who genuinely need it to perform their job duties.\n\n## Build or Buy Considerations\n\nWhen implementing least privilege access control, teams often trip up because good security often comes at the expense of usability. \n\nBut it doesn’t have to.\n\nUser-friendly access control workflows make people less likely to try to get around them. 
Here's what that typically looks like:\n\n- **Self-serve access requests**\n - Minimize steps for requesting and approving access\n - Enable requesting and approving from tools they’re already using\n- **Automating policy enforcement**\n - Automatically route requests to the correct approvers\n - Encode your policies like max duration of access, number of approvals, etc\n- **Reducing manual admin tasks**\n - Trigger provisioning automatically upon approval\n - Automatically revoke access after set duration\n - Log all access related events with full metadata to make auditing easier\n\nCompanies like Addepar and Robinhood chose to build their own least privilege access control system. To learn more about the building process, check out this [great talk by Karthik Rangarajan](https://www.youtube.com/watch?v=121TkWzXXYI), who helped both companies create their systems.\n\nNot every team has the desire and resources to build and maintain a least privilege access control system, and for them, buying a solution to help them with compliance makes a lot of sense.\n\nThere’s a lot that goes into choosing a least privilege access control solution. Here’s a compilation of dozens of teams’ buying criteria in a [handy scorecard](https://docs.google.com/spreadsheets/d/1O2aZo2wivmB1VR8mavbBCv19UdcKaWywFWvMjA89S6E/edit?usp=sharing) that you’re welcome to use.\n\n## Faster, Compliant Access\n\nMost of the time it's easier to pick a ready-to-go solution and get back to building. 
Teams can get set up with Indent to start granting compliant access in hours rather than quarters.\n\nIndent allows users to request access to any cloud app that contains cardholder data, right from Slack.\n\nThat request can either be automatically approved for a preconfigured duration or routed to the right reviewer(s) for approval and a customizable access duration grant.\n\nAfter the user’s access expires, it’s automatically revoked, with all relevant event data being logged for security and compliance purposes.\n\nCheck out the table below to see how Indent helps you meet the PCI DSS Requirement 7 sub-requirements (requirement wording from PCI DSS v4.0).\n\n| Requirement | Description | Indent |\n| --- | --- | --- |\n| 7.2.1 | An access control model is defined and includes granting access as follows: • Appropriate access depending on the entity's business and access needs. • Access to system components and data resources that is based on users' job classification and functions. • The least privileges required (for example, user, administrator) to perform a job function. | • Granular, role-based access • Able to grant access to employees, contractors, and third parties |\n| 7.2.2 | Access is assigned to users, including privileged users, based on: • Job classification and function. • Least privileges necessary to perform job responsibilities. | • Adds users to role-based groups • Auto-revokes access after a set duration |\n| 7.2.3 | Required privileges are approved by authorized personnel. | • Automatic request routing |\n| 7.2.4 | All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: • At least once every six months. • To ensure user accounts and access remain appropriate based on job function. • Any inappropriate access is addressed. • Management acknowledges that access remains appropriate. Note: This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. | • Real-time approvals with no persistent access |\n| 7.2.5 | All application and system accounts and related access privileges are assigned and managed as follows: • Based on the least privileges necessary for the operability of the system or application. • Access is limited to the systems, applications, or processes that specifically require their use. Note: This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. | • Granular, role-based access |\n| 7.2.6 | All user access to query repositories of stored cardholder data is restricted as follows: • Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. • Only the responsible administrator(s) can directly access or query repositories of stored CHD. | • Granular, role-based access |\n| Bonus: 8.2.4 | Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows: • Authorized with the appropriate approval. • Implemented with only the privileges specified on the documented approval. | • Granular, role-based access with approvals |\n
\n\nTeams like Modern Treasury and KnotAPI chose Indent to help them achieve and maintain PCI compliance.\n\n**Modern Treasury**\n\n[Modern Treasury](https://www.moderntreasury.com) provides APIs for sending, receiving, and reconciling payments over any payment method, including ACH, wires, and RTP.\n\nAfter achieving initial compliance, they realized that their manual access control wasn’t going to scale with their team. Getting access was taking days, and required manual admin work to revoke and document access.\n\nBy switching to Indent they were able to maintain compliance while reducing the time it took to get access for employees who really needed it to minutes rather than days, and cutting admin workloads.\n\n**“We're not actually blocking them. Like fifty-nine seconds is shorter than it takes to boot up a local rails server sometimes. So that's amazing to me that it's so on demand that anyone can access it and our CTO's not spending any time managing roles.”**\n\n**KnotAPI**\n\n[KnotAPI](https://knotapi.com/) programmatically updates card-on-file information, cancels subscriptions, and changes passwords. They adopted Indent before they began their compliance journey.\n\nLike Modern Treasury, they were handling their access control manually and were looking for a solution to handle an influx of engineers and temporary access for contractors. By using Indent they were able to reduce the admin time associated with managing access by 50% and reduce access wait times to just a few minutes.\n\n**“We’re excited to be able to bring the speed of on-demand access with Indent to our codebase to empower our engineers to move even faster while also reducing our breach risk.”**\n\n— Kieran O’Reilly, CTO at Knot API\n
\n\n## Partner in PCI Compliance\n\nPCI DSS Requirement 7 plays an important role in protecting critical financial information.\n\nImplementing consistent least privilege access control keeps organizations in compliance, and shields them from fines from credit card companies, while maintaining the trust of their customers.\n\nBecoming compliant doesn’t have to be difficult. For teams who want to lay the groundwork for compliance with Requirement 7 in a day, solutions like Indent can be set up in an hour.\n\nIf you're a Drata, Secureframe, or Vanta customer, you can also use Indent reports for your compliance audit evidence.\n\nWant to learn more or get a guided installation? [Get a demo and schedule time](https://indent.com/demo) that works for you — we're happy to answer any questions you have!","hero":{"bg":" pattern-isometric pattern-green-800 pattern-bg-green-900 pattern-opacity-100 pattern-size-8","text":"white","pattern":"pattern-isometric pattern-green-800 pattern-bg-green-900 pattern-opacity-100 pattern-size-8"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"github-pr-break-glass","title":"Break Glass for GitHub PRs with Indent","ogTitle":"Break Glass for GitHub PRs with Indent","fullTitle":"Break Glass for GitHub PRs with Indent","ogImageUrl":"https://indent.com/static/og/indent-blog-github-pull-request-break-glass.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Set up a secure branch protection rules bypass workflow in minutes","noSidebar":false,"heading":"","date":"2023-11-30T21:00:00.000Z","content":"\nGitHub branch protection rules ensure that changes to critical branches, such as the main branch, meet certain criteria before being merged into the codebase. 
\n\nThey’re guardrails to ensure PRs are properly reviewed, tested, and approved before they’re merged into the codebase, reducing the likelihood of introducing bugs or vulnerabilities.\n\nBut every once in a while you might have an emergency.\n\nOne of those hair-on-fire moments where time is ticking, and you need to make a change pronto. That’s when you need to break glass and bypass those branch protection rules, but doing it correctly is critical for the security of your codebase. \n\nThe essential components of a secure break glass workflow are:\n\n- **Time-boundedness**: no user should be able to bypass branch protection rules indefinitely.\n- **Notifications**: breaking glass in the physical world makes noise. There should also be noise when your normal security workflow is being circumvented. Admins should receive notifications when someone has bypassed your branch protection rules. \n- **Auditability**: every time someone uses break glass access, it should be logged, so it can undergo a security audit later. \n\n## Common Methods\n\nOne way we see people attempt to set up break glass access is by creating teams with the ability to override branch protection rules. 
Members of the team still have persistent access, increasing the potential for a compliance violation, unauthorized action, or a mistake.\n\nAutomating the process of granting and revoking access to the team is a great way to ensure that access is only granted when necessary and is automatically revoked after a specified period.\n\nTo achieve this, you can use the GitHub API to create a script that:\n\n- When an issue is opened, adds the issue author to the breakglass-approvers team\n- When the issue is closed, removes that user from the team\n- Check out this open-source GitHub repository that uses GitHub Issues/Actions for a DIY solution: [github-break-glass-template →](https://github.com/indentinc/github-break-glass-template)\n\nThe issue with the Issue/Action-based approach is that it has no approval process and it's up to the user to decide when to open/close the issue. You’re also missing the crucial logging and notification components. It's better than nothing, but there’s a better way. \n\n## Bypassing Branch Rules the Right Way\n\nThe easiest way to incorporate these attributes is to use a privileged access management solution like Indent. \n\nWith Indent, you can: \n\n- Set up access policies and auto-grant or revoke access as needed\n- Log access-related events for security and compliance\n- Send notifications to admins to keep them in the loop\n\n## Set up Break Glass for GitHub PRs \n\nGetting Indent set up with GitHub is free and takes just a few minutes. 
\n\n- Make branch protection rules for main that require approval, including for admins (there’s an extra checkbox for that)\n- Create a GitHub team like `breakglass-approvers` and list it under “Allow specified actors to bypass required pull requests” in the branch protection rule you just created\n- Sign up for a [free Indent account and select GitHub groups as what you’d like to manage during set-up](https://indent.com/setup)\n- Start using Indent to grant temporary access to the breakglass-approvers team either with management or on-call approval\n\n## Secure all your access workflows - not just GitHub break glass\n\nIndent can also help manage access to your production infrastructure like AWS, GCP, or Azure. Many teams also choose to set up on-call auto approvals with our PagerDuty, Opsgenie, and Incident.io integrations.\n\nWant to see a demo or have a guided onboarding? \n\nFeel free to [schedule time](https://indent.com/demo) that works for you and we're happy to answer any questions you have!\n","hero":{"bg":"bg-gradient-to-t from-black to-blue-900","text":"white","image":"/static/images/blog/content/blog-hero-github.png"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"1password-break-glass","title":"Set Up Break Glass Access in 1Password","ogTitle":"Set Up Break Glass Access in 1Password","fullTitle":"Set Up Break Glass Access in 1Password","ogImageUrl":"https://indent.com/static/og/indent-blog-1password-break-glass.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Set up break glass access for 1Password in minutes","noSidebar":false,"heading":"","date":"2023-11-28T19:00:00.000Z","content":"\nNamed after breaking glass to activate a fire alarm, break glass access is an expedited way for users without access to certain accounts to get access in emergency situations through a predetermined workflow.\n\nTo implement it safely, you should store your break glass credentials in a vault within an enterprise 
password management system like 1Password.\n\nBut, how do you manage access to that vault? \n\nBreak glass access should be time-bound and create an audit trail to prevent abuse. 1Password doesn’t have that functionality natively, but it’s simple to get set up. Let’s walk through it. \n\n## TL;DR: Break Glass Access with Indent\n\nIndent integrates with 1Password to get users fast and secure emergency access to vaults, and then will automatically expire that access after a configured length of time. \n\n## How does it work?\n\nThrough Slack, a user is able to request time-bound, role-based access to vaults. \n\nHere is what that workflow looks like:\n\n1. Open Slack and enter ‘/access’\n2. Fill out the request form requesting access to the break glass group, give a reason, and hit enter\n3. Indent verifies the on-call status or another configured attribute of the requester\n4. Once verified, access is granted and provisioned for the configured length of time\n5. Indent notifies admins that break glass access has been granted \n6. After the configured duration, the requester loses access, but can request again if necessary\n\n## FAQ\n\n**Does Indent integrate with PagerDuty, Opsgenie, and Incident.io for on-call verification?**\n\nYes! Indent integrates with all the most popular incident management systems.\n\n**Does Indent still work if identity, authentication, or authorization systems are down?**\n\nIndent can integrate into a break glass workflow even if your primary identity management systems are down. If you have questions about how to get this set up, [reach out](https://support.indent.com/hc/en-us). \n\n**Is there a free tier or a trial?**\n\nYes, setting up break glass access for 1Password won't cost you anything. You can either [use Indent Free](https://indent.com/setup) or [sign up for a free 30 day trial](https://indent.com/setup) of the Business or Enterprise tiers. \n\nTo find the right tier for you, check out [the pricing page](https://indent.com/pricing). 
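The six-step workflow above, and the single-holder semaphore pattern from the on-call post earlier on this page, reduce to the same small piece of logic: a time-bound grant gated on an attribute check, with every decision logged and every grant and expiry announced. The following is an added example that is not Indent's code; the resource names, TTLs, the `isOnCall` predicate and the `notify` sink are constructed stand-ins for the on-call provider and Slack.

```javascript
// Added example (not Indent's code): a time-bound, approval-gated access
// broker that models the six-step workflow above. The resource names, TTLs
// and the on-call check are constructed for illustration; a real deployment
// would back `isOnCall` with PagerDuty/Opsgenie/Incident.io and `notify`
// with Slack.
const HOUR = 60 * 60 * 1000

class AccessBroker {
  // resources: { [name]: { ttlMs, exclusive } }. `exclusive` means only one
  // active holder at a time, i.e. the semaphore pattern from the on-call post.
  constructor(resources, { isOnCall, notify }) {
    this.resources = resources
    this.isOnCall = isOnCall
    this.notify = notify
    this.grants = [] // { resource, email, reason, expiresAt }
    this.audit = [] // append-only event log for later review
  }

  activeGrants(resource, now) {
    return this.grants.filter(g => g.resource === resource && g.expiresAt > now)
  }

  // The question every other system asks: does this person hold access right now?
  hasAccess(email, resource, now = Date.now()) {
    return this.activeGrants(resource, now).some(g => g.email === email)
  }

  request({ email, resource, reason }, now = Date.now()) {
    const deny = why => {
      this.audit.push({ event: 'access/deny', email, resource, at: now, why })
      return { granted: false, why }
    }
    const spec = this.resources[resource]
    if (!spec) return deny('unknown resource')
    if (!reason || !reason.trim()) return deny('a reason is required')
    if (!this.isOnCall(email)) return deny('requester is not on-call')

    if (spec.exclusive) {
      const holder = this.activeGrants(resource, now).find(g => g.email !== email)
      if (holder) return deny(`already granted to ${holder.email} until ${new Date(holder.expiresAt).toISOString()}`)
    }

    const expiresAt = now + spec.ttlMs
    this.grants.push({ resource, email, reason, expiresAt })
    this.audit.push({ event: 'access/grant', email, resource, at: now, reason, expiresAt })
    // Breaking glass makes noise: admins hear about every grant, not just failures.
    this.notify(`break glass: ${email} granted ${resource} until ${new Date(expiresAt).toISOString()} (${reason})`)
    return { granted: true, expiresAt }
  }

  // Run periodically. Expired grants are removed, logged and announced just
  // like the grant was, so the audit trail shows the full lifetime of access.
  expire(now = Date.now()) {
    const expired = this.grants.filter(g => g.expiresAt <= now)
    this.grants = this.grants.filter(g => g.expiresAt > now)
    for (const g of expired) {
      this.audit.push({ event: 'access/revoke', email: g.email, resource: g.resource, at: now })
      this.notify(`break glass: ${g.email} lost ${g.resource} (expired)`)
    }
    return expired.length
  }
}
```

`hasAccess` is computed from the expiry timestamp rather than from whether the sweeper has run yet, so a grant stops working at the moment it expires even if `expire()` is late; the sweeper only exists to emit the revoke event and the notification.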
\n\n## Setting Up Emergency Access with Indent and 1Password\n\nIn less than an hour you can get break glass access for 1Password set up by following these steps: \n\n- **Create group**: Create a new group in your identity provider and give it a name that indicates it's for break glass access, e.g. `break-glass-1Password`\n- **Register with Indent and configure**: [Sign up for a free Indent account](https://indent.com/login), install the [1Password integration](https://indent.com/integrations/1password) and follow the [1Password + Indent docs](https://indent.com/docs/integrations/1password) to configure. If you’re interested in setting up auto-approvals with on-call verification, install the Indent integration for [Opsgenie](https://indent.com/catalog/opsgenie), [PagerDuty](https://indent.com/catalog/pagerduty), or [Incident.io](https://indent.com/catalog/incidentio). \n- **Set up your break glass vault in 1Password**: Create a vault in 1Password to store your admin credentials for your cloud apps and infrastructure. Assign your new break glass group to the vault. \n\n## Get Started\n\nWant to learn more about Indent or have questions about getting break glass access set up? 
Feel free to [schedule time](https://indent.com/demo#schedule) that works for you and we're happy to answer any questions you have!\n","hero":{"bg":"#0472ec","text":"white","image":"/static/images/blog/content/blog-hero-1password-break-glass.png"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"indent-api","title":"Introducing the Indent API","ogTitle":"Introducing the Indent API","fullTitle":"Introducing the Indent API","ogImageUrl":"https://indent.com/static/og/indent-blog-indent-api.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Today we’re releasing Indent API – the easiest way to add human approvals to any software.","noSidebar":false,"heading":"","date":"2023-11-16T18:00:00.000Z","content":"\nToday we’re introducing the Indent API – the easiest way to add human approvals to any software.\n\nWith it, you can secure your applications, internal tools, and AI agents with a general-purpose interface for requesting human review. 
Reduce the risk of your most dangerous code paths by defining policy checkpoints that can either be automated or require human approval.\n\n```js\nimport { approval } from '@indent/approvals'\n\nasync function resetPassword({ actor, user, reason }) {\n  await approval(\n    {\n      reason,\n      petitioners: [{ kind: 'staff', email: actor.email }],\n      resources: [\n        {\n          kind: 'action',\n          id: `reset-password:${user.id}`,\n          displayName: `Reset Password - ${user.name}`,\n          altIds: [user.id],\n        },\n      ],\n    },\n    { retries: 10, wait: 1000 }\n  ) // wait for max 10 seconds\n\n  // continue\n}\n```\n\n[Join private beta →](/form/approvals)\n\n[Explore API docs →](https://indent.com/docs/api/overview)\n\n## Who is Indent API for?\n\nDevelopers who need to secure potentially dangerous API operations like:\n\n- Sensitive actions like deleting a project\n- AI agents that need human review for edge cases\n- Low-code internal tools (Retool, Zapier, etc.) that need human review\n\nWith Indent, we've built a system that lets you define approval checkpoints that can either be automated or require human approval.\n\nIt provides a general-purpose interface for requesting human review, and we're making it available to developers to use in their code.\n\n## How it works\n\n1. **Install the Indent SDK**. We have SDKs for JavaScript, Python, and Go. You can also use our REST API directly.\n\n```shell\nnpm install @indent/approvals\n\npip install approvals\n```\n\n2. **Request approval**. When you want to request approval, call the `approval` function in the SDK. You can specify the reason for the request, the people who need to approve it, and the resources that are being accessed. Requests can also be auto-approved based on a set of policy conditions.\n\n3. **Wait for approval**. The `approval` async function will wait for the request to be approved. 
You can specify how long to wait, how many times to retry, or if you want it to be resumable.\n\n4. **Continue**. Once the request is granted, the `approval` promise will resolve. You can continue with the rest of your code.\n\n## How to use it\n\nYou can use `await approval` in your code anywhere that you need approvals. The API will check if the request can be auto-approved or if it requires human review, then Indent handles all the notification, time-bounded state management, retry, and other distributed systems logic.\n\nHere's an [example for LangChain](https://indent.com/docs/api/quickstart/langchain) using callbacks to require approval before running shell commands:\n\n```python\nfrom approvals.using.langchain import HumanApprovalCallbackHandler\nfrom langchain.tools import ShellTool\n\ntool = ShellTool(callbacks=[HumanApprovalCallbackHandler()])\nprint(tool.run(\"ls /usr\"))\n```\n\n```shell\n$ python tool.py\n\n ✳︎ Requesting approval for: ls /usr\n ⏵ Requested approval\n ↳ Waiting for approval... (2s elapsed)\n ↳ Waiting for approval... (4s elapsed)\n ↳ Waiting for approval... (8s elapsed)\n ✅ Granted\n\n X11\n X11R6\n bin\n lib\n libexec\n sbin\n share\n standalone\n```\n\n## Roadmap\n\nWe’ve designed the API to be both simple enough for anyone to use and flexible enough to give engineers what they need to secure their products and tools.\n\nEvery part of Indent is designed and built with engineers in mind. You can now request access in order to integrate approvals into your product, internal tools, or AI agents.\n\nHere’s a preview of what’s next:\n\n- Ready-to-go examples for frameworks and integrations\n- Drop-in UI components for approvals in your apps\n- Terraform provider to manage Indent resources\n- [Multiparty](https://multiparty.ai) policy engine for inline authorization checks\n\nInterested in exploring the API? Join our [private beta](/form/approvals). Private beta starting November 2023. 
Open beta in December 2023.\n","hero":{"bg":"#477ee5","text":"white","image":"/static/images/blog/content/blog-hero-indent-api.png"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"ethernetdan","name":"Dan Gillespie","twitter":"ethernetdan","image":"/static/images/blog/avatars/ethernetdan.jpeg","title":"CTO"}],"kind":"blog/post"},{"name":"gantry","title":"Gantry Secures AI Data with Indent and Tailscale","ogTitle":"Gantry Secures AI Data with Indent and Tailscale","fullTitle":"Gantry Secures AI Data with Indent and Tailscale","ogImageUrl":"https://indent.com/static/og/indent-blog-gantry.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"When building AI products, training and production data become your secret sauce","noSidebar":false,"heading":"","date":"2023-11-14T18:00:00.000Z","content":"\nWhen building AI products, training and production data become your secret sauce.\n\n[Gantry](https://gantry.io?ref=indent) is a continuous machine learning improvement platform that makes building with AI more accessible and safe. Their infrastructure makes it easy to observe, analyze, and evaluate the performance of AI powered products while reducing development costs and risk.\n\n![Screenshot of Gantry Analytics dashboard](/static/blog/gantry/gantry-analytics-screenshot.jpg)\n\nGantry was looking for a way to automate least privilege access, to reinforce their security posture and make compliance simpler.\n\n\n
> “Our customers are feeding their training and production ML data into our platform. They trust us to safeguard what is, in a lot of cases, their secret sauce. Getting production access control right plays a big part in our ability to maintain their trust.”\n>\n> Vicki Cheung, CTO, Gantry\n
\n\n\nAfter evaluating several solutions that introduced too much friction and didn’t provide the value they were looking for, Gantry found Indent.\n\nWithin two days, Indent was rolled out to Gantry’s twelve engineers. Their new access workflow paired Tailscale at the networking level with Indent to handle approvals, ACL updates, and logging.\n\n\n
> “Indent and Tailscale are easy to set up and require pretty minimal admin effort. With Indent’s Tailscale integration, you can get a Zero Trust network stood up quickly that checks all the security best practice boxes without annoying or slowing down engineers.”\n>\n> Vicki Cheung, CTO, Gantry\n
\n\n\nRead more about how Gantry uses Indent and Tailscale to secure training and production ML data in our [case study](/customers/gantry).\n\nWant to learn more about Indent? [Get a demo](/demo?utm_source=gtm&utm_medium=blog&utm_campaign=customers-gantry) or [sign up](https://indent.com/signup?utm_source=gtm&utm_medium=blog&utm_campaign=customers-gantry) for a free trial.\n","hero":{"bg":"black","text":"orange-600","image":"/static/images/blog/content/blog-hero-gantry.png"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"wasm-in-nextjs","title":"How to use WebAssembly (WASM) in Next.js","ogTitle":"How to Use WebAssembly (WASM) in Next.js","fullTitle":"How to Use WebAssembly in Next.js","ogImageUrl":"https://indent.com/static/og/indent-blog-wasm-in-nextjs.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Call functions in WASM from inside a Next.js application","noSidebar":false,"heading":"","date":"2023-09-06T18:00:00.000Z","content":"\nIt's become pretty easy to call functions in WASM from the web. 
Let's take a simple example, assuming we have a function called `add` written in Rust that adds two numbers together.\n\nHere's the source code in Rust:\n\n```rust\n// wasm-pack uses wasm-bindgen to build the module and generate the JavaScript binding file.\n// Import the wasm-bindgen crate.\nuse wasm_bindgen::prelude::*;\n\n// Our add function\n// wasm-pack requires \"exported\" functions\n// to include #[wasm_bindgen]\n#[wasm_bindgen]\npub fn add(a: i32, b: i32) -> i32 {\n    a + b\n}\n```\n\nThen we can compile it into WASM using [wasm-pack](https://github.com/rustwasm/wasm-pack) and use it in our web application:\n\n```shell\nwasm-pack build --target web\n```\n\nStarting with Next.js 11, you can import WASM files either by importing them with `next/dynamic` components or using `WebAssembly` APIs.\n\nFor example, let's import the WASM file using `next/dynamic`:\n\n```tsx\nimport dynamic from 'next/dynamic'\n\nexport interface AddModuleExports {\n  add(a: number, b: number): number\n}\n\ninterface RustComponentProps {\n  a: number\n  b: number\n}\n\nconst RustComponent = dynamic({\n  loader: async () => {\n    // Import the wasm module\n    // @ts-ignore\n    const exports = (await import('../add.wasm')) as AddModuleExports\n    const { add } = exports\n\n    // Return a React component that calls the add method on the wasm module\n    return ({ a, b }: RustComponentProps) => <>{add(a, b)}</>\n  },\n})\n```\n\nOr you can use `WebAssembly` APIs to fetch and import the WASM file from a static path:\n\n```js\n// Put `add.wasm` in the `public/wasm/` folder\n// (or any other static folder)\nWebAssembly.instantiateStreaming(\n  // Fetch the file and stream into the WebAssembly runtime\n  fetch('/wasm/add.wasm')\n).then((result) => result.instance.exports.add(1, 1)) // = 2\n```\n\nOk great, it works well for simple functions, but what if we want to call more complex functions? What about other languages?\n\nAt Indent, we primarily write TypeScript on the frontend and Go on the backend. Sometimes there's logic we have to replicate on both sides of the stack, which is either redundant or, worse, drifts between the two. Let's see what it's like to call a function written in Go from a Next.js application.\n\n## Calling Go functions from Next.js\n\nWe have some functionality called `TestPolicy` that tests customer-defined policies in a client-side simulator to make sure they're working as expected. 
We want to call this function from inside our Next.js application to save users an extra network request while debugging.\n\nIn our Next.js project, we'll create a file `cmd/simulator/main.go` with the following source code:\n\n```go\n//go:build js && wasm\n\npackage main\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"syscall/js\"\n)\n\nfunc main() {\n\ttestFunc := js.FuncOf(testWrapper)\n\tjs.Global().Set(\"testPolicy\", testFunc)\n\tdefer testFunc.Release()\n\t<-make(chan bool)\n}\n\n// testWrapper wraps the validate function with `syscall/js` parameters\nfunc testWrapper(_ js.Value, args []js.Value) any {\n\tif len(args) < 1 {\n\t\treturn response(\"\", errors.New(\"missing `policy` argument\"))\n\t} else if len(args) < 2 {\n\t\treturn response(\"\", errors.New(\"missing `test` argument\"))\n\t}\n\tpolicy := args[0].String()\n test := args[1].String()\n\toutput, err := TestPolicy(policy, test)\n\tif err != nil {\n\t\treturn response(false, err)\n\t}\n\treturn response(output, nil)\n}\n\n// TestPolicy is out-of-scope for this example, we'll just assume it returns true with no error\nfunc TestPolicy(policy string, test string) (bool, error) {\n return true, nil\n}\n\nfunc response(out any, err error) any {\n\tif err != nil {\n\t\tout = err.Error()\n\t}\n\treturn map[string]any{\"output\": out, \"isError\": err != nil}\n}\n```\n\nWe can use the standard Go toolchain to compile this into WASM:\n\n```shell\n# Put in package.json scripts as \"build:wasm\"\nGOOS=js GOARCH=wasm \\\n go build -ldflags=\\\"-s -w\\\" \\\n -o public/wasm/simulator.wasm \\\n cmd/simulator/main.go\n```\n\nOnce we've built the WASM, we can try importing it into our Next.js application like we did earlier... But we get this error:\n\n`Module not found: Can't resolve 'gojs'`\n\n![Screenshot of Google search with zero results](/static/blog/wasm-in-nextjs/gojs.png)\n\nIt's never a great sign when the error message is a phrase that has **0 results** on Google. 
Let's see what's going on.\n\nThe only \"gojs\" I'm familiar with is [gojs.net](https://gojs.net), the diagramming tool. And the [`gojs`](https://npmjs.com/package/gojs) package on NPM is also for the diagramming tool. What is going on here?\n\nWell, it turns out that Go wasm modules require [`wasm_exec.js`](https://go.googlesource.com/go.git/+/refs/heads/master/misc/wasm/wasm_exec.js) to be loaded in the browser. This file is included in the standard Go toolchain; the `gojs` the module asks for is the import object this file provides, not the package on NPM.\n\nWith `wasm_exec.js` loaded, we can instantiate the module:\n\n```js\n// Go is defined in wasm_exec.js\nconst go = new Go()\n\nWebAssembly.instantiateStreaming(\n  // Fetch the file and stream into the WebAssembly runtime\n  fetch('/wasm/simulator.wasm'),\n  // importObject is where `gojs` is defined\n  go.importObject\n).then((result) => {\n  // Start the Go runtime; main() registers `testPolicy` on the global object\n  // before it blocks on its channel, so the function is available right after run()\n  go.run(result.instance)\n  // Since we used `js.Global().Set` in Go, we can access the function globally\n  const output = window.testPolicy('', '')\n  console.log(output)\n})\n```\n\nAnd it works!\n\n```\n{\"output\":true,\"isError\":false}\n```\n\nBut when we looked at the WASM file, it was pretty big: 43MB. Can we make it smaller since we're loading it client-side?\n\nLet's [`gzip`](https://www.gzip.org/) the WASM file and see what happens:\n\n```shell\ngzip --best -f < public/wasm/simulator.wasm \\\n  > public/wasm/simulator.wasm.gz\n```\n\nThe problem is that when we try to stream the gzipped file, we get an error, because the streaming WebAssembly API doesn't support gzipped files. 
We can use [`pako`](https://npmjs.com/package/pako) to gunzip the file before instantiating:\n\n```js\nimport pako from 'pako'\n\nconst go = new Go()\nconst imports = go.importObject\nconst res = await fetch('/wasm/simulator.wasm.gz')\nconst gzBuf = await res.arrayBuffer()\nlet buffer = pako.ungzip(gzBuf)\n// (Firefox) Sometimes the buffer is double-gzipped: if the gzip magic bytes\n// (0x1f 0x8b) are still there after one pass, inflate once more\nif (buffer[0] === 0x1f && buffer[1] === 0x8b) {\n  buffer = pako.ungzip(buffer)\n}\nconst result = await WebAssembly.instantiate(buffer, imports)\n\n// Running the module will define `window.testPolicy`\ngo.run(result.instance)\n```\n\nGreat! Now we've got a small WASM file that we can use to call functions written in Go from inside our Next.js application. In future blog posts, we'll cover other languages like [Python](https://pythondev.readthedocs.io/wasm.html), using WASM in API routes, and Next.js 13 Server Actions.\n\nHave any questions? Feel free to reach out to me on Twitter/𝕏 [@fouadmatin](https://x.com/fouadmatin) or send us an email: [open@indent.com](mailto:open@indent.com)\n\n## [Indent](/): Temporary Access for Production and Customer Data That Doesn't Suck\n\nAre you on a team that's building a product that stores customer data or needs to perform sensitive operations on your systems?\n\nSolve the root problem of over-permissioned users and grant time-bound access to production. Use configurable peer or auto-approvals to remove bottlenecks for granting on-call or low-risk access instantly.\n\nWant to learn more about Indent? 
Feel free to [schedule time](indent.com/demo) that works for you and we're happy to answer any questions you have!\n","hero":{"bg":"gray-200","text":"black","image":"/static/images/blog/content/blog-hero-wasm-in-nextjs.png"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"q-soc2-timeline","title":"Q&A Friday: SOC 2 Timeline","ogTitle":"","fullTitle":"Q&A Friday: SOC 2 Timeline","ogImageUrl":"https://og-images.indent-assets.com/SOC%202%20Compliance%20Timeline.png?theme=light&md=1&fontSize=100px&images=https%3A%2F%2Findent.com%2Fstatic%2Ffavicon.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"How long does it take to get SOC 2 compliance?","noSidebar":false,"heading":"","date":"2023-09-01T18:00:00.000Z","content":"\nHow long does it take to get SOC 2 compliance?\n\n## TL;DR Answer:\n\nWith preparation time, SOC 2 Type I takes a minimum of 1.5 months and SOC 2 Type II takes a minimum of 5.5 months.\n\n## SOC 2 Timeline:\n\nThere are three phases for pursuing SOC 2 certification.\n\n### Preparation (completion time: 4-6 weeks)\n\nThe audit preparation period takes 4-6 weeks as you define controls to correlate with your selected Trust Services Criteria. During this time you’ll be drafting policies for your control areas and selecting how you’re going to prove your compliance (e.g. screenshots, logs, etc.)\n\n### SOC 2 Type I (2-3 weeks to complete)\n\nSOC 2 Type I has an audit period of one day as you do a point in time test of your controls. 
It takes an additional 2-3 weeks for certification once you submit your evidence.\n\n### SOC 2 Type II (4-15 months to complete)\n\nSOC 2 Type II has an audit period of 3-12 months as you test the effectiveness of your controls over your selected audit period and gather evidence.\n\nOnce you’ve submitted your evidence, the auditor review and certification takes a minimum of a month, for a total completion timeframe of 4-15 months. Completion time is greatly affected by the ease of documenting your controls, gathering evidence, and your choice of auditor.\n\nFor more information, check out our [SOC 2 page](https://indent.com/soc2).\n","hero":{"bg":"#2463ec","text":"white"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"temporary-google-cloud-database","title":"Temporary Google Cloud Database Access","ogTitle":"Temporary Google Cloud Database Access","fullTitle":"Temporary Database Access for Google Cloud","ogImageUrl":"https://indent.com/static/og/indent-blog-temporary-google-cloud-database.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Learn how to set up temporary database access for Google Cloud.","noSidebar":false,"heading":"","date":"2023-08-23T16:30:00.000Z","content":"\nWhen it comes to production databases, balancing access and security is key. Occasionally, we need to grant short-term database access for debugging a recent deploy or resolving a customer issue.\n\nYet, unchecked access is a security risk. This post will detail how to start granting temporary database access to Google Cloud SQL.\n\n## Temporary vs Permanent Access\n\nGranting access to your database on Google Cloud isn't a casual decision. While it might seem easier to give indefinite access, there are compelling reasons to opt for temporary permissions:\n\n1. **Security**: The longer someone has access, the larger the window of opportunity for potential misuse, whether intentional or accidental. 
Temporary access minimizes this risk.\n2. **[Principle of Least Privilege (PoLP)](/blog/least-privilege)**: This security concept advises giving users only the permissions they absolutely need, and only for as long as they need them. It reduces the potential damage of security breaches.\n3. **Audit and Compliance**: With temporary access, it's easier to track who accessed what and when. This is crucial for regulatory compliance and internal audits.\n4. **Resource Efficiency**: Permanent access might mean more active connections, more licenses, or more potential resource drain. Temporary access helps manage resources more judiciously.\n5. **Management Overhead**: Continuously monitoring users with permanent access can be taxing. Temporary permissions streamline user management, as they expire automatically.\n\nIn essence, temporary database access isn't just a best practice or something to do for compliance—it's a necessity in maintaining a secure and efficient Google Cloud environment.\n\nBefore we get into how to set up temporary access, let's look at the different ways of accessing Google Cloud SQL databases.\n\n## Connecting to Google Cloud SQL\n\nIn order to get access to a Google Cloud SQL database, there has to be a **database user** and a **network connection** to the database.\n\nThe database user is the account that is used to connect to the database. The network connection is the path that the human user takes to connect to the database.\n\n| Access Method | Pros | Cons | Best for Teams |\n| --- | --- | --- | --- |\n| **Database User Per Human** | - Easy auditing with per-user accounts<br />- Fine-grained control per user | - Management overhead<br />- Integration complexity | Under 10 engineers |\n| **Bastion Host/Jumpbox with VPN**<br />[Tailscale](/tailscale), [Twingate](/integrations/twingate), [Boundary](/integrations/boundary) | - Additional security layer<br />- Centralized traffic management | - Single point of failure<br />- Increased latency | Under 50 engineers |\n| **Identity-Aware Database Proxy**<br />[StrongDM](/integrations/strongdm), [Teleport](/integrations/teleport) | - Granular real-time oversight<br />- Direct database integration | - Higher costs<br />- Integration complexity | Over 50 engineers |\n\n### 1. Direct Connect: DB User Per Human User\n\nThis approach is the most straightforward, but can be cumbersome to manage as your team grows. When a user joins, they get a unique user name and will need to be added to the instance:\n\n```bash\ngcloud sql users create $USER_NAME \\\n  --instance=$INSTANCE_NAME \\\n  --password=$PASSWORD\n```\n\nThen you will need to grant database privileges to that user:\n\n```sql\ngrant select on \"$TABLE_NAME\" to \"$USER_NAME\";\n```\n\n- **How it works**\n  - Each engineer gets a unique database user account, allowing direct connection to the database.\n  - Users can be added or removed as needed, can be granted specific permissions, and can be assigned a unique password. They can use [MySQL tools](https://cloud.google.com/sql/docs/mysql/admin-tools) or [PostgreSQL tools](https://cloud.google.com/sql/docs/postgres/connect-overview) to connect to the database.\n- **Pros**\n  - **Audit Trail**: With individual accounts, it's easier to monitor who did what and when for compliance and auditing purposes.\n  - **Fine-grained Access Control**: User-level permissions can be tuned to each engineer's needs, down to the table or column level.\n- **Cons**\n  - **Management Overhead**: Handling credentials, permissions, and on/off-boarding can become complex as your team grows.\n  - **Integration Complexity**: Initial setup might require a bit more effort, especially in hybrid or multi-cloud environments.\n\n### 2. Bastion Host/Jumpbox with VPN\n\nThink of this as a fortified gateway to your database. 
On this server (or container), you can record and monitor all database activity, and run a VPN to ensure secure connections.\n\nUsers are managed at the networking layer, and role-based access to the database is enforced through the monitored gateway.\n\nTeams will often distinguish between read-only and read-write access, and set up isolated database users and gateways for each.\n\n- `db-read` would grant read-only access like `SELECT`\n- `db-write` would grant access to `INSERT`, `UPDATE`, and `DELETE`\n- `db-admin` would grant full admin access like `GRANT` or `DROP`\n\nHere are some examples of VPN solutions:\n\n- [Tailscale](/tailscale)\n- [Twingate](/integrations/twingate)\n- [HashiCorp Boundary](/integrations/boundary)\n- [Google Cloud Identity-Aware Proxy (IAP)](https://cloud.google.com/iap)\n\nOnce the users and gateways are set up, users can either SSH to the gateway or connect directly to the database through the networking solution.\n\n- **How it works**\n  - Engineers first connect to a bastion host or jumpbox, which is a secured intermediate server. From there, they access the database.\n  - Logs from the server can stream into your SIEM or log management tool for auditing and compliance. We recommend setting up alerts for unexpected behaviors like `SELECT` without `LIMIT` or any kind of destructive actions.\n- **Pros**\n  - **Secure Network**: The database isn't directly exposed to the open internet, but is still easy for authorized users to access.\n  - **Centralized Management**: All traffic funnels through a single, managed point, simplifying monitoring and security protocols.\n- **Cons**\n  - **Single Point of Failure**: If the bastion host faces issues, access to all databases can get hampered. This can be solved with redundant bastion servers, but that adds to cost.\n  - **Increased Latency**: Adding an intermediary can add a minor delay to connections, or, if too many users are querying, slow down the database.\n\n### 3. 
Identity-Aware Database Proxy\n\nOnce your team grows to the point that managing individual database users is not feasible and role-based VPN-driven access doesn't have enough granularity of control, there are identity-aware proxy solutions designed for databases.\n\nYou can use [Okta](/integrations/okta), [Microsoft Azure AD/Entra ID](/integrations/active-directory) or [Google Workspace](/google) as the identity provider and manage role-based access through identity groups.\n\nHere are some database proxy solutions:\n\n- [Teleport](/integrations/teleport)\n- [StrongDM](/integrations/strongdm)\n\nThese solutions are designed to integrate directly with your database and provide a single point of entry for all users. They can be configured to provide granular access control, and can be integrated with your identity provider for seamless onboarding and offboarding.\n\n- **How it works**\n  - Connect your database to the proxy solution, and configure it to integrate with your identity provider.\n  - Monitor and record individual user sessions in real-time, ensuring admins know who is accessing what and when.\n- **Pros**\n  - **Granular Oversight**: Real-time monitoring means unexpected behaviors or breaches can be spotted and rectified swiftly.\n  - **Streamlined Access**: These solutions often provide a single point of entry for multiple databases or resources, simplifying the process for engineers.\n- **Cons**\n  - **Integration Complexity**: Initial setup might require a bit more effort, especially in hybrid or multi-cloud environments.\n  - **Cost**: Advanced solutions come with a price tag. 
However, the security benefits often outweigh the monetary costs.\n\nBased on your organization's size, security requirements, and operational preferences, any of these solutions could be the right fit.\n\nOnce you've picked the preferred access pattern, you can start shifting users to temporary access in order to minimize risk and implement the principle of least privilege.\n\n## Temporary Access with Indent\n\n[Indent](https://indent.com) is an access management platform that integrates with a myriad of services to allow on-demand access requests. It lets admins configure policies, and users can request temporary permissions which, upon approval, are provisioned automatically.\n\nThis can be a game-changer for organizations aiming to manage temporary database access dynamically and securely.\n\nHere's how you can use Indent for each of the access patterns we discussed earlier:\n\n1. **Direct Connect: DB User Per Human User**\n   - **Setup**\n     - Define access policies for specific roles or access levels in the database.\n     - Create a Google Cloud Function with elevated access to your database and set it up as a webhook with Indent.\n   - **Workflow**\n     - An engineer requests access by typing `/access` in Slack or [indent.com/access](https://indent.com/access) on the web.\n     - Upon approval (either manual or automated, depending on your configuration), Indent provisions a temporary user in the database with the specified permissions.\n     - Once the access duration expires, Indent revokes the user's permissions or deletes the temporary user altogether.\n1. **Bastion Host/Jumpbox with VPN**\n   - **Setup**\n     - Set up Indent with your networking provider like [Tailscale](/tailscale) to manage temporary role-based access via groups.\n     - Configure policies dictating who can access the bastion host and under which conditions. 
For example, you can set up a policy that auto-approves access for on-call engineers.\n - **Workflow**\n - Engineers request access to the bastion host via Indent.\n - Upon approval, Indent grants temporary SSH access to the bastion host.\n - Engineers can then use this access to connect to the database, often using their personal credentials or temporary tokens.\n - Access to the bastion host is revoked by Indent after the stipulated time.\n1. **Identity-Aware Database Proxy**\n - **Setup**\n - Set up Indent with your identity provider that's connected to the proxy.\n - Use Indent to move users in and out of identity groups to grant access.\n - **Workflow**\n - When engineers need access, they put in a request via Indent.\n - Once approved, Indent adds the user to a group in the identity provider that grants the engineer temporary access to the requested database.\n - All sessions are monitored, and Indent ensures access is revoked after the agreed-upon duration.\n\nIndent can help reduce the amount of standing production access to meaningfully improve security, without adding a ton of friction for engineers who need access urgently.\n\nFor some companies, it can resolve compliance requirements for certifications like [SOC 2 Type II](/soc2), ISO 27001, PCI DSS, or SOX.\n\nWe're happy to help you think through the right access patterns for your team and use case, feel free to [reach out for a demo](/demo) or [contact us](/contact).\n\nIf you want to hear from a customer's experience with setting up Google Cloud SQL with Tailscale and Indent, check out [this post](https://tailscale.com/blog/securing-customer-data-tailscale-indent/) from Stevan Arychuk (Head of SRE at [Reclaim.ai](https://reclaim.ai)) [on the Tailscale blog](https://tailscale.com/blog/securing-customer-data-tailscale-indent/).\n","hero":{"pattern":"pattern-moon pattern-size-8 pattern-bg-blue-500 pattern-blue-50 pattern-opacity-80","bg":"bg-gradient-to-t from-white 
to-blue-100","text":"gray-800","image":"/static/images/blog/content/blog-hero-temporary-google-cloud-database.png"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"ethernetdan","name":"Dan Gillespie","twitter":"ethernetdan","image":"/static/images/blog/avatars/ethernetdan.jpeg","title":"CTO"}],"kind":"blog/post"},{"name":"q-hipaa-permissions","title":"Q&A Friday: HIPAA Permissions","ogTitle":"","fullTitle":"Q&A Friday: HIPAA Permissions","ogImageUrl":"https://og-images.indent-assets.com/Q%26A%3A%20HIPAA%20Permissions.png?theme=light&md=1&fontSize=100px&images=https%3A%2F%2Findent.com%2Fstatic%2Ffavicon.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"What are HIPAA Permissions?","noSidebar":false,"heading":"","date":"2023-08-11T18:00:00.000Z","content":"\nQ: How many HIPAA defined permissions exist?\n\nA: Permissions in most compliance contexts refer to predefined access control mechanisms. \n\nIn HIPAA (Health Insurance Portability and Accountability Act) though, a permission is a reason under HIPAA for disclosing patient information. There are six HIPAA defined permissions used to disclose Protected Health Information (PHI):\n\n1. disclosures to patients\n2. for treatment, payment, or health care operations\n3. disclosures with opportunity to agree or object\n4. limited incidental disclosures\n5. public interest and benefit activities\n6. in a limited data set\n\nWhen it comes to access control, HIPAA is much less prescriptive. \n\nHIPAA outlines security and privacy requirements, and the implementation of access controls is left up to organizations based on their unique needs and risk assessments. These access controls often involve the use of technical and administrative safeguards like user authentication, role-based access control (RBAC), and encryption.\n\nIn healthcare, getting access to patient data quickly is often critical. 
It’s also imperative to safeguard that data from improper access. By granting [role-based, auto-expiring data access](https://indent.com/product) with Indent, organizations are able to fulfill their compliance obligations without slowing their teams down. \n\nWant to learn more about Indent? Feel free to [schedule time](indent.com/demo) that works for you and we're happy to answer any questions you have!\n","hero":{"bg":"#2463ec","text":"white"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"github","title":"Indent for GitHub: Temporary Code Permissions","ogTitle":"","fullTitle":"Indent for GitHub: Temporary Code Permissions","ogImageUrl":"https://indent.com/static/og/indent-blog-github-teams.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Time-bound codebase access for teams and open source projects.","noSidebar":false,"heading":"","date":"2023-08-03T15:30:00.000Z","content":"\nOnce a GitHub repo crosses a few hundred stars and dozens of contributors, it’s hard to know each contributor and what kind of access they need to the project.\n\nThe larger the community, the bigger the problems:\n\n
> “In the world of open source, getting GitHub permissions right can be really tricky. In the Next.js community we have a variety of contributors: core maintainers, Vercel employees, regular external contributors, and developers using Next.js who might just give feedback or submit a PR every once in a while. The complexity adds up pretty fast.”\n>\n> Tim Neutkens, Engineering Manager / Project Lead, Next.js
\n\nFor external and one-time contributors, they can open pull requests from their own branch and use the [Contributor License Agreement Assistant](https://github.com/cla-assistant/cla-assistant) to take care of any legal requirements.\n\nWhat about contributors working on this full-time? Should they have Write or Admin permissions on the repo so they can make fixes without getting blocked? What about branch protection rules?\n\nWith the `Admin` permission, they can:\n\n- Delete any issue or pull request in the repo\n- Bypass branch or deployment protection rules\n- Make a public repo private (or private repo public)\n- Delete or transfer the repo out of the organization\n- Manage repository access, including adding/removing other Admins\n\nFrom a security best practices standpoint, contributors should only get permissions for the period of time they actively need them.\n\nWhen access is handled in this least-privilege model, it protects the project from being compromised by malicious actors and also from unintentional updates. Project leads are busy though. 
They don’t have time to manually update contributor permissions all the time.\n\n## Announcing Indent for GitHub\n\nToday we’re excited to announce Indent’s native GitHub integration for managing on-demand codebase permissions using GitHub Teams.\n\nUsing Indent for GitHub, you can:\n\n- Grant temporary admin or branch rule bypass privileges\n- Request team membership via Slack (using `/access` command)\n- Approve requests and set durations from Slack, web, or email\n- Log who had which permissions, for how long, and why\n- Auto-expire permissions and revoke team membership but provide fast turnaround for access renewal\n\nThis allows every project to increase their security by:\n\n- Automating access workflows that enforce security best practices\n- Documenting changes with an audit trail for security and compliance\n- Eliminating standing privileged access for contributors, reducing potential breach risk\n\nIndent’s free tier makes it easy for open-source projects and teams to secure their codebase. Here's what an access request looks like:\n\n
\n\nYou can install it today from the [GitHub Marketplace](https://github.com/marketplace/indent-access). If you have any questions about setting up access control, [feel free to reach out](https://indent.com/demo)!\n\n## Next.js, the Secure Frontend Framework\n\nThe [Next.js project](https://github.com/vercel/next.js), run by [Vercel](https://vercel.com/), has over 2,700 contributors across the world and a core team of 20 who work on it full-time. This is the workflow for an example contributor to their project.\n\nEngie Engineer is a (hypothetical) member of the Next.js team and needs to approve a PR that’s currently blocked by a branch protection rule tripping over a known-to-be flaky test.\n\nThey open Slack and enter `/access` and request membership of the `@vercel/nextjs-bypass` team, citing the PR they are going to review as the reason and requesting access for the next hour.\n\nEngie’s request gets routed according to the project’s policies to Tim, the project lead. Tim is on a train with a spotty connection when they receive the Slack notification from Indent.\n\nThankfully, Tim can approve and grant access directly from the notification in Slack from his phone. Engie is notified and able to bypass the branch protection rule for the next hour.\n\nAt the one hour mark, Indent automatically removes Engie from the GitHub team. All the access and approval events get logged in a queryable way for security and compliance to review later.\n\n
> “Using on-demand codebase permissions gives us the greatest amount of security and flexibility as a project, so when people need elevated access, we’re able to give them what they need, quickly and revoke automatically.”\n>\n> Tim Neutkens, Engineering Manager / Project Lead, Next.js
\n\n## Getting Started\n\nReady to start granting access like the Next.js project? Here’s what you’ll need to do to get on-demand access set up.\n\n1. **Create GitHub Teams**\n - First you’ll need to create GitHub Teams that correspond to different types of contributor roles. Some examples include managing issues, creating branches, approving PRs as CODEOWNER, etc.\n2. **Create an Indent Account**\n - Next you’ll need to create an Indent account. We’re big advocates for open source and think good security should always be accessible.\n - Indent is free forever for open-source projects. There’s a free tier and 30 day trial for other organizations.\n3. **Install Indent for GitHub**\n - During set up you’ll connect Indent with your messaging tools like Slack.\n - At this point you can also start connecting Indent to your other tools, including GitHub. Once you’ve connected GitHub you’ll need to create a resource for each GitHub Team and assign one or more reviewers.\n\nIndent can also help manage access to your production infrastructure like AWS, GCP, or Azure. Many teams also choose to set up on-call auto approvals with our PagerDuty, Opsgenie, and Incident.io integrations.\n\nWant to see a demo first or have a guided onboarding? Our team is happy to help and [you can sign up for a demo](https://indent.com/demo?utm_source=gtm&utm_medium=blog&utm_campaign=github-onboarding).\n\n## Frequently Asked Questions\n\n**How long does this take to set up?**\n\nLess than 10 minutes.\n\n**Who can set this up and what are the prerequisites?**\n\nYou must have admin level permissions for both your organization’s GitHub and Slack accounts.\n\n**What if we don't use GitHub Teams for access today? Is there another way to use Indent?**\n\nWhile we generally recommend using role-based access control (like GitHub Teams), Indent for GitHub will soon let you request and grant access to specific repositories. 
Sign up to be notified when that’s released, by filling out [this form](https://forms.gle/xRvdwPYyRsfU2F3K7).\n\n**Start Granting On-Demand GitHub Access**\n\nIndent allows you to grant temporary, right-sized contributor access using GitHub teams, without slowing your project down.\n\nIt’s free and fast to get started!\n\n**Ready to get started?** [Set up Indent](https://indent.com/setup) or [install on GitHub Marketplace](https://github.com/marketplace/indent-access)\n\n**Want to learn more?** [Check out the Indent docs →](https://indent.com/docs/integrations/github)\n\n**Need additional help?** [Talk to our team →](https://indent.com/demo)\n","hero":{"pattern":"pattern-moon pattern-size-8 pattern-bg-blue-500 pattern-blue-50 pattern-opacity-80","bg":"bg-gradient-to-t from-black to-blue-900","text":"white","image":"/static/images/blog/content/blog-hero-github.png"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"q-dac","title":"Q&A Friday: Discretionary Access Control","ogTitle":"","fullTitle":"Q&A Friday: Discretionary Access Control","ogImageUrl":"https://og-images.indent-assets.com/Q%26A%3A%20What%20Is%20Discretionary%20Access%20Control%20(DAC)%3F.png?theme=light&md=1&fontSize=100px&images=https%3A%2F%2Findent.com%2Fstatic%2Ffavicon.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"What is discretionary access control?","noSidebar":false,"heading":"","date":"2023-07-28T18:00:00.000Z","content":"\nDiscretionary access control is a type of access control defined by the Trusted Computer System Evaluation Criteria as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.\n\n**Q:** What is discretionary access control?\n\n**A:** Discretionary Access Control (DAC) is a security model used to manage access to resources based on the discretion of the resource owner or administrator. 
\n\nIn DAC, the resource owner determines who is granted access to a particular resource and what level of permissions each user or entity is assigned. This model allows for a high degree of flexibility, as it places control in the hands of individual users or administrators, enabling them to set access permissions according to their own judgment. \n\nWhile DAC provides a straightforward way to manage access, it can also introduce potential security risks if resource owners do not adequately safeguard sensitive data or if there are lapses in permission management. As a result, many organizations combine DAC with other access control models, such as Mandatory Access Control (MAC), to create a more comprehensive and secure access control framework.\n\nA new access control model that takes elements from DAC is On-Demand Access Control (ODAC). In this model users are granted role-based, auto-expiring access to resources by the resource owner who can set the duration of access. Switching to ODAC can [reduce unnecessary access by up to 29x](https://indent.com/customers/knotapi), without creating bottlenecks that slow teams down. \n\nWant to learn more about On-Demand Access Control? 
Feel free to [schedule time](indent.com/demo) that works for you and we're happy to answer any questions you have!\n","hero":{"bg":"#2463ec","text":"white"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"sharepoint","title":"Temporary Employee and Guest Sharepoint Access","ogTitle":"","fullTitle":"Temporary Sharepoint Guest & Employee Access with Indent","ogImageUrl":"https://og-images.indent-assets.com/Temporary%20Employee%20%26%20Guest%20Sharepoint%20Access%20with%20Indent.png?theme=light&md=1&fontSize=100px&images=https%3A%2F%2Findent.com%2Fstatic%2Ffavicon.png&images=https://upload.wikimedia.org/wikipedia/commons/thumb/e/e1/Microsoft_Office_SharePoint_%282019%E2%80%93present%29.svg/512px-Microsoft_Office_SharePoint_%282019%E2%80%93present%29.svg.png?20190925170659","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"On-demand Sharepoint access requests and approvals.","noSidebar":false,"heading":"","date":"2023-07-27T17:30:00.000Z","content":"\n“Oh no, they still have access?!”\n\nThis is a situation you want to avoid when working with third parties (contractors, vendors, etc).\n\nWe’ve seen this so many times in organizations. A contractor will be brought in for a few months to work on a project and will be given access to very sensitive resources. Their contract ends and they go their way. Months or years later someone will discover that that contractor never had their access revoked.\n\nSituations like this make organizations wary of giving third parties Sharepoint access.\n\nThe first concern lies around persistent access. You want to be able to cut off access at the end of the engagement. Even if the third parties themselves are trustworthy, their accounts could be compromised via viruses, phishing, and social engineering, leaving your resources more vulnerable than they need to be.\n\nIt can also be hard to anticipate the exact access they’re going to need. 
You don’t want to let them have access to everything, but manually giving access out piecemeal will slow them down.\n\nThere is a way though to put guardrails around access for third parties without slowing them down: on-demand Sharepoint access.\n\n## What Is On-Demand Access\n\nOn-demand access is an automated workflow for giving granular, auto-expiring access quickly and securely.\n\nWith Indent’s on-demand access, users are able to request access via Slack or web. The request gets routed to the correct approvers based on your security policies. The approver is then able to approve it for a specific period of time, and it triggers provisioning.\n\nAfter the approved time elapses, the access gets automatically revoked. It can also be manually revoked with a single click. All that access metadata: who requested, to what, why, when they had access is all logged for later security reviews and audits.\n\n## Benefits\n\nWith Indent + Sharepoint you can:\n\n- Ensure your security and compliance policies are followed\n - When configuring Indent you can create rules to govern how approvals should be handled for each workflow, including requiring one or more approvers, maximum duration lengths, or auto-approvals.\n- More easily comply with data privacy regulations\n - By having third parties request granular access it’s easier to comply with regulations like the GDPR which mandates companies keep EU data within the EU and can only transfer it outside the EU if the country where it is being transferred has equally rigorous data privacy protections.\n- Auto-provision and revoke access\n - Approving access is easy. Jumping through the hoops to provision it and remembering later to revoke it though is another story. By using Indent, both provisioning and revocation are handled for you, letting you stay in your flow and ensuring access doesn’t persist longer than it should.\n- Simplify gathering audit data\n - Knowing who had access to what and when is critical for good security. 
When this data isn’t recorded and centralized that becomes much more difficult. The automatically generated access logs in Indent take care of this for you, and can be filtered and exported for audit purposes.\n\n## Setting It Up\n\nTo get started with Indent + Sharepoint you’ll need to create an Indent account. During set up you’ll be asked to connect Indent with your stack. Indent has a native Microsoft Azure integration. Once you install that integration, you should be ready to start granting on-demand access. For more info, check out our [docs](https://indent.com/docs/integrations/azure-ad).\n\n## Getting Started\n\nReady to get started? You can either get a [personalized demo and onboarding](https://indent.com/demo) from our team or [get started on your own](indent.com/setup).\n","hero":{"pattern":"pattern-dots pattern-teal-600 pattern-bg-white pattern-size-8 pattern-opacity-60","bg":"teal-600","text":"white"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"entra-id","title":"Indent for Microsoft Entra ID / Azure AD: Temporary Access","ogTitle":"","fullTitle":"Indent for Entra ID and Azure AD: Temporary Access","ogImageUrl":"https://indent.com/static/og/indent-blog-microsoft-entra-id.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Overview of Microsoft Entra ID and how to grant on-demand access.","noSidebar":false,"heading":"","date":"2023-07-20T18:30:00.000Z","content":"\nMicrosoft Azure recently announced [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/microsoft-entra) would be the new name for what is currently Microsoft Azure Active Directory (Azure AD). 
While the reasoning for this change might leave us [scratching our heads](https://www.reddit.com/r/sysadmin/comments/14wy3ab/azure_ad_name_change_microsoft_entra_id/), Azure remains an excellent choice as a cloud provider, combined with Microsoft 365.\n\nThe [name change](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/new-name#only-the-name-is-changing) is scheduled for October 1, 2023 and applications will start migrating to the new name in the coming months.\n\nLet's go through what you need to know about what comes included with Entra ID and how to augment those offerings with on-demand access control for extensible least privilege across your entire stack.\n\nMicrosoft Entra ID is a powerful identity and access management solution. It is designed to simplify identity and access management for organizations operating in the cloud. It serves as a central hub to manage user identities, enforce authentication and authorization policies, and control access to various resources.\n\n## What’s Included in Entra ID\n\nHere are some of its key access control features:\n\n- **Identity Governance**\n - Entra ID enables organizations to create and manage user accounts.\n- **Authentication**\n - Entra ID supports various authentication methods, including username and password, multi-factor authentication (MFA), and integration with external identity providers.\n- **Authorization and Role-Based Access Control (RBAC)**\n - RBAC is a fundamental aspect of access control in Entra ID. 
It allows organizations to define fine-grained access policies by assigning users to different roles and associating those roles with specific permissions.\n- **Delegatable Admin Roles**\n - Built into Entra ID are admin roles that can be delegated to give temporary admin permissions to users.\n- **Reporting**\n - Entra ID comes with basic security and usage reports that track who had what permissions in Azure.\n- **Password Management**\n - The password management functionality allows you to centralize and secure passwords across the organization.\n\n## On-Demand Access Control\n\nThe security features included in Microsoft Entra ID give you a solid foundation to build on as you complete your access control.\n\nThe last step for a solid access control system is to make it reactive to your organization. Without it, you take on unnecessary risk by creating more opportunities for your systems to be compromised by phishing, viruses, and social engineering.\n\nTake for example engineering interns. You might get a few interns for the summer who are working on a project where they’ll occasionally need read access to your production database.\n\nAre you going to add those interns to your regular engineering group? Doing that gives them a lot of access to some of your most valuable IP. Or are you going to make the interns their own group? This is a little better, but it requires you to know ahead of time the exact access they’re going to need.\n\nNow replace interns in that example with contractors. 
Or really just any engineer who can be pulled onto new projects.\n\nIn order to reduce risk, access needs to be dynamic and precise rather than static and broad.\n\nEntra has a lot of what you need to make that happen, and the user-facing workflows can be filled in with on-demand access with Indent.\n\n- **Time-Bound Access for Employees**\n - With time-bound access, organizations can minimize the attack surface by granting access to resources only when needed.\n - This approach reduces the risk of prolonged exposure and minimizes the potential for misuse of privileges.\n- **In-Workflow Approvals with Automatic Provisioning and Revocation**\n - Users can request access to specific resources from Slack, Web, or CLI. After approval, temporary access is granted for the requested duration.\n - Creating a way for engineers to request access without opening a new window allows them to maintain their focus, and the ease of getting access disincentivizes holding onto access longer than necessary.\n- **On-Call Auto Approvals**\n - Break glass accounts are a primary target for hackers because of their elevated level of permissions.\n - With an on-demand access system, break glass and on-call access can be granted automatically after verification through an on-call provider. That access gets automatically logged for later review.\n- **Compliant-by-Default Access**\n - With on-demand access you can encode your security policies and controls within the system as rules to ensure access requests always route to the correct approvers.\n - This makes maintaining compliance simpler and reduces uncertainty on the part of the requester. 
These rules can be applied to multiple workflows, streamlining configuration and reducing time to value for the system.\n- **Temporary Contractor Access**\n - When collaborating with external partners, contractors, or temporary employees, on-demand access allows you to grant auto-expiring access.\n - By using on-demand access for third party organizations, teams can collaborate without leaving the door open for persistent access.\n- **Automatic Logging for Compliance and Security**\n - Detailed logs can help with incident investigation, compliance audits, and accountability.\n - In an on-demand access system like [Indent](/product), all the relevant access metadata is captured for later review.\n\n## Temporary Access for Entra ID / Azure\n\nOnce you've installed an on-demand access control system like Indent into your Entra tenant (formerly Azure AD tenant), teams will be able to manage access in a way that's time-bound and audit-logged — perfect for security and compliance.\n\nHere are some examples of what Indent enables:\n\n1. **Temporary Administrator Access:** A developer needs temporary Azure AD admin rights to debug an issue. They request access through Indent, which is then approved by their manager for a specific time frame.\n2. **Project-Based SharePoint Access:** A contractor needs access to a specific SharePoint site for the duration of a project. They get time-bound access via Indent, which automatically revokes the permissions when the project ends.\n3. **Audit Trail for Access:** To maintain compliance and security, the IT team uses Indent's audit logs to track all temporary access permissions granted in both Azure AD and SharePoint.\n4. **Access during Employee Absence:** An employee is on vacation, and their colleague needs access to certain Azure AD and SharePoint resources. Indent grants temporary access that ends when the absent employee returns.\n5. 
**Offboarding:** When an employee leaves the company, Indent can ensure their access to Azure AD and SharePoint is revoked immediately, reducing security risks.\n6. **Emergency Access:** In case of an emergency, a team member can be given immediate temporary access to crucial resources in Azure AD and SharePoint through Indent.\n\n## Conclusion\n\nWith Entra ID you get a robust identity and access management solution, offering a wide range of access control capabilities to protect organizational resources.\n\nShifting toward **on-demand access control** allows you to easily implement the principle of least privilege, and reduce risk from unauthorized access, strengthening your cloud security and helping you meet your compliance goals.\n\nReady to get started? You can either get a [personalized demo and onboarding](https://indent.com/demo) from our team or get started on your own: [indent.com/setup](https://indent.com/setup/onboarding-offboarding?email=azure-ad)\n","hero":{"pattern":"pattern-moon pattern-size-8 pattern-bg-blue-500 pattern-blue-50 pattern-opacity-80","bg":"#2463ec","text":"white","image":"/static/images/blog/content/blog-hero-entra-id.png"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"secure-ai-products","title":"Indent for AI Products: Security + Speed","ogTitle":"","fullTitle":"Indent for AI Products","ogImageUrl":"https://indent.com/static/og/indent-ai-product-security.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"User-friendly temporary access control for companies building AI products.","noSidebar":false,"heading":"","date":"2023-07-12T14:45:00.000Z","content":"\nOver the last year, teams have been racing to add \"AI\" to their product in some form and there's been a dramatic growth in the amount of surface area that they have to manage.\n\nIf you're using a proprietary model like OpenAI or Anthropic, who has access to embeddings, 
fine-tuning data, or prompts? Training your own AI models, who has access to the model weights?\n\nOr if you have to store customer data (e.g. video stream or code) as model inputs, who has access to that data?\n\nIt becomes really hard to manage, very fast.\n\nIndent helps accelerate the product development process by enabling you to focus on creating value with AI, rather than spending time on manually granting and revoking access.\n\n**“Indent has been game-changer for us. As an AI infrastructure product, we have to balance rigorous security and fast access to assist customers. We're more secure than ever and haven't had to sacrifice our pace — it's the best of both worlds.”**\n\n
\n — Vicki Cheung, Co-founder/CTO at Gantry\n
\n\nToday, we're excited to share **Indent for AI Products** to help companies improve their security, without sacrificing speed.\n\n## Security for AI products\n\nCompanies building AI products share a lot of similar risks as with any other market, like account compromise or [broken access control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/), but one of the biggest differences is the sheer volume of data and access.\n\nThe security risk is split across three layers of the stack:\n\n- **Production** — Where do the models run? How are they stored?\n- **Fine-tuning** — Where does RLHF data go? Single or multi-tenant?\n- **Development** — Who has access to the prompts or model code?\n\nWhether you're on AWS, Google Cloud, or Microsoft Azure, it's important to implement the \"principle of least privilege\", and not to treat it like it's just a checkbox for compliance. If most engineers on the team can SSH into the production servers, that's **fake least privilege**.\n\nThe first step is shifting engineers to read-only access to production, like viewing logs or checking server status, and requesting temporary access for SSH or write permissions in production infrastructure.\n\nThis can be as simple as two IAM groups like `prod-readonly` with everyone and `prod-admin` that people get for a short period of time after providing a reason for access.\n\nNext, there's fine-tuning and usage data that's likely stored in a cloud storage bucket or service provider like [Gantry](https://gantry.io). For companies using a proprietary model, the core differentiator between competitors is the fine-tuning data combined with the prompts.\n\nIt should be locked down like crown jewels in a vault, especially if that data is generated from customers. 
It could contain PII or confidential information, and access to that customer data should be logically separated from access to the running systems.\n\nJust because an engineer needs to restart a server, doesn't mean they should be able to see what queries users are submitting.\n\nFinally, when developing an AI product, engineers need test data that looks like production but, critically, **it should not be production data**.\n\nLocking production access behind an on-demand security firewall solves part of this problem and tools like [Gretel](https://gretel.ai) can help generate synthetic data for testing. The remaining risk is the code for the model itself or the system prompts that instruct model execution.\n\nTeams will typically implement role-based access control (RBAC) through GitHub Teams and grant the necessary level of permission based on team membership, for example:\n\n- `@exampleinc/platform-write` — `Write` permission on repo\n- `@exampleinc/platform-admin` — `Admin` permission on repo\n- `@exampleinc/platform` — Used in `CODEOWNERS` on `platform` repo\n- `@exampleinc/ai-triage` — `Read` + `Triage` on model repo\n\n## How Indent works for AI products\n\nIndent is built to grant temporary access to engineers quickly through a Slack-based workflow. Requests are automatically routed based on your compliance policies and revoked after the approver’s set duration.\n\nCertain resources can also be configured to instantly approve based on conditions like on-call status. With guardrails that expedite and protect the entire access lifecycle, your access control policies are followed every time without slowing engineers down.\n\nTeams use Indent to:\n\n- Grant temporary production access to engineers\n- Auto-revoke access after a configurable duration\n- Record comprehensive access logs for compliance audits\n- Manage time-bound, granular access to customer and internal data\n\nThese on-demand security controls enable teams to move fast, without breaking things. 
Every access change is recorded in the audit log, and time-based revocation happens instantly according to your security policies.\n\nThe Indent [free tier](/free) makes it easy to get started and try on-demand access with your team. This can help your team complete requirements for compliance like SOC 2 and prepare for security audits.\n\nWith out-of-the-box integrations for your entire production stack, your team can shift toward temporary access without the management headache or disrupting engineers' workflows.\n\n## Set-Up Indent\n\nReady to get started? You can either get a [personalized demo and onboarding](https://indent.com/demo) from our team or get started on your own: [indent.com/setup](https://indent.com/setup)\n","hero":{"pattern":"pattern-cross pattern-size-6 pattern-bg-green-900 pattern-green-500 pattern-opacity-80","bg":"emerald-900","text":"emerald-100"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"reviewing-web-ui-prs","title":"The Ultimate Guide to Reviewing Web UI PRs","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"The ultimate guide to reviewing Web UI PRs","ogImagePlusLogo":"","description":"Our opinions on how to go about reviewing your Web UI PRs","noSidebar":false,"heading":"","date":"2023-06-21T13:00:00.000Z","content":"\n**Indent helps companies manage temporary access to production and other cloud resources.**\n\nImplementing the UI poorly for Indent carries significant risks and consequences:\n\n- In the worst-case scenario, inadequate quality in our engineering process poses a risk of creating **security vulnerabilities**.\n- If our UI is not intuitive and user-friendly for our customers, there is a possibility that they may **misconfigure** their system, potentially leading to unauthorized access.\n- Failing to deliver a delightful user experience could prevent us from establishing a solid **reputation** and building 
**trust** with our users.\n\nThis is why it’s been so important to us to put in place processes to ensure our UI updates are thoroughly reviewed and tested. We spent so much time thinking about this, we wanted to share our playbook. For the purposes of this guide, let’s use the Indent dashboard as an example.\n\nThe web application called [\"dashboard\"](https://indent.com/home) is the part of Indent that our customers interact with the most. They leverage the dashboard to view and manage many security controls important for their setup. This type of web application relies heavily on displaying and controlling system configuration using common web elements like forms, inputs, tables and lists.\n\n
\n\nGiven the high importance of the correctness of the configuration in the dashboard, we deem it critical to always provide our users with:\n\n- relevant and up-to-date data\n- robust controls allowing for a predictable UX when affecting this data\n- a pleasant overall experience that delights our users\n\n## “Web app page-completeness” checklist\n\nWhen we implement a new feature in the dashboard, it usually consists of creating a new page to host it. To ensure we meet the requirements listed above, we need to get many different aspects of our pages just right. Occasionally we’ve missed the mark on an update because it was hard to keep track of what needed to be implemented on a particular page for it to be release-ready.\n\nThis is why we decided to take a page from NASA’s playbook and note all of the elements of a successful page update in a checklist. Checklists are a powerful and arguably an underutilized engineering tool, perfect for launching rockets and new features.\n\n
One of the checklists from the Apollo missions
\n\nWe call the checklist that we created the “Web App Page-Completeness” checklist. Utilizing this checklist as the guideline document keeps our team in\nsync about the important components of an update during the development process. Team members with different purviews can contribute to the checklist\nin their own unique ways:\n\n- Team members focusing on design use it to provide visual guidance in the interest of standardizing the UI visually. For example, we now require that a 404 (Not Found) page still displays the navigation menus.\n- Team members focusing on the logic provide coding guidance in the interest of standardizing the UI behavior, thus improving the development speed and the robustness of the UI. For example, we require the use of a specific Spinner component to represent the loading state.\n\nWe don't formally track each item for every code change, but instead rely on the familiarity and judgment of our team members that\nimplement and review the code. Alternatively, the checklist could be used as a metric, indicating the completeness of a page within the development\nteam in the PR implementing a page or within a code comment.\n\nIn an ideal world all of the requirements from the checklist could be checked automatically (via a lint rule), but we’ve yet to implement that. 
Some\nof the items in the checklist are applicable to all of the pages of a web app, while others are applicable only if the page meets certain conditions\n(for example, the page has a dynamic path).\n\nHere’s our Web App Page-Completeness checklist:\n\n- Clearly indicate states\n - entire page is loading\n - entire page is revalidating (while showing stale data)\n - entire page is being submitted (create, update, delete)\n - a page element is loading\n - a page element is revalidating (while showing stale data)\n- Handle data appropriately\n - indicate when data is missing (404 page)\n - ensure data is fresh (periodic update, live update or update on focus)\n - ensure data is robustly retrieved (re-fetched on failure)\n - Ensure common utilities are used consistently\n - in-app links between pages (next/link)\n - data fetching (SWR, TanStack Query)\n - local storage management\n - global state management\n- Indicate status where appropriate\n - notify on success\n - notify on recoverable failure\n - notify on unrecoverable failure\n- Forms\n - consistently validate forms\n - highlight invalid inputs\n - disallow saving if local data equals remote data\n - highlight inputs whose data differs from remote data\n- UX\n - page is responsive (renders well on mobile)\n - page is keyboard navigable\n - page is navigable by screen-readers\n - page code is semantic\n - page code is performant\n- Help\n - tooltips on hover where appropriate\n - “help” or “contact support” where appropriate\n\n## Tools > Process\n\nOur checklist is possibly the biggest offender to our general view that tools should be favored over process, since process can only go so far.\n\nTools help make doing the right thing easy by containing the codification of the principles that the team has agreed upon.\n\nHere’s a quick overview of some of the tools we find the most helpful:\n\n### Comments in Vercel for Feedback\n\nGetting feedback from your fellow teammates is a breeze when providing feedback is 
so easy, so we’ve been loving comments in Vercel Deployments. Since we started using this Vercel feature, we’ve found that previews speed up time-to-feedback by 80% ([Indent case study](https://vercel.com/customers/how-indent-delivers-secure-access-with-next.js-and-vercel)).\n\n### Lighthouse for Accessibility and Performance Tracking\n\nTo track the accessibility and performance of our app we frequently check our Lighthouse score. We’ve found that using Next.js as our UI framework is getting us a long way towards our goal by itself. In addition, it’s really easy to keep our app responsive since we’re styling our app almost exclusively with Tailwind CSS which is famous for its “mobile first” philosophy.\n\n### Playwright for E2E Testing\n\nThere are many tools that allow for E2E testing of a Web app, but our favorite is Playwright. We’ve found it really straightforward to write sophisticated checks that keep the core experience of our web app stable even when our app changes a lot.\n\n### Hemingway and ChatGPT for Copy Checking\n\nWhen we need to check a copy somewhere in the Indent app, [Hemingway](https://hemingwayapp.com) and ChatGPT are supremely useful.\n\n## Suggestions Welcome\n\nBy using the right tools, whether they be checklists or software, we’ve found that we’re able to release higher quality updates more quickly. We’re always eager to hear how other folks approach their releases. 
If we missed anything or if you have an amazing tool to share, please reach out!\n","hero":{},"authors":[{"id":"nataliemarleny","name":"Natalie Marleny","twitter":"nataliemarleny","image":"/static/images/blog/avatars/nataliemarleny.png","title":"Software Engineer"},{"id":"paulburt","name":"Paul Burt","image":"/static/images/blog/avatars/paulburt.png","title":"Customer Engineer","twitter":"ThatMightBePaul"}],"kind":"blog/post"},{"name":"tailscale-ondemand","title":"Faster Access, More Control with Tailscale + Indent","ogTitle":"","fullTitle":"","ogImageUrl":"https://indent.com/static/og/indent-temporary-tailscale.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"On-demand access for Tailscale ACL Groups.","noSidebar":false,"heading":"","date":"2023-05-09T15:00:00.000Z","content":"\nA lot of products strive to have a solution that “just works.” Tailscale’s zero-config VPN is one of the products that actually delivers on\nthis promise. Whether it’s SSHing into production servers or connecting to your testing database in AWS, Tailscale really prioritizes an\nultra-smooth developer experience.\n\nWhen thinking about access control for Tailscale and how to grant access to resources within your Tailnet, you don’t want to ruin its\ndeveloper-friendliness by making it difficult to use.\n\nSo how do you strike that balance between fine-grained access control and frictionless\nconnection? The answer is time-bound, role-based Tailnet access — or what we call on-demand access control.\n\nHere’s an interactive demo of what that can look like using Indent:\n\n
By entering `/access` in Slack your developers can get temporary access to your production\ndatabase or ssh into your staging environment, all without breaking their concentration.\nTheir requests either route to approvers automatically for approval or are instantly\napproved based on their on-call or group membership.\n\nWith friction-free temporary access, engineers can move quickly without endangering the security of the entire organization.\n\n## Set up on-demand access for Tailscale\n\nIs on-demand access hard to get set up? Nope! With Indent you can get started by simply creating a Tailscale OAuth client.\n\nTo address the usual admin chore of granting on-demand access across your engineering team, Indent can trigger policy updates to the Access\nControl List (ACL), adding and removing users automatically.\n\nRather than configuring each workflow or resource individually, create rules that can be applied across multiple workflows. Save yourself precious\ntime, and ensure uniformity across resources with similar security requirements.\n\nIndent also handles access lifecycle logging, capturing who requested access to what and why, who approved it, how long the user had access,\nand when they lost access. These logs can be exported into your compliance platform for audit evidence.\n\nBy managing the approvals workflow, provisioning, revocation, and compliance evidence generation, on-demand access control reduces privileged access\nby 80% while helping engineers get access 15x faster compared to managing it manually.\n\n## Customer Spotlight: Reclaim\n\n[Reclaim.ai](https://reclaim.ai) is an intelligent calendar assistant that helps teams and individuals optimize their schedules by automatically allocating time for their meetings, tasks and routines, while integrating with more of the places they already do their work. 
To do that, we process PII and Google calendar data for our 20k+ global customers.\n\nReclaim uses Tailscale for networking and Indent for temporary access control. They recently wrote a post about their experience managing access with Indent which you can check out [on the Tailscale blog](https://tailscale.com/blog/securing-customer-data-tailscale-indent/).\n\n## What will it cost?\n\nOn-demand production access should be affordable for everyone.\n\n- Small team trying to get started? [Start for free](https://indent.com/setup?utm_source=blog&utm_medium=website&utm_campaign=partner_tailscaleoauthblog)\n- Startup with less than $10M in funding? [Get 25% discount](https://indent.com/startups?utm_source=blog&utm_medium=website&utm_campaign=tailscaleoauthblog)\n- Nonprofit? [Get a 50% discount](https://indent.com/blog/nonprofits)\n\nYou can set up Indent for Tailscale in under 15 minutes.\n\n## Getting Started\n\n1. Set up [Indent with Tailscale](https://indent.com/setup/production-access?prod=tailscale)\n1. Choose which groups you want to manage in Tailscale ACL.\n1. Start granting temporary access!\n\nHave any questions? 
Feel free to reach out to our team over live chat, our [help desk](https://support.indent.com) or email us at [ask@indent.com](mailto:ask@indent.com).\n","hero":{"bg":"#1f2125","text":"white","image":"/static/images/landing/logos/tailscale-logo.png"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"vanta","title":"Compliant-by-Default Access with Vanta and Indent","ogTitle":"","fullTitle":"","ogImageUrl":"/static/og/indent-blog-vanta.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Faster access reviews and fewer exceptions.","noSidebar":false,"heading":"","date":"2023-04-20T15:30:00.000Z","content":"\nWhen it comes to compliance, [Vanta](https://vanta.com) is a leader in automating away the drudgery of preparing for audits.\n\nVanta’s platform is a central source of compliance and security truth. It provides a clear roadmap towards security certification, helping teams achieve compliance in weeks not months.\n\nAlong the way, Vanta continuously monitors your business system and flags security gaps as they arise, making them easier to squash.\n\nFrom easy to use policy templates that help you develop, implement and map your security policies, to access reviews, it takes the uncertainty out of compliance.\n\nLast year Vanta launched their Connectors API so teams could have total visibility into their compliance state across their tools and organization. Excited about the new API, and what it would mean for our mutual customers like Modern Treasury, we got to work on a direct integration. Here's their experience:\n\n**“Using Vanta for compliance, Okta for identity, and Indent for access feels like it’s given our team superpowers. The tools work seamlessly together and it’s made it so easy to maintain a compliant access management program with zero friction.”**\n\n
\n — Sam Aarons, Co-founder/CTO, Modern Treasury\n
\n\nToday we’re announcing that the Indent for Vanta integration is now publicly available! Now, you can find Indent on the [Vanta Partners](https://www.vanta.com/partners/find-a-partner?title=indent) and [Integrations](https://www.vanta.com/integrations?title=indent) pages.\n\n## Fewer Incidents and Exceptions\n\nWith this new integration you’ll be able to automatically push users and their roles from Indent into Vanta. This capability alongside the ability to upload your access logs into Vanta will allow you to perform access reviews alongside your other compliance tasks, making Vanta your security and compliance HQ.\n\nTraditionally, a company is the most secure and compliant right after a compliance audit or security breach, when access has been revoked en masse, and the fewest number of users have access to sensitive systems. Access reviews happen quarterly because users perpetually accumulate access.\n\nBy switching to on-demand access with Indent, your org performs access reviews in real time, access automatically expires, and access and change management controls evidence is generated and logged for export. Pairing Vanta with Indent allows companies to maintain a minimum viable level of access all the time, helping them prevent incidents and default to compliant access.\n\n**“Providing customers with continuous oversight of their security posture and simplifying compliance are core tenants of Vanta. Having an integration with a company like Indent to help streamline compliance documentation provides for an enhanced and powerful user experience.”**\n\n
\n — Josh Jones, Head of Corporate and Business Development, Vanta\n
\n\n## Getting Started\n\nWe're excited to share a special offer for Vanta customers:\n\n- Small team trying to get started on compliance? [Start for free →](https://indent.com/setup?utm_source=blog&utm_medium=website&utm_campaign=partner_vanta)\n- Startup with less than $10M in funding? [Get 25% discount →](/startups?utm_source=blog&utm_medium=website&utm_campaign=partner_vanta)\n- Raised over $15M? You can still get 15% off your first year!\n\nTo get started using on-demand access to meet your compliance and security goals, check out the [Vanta + Indent docs](https://indent.com/docs/integrations/vanta). Have any questions? Feel free to [book time](https://indent.com/demo?utm_source=blog&utm_medium=website&utm_campaign=partner_vanta) with our team to learn more.\n","hero":{"pattern":"pattern-rectangles pattern-purple-500 pattern-bg-purple-900 pattern-size-32 pattern-opacity-60","bg":"white bg-gradient-to-t from-purple-900 to-purple-600 border-b","text":"white","image":"https://indent.com/dashboard-assets/static/images/apps/vanta.png"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"free-security","title":"Why Being Secure-by-Default Should Be Free","ogTitle":"","fullTitle":"","ogImageUrl":"https://indent.com/static/og/indent-blog-free-security.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"It's Tax Day — have you paid the SSO tax?","noSidebar":false,"heading":"","date":"2023-04-18T18:30:00.000Z","content":"\nIt's Tax Day. Have you paid the [SSO tax](https://sso.tax)?\n\nIf you're a startup, you probably haven't. And that's okay — it's costly.\n\nBut it can also turn into a huge security risk, which can cost a lot more. And that's not what anyone wants.\n\nIn the early days, practically everyone's a super admin on everything. Engineers need to ship quickly to build the product and fix bugs for customers, so they end up with persistent access to production. 
Support needs access to customer accounts and data to help troubleshoot issues.\n\nTeams grow, people leave, and accidents happen. And when they do, they sometimes take their access with them. It's not until a periodic access review that you find a bunch of former teammates who still have access… a year later.\n\nWorking with larger companies and closing bigger deals brings a longer list of requirements and abbreviations to comply with. Whether it's SOC2, HIPAA, or PCI, they all require access reviews and a record of access requests with their history.\n\nSome high risk in-scope vendors like AWS/GCP or Microsoft/Google Workspace need single sign-on (SSO) to enable multifactor authentication (MFA) and other important security features.\n\nThere are some systems and apps that might not need SSO initially, so reducing costs by rotating floating licenses[^1] might not be a priority at first. But as you grow, the SSO tax accumulates. For example, Salesforce licenses can cost up to $1000 per user per year. At 50 users you'll be spending $50k+ per year. At that point you'll start thinking about [how to spend less on SaaS](/blog/cost-savings).\n\nIn the meantime, who has direct access to the production environment is a much bigger risk. And thankfully, there's a way to solve both problems at once.\n\n## Persistent → Temporary Access\n\nEveryone having access to everything is the best for productivity but worst for security. Nobody having access is the most secure, but worst for productivity. The middle ground? Temporary access.\n\nWith temporary access, you can grant access to any system or app on-demand, and auto-revoke it after the granted duration. This way, you can get work done without compromising security.\n\nPersistent access becomes forgotten in a matter of days or weeks. If requesting, granting, and revoking access is as easy as reauthenticating or using 2FA, then teams are able to eliminate the friction of elevating access. 
No more forgotten, forever access.\n\nWe believe so strongly in this approach that we've made it free for all startups and small teams. Our new free tier gives you access to the essential access control features like:\n\n- **On-demand access**: Request access to any system or app, and get it instantly. No more waiting for a ticket to be approved.\n- **Temporary access**: Access is automatically revoked after the granted duration. No more forgotten, forever access.\n- **Audit logs**: See who requested access, when, and for how long. No more wondering who has access.\n- **SSO integration**: Use your existing SSO provider to authenticate. No more passwords to manage.\n\n## Get Started for Free\n\nThat's why we're making [being secure-by-default](/pricing?utm_source=blog&utm_medium=website&utm_campaign=content_secure_by_default) free for all startups.\n\n- Small team trying to get started on compliance? [Start for free →](https://indent.com/setup?utm_source=blog&utm_medium=website&utm_campaign=partner_vanta)\n- Startup with less than $10M in funding? [Get 25% discount →](/startups?utm_source=blog&utm_medium=website&utm_campaign=partner_vanta)\n- Raised over $10M? We can still [work with](/demo?utm_source=blog&utm_medium=website&utm_campaign=content_secure_free) you for a discount.\n\nTo get started using on-demand access to meet your compliance and security goals, check out the [Indent](https://indent.com/docs/integrations/vanta). Have any questions? 
Feel free to [book time](https://indent.com/demo?utm_source=blog&utm_medium=website&utm_campaign=content_secure_free) with our team to learn more.\n\n[^1]:\n **floating licenses**: software licensing approach in which a limited number\n of licenses for a software application are shared among a larger number of users\n over time · [](https://en.wikipedia.org/wiki/Floating_licensing)\n","hero":{"pattern":"pattern-rectangles pattern-gray-900 pattern-bg-gray-400 pattern-size-4 pattern-opacity-60","bg":"white bg-gradient-to-t from-gray-900 to-gray-400 border-b","text":"white"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"github-break-glass","title":"Break Glass for Emergency Code Reviews in GitHub","ogTitle":"","fullTitle":"Break Glass for Emergency Code Reviews in GitHub","ogImageUrl":"/static/og/indent-blog-github.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Break glass in GitHub for emergency access using Indent.","noSidebar":false,"heading":"","date":"2023-03-30T16:00:00.000Z","content":"\nBreak glass is a security measure that allows users to bypass normal access controls in emergency situations.\n\nFor GitHub, break glass access means allowing developers to perform code reviews and merge pull requests in an emergency — usually in the midst of an incident.\n\nThere's a few different ways for handling break glass access on GitHub:\n\n1. Make everyone an admin (not recommended)\n1. Creating teams with the ability to override branch protection rules\n1. Automate granting temporary access to a GitHub team\n\nWe'll also share an [open-source template repo](https://github.com/indentinc/github-break-glass-template) that demonstrates a DIY approach to implementing break glass access. 
This repo uses GitHub Issues and Actions to automate the process of granting and revoking access to a GitHub team.\n\nIt's a good starting point for implementing break glass access, but it's missing production-ready requirements like approvals and time-bounded access. We'll cover how [Indent](/product) can help you solve this.\n\n## Make Everyone an Admin\n\nThe simplest method for granting break glass access is to make all developers administrators. However, this approach of persistent access is highly insecure and should be avoided.\n\nAdmin access grants users the ability to change organization settings, delete repositories, and perform other high-risk actions. This level of access should be reserved for a small group of individuals who need it as part of their day-to-day job function.\n\nUsually this list includes:\n\n- Co-founders / CTO / VP of Engineering\n- Head of Infra / DevOps\n- Head of Security / IT\n\n## Create a Break Glass Team (RBAC)\n\nA more secure method is to create a GitHub team that can override security or branch protection rules.\n\nThis team will have the ability to perform code reviews and merge pull requests even when other developers are unable to do so. To create a team with override access, follow these steps:\n\n1. Create a new team in your GitHub organization. If you want to allow emergency backend PRs, it could be named `backend-BREAKGLASS`.\n1. Add the appropriate developers to the team.\n1. If you want to implement using \"CODEOWNERS\" file:\n - In the `CODEOWNERS` file, you can put a team as a potential reviewer.\n - Add the team you created earlier as a collaborator with the \"Write\" permission to allow members to approve as a code owner.\n1. 
If you want to implement using \"Admin\" permission:\n - In the settings of the repository requiring break glass access, navigate to the \"Collaborators and Teams\" tab.\n - Add the team you created earlier as a collaborator with the \"Admin\" permission to allow overriding the approval.\n\nWhile this method is more secure than making everyone an admin, it still has its drawbacks. Most notably, members of the team have persistent access, increasing the potential for a compliance violation, unauthorized action, or a simple mistake.\n\n## Better Break Glass Code Review using GitHub Issues and Actions\n\nOne approach for implementing break glass access on GitHub is to automate the process of granting and revoking access to the team. This ensures that access is only granted when necessary and is automatically revoked after a specified period.\n\nTo achieve this, you can use the GitHub API to create a script that:\n\n1. When an issue is opened, adds the issue author to the `backend-BREAKGLASS` team\n1. When the issue is closed, removes the user from the team\n\nCheck out this open-source GitHub repository that uses GitHub Issues/Actions for a DIY solution: **[github-break-glass-template →](https://github.com/indentinc/github-break-glass-template)**\n\nThe issue with the Issue/Action-based approach is that it has no approval process and it's up to the user to decide when to open/close the issue. It's better than nothing, but the next step is to make the access temporary.\n\n## Temporary GitHub Access with Indent\n\nIndent provides temporary access and facilitates team approvals for systems like GitHub. With Indent, you can easily manage break glass access by setting up temporary access policies and automatically granting or revoking access as needed.\n\nHere's an interactive demo of how Indent works:\n\nWe've covered a few different ways for break glass access on GitHub:\n\n1. 
Make everyone an admin (not recommended)\n1. Creating teams with the ability to override branch protection rules\n1. Automate granting temporary access to a GitHub team with Indent\n\nReady to start managing temporary break glass access?\n\nCheck out Indent and [request a demo →](https://indent.com/demo#schedule)\n","hero":{"bg":"black","text":"white","image":"/static/images/blog/content/blog-hero-github-break-glass.png"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"keeper","title":"Indent + Keeper Security: On-Demand Password Access","ogTitle":"","fullTitle":"","ogImageUrl":"https://og-images.indent-assets.com/Indent%20%2B%20Keeper%20Security%3A%3Cbr%20%2F%3E%20On-Demand%20Access%3Cbr%20%2F%3Efor%20Passwords%20.png?md=1&images=https://indent.com/static/favicon.png&images=https://dashboard.indentapis.com/static/images/apps/keeper-logo-gold.svg","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Get time-bound access to passwords in Keeper.","noSidebar":false,"heading":"","date":"2023-03-23T16:00:00.000Z","content":"Everybody at some point has slacked/emailed/messaged credentials – despite knowing better — it was just “easier.”\n\nWhen security and convenience go head to head, convenience often wins. So when choosing a password manager, you need to optimize for both convenience and security.\n\nThat’s why we’re excited to be partnering with [Keeper](https://www.keepersecurity.com/)! \n\nTrusted by tens of thousands of teams, Keeper Security is an award-winning solution for password management. It’s user-friendly and meets the most rigorous security standards (e.g. FIPS 140-2, SOC 2 certified, FedRAMP Authorized).\n\nBuilt to work seamlessly across all platforms, the solution encrypts and decrypts passwords locally at the device level, not on Keeper's servers or in the cloud. 
It also allows you to share records and folders with anyone, even if they aren’t a Keeper user.\n\nWith Keeper + Indent, getting access to a given cloud app or infrastructure is as simple as entering `/access` in Slack. Users request time-bound membership of identity groups that correspond to a vault or resource.\n\nAccess requests are automatically routed to approvers based on security policies, then approvers set the access duration. Users can also instantly get time-bound access based on attributes like on-call status.\n\nWith the Keeper + Indent integration, you can:\n\n- Give users time-bound, auto-expiring access to specific apps and environments\n- Grant automatic access to users based on attributes like on-call status in PagerDuty, Incident.io, and Opsgenie\n- Allow temporary access to SSH, RDP, databases, and Kubernetes resources as authorized by your access controls and connected identity provider\n- Auto-revoke access after a configurable duration\n- Record comprehensive access logs for compliance audits\n\n## Try it out\n\nWant to see the workflow in action? Check out the demo below:\n\n## Set up Indent for Keeper\n\nTo get started, you’ll need a [Keeper Enterprise](https://www.keepersecurity.com/enterprise.html) or [Keeper Business](https://www.keepersecurity.com/business.html) account as well as an Indent account. Then, follow these steps:\n\n- First, [create an Indent space](https://indent.com/signup) (and choose Slack / email)\n- Follow the instructions in the [Keeper + Indent docs](https://indent.com/docs/integrations/keeper) for installation\n- Start making requests for short-lived password access\n
\n\n---\n\n
\n\nNot yet a Keeper Business customer? We're excited to partner with Keeper to offer 15% off for new customers who sign up! Click this link to [get 15% off](https://www.keepersecurity.com/checkout/?product=enterprise&enterpriseTierType=false&users=5&promo_code=K4GINDENT15&slots=true).\n","hero":{"bg":"black","text":"yellow-400","pattern":"pattern-isometric pattern-yellow-400 pattern-bg-white pattern-opacity-100 pattern-size-16"},"authors":[{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"},{"id":"paulburt","name":"Paul Burt","image":"/static/images/blog/avatars/paulburt.png","title":"Customer Engineer","twitter":"ThatMightBePaul"}],"kind":"blog/post"},{"name":"nonprofits","title":"Indent for Nonprofits","ogTitle":"","fullTitle":"","ogImageUrl":"https://i.imgur.com/8P9msj5.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Maximize your resources with on-demand access.","noSidebar":false,"heading":"","date":"2023-03-21T18:30:00.000Z","content":"\nAs a nonprofit organization, every penny counts towards achieving your mission. You're constantly searching for ways to save money and increase efficiency while still delivering high-quality services.\n\nIt’s no surprise then that nonprofits and NGOs are experts at doing more with less. Unfortunately, that gets complicated when the work you do involves sensitive information like a person’s medical records or some other customer data.\n\nAccess control to sensitive resources can be a major drain of resources. For example, it can take days for a user to find the right approver for their access request, and get it approved and provisioned. 
Admins and approvers often have to coordinate behind the scenes to close the loop on the access request, eating even more time.\n\nOrgs looking to increase security and lock down access control, and reduce friction and wait times, can use on-demand access.\n\n## What is On-Demand Access?\n\nOn-Demand Access is time-bound, role-based access that is policy-controlled. Users can easily find what they're looking for, request access, and be kept in the loop automatically like they're used to with on-demand delivery.\n\nFor nonprofits, it makes it a lot easier to manage all the different access requests that come from full-time staff, part-time contractors, and volunteers. Instead of sifting through Slack DMs, checking on `#help` channel, or keeping an eye on a shared email inbox, you can get notified when someone needs access and instantly grant time-bound access without leaving Slack.\n\n## What is Indent?\n\nWith Indent, teams can get secure, time-bound access to cloud apps and infrastructure in seconds, not days. You can think of it as time-bound, role-based access control.\n\n## How does Indent work?\n\nUsing Slack, Indent, or browser extension, users specify what they need access to, why, and for how long. Managers and admins can also request on behalf of another user.\n\nPetitions are routed to the correct approvers based on your security and compliance policies, with support for multi-stage approvals. Approvers can review requests wherever they are and grant access for a specified duration from Slack, email, or Indent.\n\nAccess can also be automatically approved based on attributes like the requester’s on-call status or group membership. Approval automatically triggers provisioning, reducing unnecessary admin work of manually changing access in a system.\n\nAfter the approver specified time, Indent triggers deprovisioning, revoking the user’s access. 
If a user completes their task early or if access was incorrectly granted, the “revoke access” button triggers immediate access expiration while generating audit evidence.\n\nAll the relevant information is logged for every access attempt, so you always have the full story. Those logs can then be reviewed by security or exported as compliance audit evidence.\n\n## Nonprofit Use Cases for Indent\n\nWhat could this look like for your team?\n\n- On-demand access to production (AWS, GCP, Azure) for engineers\n- Temporary, auto-expiring access for contractors and volunteers\n- Lock down sensitive mailing groups (e.g. gdpr@ or security@)\n- Auto approvals for common workflows (e.g. on-call or low risk)\n- Time-bound, role-based customer data access for support teams\n\nThese use cases can benefit teams in a few different ways:\n\n**Get Your Team Access Faster**\n\nReduce access wait time from days to seconds, without compromising on security. Configuration is policy-based and Indent integrates with all of your tools, making it easy to start granting compliant access.\n\n**Prevent Over-Permissioned Users**\n\nSustainably implement least privilege and address the underlying issue of users with too much access by granting minimum viable access that auto-expires.\n\n**Cut Costs, Not Access**\n\nPay less for SaaS by auto-rotating licenses amongst occasional users, reducing the number of seats you need to purchase.\n\n**Simplify Compliance**\n\nAuto-expiring access reviewed in real-time makes user access reviews fast. Your access logs can be easily filtered and exported for compliance audit evidence.\n\nIndent recently helped [CommonLit](https://www.commonlit.org) lock down their production environment by granting on-demand access to their engineers:\n\n\n
\n**“Fast implementation, smooth team onboarding, and the convenience of auto-approval – Indent exceeded our expectations in streamlining temporary access management.\n\nThe deep integrations with AWS, Tailscale, and OpsGenie made setup a breeze!”**\n\n — Geoff Harcourt, CTO, CommonLit\n
\n\n\n## Save 50% on Indent\n\nIndent's on-demand application and infrastructure access can be a game-changer for nonprofits. By using Indent to give least-privilege, on-demand access in a way that also reduces their SaaS costs, nonprofits have the resources to focus on their core mission — not managing access.\n\nWe believe Indent should be accessible to everyone, especially those trying to do good in the world. Nonprofits can receive 50% off their Indent subscription to help them further their missions.\n\nWant to see a personalized demo? You can [schedule a demo](https://indent.com/demo) in seconds. Or you can [talk to our team](https://support.indent.com/) if you have any questions.\n","hero":{"pattern":"pattern-none bg-gradient-to-t from-blue-100 to-blue-600","bg":"white bg-gradient-to-t from-blue-100 to-blue-600 border-b","text":"white md:max-w-sm md:mr-auto md:ml-40"},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"cost-savings","title":"Do More With Less (SaaS)","ogTitle":"","fullTitle":"","ogImageUrl":"https://og-images.indent-assets.com/Do%20More%20With%3Cbr%20%2F%3ELess%20(SaaS).png?theme=light&md=1&fontSize=100px&images=https%3A%2F%2Findent.com%2Fstatic%2Ffavicon.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Rotate expensive licenses with on-demand access.","noSidebar":false,"heading":"","date":"2023-03-16T17:00:00.000Z","content":"\nFinance just said you need to cut a SaaS contract by 20-30% because “only half the users logged in the last month”. But, you know that as soon as you cut it, everyone’s going to ask for it back because they still use it occasionally.\n\nWhat do you do?\n\nThe easiest thing to do might seem to be cutting the seats anyway and letting people figure it out.\n\nUnused and underutilized licenses add up fast. 
For the following common examples, 100 extra seats cost your organization:\n\n- Salesforce – $1k/year per seat ($100k loss)\n- Netsuite – $1.2k/year per seat ($120k loss)\n- LaunchDarkly – $900/year per seat ($90k loss)\n\nWhen users lose access it’s generally because of three scenarios:\n\n1. During an access audit where the reviewer didn’t know why they had the access in the first place\n1. Part of the response to an incident, where access is revoked broadly to reduce impact\n1. A Finance request to deactivate low-use accounts because of budget\n\n## The Cost of Losing Access\n\nFor users, it doesn't really matter \"why\" they lost access. They know they had the access and want it back to do their work.\n\nIt often means IT is asked to sort it out. Alternatively, the user bypasses the loss of access by delegating work or borrowing credentials. Neither of those situations is good from a productivity, security, or compliance perspective.\n\n## Reducing Licenses Without Compromise\n\nSo, how do you minimize unused and underutilized licenses without compromising security, compliance, or productivity?\n\nBy making the licenses available on-demand and auto-expiring.\n\nWith Indent, you can let users request access as they need it. Think of it like a digital library. Users can check out access for a set amount of time. When they’re done, the access to that resource automatically expires. If they need access again, they can just request again through that centralized system.\n\nWhen you manage licenses in this way, occasional users can share them. This means you need fewer licenses, while still having them available to everyone.\n\nUsers and Finance are happy. Security and Compliance are happy.\n\nPeople aren’t sharing credentials to make this all work. 
Users are still getting access with their own credentials through your identity provider.\n\n## Do More with Less\n\nBy granting users time-bound, role-based access (that can be automatically approved based on factors like team membership, seniority, situation, etc) — you can be confident that you’re getting the most out of every product you’re paying for.\n\nWant to see a personalized demo? You can [schedule a demo](/demo) in seconds. Or you can talk to our team if you have any questions.\n","hero":{"pattern":"pattern-triangles pattern-size-8 pattern-bg-green-500 pattern-green-50 pattern-opacity-80","bg":"","text":"green-600 w-max"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"onboarding-offboarding","title":"Indent for Access Onboarding and Offboarding","ogTitle":"","fullTitle":"","ogImageUrl":"https://indent.com/static/og/indent-blog-onboarding-offboarding.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Streamlined onboarding and offboarding with on-demand access.","noSidebar":false,"heading":"","date":"2023-03-15T17:00:00.000Z","content":"\nOnboarding can feel like it never ends.\n\nThere's always one more thing.\n\nThere's always one more Google Drive shared folder that you didn't know about, GitHub repo that you've never seen, or an Okta group that would've made your life easier two weeks ago. Unlike during your first week, it's hard to know who or where to ask.\n\nIt's even harder to know what you don't know. Every time there's a new app, tool, or system that's mentioned, new hires have to guess what it is, whether they need access to it, and where to ask for it.\n\nThe IT and security teams have to figure out what you're looking for, like which Okta group corresponds to a specific AWS account or role in Salesforce. 
Then, they have to find who has admin permissions and the context to decide if you should get access, leading to days waiting for approval. Finally, you get access … until the next access audit, when a VP doesn't know why you have access and just clicks revoke to be safe.\n\nFor users, it's hard to see the point of a process that just adds friction and slows down getting work done. They're usually not taking into account the **coordination tax** that turns a \"simple decision\" of whether or not to grant access into a multi-day ordeal of back-and-forth.\n\nThe **coordination tax** is the delta between how long someone needs to access something versus how long they had to wait to get the access. Depending on the system, team, and compliance policies, this ranges from a couple hours to days and, sometimes, weeks.\n\nAt some point, you have to pay a license for everyone to get access to the ticketing system, just so they can ask a centralized IT team for access, and create more work. It's exhausting for everyone involved.\n\nThere's a way out — use **on-demand access** to grant people access to what they need, when they need it.\n\n## What is On-Demand Access?\n\n**On-Demand Access** is time-bound, role-based access that is policy-controlled. Users can easily find what they're looking for, request access, and be kept in the loop automatically like they're used to with on-demand delivery.\n\nAdmins can implement their least-privilege and access control requirements from SOC 2, HIPAA, SOX, and the endless list of abbreviations and numbers. Security and compliance can decide what the policies should be, and IT can define a policy-based structure for processing requests — instead of defining every workflow.\n\nSet up a new hire's user accounts, then show them how they can request access and have it routed to the right person for review automatically. 
Grant indefinite access or auto-approve if it's part of someone's job.\n\nFor critical services or expensive SaaS licenses, you can grant time-bound, role-based access without giving everyone a headache. No more tickets, email forward chains, or reminders to revoke access.\n\n\n\nUsing Indent for on-demand access, you can simplify onboarding:\n\n- Self-serve via Slack and web app\n- Admins can onboard groups of users (new hires)\n- Enable new hires to take action faster and more confidently\n - Grant sensitive access or expensive SaaS licenses based on different factors like compliance training (via Okta Group) or on-call status\n - If they're an engineer, enable them to respond to incidents or view production logs without giving them the keys to the kingdom\n\nWhen it comes time for offboarding, it's even easier:\n\n- One-click revoke button in Slack or web app\n- Time-bound, role-based access makes everything easier to manage\n- Generate audit evidence for compliance requirements, e.g. revoke employee access within 24 hours of departure\n\n**\"Part of every new hire's onboarding, we show them Indent. Using the /access command in Slack, all new hires are able to get day one access to resources like 1Password or AWS access for engineers.\"**\n\n
\n — Adnan Alam, IT at PlanetScale, former IT Manager at GitHub\n
\n\n## Speed up Onboarding Now\n\nYou can streamline your onboarding and offboarding workflows today with Indent. Our team is happy to help review your existing process and automate as much as possible with **On-Demand Access**.\n\nWant to see a personalized demo? You can [schedule a demo](/demo) in seconds. Or you can talk to our team if you have any questions.\n","hero":{"pattern":"pattern-diagonal-lines pattern-size-4 pattern-bg-pink-500 pattern-pink-50 pattern-opacity-80","bg":"pink-500 pattern-diagonal-lines pattern-size-12 pattern-bg-pink-500 pattern-pink-100 opacity-100","text":"pink-50 shadow-xl bg-pink-500 rounded-lg sm:px-12 py-12"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"azure-ad","title":"Least Privilege for Azure: Temporary Access","ogTitle":"","fullTitle":"","ogImageUrl":"https://indent.com/static/og/indent-blog-azure-ad.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Grant temporary access to Azure AD.","noSidebar":false,"heading":"","date":"2023-03-07T17:00:00.000Z","content":"\nManaging user permissions and group membership within Azure is a time suck. The weeks of back and forth between requesters, managers, and admins cut into valuable work time.\n\nWhen pursuing least privilege, you multiply the complexity and time necessary to do that management. Automation is the only way to dynamically manage permissions and roles for your cloud resources in a scalable way.\n\nWith Indent’s new native integration, you can easily automate least privilege within [Azure Active Directory](https://azure.microsoft.com/en-us/products/active-directory).\n\nIndent is built to get temporary access to engineers quickly through a Slack or email-based workflow. Requests are automatically routed based on your compliance policies and revoked after the approver’s set duration. 
Certain resources can also be configured to instantly approve based on the requester’s on-call status.\n\nWith guardrails that expedite and protect the entire access lifecycle, your access control policies are followed every time.\n\nRather than slowing teams down, moving to on-demand, least-privilege access has helped teams like Modern Treasury give access to their production resources securely in [under one minute](https://indent.com/customers/modern-treasury).\n\nBy implementing time-bound, role-based access control for Azure with Indent, you give valuable time back to your team while also protecting against resource misuse and attacks.\n\nIf you’re ready to automate least privilege in Azure: [Get early access →](/waitlist/azure-ad)\n\n## What Does Using Microsoft Azure AD + Indent Look Like?\n\nLet’s look at an example of how Indent can help your team get access faster and more securely. Story time!\n\nAlex is an engineer at Acme Corp, which uses Azure for their cloud resources. This week Alex is on-call.\n\nAt the beginning of their on-call rotation week, Alex opens Indent, and requests membership of the on-call mailing list.\n\nBy requesting membership of the list for only when Alex is on-call, their inbox is less cluttered, and there’s less sensitive information floating around needlessly.\n\nA few days later, Alex gets pinged. There’s an outage on the website which requires SQL server access to resolve.\n\nAgain, Alex opens Indent and requests access to the “Engineering: Production” Active Directory group for three hours and gives the following reason: “On-call to resolve issue #5543”.\n\nIf Alex wasn’t on-call, that request would get routed according to Acme’s policies to Alex’s manager, the VP of Engineering, for approval.\n\nBecause Alex is on-call though, Indent is able to verify Alex’s on-call status in PagerDuty. 
Then Alex is instantly granted access to the “Engineering: Production” group which has admin SQL server permissions, so they can get to work investigating the incident.\n\nAlex is able to resolve the outage within those three hours and goes back to bed. At the three hour mark, Indent goes in and automatically deprovisions Alex’s elevated access to the SQL server by moving them out of the “Engineering: Production” group.\n\nAll those access changes get logged in an easily exportable way for security and compliance purposes. At the end of the week, Alex is also automatically removed from the on-call mailing list.\n\nAt the end of the quarter, admins at Acme Corp do not need to review Alex’s elevated SQL server permissions because they were automatically deprovisioned.\n\n## Microsoft Azure + Indent Use Cases\n\nHere are some examples of how Indent can help you manage resource access within Azure:\n\n- **Grant and revoke access to resources in Azure**\n - Indent is able to move users in and out of groups in Azure AD.\n- **Lock down access in Microsoft 365 to implement least privilege**\n - Set up Azure AD groups that grant role-based access to documents in SharePoint or a Power BI workspace.\n- **Add and remove users from sensitive mailing lists**\n - When a user has a specific need to be part of a sensitive mailing list (gdpr@) they can request time-bound membership on-demand.\n- **Streamline contractor onboarding and offboarding**\n - Allow contractors to request only the access they need and automatically expire their permissions after the end of their contract.\n\n## Benefits of Azure + Indent\n\nBy managing Azure resources with Indent you can:\n\n1. **Simplify Management of Azure Resources**\n - Indent provides a centralized platform to manage cloud apps and infra.\n - This means that businesses can easily manage access to their resources inside and outside Azure through Indent.com or Slack, rather than navigating multiple portals.\n1. 
**Automate Provisioning and Deprovisioning**\n - With Indent you can automatically provision and deprovision users for Azure services, automatically ensuring that users have access only to the resources they presently need.\n1. **Enhance Security & Simplify Compliance in Microsoft 365**\n - Complementing Microsoft Entra's security features, Indent helps teams enforce their access control policies across their cloud resources, ensuring that access is granted only to authorized users when they need it.\n - All access related data is logged for a later security review or for inclusion in compliance audits.\n - By allowing users to request access on-demand, your team is doing real-time access reviews, greatly reducing the number of user access reviews at the end of the quarter to maintain compliance.\n1. **Optimize Spend**\n - With Azure’s group policies, you can install software on a user’s machine based on their membership of an Active Directory group.\n - By dynamically moving users in and out of those groups, teams are able to save money on unused software licenses.\n\n## Join the Early Access Program\n\nAt this point, you might have two questions:\n\n1. What does setup look like?\n2. How do I start using Indent for Azure?\n\nSetting up the Indent integration for Azure is as easy as clicking through an OAuth flow for your Azure AD tenant. 
From there you can set up your policies and start granting group membership.\n\n\n\nStart automating least privilege in Azure and help shape the future of Indent for Azure, [sign up now](/waitlist/azure-ad) or [talk to our team for a demo](/demo).\n","hero":{"pattern":"pattern-zigzag pattern-size-8 pattern-bg-blue-500 pattern-blue-50 pattern-opacity-80","bg":"#2463ec","text":"white"},"authors":[{"id":"ethernetdan","name":"Dan Gillespie","twitter":"ethernetdan","image":"/static/images/blog/avatars/ethernetdan.jpeg","title":"CTO"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"google-admin","title":"Least Privilege for Google: Temporary Admin Roles","ogTitle":"","fullTitle":"","ogImageUrl":"https://indent.com/static/og/indent-blog-google-admin.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Grant temporary access to Google Admin Roles on-demand.","noSidebar":false,"heading":"","date":"2023-03-02T16:45:00.000Z","content":"\nEvery email, document in drive, and calendar – downloaded.\n\nAll groups, drives, and users – deleted.\n\nGoogle Workspace Super Admin users have an incredibly powerful set of permissions that can turn into a major catastrophe from a single phishing attack or accident.\n\nThey can effectively do anything within a Google Workspace setup, including remove and lock out other Super Admins.\n\n**“Too many Google Super Admins is like having too many cooks in the kitchen. It can create a lot of chaos and confusion, and can impede the ability of IT to properly manage data and security protocols. It also makes it difficult to ensure that all users follow the same best practices and policies, leading to a lack of consistency across the organization. Just making sure all of them have 2FA can be hard enough.”**\n\n
\n — Head of IT, 500-1000-person Financial Services Startup\n
\n\nManaging admin roles has been an entirely manual or custom-implemented process. Often, most of the IT team ends up accumulating admin roles like Super Admin to do basic everyday tasks.\n\nOr they set up provisioning with Okta, just to find that it’s not possible to set admin roles — you need to use Okta Workflows or another workflow automation product to do that.\n\nUnfortunately, they only support “makeAdmin” which will make a user a Super Admin permanently because there’s no remove or “unmakeAdmin” action.\n\n## Least Privilege for Google Admin Roles\n\nWe’re excited to announce Temporary Google Admin Roles. Teams can get time-bound admin and super admin privileges in Google Workspace via Slack, Indent.com, or the Indent browser extension — eliminating the need for too many Super Admin users.\n\nWith the ability to grant admin access that auto-expires, organizations can all but eliminate persistent admin or super admin privileges. This reduces their organization’s potential attack surface, risk of unintentional changes, and abuse of privileges.\n\nIt’s perfect for:\n\n- Speeding up onboarding and common helpdesk issues like password reset\n- Temporarily elevating privileges for non-IT teams (e.g. Security or HR)\n- Allowing junior IT admins to borrow access routinely as needed\n- Giving temporary admin access to IT or security contractors\n- Automatically generating logs for security and compliance purposes\n\n**“Having a tool like this would have made all the difference as we scaled from 500 > 3000 users and got acquired into a public company. Compliance & access control became more granular and important than ever”**\n\n
\n — Adnan Alam, IT at PlanetScale, former IT Manager at GitHub\n
\n\n## Try it Out\n\nWant to see the workflow in action? Check out this interactive demo:\n\n## Set Up Temporary Admin Roles\n\nReady to get started? You can either get a [personalized demo and onboarding](https://indent.com/demo) from our team or get started on your own.\n\nTo get this set up you’ll need super admin privileges in a Google Workspace account. From there you’ll:\n\n- [Create an Indent space](https://indent.com/signup) (and choose Slack/email)\n- Follow the [Google Admin Roles documentation](https://indent.com/docs/integrations/google-roles)\n- Start making requests for temporary Google admin roles\n","hero":{"pattern":"pattern-wavy pattern-size-6 pattern-bg-green-900 pattern-green-500 pattern-opacity-80","bg":"emerald-900","text":"emerald-500"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"smallstep","title":"Indent for Smallstep: On-Demand SSH Certificates","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Indent for Smallstep:
On-Demand SSH Certificates","ogImagePlusLogo":"","description":"Get time-bound SSH certificates.","noSidebar":false,"heading":"","date":"2023-02-22T16:45:00.000Z","content":"\nA lot of people know they should be using SSH, especially as their organization grows. But rotating SSH public keys is a pain. You have to hunt down every machine with your old ssh private key and correctly swap it out for the new one. It's clunky, prone to error, and frankly, insecure. But there's [a better way to SSH](https://u.step.sm/use-ssh-certificates-indent) - with certificates.\n\nWelcome to [Smallstep](https://smallstep.com/sso-ssh/#overview). With Smallstep you use SSH certificates, negating the need to gather, ship, and rotate SSH public keys. When a user needs to SSH, they can OAuth and be issued an SSH certificate for a specific amount of time, allowing them to SSH like normal into hosts.\n\nBut, what if rather than mapping hosts to users from your identity provider you want users to be able to just request access on-demand?\n\nThis is where the new Smallstep + Indent integration comes in!\n\n## How Indent and Smallstep work together\n\nBy adding Indent’s on-demand access control to Smallstep, approvers can review requests and initiate the certificate generation process right from Slack. Users are able to get access by entering `/access` in Slack and are kept in the loop about the status of their request. When their access expires, it’s super simple to request another certificate. They can just click the “renew access” button in the expired access Slack notification.\n\nWith Smallstep and Indent you can:\n\n- Use SSH certificates instead of public keys without mapping users to hosts in an identity provider\n- Manage time-bound SSH access right from Slack\n- Get your on-call team access without the wait with auto approvals\n\nWant to check out the workflow? Try it below:\n\n## Start using Smallstep + Indent\n\nTo get started, you’ll need [Smallstep](https://u.step.sm/indent-smallstep-SSH-signup) and Indent accounts.\n\nThen follow these steps:\n\n- First, create an Indent space (and choose Slack / email)\n- Follow the instructions in the [Smallstep + Indent docs](https://indent.com/docs/integrations/smallstep) for installing the integration\n- Start making requests for short-lived and secure SSH access\n\nWant to get started? [Talk to our team](/demo) and we're happy to help!\n","hero":{"pattern":"pattern-cross pattern-size-8 pattern-bg-white pattern-red-500 pattern-opacity-80"},"authors":[{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"},{"id":"paulburt","name":"Paul Burt","image":"/static/images/blog/avatars/paulburt.png","title":"Customer Engineer","twitter":"ThatMightBePaul"}],"kind":"blog/post"},{"name":"least-privilege","title":"Least Privilege in Practice","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Least Privilege in Practice","ogImagePlusLogo":"","description":"The do's and don'ts of actually implementing the principle of least privilege.","noSidebar":false,"heading":"","date":"2023-02-16T16:30:00.000Z","content":"\nAt Indent, we’re committed to helping you get to a state of actual Least Privilege, not just faking it. 
The \"principle of least privilege\" is not a monolith or a checkbox, and describing it this way is a disservice to organizations who are trying to adopt it.\n\nYou can agree with it in principle, but in practice it tends to fall apart.\n\nHere’s what Least Privilege **is not**:\n\n- Creating two groups “Admins” and “Users” then adding everyone to “Admins” anyway\n- Every engineer can open production Rails console whenever they want\n- Whenever someone has an analytics question, they query the production database\n- Anyone can open 1Password to find all the social media account passwords\n\nBut we get it, doing the right thing is hard. And getting others to do the right thing is practically impossible if it’s slower and more inconvenient than doing it the easy way. That’s why the secure process has to be the easiest, fastest way to get things done.\n\nThe Indent Platform is shaped by principles that can help teams put Least Privilege in practice:\n\n### 1. Everyone’s access should default to zero\n\nEverytime you change someone’s access, you should think of it as running a migration on your access and security state. This becomes very difficult to do when it’s impossible to tell what access people need, why they have it, and who granted it.\n\nIt’s more secure to default everyones’ access to zero, and have them request on-demand access to what they need in the moment.\n\nIn practice with Indent:\n\n- During onboarding grant indefinite access to only high frequency, low risk apps\n- Have people request auto-expiring access to everything else\n- No executive or admin exceptions since they usually pose an even greater threat if compromised\n\n### 2. Minimum viable access\n\nRight-sized access is a valuable guardrail against resource misuse and attacks. 
This means making sure that people only have enough permissions to accomplish the task they are currently working on and only for the length of time that they’re working on it.\n\nIn practice with Indent:\n\n- Create groups in your identity or single-sign on provider (Google, Okta, etc) that map to a specific set of permissions for a given role\n- Give people an easy way to request membership of those groups\n- Automate moving people in and out of groups based on their access grant duration\n\n### 3. Don’t keep people waiting if they should have access\n\nContext switching, hunting down and following up with approvers, and uncertainty around the status of the request all incentivize “access hoarding” - holding onto permissions indefinitely because they were hard to get the first time. To avoid this, access should be easy to request and be granted in urgent situations.\n\nIn practice with Indent:\n\n- Set auto-approvals for critical moments like if someone is on-call\n- Make reviews simple for approvers - collect all the info they need to make a decision up front and provision changes quickly\n- Don’t require approvers to context-switch to approve access\n\n### 4. Changes should be logged\n\nThe back and forth that comes with getting access not only slows teams down, it also makes security and compliance more complicated. When all access doesn’t flow through a system like Indent, you’re not centralizing the relevant data behind each access attempt, making it difficult to understand what access is necessary.\n\nIn practice with Indent:\n\n- Have all access flow through a centralized system\n- Collect who (requester and approver), what (resource), why, and how long behind each access attempt — and when it got revoked\n- Have that access data logged in a queryable and exportable way\n\n### 5. Minimize exceptions\n\nThe more exceptions and alternative ways there are of requesting access, the less your access solution works as a single source of truth. 
This is most important when doing security reviews of access, and when complying with regulatory demands.\n\nIn practice with Indent:\n\n- Have that central access control system integrate with the services you already rely on\n- Adopt an extensible system that you can add more services to, if needed\n- Regularly test your access solution for auditability, and whether the logs give enough information for a thorough review\n\n### 6. Automate the boring stuff\n\nTo implement all of this, every time someone needs access, you need automation. When going through the proper processes takes too much time, people start taking shortcuts that open teams up to major security risks.\n\nIn practice with Indent:\n\n- Access requests automatically route to the correct approvers\n- Provisioning is triggered by the final approval\n- After the approver-designated access duration, the access automatically expires. Manual revocation is a waste of resources.\n- Access data is automatically logged in a centralized place\n\nIf you agree with these principles, but haven’t found the time to make it happen yet or are worried that it’ll add friction for your team, you’re probably closer than you think. If done correctly, your team will get the access they need to ship faster without the risk of breaking production.\n\nWe've built everything in the \"in-practice\" sections into Indent, making it an out-of-the-box solution for getting to a place of real least-privilege.\n\nAt Indent, our mission is to prevent avoidable security incidents. We view ending the era of \"Fake Least Privilege\" as a critical first step in the journey.\n\nWhen organizations have fewer (ideally zero) users with long-lived admin roles, there's a lower risk from credential compromise. One compromised user doesn't have to lead to a catastrophic company-wide incident.\n\nThis is our vision of Least Privilege in Practice. If we’ve missed something, tell us about it! 
Let us know on [Twitter](https://twitter.com/intent/follow?screen_name=indent) or [talk to our team](/demo).\n","hero":{"bg":"#070d0b","text":"#0b4bd5","image":"/static/images/blog/content/blog-hero-least-privilege.png"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"ethernetdan","name":"Dan Gillespie","twitter":"ethernetdan","image":"/static/images/blog/avatars/ethernetdan.jpeg","title":"CTO"}],"kind":"blog/post"},{"name":"planetscale","title":"Indent + PlanetScale: Temporary Database Access","ogTitle":"","fullTitle":"","ogImageUrl":"https://indent.com/static/og/indent-blog-planetscale.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Get time-bound access to PlanetScale on-demand.","noSidebar":false,"heading":"","date":"2023-02-16T16:00:00.000Z","content":"\nDatabase management is notoriously difficult.\n\nFrom scaling to version control, it’s incredibly easy to mess it up.\n\nWith PlanetScale, the MySQL-compatible database built on the Vitess Open Source project, you get a database that feels like it wants you to succeed.\n\n- Database branching? - you bet’cha!\n- Non-blocking schema changes? - of course!\n- Auto-scaling & Horizontal sharding? - yes and yes!\n\nCompared with AWS RDS, PlanetScale is leagues ahead in terms of developer experience.\n\nBut, what about managing access to databases?\n\nLast year, PlanetScale announced their [teams functionality](https://planetscale.com/blog/announcing-teams-an-easier-way-to-manage-database-administrator-access), which provided a way to manage database administrator access.\n\nWith the new PlanetScale integration for Indent, you can amplify the Teams functionality with your favorite SSO provider’s SCIM capabilities, and grant\ntemporary permissions in PlanetScale.\n\nIndent is built to get temporary access to engineers quickly through a Slack-based workflow. 
Requests are automatically routed based on your compliance policies and revoked after the approver’s set duration. Certain resources can also be configured to instantly approve based on the requester’s on-call status.\n\nWith guardrails that expedite and protect the entire access lifecycle, your access control policies are followed every time without slowing engineers down.\n\n## With PlanetScale + Indent you can:\n\n- Protect your data from unauthorized views or updates with auto-expiring access\n- Grant instant database access to on-call teams based on their on-call status\n- Automatically log changes to role-based access for security and compliance purposes\n\n## Hooking up Indent to PlanetScale\n\nTo get started, you’ll need PlanetScale and Indent accounts. Then follow these steps:\n\n- First, create an Indent space (and choose Slack / email)\n- Follow the instructions in the [PlanetScale + Indent docs](https://indent.com/docs/integrations/planetscale) for installing the integration\n- Start making requests for short-lived and secure database access\n\nWant a hand? Our team is happy to help: [get a demo now →](/demo)\n","hero":{"pattern":"pattern-isometric pattern-size-6 pattern-bg-gray-500 pattern-gray-900 pattern-opacity-80","bg":"gray-900","text":"gray-500"},"authors":[{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"zero-trust-networking","title":"VPNs vs Bastion Hosts vs Zero Trust Networking","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"VPNs vs Bastion Hosts
vs Zero Trust Networking","ogImagePlusLogo":"","description":"Why so many orgs are talking about replacing VPNs","noSidebar":false,"heading":"","date":"2023-02-15T17:00:00.000Z","content":"\nGoogle first implemented their internal version of Zero Trust in 2009. The first paper on Zero Trust was published in [1994](https://www.cs.stir.ac.uk/~kjt/techreps/pdf/TR133.pdf). So, why did it take all those years for it to catch on?\n\nIn Google’s case, they adopted Zero Trust at a time when they saw an [increase in cyberattacks][operation-aurora] from hacking groups in China. That increased threat put pressure on them to change how they protect user data.\n\n## We all feel an increased threat\n\nIf you follow tech news, you know that security breaches like this are a regular occurrence. According to one source [2022 had the highest number of data breaches][data-breach] ever -- up to 50% more than the prior year. What once seemed like a dripping faucet is starting to look more like a burst pipe.\n\nWhy are people switching away from VPNs while there's an increased threat? Zero Trust requires not only a change in philosophy, but also in implementation. Technologies like Wireguard and HashiCorp’s Boundary are two open source Zero Trust solutions that many consider. As such, they’re a great way to understand the concept.\n\nModern Zero Trust solutions focus on authenticating every connection to a device or service. In other words, just because someone is inside your castle walls does NOT necessarily make them trustworthy. If someone does get phished, or credentials get compromised in some other way, the amount of damage that can be done is isolated to just one server.\n\n## The Traditional VPN Strategy\n\nWhy do we need to change VPN technology? It has to do with that castle and village metaphor.\n\nTraditional VPNs are similar to a castle. A single gateway server controls access in and out of the system. 
All traffic must flow through the VPN gateway, just as all traffic in and out of a castle must go through a gate.\n\nThat single point of ingress and egress makes for a convenient place to check things. Who is this person? Are they authorized to be here?\n\nOnce they pass, they’re in the network – err, castle — for good.\n\nOpenVPN is an example of a popular approach. Many organizations rely on OpenVPN style technologies, and it is a good defensive strategy compared to just leaving everything open on the public internet. Or worse, using \"special\" ports as \"security\" — hint: it's not.\n\nThat said, can we do better? What if we don’t just want good, but we’re actually aiming for great?\n\n## The Modern Zero Trust Strategy\n\nInstead of just checking things at the castle gate, we could do our security checks at every door. Every home, and every room does the check. Further, when someone knows where they’re going, they can walk directly to the house that they want to visit. No need for them to change their route, and first head through the castle gate.\n\nThis is a big part of the shift that modern Zero Trust strategies embrace. Wireguard is a nice open source example of a modern solution, and is also useful as a contrast against the traditional approach of OpenVPN.\n\nWireguard is a much smaller codebase, since its only aim is to solve the problems of establishing a connection and encrypting traffic. Concerns like LDAP and any business logic are left for an admin to figure out.\n\nThat specific focus is reminiscent of a UNIX-like philosophy. Do one thing and do it well. In fact, WireGuard is so UNIX-y that as of version 5.6 of the Linux Kernel, it’s included by default.\nSimilar to how UNIX processes get composed together with pipes, Wireguard gets composed together with a control plane. 
It’s the control plane where LDAP and the other neat features live.\n\n### It’s a Village, not a Castle\n\nZero Trust’s more direct type of connection and security check is more akin to a village, or a city. You’re encouraged to connect directly to a resource, rather than through a VPN gateway or a bastion host.\n\nSecurity checks happen more frequently, and are scoped more precisely. That’s because the connection is more specific to just you, as opposed to the shared bridge – err, VPN, used by all of your co-workers.\n\nThe castle vs village visual is a great model, because it also illustrates the challenge of handling a large amount of traffic. How difficult is it to expand a castle’s walls? You can see the difficulty of this in the real world with multiple clusters, across multiple time zones and cloud providers. Do you run multiple VPN networks?\n\nSimilarly, how easy is it for traffic to overwhelm and take down a single gate into the castle? VPN Gateways and bastion hosts can become single points of failure. Although, to be fair, there are well tested strategies for fixing that.\n\n### Bastion Hosts and VPNs are Monolithic\n\nThe challenge of maintaining a single massive server is something most folks in infrastructure are familiar with. Sometimes this is framed as vertical scaling versus horizontal scaling. A vertical server can be simpler to manage, up to a point.\n\nOnce a large amount of traffic starts flowing, then the switch to a horizontal architecture is common. Expanding vertically is difficult. Expanding horizontally mostly means just adding more servers. The castle, or VPN’s expansion is more akin to a vertical strategy.\n\nZero Trust’s recent rise in popularity coincides with the advent of infrastructure-as-code (IaC). It would be tedious to manually manage the software and settings required for Zero Trust across hundreds or thousands of servers. 
Since a lot of us are already automating these kinds of horizontal changes through IaC, Zero Trust fits in naturally.\n\n## How are Companies Implementing Traditional Strategies?\n\nTo be clear, traditional strategies are popular. VPNs work quite well, up to a point. So, when is that point, and when should you start considering Zero Trust at your business? You can take some guidance from some real world examples of the traditional approach, and the teams who've shared the story about their choice to transition away from it.\n\n- OpenVPN case study\n - [A Better Alternative to Usernames and Passwords](https://openvpn.net/case-study/devsquad/)\n- Segment’s approach to infrastructure\n - [The Segment AWS Stack](https://segment.com/blog/the-segment-aws-stack/)\n - [Bye bye bastion hosts...Hello AWS IAM!](https://segment.com/blog/infrastructure-access/)\n- Teleport's approach to traditional bastion hosts\n - [Setting Up an SSH Bastion Host](https://goteleport.com/blog/ssh-bastion-host/?ref=indent)\n\n### Your organization should consider Zero Trust Networking if:\n\n- Your devs’ connections to servers and services are slow\n- You are struggling to manage VPN gateways or bastion hosts\n- You are worried about the increasing number of attacks and breaches\n- You already embrace infrastructure-as-code or a solution like Terraform\n- The amount of user data that you manage makes your business stakeholders nervous\n\n## Zero Trust is More than Direct Connections\n\nZero Trust is more than just Wireguard or direct connections to servers. We partner with a number of organizations dedicated to simplifying and creating robust Zero Trust solutions. 
If you’re curious about the various approaches, here are some additional resources from our partners about Zero Trust networking.\n\n- [Tailscale][tailscale-zero-trust]\n - Popular solution built on the Wireguard protocol\n- [HashiCorp Boundary][hashicorp-zero-trust]\n - Created by talented engineers from a company most folks already trust\n- [Twingate][twingate-vs-vpns]\n - Built for the Enterprise from the ground-up, and relies on split tunnel networking\n- [Smallstep][smallstep-zero-trust]\n - Innovating on traditional SSH with a cert-based connectivity approach\n\nFor more detailed guides on Zero Trust, both NIST and NCSC (US and UK government agencies) have detailed guidance. [NIST’s guide is here][nist-zero-trust], and [NCSC’s guide is here][ncsc-zero-trust].\n\nAdditionally, Google has released [their own Zero Trust framework][google-beyondcorp], which they call BeyondCorp.\n\n## Is it bad if you Still use VPNs and Bastion Hosts?\n\nNo. These are reliable and trustworthy technologies. Many of the solutions that power Zero Trust are new, and only appeared within recent years.\n\nAs we said, these solutions are good. Zero Trust should be seen as an improvement that pushes your organization towards being great.\n\n## Where does Indent fit with Zero Trust?\n\nIndent is a nice addition to any Zero Trust strategy. Similar to how Zero Trust limits the amount of damage that can happen if credentials are compromised, Indent also limits damage. How can an attacker do damage if the credentials have automatically expired?\n\n## Conclusion\n\nIndent fits in as part of a Defense in Depth strategy. Overall security strategies, which include Zero Trust, are always built by combining multiple solutions.\n\nHow are you planning to architect your networking setup? 
Let us know, [send us a tweet](https://twitter.com/intent/tweet?text=Hi%20%40indent%20-%20The%20solutions%20I'm%20considering%20for%20my%20networking%20strategy%20are...).\n\nHave questions about what's the best networking solution for your team? We're happy to help you think through the options — [book time with our team →](https://indent.com/demo#schedule)\n\n[wireguard-linux-kernel]: https://9to5linux.com/linux-kernel-5-6-officially-released-new-features\n[twingate-vs-vpns]: https://www.twingate.com/docs/twingate-vs-vpn/\n[nist-zero-trust]: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.20.pdf\n[ncsc-zero-trust]: https://www.ncsc.gov.uk/collection/zero-trust-architecture/introduction-to-zero-trust\n[zero-trust-thesis]: https://en.wikipedia.org/wiki/Zero_trust_security_model\n[openvpn]: https://openvpn.net/\n[hashicorp-zero-trust]: https://developer.hashicorp.com/boundary/docs/overview/vs/zero-trust\n[tailscale-zero-trust]: https://tailscale.com/kb/1123/zero-trust\n[smallstep-zero-trust]: https://smallstep.com/docs/practical-zero-trust\n[phd-thesis-zero-trust]: https://en.wikipedia.org/wiki/Zero_trust_security_model\n[aws-vpn]: https://aws.amazon.com/what-is/vpn/\n[operation-aurora]: https://en.wikipedia.org/wiki/Operation_Aurora\n[google-beyondcorp]: https://storage.googleapis.com/pub-tools-public-publication-data/pdf/43231.pdf\n[uber-hacked]: https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell\n[data-breach]: https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/\n","hero":{"pattern":"pattern-paper pattern-size-16 pattern-bg-purple-500 pattern-blue-800 pattern-opacity-80","text":"purple-500","bg":"blue-900"},"authors":[{"id":"paulburt","name":"Paul Burt","image":"/static/images/blog/avatars/paulburt.png","title":"Customer 
Engineer","twitter":"ThatMightBePaul"}],"kind":"blog/post"},{"name":"temporary-infrastructure-access","title":"Temporary Infrastructure Access with Indent","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Temporary Infrastructure Access
with Indent","ogImagePlusLogo":"","description":"Get time-bound access to AWS, Google Cloud and Azure on-demand.","noSidebar":false,"heading":"","date":"2023-02-14T16:30:00.000Z","content":"\nFamous last words:\n\n“Oh I thought I was on staging”\n\nMaybe it was the production index, maybe it was a VPC. But you’ve accidentally deleted some critical piece of infrastructure. Hopefully you have backups, but it could take hours to reconstruct.\n\nMistakes and breaches happen All. The. Time.\n\nGranting persistent infrastructure access is then an absolutely insane proposition given the multi-faceted cost of outages.\n\nIn DevOps culture, teams are encouraged to move quickly, and ownership over running code is shared between developers and operators. Asking for, getting, and revoking ad-hoc permissions takes time. To try to circumvent this, engineers become over-permissioned.\n\nImplementing [RBAC alone won’t fix that](https://nvd.nist.gov/vuln/detail/CVE-2021-28113). In fact, [traditional Least Privilege won’t either](https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell).\n\nUsing Indent with AWS Identity Center, Google Cloud, or as of today, Azure through our Early Access Program, you can implement least privilege in a practical way.\n\nAutomation is the key to granting fast, compliant access. It allows engineers to maintain minimum viable access at any given time without getting annoyed.\n\nGetting access can be urgent, especially for on-call teams.\n\nIndent is built to get temporary access to engineers quickly through a Slack-based workflow. Requests are automatically routed based on your compliance policies and revoked after the approver’s set duration. 
Certain resources can also be configured to instantly approve based on the requester’s on-call status.\n\nWith guardrails that expedite and protect the entire access lifecycle, your access control policies are followed every time without slowing engineers down.\n\n## Indent for AWS Identity Center\n\nAWS Identity Center (formerly AWS SSO) can be used to authenticate access to AWS resources as either a standalone identity provider or through connecting to providers like Okta or Google.\n\nWithout Indent, administrators manage access through the AWS admin console, needing to manually add and revoke permissions for users.\n\nBy using Indent’s AWS Identity Center integration, access provisioning and revocation can be triggered based on actions taken by approvers in Slack or through the Indent Dashboard.\n\nSee the new [AWS Identity Center Integration →](https://indent.com/demo)\n\n## Indent for Google Cloud\n\nTo grant Google Cloud access the smart way, all you need are some Google Groups that map to your resources and Indent. The Google Group integration can pull those groups as resources and allow your team to request access to them.\n\nOnce approved, Indent is able to move engineers in and out of those groups, granting and revoking their access to those resources.\n\nGet a demo from our team of the [Google Cloud Integration →](https://indent.com/demo)\n\n## Indent for Azure\n\nWhether you’re running your infrastructure on Azure, using the latest Azure OpenAI Service, or just using Azure for data pipelines like Power BI, it’s important to ensure only the necessary people have access to the sensitive data stored there, and Indent can help.\n\nWe’re excited to offer the ability to manage temporary access with Azure AD through a native integration with Indent. 
If you’d like to see a demo of how it would work for your organization, our team is [happy to show you →](https://indent.com/demo)\n\nOr if you’re interested in being an early tester, [join our waitlist now](https://forms.gle/RbAgpusvXZh8gP3y7).\n","hero":{"image":"/static/images/blog/content/blog-hero-temporary-infra-access.png"},"authors":[{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"production","title":"Nobody Should Have Production Access","ogTitle":"","fullTitle":"","ogImageUrl":"https://indent.com/static/og/indent-blog-production.png?v=2","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Nobody should have access to production. Unless they want to accidentally break it.","noSidebar":false,"heading":"","date":"2023-02-13T20:30:00.000Z","content":"\nNobody would ever recommend that most of their engineers keep a connection open to their production database throughout the day.\n\nPractically speaking, there’s not much of a difference if you can’t say for certain why an engineer SSH’ed into production at 1am on Saturday.\n\nDid they get paged from an incident? Or was it just a spurt of curiosity?\n\nBack when I was an engineer at Segment, we talked with a number of companies about their data architecture and how data flowed from point A to B.\n\nI’m going to tell you something you probably already know: _way too many people have access to confidential, sensitive data_.\n\nEven at companies that claim to be practicing least privilege, a disturbing yet unsurprising number of folks have supersized access.\n\n## Why should I care?\n\nWe talked to hundreds of engineering and security leaders to understand the common root causes of security and engineering incidents. 
We heard so many horror stories that were part customer discovery, part therapy that we even started hosting a [regular event to talk about it](https://unplannedmaintenance.com/?ref=indent-blog).\n\nOne of the core issues we consistently heard is “We don’t know who has access to what and why, until S#!% hits the fan and we have to take it all away” causing a complete business disruption or a major security incident.\n\n## Faking Least Privilege\n\nTurns out in a lot of these situations, the engineering team is **faking least privilege**.\n\nThe benefits of least privilege access control are obvious. Reduce the risk of human error, surface area for credential compromise, or unauthorized changes that could compromise the system. It also makes it easier to audit and monitor the system, and to troubleshoot and fix issues when they occur.\n\nWhen teams fake least privilege by giving every engineer `AdministratorAccess` in their production AWS account, it’s practically giving people permission to break production.\n\n## Starting from Zero\n\nOne of the complicated parts of least privilege is keeping track of what access people have, let alone what they should have.\n\nIt’s easiest for you (+ IT and Security) to know what you do or don’t have access to on Day 0 when you have nothing. The problem here is that no one really knows what “right-sized access” looks like, aside from “just give them what we gave the last person” — unfortunately that’s usually full access to production.\n\n## Minimum Viable Access\n\nPeople try to implement “right-sized access” with RBAC. Implementing RBAC usually looks like creating read only and admin roles, with the goal of only giving people read only access. 
But, all the work required for mission-critical operations requires admin access, and sooner or later everyone is an admin again.\n\nThe real goal here is to get to a place where at any given time a user has the minimum viable access to accomplish the task that they are presently working on. No more. No less.\n\nThe problem in most teams is that it takes forever to get access. They wait so long that they don't want to give it up, even when they don't need it anymore.\n\nSo how do you get to a place of Minimum Viable Access?\n\n1. Create groups in your identity or single-sign on provider (Google, Okta, etc) that map to a specific set of permissions for a given role\n1. Give people an easy way to request membership of those groups\n1. Prevent approval bottlenecks. Set up peer-reviews or auto-approvals with security and compliance controls where it makes sense\n1. Make reviews simple for approvers - collect all the info they need to make a decision up front and notify them of requests where they’re already working\n1. Have approvers set an access duration if they approve access\n1. 
Automate moving people in and out of those groups based on their access grant duration\n\n## Practice of Least Privilege\n\nTwo phrases we haven’t mentioned yet are “Zero Trust” (ZT) and “Principle of Least Privilege” (PoLP) because they represent the goals, not necessarily the tools to get there.\n\nIn 2014, Google engineers released the seminal [BeyondCorp research paper](https://storage.googleapis.com/pub-tools-public-publication-data/pdf/43231.pdf) that dropped the idea of a “privileged network” in favor of dynamically verifying multiple factors as part of network requests.\n\nInstead of assuming that “private” networks like an office can be trusted through static controls like IP address allowlisting, we can verify devices and user authentication.\n\nZero Trust took this a bit further and says you should also implement least privilege among other goals like security monitoring and risk-based verification. But what are you supposed to do with that?\n\nIt’s pretty hard to put least privilege into practice so we came up with some principles of our own based on what we’ve seen in the wild:\n\n1. Everyone’s access should start at zero\n1. Grant minimum viable access that’s easy to revoke\n1. Don’t keep people waiting if they should have access\n1. Changes should be logged\n1. Automate the boring stuff\n\nIf you agree with these principles, but haven’t found the time to make it happen yet or are worried it’ll add friction for your team, you’re probably closer than you think. If done correctly, your team will get the access they need to ship faster without the risk of breaking production.\n\nBack at Segment, the security team built a tool called “Access Service” to provide engineers with temporary access to their cloud resources and wrote a great [blog post](https://segment.com/blog/access-service/) about the process of building it themselves. 
They also mention some of the areas for future development like policies and dynamic roles.\n\nMost teams don’t have the capacity to build their own internal tool like Segment’s, so we built it for you! With policies and batteries-included, Indent can solve the core problem of zero long-lived access without adding friction for your team to ship faster.\n","hero":{"pattern":"pattern-wavy transform rotate-180 pattern-size-6 pattern-bg-white pattern-black","bg":"gray-800","text":"gray-50","image":"/static/images/blog/content/blog-hero-production.svg"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"aws-sso-setup","title":"Setting Up AWS Identity Center (SSO) The Right Way","ogTitle":"","fullTitle":"","ogImageUrl":"https://indent.com/static/og/indent-blog-aws-sso-part-1.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Setting up single sign-on with AWS Identity Center can be confusing — this guide can help you choose the ideal configuration for your team.","noSidebar":false,"heading":"","date":"2023-02-02T17:00:00.000Z","content":"\nOnce your team reaches a certain size, creating and managing AWS IAM users directly becomes a point of friction in getting people access on day one or cleaning up permissions during the offboarding process.\n\nThankfully, AWS has a service for single sign-on called [AWS Identity Center](https://aws.amazon.com/iam/identity-center/) ([formerly known](https://aws.amazon.com/about-aws/whats-new/2022/07/aws-single-sign-on-aws-sso-now-aws-iam-identity-center/) as AWS SSO) that can act as a standalone identity provider for logging into AWS accounts or connect to an existing provider like Okta and Google.\n\nThe great part about using Identity Center is that instead of coming up with usernames like `jane-prod` you can just have people sign in with their company email (`jane@example.com`) and their role will be 
automatically provisioned.\n\n## When should I consider using AWS SSO?\n\nAWS IAM can get you and your team pretty far. It helps that it's the default way to set up authentication with AWS when you first set up your account.\n\nOver time, you'll likely develop the need for multiple accounts. One for development where everyone has access, one for production that's \"locked down\"... and maybe one for staging? Oh, and the new infra engineer mentioned they might need an extra account for some load testing... Does the frontend team need to have full admin access to production?\n\n## How do I configure AWS Identity Center / AWS SSO?\n\nYour AWS account must be managed by AWS Organizations. If you haven't set up an organization already, you can choose whether to have AWS create an organization for you.\n\nIt's recommended that you complete this process with a standalone root AWS account that is only used for setting up the AWS Organization and SSO, for example `cloud-accounts-root@example.com` that is a Google Group or mailing list.\n\nBefore users can start using single sign-on, you need to first enable AWS IAM Identity Center:\n\n1. Sign in to the AWS Management Console with your AWS account root user credentials.\n1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).\n1. Under **Enable IAM Identity Center**, choose **Enable**.\n1. IAM Identity Center requires AWS Organizations. If you haven't set up an organization, you must choose whether to have AWS create one for you. Choose **Create AWS organization** to complete this process.\n1. AWS Organizations automatically sends a verification email to the address that is associated with your management account. There might be a delay before you receive the verification email. 
Verify your email address within 24 hours.\n\n## Should I use AWS Identity Center with Google or Okta?\n\nDeciding if you want your users to be provisioned based on their Google Workspace or Okta accounts all depends on your situation.\n\nThere is no one **right** answer, but just tradeoffs given your situation.\n\n**If you have Okta**, you should probably connect Okta as your identity provider.\n\nYour IT and security teams will thank you later. You can follow [AWS official documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html) for setting up Okta.\n\n**If you use Google Workspace** as your only identity provider, you may want to consider using [Okta Developer](https://developer.okta.com/demo/) which has a generous free tier of up to 7,000 users.\n\nOne of the primary tradeoffs between Okta and Google is support for System for Cross-domain Identity Management (SCIM) which Google generally does not have out-of-the-box. The difference between SAML support and SCIM support is that SAML handles the authentication ensuring you are who you say you are, but SCIM is the provisioning that creates your user profile or groups assignments in AWS.\n\nYou can still use Google, thanks to an open-source AWS Labs project called [ssosync](https://github.com/awslabs/ssosync). You can read more about installation and configuration in the [project README](https://github.com/awslabs/ssosync#installation) but the TLDR is that it works by syncing the data on a recurring schedule.\n\n> **Caveat:** when someone gets added to a Google Group that provisions their access, they won't be able to access it until the next scheduled sync - which can be anywhere up to 59 minutes if you sync hourly, which is the default. 
You can solve this issue by using solutions like [Indent](https://indent.com/demo?utm_source=gtm&utm_medium=website&utm_campaign=blog-aws-sso-setup) that can trigger a sync whenever access is granted or revoked.\n\n## Can I use AWS Identity Center by itself?\n\nYep — AWS Identity Center also supports standalone usage, so you can just manage users and groups directly from the Identity Center section in the AWS admin console.\n\nIf you do this as part of your initial configuration, you can always migrate to a custom identity provider like Okta or Google, but your team's workflow and usernames (which would be their email address) don't change — which is awesome.\n\nWith AWS Identity Center, you can ensure that only the right people have access to the right resources, while still keeping your environment secure. Overall, setting up AWS Identity Center is an important part of managing your AWS environment.\n\nIf you have any issues or questions going through this process, [feel free to reach out](https://indent.com/demo?utm_source=gtm&utm_medium=website&utm_campaign=blog-aws-sso-setup)! We're happy to help even if you're still at the exploration phase for your access control structure.\n\nOnce you've set up single sign-on with AWS Identity Center, you might find it tedious to keep going into the admin console to grant someone access or to set reminders to revoke it the next day. 
That's where our product [Indent](https://indent.com/demo?utm_source=gtm&utm_medium=website&utm_campaign=blog-aws-sso-setup) can help — users can request and reviewers can grant without even leaving Slack.\n","hero":{"pattern":"pattern-wavy pattern-size-6 pattern-bg-orange-600 pattern-yellow-200 pattern-opacity-80","bg":"orange-500","text":"yellow-200"},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"doppler","title":"Indent for Doppler: SecretOps On-demand","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Indent for Doppler:
SecretOps On-demand","ogImagePlusLogo":"","description":"Get on-demand access to secrets and configurations.","noSidebar":false,"heading":"","date":"2023-01-24T17:00:00.000Z","content":"\nWorking with secrets day-to-day can be painful.\n\nKeeping staging secrets separate from production can be hard enough without needing to keep them synced across environments like AWS, GCP, or engineers’ laptops. Or you’re left building custom tooling and scripts to make it all fit together.\n\nMany teams choose [Doppler](https://www.doppler.com/) to keep their secrets and app configuration in sync. It ensures secrets and configs are secure across devices, environments, and even team members.\n\nThe Doppler + Indent integration adds an additional layer of protection for your secrets and configurations, without slowing your team down.\n\nThis integration lets employees get quick, temporary access to role-specific secrets and configurations by requesting time-bound membership of corresponding identity groups through Slack.\n\nAccess requests automatically route to approvers based on security policies, then approvers set the access duration. Users can also instantly get time-bound access based on attributes like on-call status.\n\nWith Doppler + Indent you can:\n\n- Make access to secrets temporary and auto-expiring\n- Streamline onboarding new hires\n- Standardize permissions across roles\n- Holistically transfer permissions when an employee moves to a new role\n- Securely offboard users by instantly revoking access\n\nConnecting SecretOps and access controls has never been easier!\n\n## Try the interactive demo below:\n\n_Interactive demo embedded on the original post._\n\n## Get Started Using Doppler + Indent\n\nTo get started with Doppler and Indent, you’ll need a Doppler account, then follow these steps:\n\n- First, create an Indent space (and choose Slack / email)\n- Follow the instructions in the [Doppler + Indent docs](https://indent.com/docs/integrations/doppler) for installing the integration\n- Start making requests for temporary or permanent access to Doppler secrets\n","hero":{},"authors":[{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"},{"id":"paulburt","name":"Paul Burt","image":"/static/images/blog/avatars/paulburt.png","title":"Customer Engineer","twitter":"ThatMightBePaul"}],"kind":"blog/post"},{"name":"boundary","title":"Indent for Boundary: Secure Identity-based Remote Access","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Indent for Boundary:
Secure Identity-based
Remote Access","ogImagePlusLogo":"https://www.datocms-assets.com/2885/1533837661-hashicorpiconwhite.svg","description":"Get time-bound, identity-based remote access.","noSidebar":false,"heading":"","date":"2023-01-19T17:30:00.000Z","content":"\nToday we’re excited to unveil the new [HashiCorp Boundary](https://www.boundaryproject.io/) + Indent integration.\n\nBoundary keeps up with the dynamism of cloud infrastructure.\n\nRather than granting blanket access to instances, databases, and other sensitive systems, Boundary can authenticate users and control access to resources using user identity, instead of relying on constantly changing abstract IP addresses.\n\nUsers are able to authenticate through their identity provider and authorize access based on roles and services. With Boundary you can also manage dynamic infrastructure and integrate service registries, so hosts and service catalogs are kept up-to-date.\n\nSo what do you get by pairing Boundary and Indent?\n\nOn-demand, least-privilege access to production environments.\n\nThe combination of Boundary + Indent helps you keep pace with the dynamism of the cloud, while providing access to just what you need to get the job done. No blanket permissions to large swathes of infrastructure, and no more indefinite and untracked access.\n\nWith the HashiCorp Boundary + Indent integration, you can:\n\n- Give users time-bound, auto-expiring access to specific apps and environments\n- Grant automatic access to users based on attributes like on-call status in PagerDuty, Incident.io, and Opsgenie\n- Allow temporary access to SSH, RDP, databases, and Kubernetes resources as authorized by your access controls and connected identity provider\n- Auto-revoke access after a configurable duration\n- Record comprehensive access logs for compliance audits\n\n## Try the interactive demo below:\n\n_Interactive demo embedded on the original post._\n\n## Set up Indent for Boundary\n\nTo start, you’ll need Boundary and Indent accounts. After that, granting time-bound access is just a few steps away:\n\n- First, create an Indent space and choose Slack / email notifications\n- Go to the [HashiCorp Boundary + Indent integration documentation page](https://indent.com/docs/integrations/boundary)\n- Start granting temporary access to Boundary services!\n","hero":{},"authors":[{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"},{"id":"paulburt","name":"Paul Burt","image":"/static/images/blog/avatars/paulburt.png","title":"Customer Engineer","twitter":"ThatMightBePaul"}],"kind":"blog/post"},{"name":"text2iam","title":"Introducing text2iam: Generate AWS IAM Policies with GPT-3","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Introducing text2iam:
Generate AWS IAM Policies
with GPT-3","ogImagePlusLogo":"","description":"Use GPT-3 from OpenAI to generate and explain IAM policies","noSidebar":false,"heading":"","date":"2022-12-02T18:30:00.000Z","content":"\nWriting AWS IAM policies can be split into 50% figuring out what you need it to do and 50% figuring out how to take what you can describe and translate into the AWS IAM policy schema.\n\nInstead of searching different phrases like \"S3 read only access policy\" on Google, we put together an experiment called: text2iam — the easiest way to generate and explain AWS IAM policies by using OpenAI GPT-3 under the hood.\n\nWith text2iam, you can describe the policy you’d like to create using natural language and it will generate the corresponding AWS IAM policy in JSON.\n\n\n
Give it a try!
\n
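Before pasting generated JSON into an account, it is worth doing the review the disclaimer at the end of this post asks for. As an added example that is not text2iam's code, here is a small Python lint pass over a policy document that flags the things a generated policy most often gets wrong: wildcard actions, IAM actions on `Resource: *`, and self-service IAM actions (key rotation, password changes) that are not scoped to the caller's own user via `${aws:username}`. It runs against two constructed documents: the credential-rotation policy shown further down in this post, which passes clean, and an over-broad `iam:*` on `*` variant, which does not.

```python
"""Minimal review pass for a generated IAM policy document (added example)."""
import fnmatch

# Constructed sample: the credential-rotation policy shown in this post.
ROTATE_OWN_CREDENTIALS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToRotateCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:UpdateAccessKey",
                "iam:DeleteAccessKey",
                "iam:CreateLoginProfile",
                "iam:UpdateLoginProfile",
                "iam:ChangePassword",
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
        }
    ],
}

# Constructed sample: a plausible "helpful" over-generalisation of the same
# request. Every user could then create keys for every other user.
OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Rotate", "Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
}

# IAM actions that should only ever target the caller's own user (lower-cased
# because IAM action names are case-insensitive).
SELF_SERVICE_IAM_ACTIONS = {
    "iam:createaccesskey", "iam:updateaccesskey", "iam:deleteaccesskey",
    "iam:createloginprofile", "iam:updateloginprofile", "iam:changepassword",
    "iam:createvirtualmfadevice", "iam:enablemfadevice", "iam:resyncmfadevice",
}


def _as_list(value):
    """IAM allows either a string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action patterns may contain * and ? wildcards; compare case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(policy):
    """Return (Sid, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("<policy>", "Version must be 2012-10-17; older versions treat "
                                     "${aws:username} as literal text"))
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource allows everything except the listed items"))
        actions = [str(a) for a in _as_list(stmt.get("Action", []))]
        resources = [str(r) for r in _as_list(stmt.get("Resource", []))]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        touches_iam = any(a == "*" or a.lower().startswith("iam:") for a in actions)
        if touches_iam and "*" in resources:
            findings.append((sid, "IAM actions on Resource * let the principal change any user, role or policy"))
        self_service = [a for a in actions
                        if any(_action_matches(a, s) for s in SELF_SERVICE_IAM_ACTIONS)]
        if self_service and not all("${aws:username}" in r for r in resources):
            findings.append((sid, "self-service IAM actions should be scoped to "
                                  "arn:aws:iam::*:user/${aws:username}"))
    return findings


if __name__ == "__main__":
    for name, doc in (("rotate-own-credentials", ROTATE_OWN_CREDENTIALS), ("overbroad", OVERBROAD)):
        print(name, lint_policy(doc) or "no findings")
```

A `Version` other than `2012-10-17` is flagged as well, because the older `2008-10-17` version treats `${aws:username}` as literal text, so the resource no longer matches the caller's user and the policy silently stops doing what the prompt asked for.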
\n\nHere are some examples:\n\n[![Example AI generated IAM policies](/static/blog/text2iam/example-iam-policies.png)](https://text2iam.com)\n\nWhile we were developing this experiment and validating with test cases, we realized that being able to explain existing AWS IAM policies could be just as helpful as creating new ones.\n\nYou can now convert:\n\n`Allows users to rotate their own credentials (api keys, passwords)`\n\nInto an AWS IAM policy like:\n\n```\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AllowUserToRotateCredentials\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:CreateAccessKey\",\n \"iam:UpdateAccessKey\",\n \"iam:DeleteAccessKey\",\n \"iam:CreateLoginProfile\",\n \"iam:UpdateLoginProfile\",\n \"iam:ChangePassword\"\n ],\n \"Resource\": \"arn:aws:iam::*:user/${aws:username}\"\n }\n ]\n}\n```\n\n\n\nObvious disclaimer: like all AI generated work, it’s not going to be perfect every time. You should review the policies before putting them in production.\n\nLet us know if you have any thoughts or feedback on text2iam and the rise of AI-assisted security policy generation. Mention us @indent on Twitter, or email us at open@indent.com.\n\nInterested in talking with our team about the security of your AWS account? Feel free to schedule time that works for you: indent.com/demo/request\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"gpt-3","name":"GPT-3","image":"https://github.com/openai.png","twitter":"openai"}],"kind":"blog/post"},{"name":"break-glass","title":"How to Break Glass: Choosing an Access Escalation Solution","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"How to Break Glass:
Choosing an Access
Escalation Solution","ogImagePlusLogo":"","description":"We've outlined the key questions all IT and security leaders need to ask as they evaluate break glass software for their business.","noSidebar":false,"heading":"","date":"2022-11-07T16:30:00.000Z","content":"\nIt’s hard to break glass without making a mess, or worse — getting cut.\n\nWe’ve talked to some of the brightest security minds in the business about the requirements they look for in an access management solution and made a break glass solution cheat sheet based on what they shared.\n\nAutomation can prevent unnecessary shattering of safeguards. With products like Indent, teams can reduce the need to break protocol while keeping the most-sensitive access under control `In Case Of Emergency`.\n\nIt doesn't take more than a quarter or two on a growing team to realize you can have all the “right” roles defined but when life happens, everything including those roles break too. Maintenance, either planned or unplanned, is required.\n\nShipping awesome features, fixing customer bugs quickly, and resolving incidents all require timely access to sensitive resources.\n\nTime to break some glass?\n\nEnsuring elevated access doesn’t persist after the incident is over can be difficult. Unblocking your on-call team with the access they need shouldn’t involve paging their skip-level in the middle of the night or tracking down the tiny shards from “breaking glass” during an audit.\n\nPlatforms like Indent work by granting time-bound role-based access in a user and compliance-friendly way. Indent connects tools across the stack from notifications, auto approvals, identity providers to networking.\n\nDefining what you need in a “Break Glass” solution can be difficult – what are the must-haves vs nice-to-haves? 
What should excellent vs passing look like?\n\nCut through the noise with our vendor evaluation worksheet and get insight into whether a given solution meets industry best practices and if it would work for your needs. From 20 employees to teams in the thousands, here’s what to look for on your journey to safer, faster access:\n\n
\n\n[![Access Escalation Solution Scorecard](/static/images/blog/content/indent-scorecard-copy.png)](https://docs.google.com/spreadsheets/d/1hyhNRK2RS804g3vLea2jncE15xWhMj2CYMX3R_ySGrs/view)\n\nIf you'd like your own copy to fill out or add more questions, follow these links:\n\n
- [View the scorecard →](https://docs.google.com/spreadsheets/d/1hyhNRK2RS804g3vLea2jncE15xWhMj2CYMX3R_ySGrs/view)\n- Make a copy →
\n\nTo get a copy of the evaluation form with Indent’s answers or if you have other questions/comments, you can [schedule time with our team here →](/demo#schedule)\n","hero":{},"authors":[{"id":"indent","name":"Indent","image":"/static/images/blog/avatars/indent.png","twitter":"indent"}],"kind":"blog/post"},{"name":"unplanned-maintenance-november-2022","title":"Unplanned Maintenance: Off-the-record Storytelling","ogTitle":"","fullTitle":"","ogImageUrl":"https://unplannedmaintenance.com/og-image.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Hear the honest account from some of the worst outages, vulnerabilities, and other engineering nightmares.","noSidebar":false,"heading":"","date":"2022-11-02T20:00:00.000Z","content":"\nHave you ever had an outage, SEV, or engineering disaster so bad that it haunts you months or years later?\n\nWe’re teaming up with our friends at [Tailscale](https://tailscale.com) to host an off-the-record “Unplanned Maintenance” event about some of the worst incidents and technical nightmares folks have encountered on Tuesday November 8th at 5:30pm PT in SoMa, San Francisco.\n\nCome listen to and share war stories, eat some tasty food, and have a distraction as the East Coast election results roll in. Win-Win-Win.\n\nSpace is super limited, so an invite is required for every person attending. We want this evening to feel more like friends shooting the breeze than a traditional meetup. Being vaccinated is required, but sharing a story isn’t.\n\nTo sign up for the waitlist for this event (or future ones) go to:\n\n
[unplannedmaintenance.com](https://unplannedmaintenance.com)
\n\nIf we aren’t able to fit you in or you’re not available / in SF this time, don’t worry!\n\nWe’re planning more “Unplanned Maintenance” events like this soon, so keep an eye out for those announcements.\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"figma","title":"Indent for Figma: Collaboration On-Demand","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Indent for Figma:
Collaboration On-Demand","ogImagePlusLogo":"https://upload.wikimedia.org/wikipedia/commons/thumb/3/33/Figma-logo.svg/800px-Figma-logo.svg.png?20190122211436","description":"Get time-bound access to view designs in Figma.","noSidebar":false,"heading":"","date":"2022-10-26T22:00:00.000Z","content":"\nFriction naturally occurs when teams collaborate on design.\n\nIn the book “Discussing Design”, Connor and Irizarry describe a common scenario:\n\n> Reactions and responses turn up in Reply All bullet points, fragments of disjointed and combined discussion threads, and even worse, piecemeal over a period of time. — [Discussing Design](https://bookshop.org/p/books/discussing-design-improving-communication-and-collaboration-through-critique-adam-connor/8126855?ean=9781491902400)\n\nThis is a nightmare when trying to iterate quickly.\n\nTo maintain flow while they create, share, test, and iterate designs, teams turn to [Figma](https://www.figma.com/).\n\nFigma is a popular tool that connects everyone in the design process so teams can deliver better products, faster. That’s why today we’re excited to announce the Figma + Indent Integration is now available.\n\nWith Figma, everyone involved in the design lifecycle from designers to implementers and stakeholders can be kept in the loop throughout an iterative design workflow.\n\nOptimized for sharing, presenting, and gathering feedback, and paired with real-time collaboration, it simplifies cross functional collaboration.\n\nAll design work, from ideation to execution, can be found in one place with searchable assets and shareable styles. This results in increased consistency across projects and teams, making it a great solution for organizations of all sizes.\n\nWith Indent, users can safely borrow auto-expiring Figma viewer access right from Slack. 
Admins are able to easily grant temporary access for users via time-bound membership of a corresponding identity group.\n\nRequests get automatically routed to approvers based on security policies, then approvers set the access duration. Indent logs all access related data and provides admins automated compliance audit evidence generation and streamlined user access reviews.\n\nWith Figma + Indent you can:\n\n- Share viewer access to design files that is time-bound and audit-logged\n- Secure files from unauthorized internal access by limiting indefinite permissions\n- Streamline onboarding for new hires who need to view in-progress designs\n\n## Set up Figma + Indent\n\nYou’ll need both an Indent account and a Figma Enterprise account. After that, granting time-bound access to Figma files is just a few steps away:\n\n- First, [create an Indent space](https://indent.com/demo) (and choose Slack / email)\n- Follow the instructions in the [Figma + Indent documentation](https://indent.com/docs/integrations/figma)\n- Start making requests for temporary access to Figma files\n","hero":{},"authors":[{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"},{"id":"paulburt","name":"Paul Burt","image":"/static/images/blog/avatars/paulburt.png","title":"Customer Engineer","twitter":"ThatMightBePaul"}],"kind":"blog/post"},{"name":"vercel","title":"Indent for Vercel: Temporary Access Roles","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Indent for Vercel:
Temporary Access Roles","ogImagePlusLogo":"https://assets.vercel.com/image/upload/front/favicon/vercel/180x180.png","description":"Get time-bound access to Vercel.","noSidebar":false,"heading":"","date":"2022-10-25T13:00:00.000Z","content":"\nFlow and automation.\n\nFlow is when devs are most productive, and automation is the key to unlocking flow.\n\nFor front-end devs, there is always flow-disrupting friction between coding and deploying.\n\nThat’s where [Vercel](https://vercel.com/) comes in.\n\nVercel is a developer platform that closes the gap between development and production, allowing developers to deploy to edge networks with no configuration required.\n\nAll the backend minutia to actually run the web application like scaling, caching, and failover gets automatically handled.\n\nAs a central component of the software supply chain, protecting your Vercel instance from unauthorized changes is critical. A well meaning employee or bad actor with too much access would be able to negatively impact both the security and operation of your web application. They would also be able to modify your other sensitive systems like serverless and edge functions that contain important business logic.\n\nThat’s why we’re excited to announce the Indent + Vercel integration.\n\nWith the integration, developers can request secure, time-bound Vercel access to develop, preview, and ship their code.\n\nUsing the Vercel + Indent integration you can:\n\n- Protect your web application and enforce change management controls\n- Give secure, on-demand production access in seconds\n- Make on-boarding & off-boarding front-end developers easier\n\nVercel also built [Next.js](https://nextjs.org) and is hosting [Next.js Conf](https://nextjs.org/conf) today (October 25, 2022) — you can see us there at the hybrid events in San Francisco and London.\n\nFeel free to say hi:\n\n
nextconf@indent.com\n\n## Interactive Demo\n\n_Interactive demo embedded on the original post._\n\n
\n\n## Using Vercel + Indent Together\n\nGetting access to Vercel can happen in two main ways. You can join a team using your Vercel account, or you can be automatically added to a team through your identity provider (SSO).\n\nFor repos with sensitive deployments, organizations often want to reduce the number of members on a team, and the best way to do that is with temporary access. Easy-to-use temporary access is what Indent does.\n\nOnce you have the Vercel + Indent integration set up, requesting access looks like:\n\n1. Typing `/access` in Slack, or clicking the **request** button in your browser\n1. Indent’s policy engine approves you in seconds, or routes your request to the right person\n1. On approval, your account is added to the team with the right role, and everything from grant to revocation is recorded in a petition for compliance auditing\n\nOnce you have access, you’re able to do what you need. You can tweak your Git setup, view billing info (if you have a billing role), or modify serverless functions. These tasks can involve sensitive data, or have a lot of other parts of the system depending on them.\n\nIndent’s temporary, secure request process should keep everyone happy, while maintaining their state of flow.\n\n## Set up Vercel + Indent\n\nYou’ll need both an enterprise Vercel account and an Indent account. 
After that, granting time-bound access to Vercel is just a few steps away:\n\n- First, [create an Indent space](https://indent.com/demo) (and choose Slack / email)\n- Follow the instructions in the [Vercel + Indent documentation](https://indent.com/docs/integrations/vercel)\n- Start making requests for temporary or permanent access to Vercel\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"nataliemarleny","name":"Natalie Marleny","twitter":"nataliemarleny","image":"/static/images/blog/avatars/nataliemarleny.png","title":"Software Engineer"}],"kind":"blog/post"},{"name":"opsgenie","title":"Indent for on-call: Instant Access Escalation with Opsgenie","ogTitle":"","fullTitle":"Indent for on-call: Opsgenie Integration","ogImageUrl":"","ogImageTitleHtml":"Indent for on-call:
Opsgenie Integration","ogImagePlusLogo":"","description":"We’re delighted to announce the Opsgenie + Indent integration.","noSidebar":false,"heading":"","date":"2022-10-14T16:45:00.000Z","content":"When your service is down, who you gonna call? Outagebusters (aka your on-call engineers)! To be able to respond quickly, it’s crucial that the people on-call have all of the necessary permissions. While we might all wish that things only broke during business hours, unfortunately that isn’t reality. \n\nSo how do those folks get access?\n\nNobody wants to be woken up at 2 am just to grant production database access to an on-call engineer. You could manually add and remove privileges based on on-call schedule, but who has time for that? And just passing out standing admin access to sensitive systems is clearly not the answer. \n\nSo what do you do? Pair Opsgenie + Indent! \n\n[Opsgenie](https://www.atlassian.com/software/opsgenie) gives your scheduled Outagebusters a heads up when things are broken and gives them the critical information they need to jump in and get to fixin. More specifically, it facilitates on-call scheduling, notifications, and incident analytics. \n\nHow does it work? It ingests data from your monitoring, ticketing and chat tools and groups similar alerts into incidents. Yay less noise! It then references your on-call schedule and pings the appropriate parties that it’s time to rise and shine. \n\nIt also gives you visibility into the nuts and bolts of your on-call response. What’s breaking the most? How fast did folks respond? Who’s being pinged too much? Opsgenie adds clarity and accountability when outages happen. 
\n\nUsing Opsgenie + Indent you can:\n- Notify the correct people to respond to an incident\n- Give secure, on-demand production and customer data access in seconds based on Opsgenie on-call status \n- Auto-revoke access after a configurable duration \n- Record comprehensive access logs for compliance audits\n\n## Opsgenie + Indent In Practice\n\nSo, your app blew up. How do you get access to it? You might be in an organization where you have standing access to Prod (yikes!), or an org where you need to contact someone in IT and get them to elevate your permissions (also yikes).\n\nHere’s what getting access looks like with the Opsgenie + Indent integration. Indent confirms you’re on-call and need access. You now have access, and an auditable log of events is saved for future review or regulatory compliance. It’s that easy!\n\nOr, in a bit more detail, here’s the chain of events from an incident kicking off:\n\n1. You’re on-call and your app starts misbehaving\n1. Opsgenie detects the issue, and alerts you\n1. You type `/access` in Slack or click the “request access” button on Indent.com\n1. Indent automatically elevates your privileges since the Opsgenie + Indent integration indicates you’re currently on-call\n1. You SSH into the server (likely using a secure service like Tailscale or Twingate)\n\n```sh\n$ ssh ec2-user@prod-apac-kermit\n…\n$ ps aux | grep misbehaving_process\n```\n\n## Getting Started\n\nCool, so what do you need to do to get that setup? You’ll obviously need Opsgenie and Indent. After that, it’s really your choice for how you prefer to grant access. Is it behind SSO with Okta? Maybe, through a secure networking service like [Tailscale](https://indent.com/blog/tailscale) or [Twingate](https://indent.com/blog/twingate)? Or, possibly directly through something like AWS. Indent integrates with all of the above. What’s needed follows:\n\n1. Create Indent space (choose Slack / email).\n1. 
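The escalation this post describes (request, on-call check, automatic approval, automatic revocation) comes down to one decision that is worth seeing in code. As an added example, not Indent's or Opsgenie's code, here is that decision in Python, run against a constructed response shaped like Opsgenie's schedule on-call lookup: approve only if the requester is a current on-call participant of the schedule that owns the resource, cap the grant at a configured maximum so it expires on its own, and record every decision for audit. The resource-to-schedule mapping, the four-hour cap and the names are assumptions.

```python
"""On-call gated access: approve only while the requester is on-call, then expire (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed response in the shape of Opsgenie's GET /v2/schedules/{id}/on-calls,
# trimmed to the fields the check uses.
ONCALL_RESPONSE = {
    "data": {
        "_parent": {"id": "sched-apac", "name": "apac_backend", "enabled": True},
        "onCallParticipants": [
            {"id": "u-1", "name": "kermit@example.com", "type": "user"},
        ],
    }
}

# Assumed: which schedule may justify access to which resource, and the
# longest an auto-approved grant may live before it is revoked.
RESOURCE_SCHEDULE = {"ssh:prod-apac": "apac_backend"}
MAX_AUTO_GRANT = timedelta(hours=4)


@dataclass
class Decision:
    approved: bool
    reason: str
    expires_at: Optional[datetime]


def current_on_call(response, schedule_name):
    """Users on-call right now for the named schedule. Empty (fail closed) if the
    schedule is disabled or the response belongs to a different schedule."""
    data = response.get("data", {})
    parent = data.get("_parent", {})
    if parent.get("name") != schedule_name or not parent.get("enabled", False):
        return set()
    return {p["name"] for p in data.get("onCallParticipants", []) if p.get("type") == "user"}


def decide(requester, resource, requested, oncall_response, now, audit_log):
    """Auto-approve when on-call status justifies it; otherwise leave the request
    for a human reviewer. Every outcome is appended to audit_log."""
    schedule = RESOURCE_SCHEDULE.get(resource)
    if schedule is None:
        decision = Decision(False, f"{resource} has no on-call schedule; route to a reviewer", None)
    elif requester not in current_on_call(oncall_response, schedule):
        decision = Decision(False, f"{requester} is not on-call for {schedule}; route to a reviewer", None)
    else:
        # Cap the duration: being on-call justifies access during the incident, not the whole shift.
        decision = Decision(True, f"{requester} is on-call for {schedule}", now + min(requested, MAX_AUTO_GRANT))
    audit_log.append({
        "at": now.isoformat(),
        "requester": requester,
        "resource": resource,
        "approved": decision.approved,
        "expires_at": decision.expires_at.isoformat() if decision.expires_at else None,
        "reason": decision.reason,
    })
    return decision


def is_active(decision, now):
    """The grant is usable only before expiry; revocation needs no separate action."""
    return decision.approved and decision.expires_at is not None and now < decision.expires_at


def run_scenario():
    """Worked scenario: an on-call user asks for 8h, a non-on-call user asks for 1h."""
    log = []
    t0 = datetime(2022, 10, 14, 2, 0, tzinfo=timezone.utc)
    on_call = decide("kermit@example.com", "ssh:prod-apac", timedelta(hours=8), ONCALL_RESPONSE, t0, log)
    not_on_call = decide("piggy@example.com", "ssh:prod-apac", timedelta(hours=1), ONCALL_RESPONSE, t0, log)
    return {
        "on_call_approved": on_call.approved,
        "granted_hours": (on_call.expires_at - t0).total_seconds() / 3600,
        "active_at_3h": is_active(on_call, t0 + timedelta(hours=3)),
        "active_at_5h": is_active(on_call, t0 + timedelta(hours=5)),
        "not_on_call_approved": not_on_call.approved,
        "audit_entries": len(log),
    }


if __name__ == "__main__":
    print(run_scenario())
```

A disabled schedule, or a response for a different schedule, yields an empty on-call set, so the request falls through to a human reviewer instead of being approved by default; that fail-closed branch is the one to exercise when wiring up a real webhook, because an integration that approves on a missing field is worse than standing access.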
Go to indent.com/catalog/opsgenie to get the webhook secret for the integration.\n1. Follow our documentation for instructions on setting up Indent with Opsgenie.\n1. Pick your method of granting access, and follow the guide for setting that up on Indent. [Okta Groups](https://indent.com/docs/integrations/okta-groups), [Tailscale](https://indent.com/docs/integrations/tailscale), and [AWS](https://indent.com/docs/integrations/aws-iam) are all great options.\n1. Start automatically granting secure and temporary access during incidents.\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"bitwarden","title":"Indent for Bitwarden: On-Demand Vault Access","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Indent for Bitwarden:
On-Demand Vault Access","ogImagePlusLogo":"","description":"Get time-bound access to Bitwarden vaults.","noSidebar":false,"heading":"","date":"2022-10-11T18:30:00.000Z","content":"\nOut of all the ways for a team to store and share passwords, the most secure way is with a password manager. [Bitwarden](https://bitwarden.com/) is a popular open-source password manager with cutting-edge security features. That’s why today we’re excited to announce the Bitwarden + Indent Integration is now available.\n\nAvailable with cross-platform support and in 50 languages, Bitwarden works wherever you are. Users are able to store all types of sensitive data, transmit it securely to anyone, and get health reports for their vaults, making it a great solution for organizations of all sizes.\n\nWith Indent, Bitwarden users can securely borrow auto-expiring access to shared accounts like social media, content distribution networks, and app store publisher accounts, all from Slack. Access requests get automatically routed to approvers based on security policies, then approvers set the access duration. Users can also instantly get time-bound access based on attributes like on-call status. Indent logs all access-related data and provides admins automated compliance audit evidence generation and streamlined user access reviews.\n\nThe integration allows employees to quickly get temporary access to role-specific Bitwarden vaults by requesting time-bound membership of the corresponding identity groups.\n\nWith Bitwarden + Indent you can:\n\n- Make access to sensitive resources temporary and auto-expiring\n- Streamline onboarding new hires\n- Standardize permissions across roles\n- Holistically transfer permissions when an employee moves to a new role\n- Securely offboard users by instantly revoking access\n\n## Try it below\n\n_Interactive demo embedded on the original post._\n\n## Set up Bitwarden + Indent\n\nYou’ll need both Bitwarden and Indent accounts. After that, granting time-bound access to vaults is just a few steps away:\n\n- First, [create an Indent space](https://indent.com/demo) (and choose Slack / email)\n- Follow the instructions in the [Bitwarden + Indent documentation](https://indent.com/docs/integrations/bitwarden)\n- Start making requests for temporary or permanent access to password vaults\n","hero":{},"authors":[{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"},{"id":"paulburt","name":"Paul Burt","image":"/static/images/blog/avatars/paulburt.png","title":"Customer Engineer","twitter":"ThatMightBePaul"}],"kind":"blog/post"},{"name":"1password","title":"Indent for 1Password: Time-bound Vault Sharing","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Indent for 1Password:
Time-bound Vault Sharing","ogImagePlusLogo":"","description":"Get time-bound access to 1Password vaults on-demand.","noSidebar":false,"heading":"","date":"2022-10-06T16:30:00.000Z","content":"\nRemember the last time you wrote a password down on a sticky note? Or sent one over Slack? A nightmare for security and IT teams is a daily practice for some users.\n\nThis barely works initially when a company is in its earliest stages to store credentials for shared accounts. But it's simply not secure, and definitely won't scale as the team grows.\n\nMost companies end up selecting a password manager to solve that problem. However, this makes for yet another thing new hires need to be granted access to during their onboarding.\n\nAdnan Alam, Head of IT for [PlanetScale](/customers/planetscale), runs point for onboarding new PlanetScale employees into their technology stack. At the rate that PlanetScale is growing, that often means he’s doing concurrent onboarding for multiple new hires.\n\nPlanetScale uses 1Password vaults to store credentials, secrets and shared account passwords for their entire organization. Millions of people and over 100,000 businesses trust 1Password to safeguard their most sensitive information.\n\n1Password makes it easy to create and use strong passwords, and log in to sites and services with a single click. 
In one of our chats with Adnan, he mentioned that he’d like an integration between 1Password and Indent.\n\n> “Ideally, we want a way to have people request access to the Okta group that corresponds with the vault they need, which would make onboarding really easy.” - Adnan Alam, Head of IT, [PlanetScale](/customers/planetscale)\n\nThat made sense to us, so we got to work.\n\nThe 1Password + Indent integration, available now, allows employees to quickly get temporary access to role-specific 1Password vaults by requesting time-bound membership of the corresponding identity groups.\n\nAccess requests get automatically routed to approvers based on security policies, then approvers set the access duration. Users can also instantly get time-bound access based on attributes like on-call status.\n\nWith 1Password + Indent you can:\n\n- Streamline onboarding new hires\n- Standardize permissions across roles\n- Holistically transfer permissions when an employee moves to a new role\n- Securely offboard users by instantly revoking access\n\n> “With Indent, now we can easily grant time-bound access to any of our 1Password vaults without any extra headache.” - Adnan Alam, Head of IT, [PlanetScale](/customers/planetscale)\n\nTry the interactive demo below:\n\n_Interactive demo embedded on the original post._\n\n### Using 1Password + Indent\n\nYou’ll need a 1Password Business account with admin permissions. After that, granting time-bound access to vaults is just a few steps away:\n\n- First, [create an Indent space](https://indent.com/demo) (and choose Slack / email)\n- Follow the instructions in the [1Password + Indent documentation](https://indent.com/docs/integrations/1password)\n- Start making requests for temporary or permanent access to password vaults\n\n
\n\n---\n\n
\n\nNot yet a 1Password Business customer? We're excited to partner with 1Password to offer 25% off the first year for new customers who sign up! You can use coupon code `INDENT251Y` or click this link to [get 25% off a Teams or Business subscription](https://start.1password.com/sign-up/plan?c=INDENT251Y).\n","hero":{},"authors":[{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"},{"id":"paulburt","name":"Paul Burt","image":"/static/images/blog/avatars/paulburt.png","title":"Customer Engineer","twitter":"ThatMightBePaul"}],"kind":"blog/post"},{"name":"scan","title":"Introducing Indent Scan: do you know who has access?","ogTitle":"","fullTitle":"Indent Scan: do you know who has access?","ogImageUrl":"","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Introducing Indent Scan to easily find potential security issues.","noSidebar":false,"heading":"","date":"2022-10-05T21:30:00.000Z","content":"\nWhen companies are just starting out, everyone practically has access to everything; with one or two people setting things up and sharing with the team along the way.\n\nIt doesn't take long before there's a group for **finance@**, **legal@** or **privacy@** and yet everyone still has access. When the CEO creates an **exec@** group for their newly minted exec team, do they know that the default settings are \"Anyone can view conversations\" and \"Anyone can join the group\"? What about the **auth-prod@** group that gates access to internal tools?\n\nRead on to learn why we built a free tool [**Indent Scan**](https://indent.com/scan) to make finding potential security violations in your stack as easy as possible — starting with Google Groups.\n\n[![Screenshot of example scan report](https://indent.com/static/images/features/scan/feature_report.png)](https://indent.com/scan)\n\nAt a certain point, it becomes challenging to keep track of all of the groups handling sensitive matters. 
It’s easy for users _cough_ executives _cough_ to spin up new groups and not understand the implications of the default settings.\n\nWhen trying out the scanner, some admins discovered executive, compliance, and legal groups left wide open for anyone to view their conversations or join. It would only take one bad actor finding those groups to cause a major incident.\n\nWe built [**Indent Scan**](https://indent.com/scan) to give admins a tool to uncover key resources with problematic settings for their risk levels and a way to easily remediate them.\n\nInitially, you can use the scan tool to find which sensitive groups in your Google Workspace have overly permissive viewing and joining settings. We’ll also make recommendations for the correct settings, and show you how to update them.\n\nThis is just the beginning of [**Indent Scan**](https://indent.com/scan) though. Misconfigured permissions are pervasive beyond Google Groups. We’ll be expanding the Indent Stack Scanner’s functionality to work with additional tools like Okta, GitHub Repos/Teams, and other in-scope vendors.\n\nIn the future, [**Indent Scan**](https://indent.com/scan) will have the ability to automatically update the settings and route to group owners for approval. Stay tuned for updates!\n\nHere’s an [interactive example scan report →](https://indent.com/scan/example)\n\nOnce you're ready to see your own scan results:\n\n- **Step 1: Install the Indent Scan tool** — [start now →](https://indent.com/scan/install)\n - Log into Indent or create an account\n - Connect your Google Workspace\n- **Step 2: Scan your Google Workspace**\n - View suggested risk categorizations for each Google group\n - Surface high and medium risk groups with default or misconfigured settings\n- **Step 3: Remediate and lock down**\n - Review and adjust risk levels or implement security recommendations\n - Shift to an [On-Demand Access Control (ODAC)](/blog/announcing-indent) model to limit access\n\n
\n\n---\n\n
\n\nHave questions, need any help or want to see a demo?\n\nFeel free to [schedule time with our team →](https://indent.com/demo?ref=scan-blog#schedule)\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"nataliemarleny","name":"Natalie Marleny","twitter":"nataliemarleny","image":"/static/images/blog/avatars/nataliemarleny.png","title":"Software Engineer"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"compliance-platforms-secureframe-vanta-drata","title":"Indent for Compliance: Better Audit Evidence Without Exception","ogTitle":"","fullTitle":"Indent for Compliance: Better Audit Evidence Without Exception","ogImageUrl":"","ogImageTitleHtml":"Indent for Compliance:
Better Audit Evidence
Without Exception","ogImagePlusLogo":"","description":"Becoming and staying compliant with one or more compliance frameworks is critical for the growth of any organization","noSidebar":false,"heading":"","date":"2022-09-27T19:00:00.000Z","content":"\nBecoming and staying compliant with one or more compliance frameworks is critical for the growth of any organization. Getting up-to-speed on compliance requirements and defining (let alone understanding) controls is incredibly time-consuming. This results in a high opportunity cost for DIY-ing your audit prep.\n\nWorking with a compliance platform will save you valuable time and allow you to stay focused on the pieces of your business that you do best. \n\nToday we’re excited to share our workflows for three of the leading compliance platforms: Secureframe, Vanta, and Drata. \n\nBy using a compliance platform + Indent together you can have:\n- Fast, time-bound on-demand access\n- Auto generated audit evidence for access and change management controls\n- Remote-friendly onboarding and offboarding\n- Low-effort access reviews\n\n## Simplifying compliance with Indent\n\nA friction-free approvals workflow allows approvers to grant and set access duration via Slack. This means requesters get access in seconds, not days. By granting time-bound access, fewer users retain access that needs to be reviewed. This simplifies quarterly access reviews, which can also be completed in Indent. \n\n**Start by setting up your policies:** Indent’s policy engine is just one more tool that helps teams stay compliant with whatever framework you’re pursuing. For instance, setting access requests to notify the requester’s manager for approval is as easy as checking a box. Once you have your policies in place, your team can start requesting and approving access. 
\n\n**Complete periodic access reviews:** Every time someone requests access, Indent automatically documents it.\n- Access request details such as: who requested, business reason, which system or permission, and for how long\n- Reviewer details such as: who, when, and if necessary, remedial actions taken\n\nTo perform an access review, you can use filters to review access on a per-system or per-user basis. You can filter and select personnel, view the access they have, and perform any necessary revocations. On a per-user basis, you can offboard them and revoke all their access in just two clicks. \n\n![Audit evidence ready to export from Indent into your compliance platform](/static/blog/access-reviews/access-control-report.png)\n\n**Export your evidence:** Your access review data and your aggregated access logs get compiled into the Access Control Report page in the Indent dashboard. There you can easily configure the date ranges for the audit and download your evidence. All that’s left to do then is to upload it into your compliance platform. Some auditors will ask for screenshots of the export parameters or follow up with requests for sample selection, all of which you can do easily in the Indent dashboard.\n\n## Choose a platform and get started\n\n\n\n[Secureframe](https://secureframe.com) helps you automate and streamline security, privacy and compliance. They provide automated guardrails and give you greater visibility of compliance across your stack. Get detailed risk reports and real-time alerts on non-conformities in your tech stack as they appear—so you have the information you need to achieve and maintain continuous compliance. \n\nYou can also design and bootstrap security policies from their library to satisfy compliance requirements like SOC 2, HIPAA, ISO 27001, PCI DSS, GDPR, CCPA, and regional privacy laws. 
\n\nSoon, Secureframe will release their [Trust API](https://secureframe.com/blog/trusted-partner-program), allowing us to build an integration that will remove all of the manual steps described above. We’re excited that our customers will be able to automatically sync audit evidence into Secureframe without any extra work. \n\nGet started: [Secureframe + Indent docs →](https://indent.com/docs/integrations/secureframe)\n\n
\n\n\n\nWith [Vanta](https://vanta.com) teams can become compliant in weeks not months, and get the certifications they need to build trust and close deals. It integrates with the tools you already love so you have total visibility into what is going on across your organization. Vanta runs hourly checks and flags gaps as they arise, making them easier to squash. It even simplifies the development, implementation, and mapping of your security policies with policy templates.\n\nRecently Vanta announced their [Connectors API](https://www.vanta.com/resources/introducing-vantas-connectors-api). We’re stoked that we’ll soon be able to automate the above steps by integrating directly with Vanta. Stay tuned for that announcement! \n\nGet started: [Vanta + Indent docs →](https://indent.com/docs/integrations/vanta)\n\n
\n\n\n\n[Drata](https://drata.com) continuously monitors and collects evidence of a company’s security controls, while streamlining compliance workflows end-to-end to ensure audit readiness. It integrates with many popular tools, so you have total visibility into what is going on across your organization. \n\nGet started: [Drata + Indent docs →](https://indent.com/docs/integrations/drata)\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"access-reviews","title":"Simplifying compliance with User Access Reviews","ogTitle":"","fullTitle":"Indent for Compliance: User Access Reviews","ogImageUrl":"https://indent.com/static/og/indent-blog-reviews.png","ogImageTitleHtml":"","ogImagePlusLogo":"","description":"Introducing Access Reviews for compliance teams.","noSidebar":false,"heading":"","date":"2022-09-15T18:00:00.000Z","content":"\nThere is no off season for compliance work.\n\nEven with an annual reporting period, SOC 2 and other major regulatory frameworks require periodic access reviews for sensitive systems. For many growing teams, this can eat up a handful of precious days of each quarter.\n\nAt Indent, we create workflows that simplify access controls, without adding friction for end users. With on-demand access, you’ll spend less time reviewing access requests. 
Because that access is time-bounded, it also reduces the surface area of your periodic user access reviews.\n\nTo perform periodic access reviews while simultaneously gathering audit evidence, today we’re launching user access reviews and exportable access reports.\n\nWithin the Indent dashboard you’ll now have a complete workflow to document change management for your access controls.\n\n## Access Reviews and Audit Evidence with Indent\n\nLet’s take a look at the workflow!\n\nFirst, Indent continuously logs every access request. This documents:\n\n- Access request details such as: who requested, business reason, which system or permission, and for how long\n- Reviewer details such as: who, when, and if necessary, remedial actions taken\n\nSo, now that the quarter is over, you need to review all the production access that was granted within a specific timeframe (e.g. 90 days). If an end user is identified as having unauthorized access, that access needs to be revoked.\n\nTo perform an access review, you can use filters to review access on a per-system or per-user basis. You can offboard terminated employees and revoke all their access in just two clicks.\n\n![View the user's existing access and offboard in two clicks](/static/blog/access-reviews/resource-page-showing-user.png)\n\nOnce you’ve completed the access review, navigate to the Access Control Report. There you can easily configure your audit period and download a CSV/XLS export of your evidence:\n\n![Generate audit evidence with the Indent Access Control Report](/static/blog/access-reviews/access-control-report.png)\n\nFinally, upload the export into your compliance platform to centralize your audit evidence. Some auditors will ask for screenshots of the export parameters or follow up with requests for sample selection, all of which you can do easily in the Indent dashboard.\n\nStay tuned for automated scheduled reviews coming in the next few months. 
Based on the compliance framework(s) that you’ve chosen, Indent will be able to automatically identify and surface access to be reviewed based on your compliance requirements.\n\nHere’s a sneak peek:\n\n![Continuously manage access with quarterly reviews](/static/blog/access-reviews/detailed-access-review.png)\n\nBy granting time-bound access that’s reviewed upon request, you’ll be able to strengthen your security practices and avoid audit exceptions. Win-Win.\n\n## Stay compliant with Indent\n\nIndent can help you satisfy your compliance initiatives and requirements for frameworks such as SOC 2, SOX, HIPAA, and FINRA. Here’s how Indent supports access controls:\n\n| Sample Controls
(Access Control and Change Management) | Indent |\n| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| Production cloud infrastructure is restricted to only team members. | • Time-bound, on-demand production access
• Instant on-call access escalation |\n| Administrative access to production servers and databases are restricted to the Engineering team and Senior Management. | • Time-bound, on-demand production access
• Access approval routing via defined policies |\n| Users are provisioned access to systems based on the principle of least privilege. The Engineering team approves any access to production systems. | • Time-bound, on-demand production access
• Password vault access provisioning based on role type and responsibilities
• Access approval routing via defined policies |\n| Upon termination of personnel or when internal users no longer require access, infrastructure and application access is removed within one business day. | • Time-bound, on-demand production access
• Bulk persistent access revocations through access reviews page or password vaults |\n| System owners conduct quarterly user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities. Identified access changes are tracked to remediation. | • Access reviews page
• Access Control Report |\n| Code merge requests are independently peer reviewed prior to integrating the code change into the master branch. | • Time-bound, on-demand production access |\n| System users who make changes to the development system are unable to deploy their changes to production without independent approval. | • Time-bound, on-demand production access |\n\n\n\n
\n\nFor users, admins, and compliance DRIs, Indent has the workflows that make getting, approving, and reviewing access a compliant breeze. The evidence generated in the Indent Access Control Report is tailored to exactly what auditors want. With a single click you can export that evidence as a CSV, upload it, and move on to the next thing on your to-do list.\n\n## Get Started\n\nTo learn more about how Indent can help you solve access control and provide audit evidence, talk to our team for a 1:1 demo and walkthrough of your use cases: [indent.com/demo →](https://indent.com/demo)\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"pagerduty","title":"On-Call Access Escalation with PagerDuty + Indent","ogTitle":"","fullTitle":"Indent for on-call: PagerDuty Integration","ogImageUrl":"","ogImageTitleHtml":"Indent for on-call:
PagerDuty Integration","ogImagePlusLogo":"","description":"We’re delighted to announce the PagerDuty + Indent integration.","noSidebar":false,"heading":"","date":"2022-08-30T13:00:00.000Z","content":"\nThings break, and when they do, your on-call team jumps into motion like the capeless heroes they are (unless you count the hood on a hoodie as a cape). A key element to fast response is elevated privileges to access production and customer data.\n\nBut if it’s 2 am, who is granting that access?\n\nManagers don’t want to be woken up just for that. They also don’t want to manually add and remove admin privileges at the start of each new on-call schedule. And you certainly don’t want to give standing production and customer data access to every engineer.\n\nThat is a recipe for Things Going Wrong™.\n\nSo what do you do? Pair [PagerDuty + Indent](https://pagerduty.com/integrations/indent)!\n\nWhen using PagerDuty and Indent together, you can:\n\n- Notify the correct people to respond to an incident\n- Give secure, on-demand production and customer data access in seconds based on PagerDuty on-call status\n- Auto-revoke access after a configurable duration\n- Record comprehensive access logs for compliance audits\n\n“We're excited about Indent’s new integration and solution for getting on-call engineers’ production and customer data access quickly in a secure, time-bound way. This can reduce incident response times and make sensitive systems more secure.”\n\n— Steve Gross, Sr. Director of Global Technology Ecosystem, PagerDuty\n\nGive it a try in our interactive demo below:\n\n[PagerDuty](https://www.pagerduty.com/) helps teams improve service quality for their customers. It facilitates on-call scheduling and escalations and ensures that the right individual or teams are notified when operational issues and incidents happen.\n\nHow does it work? 
It ingests data from your IT Service Management (ITSM) and other customer service tools. It can group similar alerts into incidents, and only send what’s relevant to on-call teams via whichever channel they prefer. Those on-call folks can be pinged from their device of choice, so unless they’re really into that whole retro thing, no actual pagers need to be involved.\n\nPagerDuty saves your teams’ sanity by eliminating noise from multiple tools, creating a clear signal for your team to follow during incidents. Services and components are mapped to your actual infrastructure, so you aren't getting redundant pings. It also centralizes important information for each service like team ownership, the present on-call team member, historical alerts and incidents, dependent services, and preferred communication channels.\n\n## PagerDuty + Indent In The Wild\n\nSo, your app blew up. How do you get access to it? You might be in an organization where you have standing access to Prod (yikes!), or an org where you need to contact someone in IT and get them to elevate your permissions (also yikes).\n\nHere’s what getting access looks like with the PagerDuty + Indent integration. Indent confirms you’re on-call and need access. You now have access, and an auditable log of events is saved for future review or regulatory compliance. It’s that easy!\n\nOr, in a bit more detail, here’s the chain of events from an incident kicking off:\n\n1. You’re on-call and your app starts misbehaving\n1. PagerDuty detects the issue, and alerts you\n1. You type `/access` in Slack or click the “request access” button on Indent.com\n1. Indent automatically elevates your privileges since the PagerDuty + Indent integration indicates you’re currently on-call\n1. You SSH into the server (likely using a secure service like Tailscale or Twingate)\n\n```sh\n$ ssh ec2-user@prod-apac-kermit\n…\n$ ps aux | grep misbehaving_process\n```\n\n## Getting Started\n\nCool, so what do you need to do to get that set up? 
You’ll obviously need PagerDuty and Indent. After that, it’s really your choice for how you prefer to grant access. Is it behind SSO with Okta? Maybe, through a secure networking service like Tailscale or Twingate? Or, possibly directly through something like AWS. Indent integrates with all of the above. What’s needed follows:\n\n1. Create Indent space (choose Slack / email)\n1. Go to https://indent.com/catalog/pagerduty to get the webhook secret for the integration\n1. Follow our documentation for instructions on setting up Indent with PagerDuty\n1. Pick your method of granting access, and follow the guide for setting that up on Indent. Okta Groups, Tailscale, and AWS are all great options\n1. Start automatically granting secure and temporary access during incidents\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"incidentio","title":"Indent for on-call: Auto approvals with incident.io","ogTitle":"","fullTitle":"Indent for on-call: incident.io Integration","ogImageUrl":"","ogImageTitleHtml":"Indent for on-call:
incident.io Integration","ogImagePlusLogo":"","description":"We’re delighted to announce the incident.io + Indent integration.","noSidebar":false,"heading":"","date":"2022-08-25T13:00:00.000Z","content":"\nIncidents can be as chaotic as a pack of puppies trying to get to a bowl of peanut butter. Engineers can see the goal; the issue is coordination. And that chaos is expensive: lost time results in missed revenue and lower customer satisfaction.\n\nTeams need centralized communication and automation to reduce chaos.\n\nThat’s why we’re excited to announce our integration with [incident.io](https://incident.io).\n\nBy using incident.io and Indent together you can:\n\n- Spin-up an incident Slack channel with all the appropriate stakeholders\n- Allow responders to claim roles and responsibilities during incidents\n- Get your response team secure on-demand access in seconds during an incident\n- Maintain SOC 2 compliance by having a bot auto approve the necessary access\n- Record accurate logs during incidents for compliance audits\n- Auto-revoke access after the incident is closed\n\nGive it a try in our interactive demo below:\n\nincident.io empowers teams to run incidents from start to finish, so they can rapidly fix and learn from incidents. It enables you to quickly spin up a dedicated Slack channel and call-bridge for your incident, so you can collaborate in one place and focus on running your incident without losing context.\n\nincident.io provides the guardrails to run incidents, by providing best practice automation and nudges. Within incident.io, you can assign key roles like Incident lead, and create and assign actions to ensure accountability. Need additional help? 
You can easily escalate an incident to the right person with a single click from within your incident channel.\n\nWhen your incident is over, incident.io generates a post-mortem and timeline for you so you can follow up effectively and learn from your incidents.\n\n## Auto approvals with incident.io\n\nLet’s say you’re seeing higher than normal latencies on prod. You register an incident with the `/incident` command. incident.io creates your command center in Slack, and team members start filing in. How do those team members get access to Grafana and the other resources they need to start investigating?\n\nThey’re able to type `/access` in Slack, and request access to the Operations Okta group to view more in-depth logs or system metrics in a tool like Grafana.\n\nThe incident.io + Indent integration makes all of this work:\n\n1. Someone opens an incident in incident.io\n1. On-call engineer requests access, and Indent automatically approves based on their incident role assignment to grant secure access to necessary resources\n1. All of this happens from Slack and is recorded for full auditability\n\n## Getting Started\n\nCool, so what do you need to do to get that set up? You’ll obviously need incident.io and Indent. Then you should:\n\n1. [Schedule a demo](/demo#schedule) or [sign up](https://indent.com/demo) for Indent\n1. Go to [indent.com/catalog/incidentio](https://indent.com/catalog/incidentio) to install the integration\n1. Follow [our documentation](https://indent.com/docs/integrations/incidentio) for instructions on setting up Indent with incident.io\n1. Configure the auto approval policies for resources to grant temporary on-call access\n1. 
Start granting temporary access during incidents!\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"twingate","title":"Indent for production access: On-demand access in Twingate","ogTitle":"","fullTitle":"Indent for Twingate","ogImageUrl":"","ogImageTitleHtml":"Indent for production access:
On-demand access in Twingate","ogImagePlusLogo":"","description":"We’re delighted to announce the Twingate + Indent integration.","noSidebar":false,"heading":"","date":"2022-08-03T16:30:00.000Z","content":"\nToday we’re excited to unveil the new [Twingate](https://www.twingate.com/?utm_source=indent&utm_medium=partner&utm_campaign=indent-integration&utm_content=blog) + Indent integration. Twingate replaces traditional corporate VPNs with a modern Zero Trust Network (ZTN).\n\nSupporting fast-growing cloud-native companies like Blend.com, Chargebee, and Bloomreach, Twingate allows companies to easily implement granular access controls, while providing performant peer-to-peer connections for end users. By [pairing Indent and Twingate](https://www.twingate.com/?utm_source=indent&utm_medium=partner&utm_campaign=indent-integration&utm_content=blog) you can have on-demand, least-privilege access to production environments.\n\nWith the Twingate + Indent integration, you can:\n\n- Give users time-bound, auto-expiring access to specific apps and environments\n- Allow temporary SSH connections between devices as authorized by your access controls and connected identity provider\n- Set up closed-by-default rules for the most sensitive nodes in your network to allow only senior engineering staff the ability to approve access for 30 minutes at a time or auto-approve while someone is on-call\n\nTry the interactive demo below and request access as me:\n\n## Purpose-driven Twingate access\n\nDuring onboarding, employees are given access to the tools and environments they need to do their jobs. For engineers at smaller companies, that often means being granted admin level privileges to sensitive systems like production environments. 
This helps the team move quickly.\n\nIn a smaller team, it’s easy to have the illusion that the chance of intentional or unintentional unapproved updates is small. However, mistakes and breaches happen even on small teams.\n\nThe awareness of the riskiness of standing admin permissions grows with the number of folks who have those permissions until the organization reaches a critical inflection point, whether it’s SOC 2 compliance, a breach, or an honest mistake. At that point, access goes from a free-for-all to being manually granted. This can be extremely painful for both the requesters and reviewers and incentivizes keeping/granting elevated privileges for longer than necessary.\n\nUsing Twingate with Indent helps change those incentives. Together they enable you to have a frictionless connection flow and add additional controls and automation to ensure compliance policies are adhered to and to create an additional layer of protection. For instance, you can ratchet up the controls for production vs staging to require that requests are approved by senior engineering staff or leadership.\n\n## Auto approvals for Twingate\n\nUsing an on-call provider as a source of truth, you can set up a bot to approve access based on a user’s on-call status while still producing auditable access evidence. Setting up on-call auto approvals facilitates fast access during incidents while maintaining compliance best practices.\n\nYou can set up auto approvals for Twingate with common on-call providers like PagerDuty, OpsGenie or even a list of authorized email addresses.\n\n## Using Twingate + Indent\n\nLet’s consider an example where you need your co-worker Jane’s feedback on some work in progress. You’re developing a new feature for a web app, so she needs to view that work in her browser. 
This kind of thing can sometimes be accomplished with duct tape, bash scripts, and some mental gymnastics.\n\nBut, the Twingate + Indent integration simplifies things.\n\nTwingate manages the connection details, and does so without the fuss of port forwarding or VPNs. Indent makes it easy for you to grant access when Jane needs to view your work. You have the option of granting indefinite access, or (for the privacy appreciators) access within a window of time. On-demand access is also kind of nice for ensuring Jane and other reviewers are not accidentally viewing a stale version of your work.\n\nTo make the magic happen, you'll need to:\n\n1. Make sure your dev server has a [Twingate connector running as a Docker container](https://docs.twingate.com/docs/connectors-on-linux). For first-time setup, that includes setting a few environment variables from your Twingate Connector page.\n\n2. Install the [Indent integration for Okta](https://indent.com/docs/integrations/okta).\n\n3. Set up your [Twingate Okta integration](https://docs.twingate.com/docs/okta-configuration).\n\n4. Start granting temporary access!\n\nAny questions? Feel free to reach out and we're happy to [schedule time for a demo](https://indent.com/demo).\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"tailscale","title":"Indent for production access: On-demand access in Tailscale","ogTitle":"","fullTitle":"Indent for Tailscale","ogImageUrl":"","ogImageTitleHtml":"Indent for production access:
On-demand access in Tailscale","ogImagePlusLogo":"https://tailscale.com/files/apple-touch-icon.png","description":"We’re delighted to announce the Tailscale + Indent integration.","noSidebar":false,"heading":"","date":"2022-07-26T16:30:00.000Z","content":"\nToday we’re delighted to announce the Tailscale + Indent integration. Tailscale is a popular mesh Virtual Private Network (VPN) that uses the WireGuard® protocol to provide end-to-end encryption for your network connections.\n\nUsing Tailscale, you can connect from your laptop to your enterprise server, even behind firewalls, without additional networking configuration. We're excited to [partner with Tailscale](https://tailscale.com/blog/indent) so that members of your team can easily request, and reviewers can easily approve, time-bounded access to these resources without ever leaving Slack.\n\nIn fact, Tailscale was designed for non-technical users to be able to easily create secure VPNs. Tailscale allows you to manage remote access to your servers, computers and cloud instances, in addition to authenticating SSH connections using WireGuard®.\n\nWith the Tailscale + Indent integration, you can:\n\n- Grant users on-demand access to specific Tailscale networks\n- Allow temporary SSH connections between devices in your Tailscale network as authorized by your access controls without managing SSH keys\n- Set up closed-by-default rules for the most sensitive nodes in your tailnet to allow only senior engineering staff the ability to approve access for 30 minutes at a time or auto-approve while someone is on-call.\n\nTry the interactive demo below and request access as me:\n\n## Tailscale ‘just works’ with Indent\n\nAs an organization matures, engineers often go from the convenience of default admin permissions in cloud providers like AWS or GCP to needing to request permissions to prevent unapproved updates to sensitive systems.\n\nAdditionally, while engineers can use Tailscale to easily access an ephemeral EC2 or database instance, that access can unnecessarily persist on production environments. Indent is able to help solve both of these problems by eliminating the friction that comes with access control so teams can continue to move quickly.\n\nUsing Tailscale with Indent helps change those incentives. Together they enable you to have a frictionless connection flow and add additional controls and automation to ensure compliance policies are adhered to and to create an additional layer of protection. For instance, you can ratchet up the controls for production vs staging to require that requests are approved by senior engineering staff or leadership.\n\n## Using Tailscale SSH and Indent\n\nLet’s take an example situation where our production database seems to be responding slowly to certain queries. In order to debug what’s going on, we need to open a connection to the database and view the query logs. Before we get started, we’ll need to:\n\n1. Follow Tailscale documentation to install Tailscale on the database server, and [enable Tailscale SSH access](https://tailscale.com/kb/1193/tailscale-ssh/#configure-tailscale-ssh). If we can't install Tailscale directly on the server, we can use a subnet router (for example, to access [AWS RDS](https://tailscale.com/kb/1141/aws-rds/))\n1. 
Install the Indent integration for Tailscale - [indent.com/catalog/tailscale](http://indent.com/catalog/tailscale)\n\nOnce we've configured Tailscale and Indent, we can request access via the Slack `/access` command to the group `group:prod-database` that grants network connectivity for the EC2 instance with database access. Now we can use [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh/) to access the RDS:\n\n```\n$ ssh root@prod-db-server\n\n$ mysqlsh --uri=admin@database-2.0129ab.us-west-2.rds.compute.internal:3306\n MySQL database-2.0129ab.us-west-2.rds.compute.internal:3306 ssl JS > \\sql\nSwitching to SQL mode... Commands end with ;\nMySQL database-2.0129ab.us-west-2.rds.compute.internal:3306 ssl SQL > show databases;\n+--------------------+\n| Database |\n+--------------------+\n| demo |\n| information_schema |\n| mysql |\n| performance_schema |\n| sys |\n+--------------------+\n5 rows in set (0.0297 sec)\n```\n\nNow we can run the troublesome query, view the logs and perform any necessary changes while securely connected to the database. Once the access grant expires, the SSH connection will be automatically terminated and we’ll get a link to quickly request again in Slack.\n\n## Auto approvals for on-call engineers using Tailscale\n\nUsing an on-call provider like PagerDuty or OpsGenie as a source of truth, you can set up a bot to check a user’s on-call status and auditable access control evidence. Setting up on-call auto approvals facilitates fast access during incidents while maintaining compliance best practices.\n\nFollow this guide: [indent.com/docs/policies/auto-approvals](https://indent.com/docs/policies/auto-approvals)\n\n## Set up Indent for Tailscale\n\n1. Set up [Indent with Tailscale](https://indent.com/setup/production-access?prod=tailscale)\n1. Choose which groups you want to manage in Tailscale ACL.\n1. 
Start granting temporary access!\n\n## Get started\n\nTo learn more about how Indent and Tailscale are being used together in the wild, [read the Reclaim.ai case study](https://indent.com/customers/reclaim). When you're ready to get started, check out the [integrations page](https://indent.com/integrations/tailscale).\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"elsiephillips","name":"Elsie Phillips","image":"/static/images/blog/avatars/elsiephillips.jpeg","title":"Product Marketer"}],"kind":"blog/post"},{"name":"security-for-startups-exceptions-noted","title":"Security for Startups: Exceptions Noted","ogTitle":"","fullTitle":"Security for Startups: Exceptions Noted","ogImageUrl":"","ogImageTitleHtml":"Security for Startups:
Exceptions Noted","ogImagePlusLogo":"","description":"Scaling your team means scaling your security model.","noSidebar":false,"heading":"","date":"2022-07-20T14:00:00.000Z","content":"\nAs your startup begins to scale, it's important to keep security controls in mind in order to maintain compliance. Here are eight key considerations for implementing security controls as you scale:\n\n1. Define your security strategy and governance framework.\n2. Implement security controls at each stage of the development process.\n3. Foster a culture of security and awareness among employees.\n4. Automate security controls and monitoring.\n5. Conduct regular security audits and risk assessments.\n6. Stay up-to-date on security threats and vulnerabilities.\n7. Partner with a trusted security provider.\n\nBy following these best practices, you can ensure that your startup's security controls are effective and up-to-date as you scale.\n\n## 1. Define your security strategy and governance framework\n\nA startup's security strategy should be designed to protect the company's information assets and infrastructure from unauthorized access or theft. The strategy should also ensure compliance with any applicable laws and regulations.\n\nThe governance framework should define the roles and responsibilities of those responsible for security, as well as the procedures for implementing and monitoring the security strategy. The framework should also address any security risks and vulnerabilities, and how they will be managed.\n\n## 2. Securing the Software Development Lifecycle (SDLC)\n\nTeams face increasing pressure to ensure their software development processes are secure and compliant. This is especially true for companies that develop software for critical infrastructure, such as healthcare, finance, and energy.\n\nThere are a number of security and compliance risks that need to be considered during the software development lifecycle. These include:\n\n1. 
**Insecure coding practices**: Poorly written code can introduce security vulnerabilities that can be exploited by attackers.\n2. **Lack of security testing**: Security testing should be an integral part of the software development process to identify and fix potential security issues.\n3. **Insufficient change management**: Uncontrolled changes to code and configurations can introduce new security vulnerabilities.\n4. **Poorly managed third-party components**: Third-party components, such as libraries and frameworks, can introduce security vulnerabilities if they are not properly managed.\n5. **Insecure deployments**: Incorrectly configured servers and applications can leave them exposed to attack.\n\nTo address these risks, organizations need to implement security controls throughout the software development lifecycle. This includes secure coding practices, security testing, change management, and secure deployments.\n\n## 3. Culture of Security\n\nA culture of security is essential for any startup. It should be ingrained in the company from the very beginning, and all employees should be aware of the importance of security. There are a few key things that a startup can do to develop a culture of security:\n\n1. **Make security a priority**: Security should be one of the top priorities for the company, and should be reflected in its policies and procedures.\n\n2. **Educate employees**: All employees should be educated on the importance of security and what they can do to help keep the company safe.\n\n3. **Encourage a security-minded culture**: Employees should feel comfortable reporting any security concerns they have, and the company should encourage a culture of security by rewarding employees who identify potential risks.\n\nUltimately, security is everyone's job. It's not something that can be done by a single person. It's a team effort.\n\n## 4. 
Automate security controls\n\nAs a startup, it is important to have security controls and monitoring in place to protect your business from potential threats. There are a number of ways to automate security controls and monitoring, which can help save time and resources.\n\nOne way to automate security controls and monitoring is to use a security information and event management (SIEM) system. This type of system can help you collect, monitor, and analyze data from a variety of sources, including your network, servers, applications, and user activity. By using a SIEM system, you can more easily identify potential security threats and take steps to mitigate them.\n\nAnother way to automate security controls and monitoring is to use a vulnerability management system. This type of system can help you identify and track potential vulnerabilities in your systems and applications. By using a vulnerability management system, you can more easily identify and fix potential security issues before they become major problems.\n\nFinally, you can also use a security orchestration, automation and response (SOAR) platform to automate security controls and monitoring. A SOAR platform can help you automate various security tasks, such as patch management, incident response, and compliance management. By using a SOAR platform, you can more easily manage your security posture and reduce the risk of potential security vulnerabilities.\n\n## 5. Conduct regular security audits\n\nAs your startup grows, it becomes increasingly important to ensure that your systems are secure. One way to do this is to conduct regular security audits and penetration tests.\n\nA security audit is a review of your systems to identify potential security risks. A penetration test, also known as a pen test, is a simulation of an attack on your system to test its security.\n\nConducting regular security audits and penetration tests can help you find and fix potential security risks before they are exploited. 
They can also help you assess the effectiveness of your security measures and identify areas that need improvement.\n\nRegular security audits and penetration tests are an important part of keeping your startup safe from hacking and other security threats.\n\nThere are a lot of great resources for conducting your first pen test — we recommend using [HackerOne](https://hackerone.com?ref=indent) to open up your environment to cast a wide net of potential testers to identify vulnerabilities in your platform.\n\n## 6. Keep your software up-to-date\n\nIt's no secret that software needs to be kept up-to-date to be secure. But for startups, with limited resources and a fast-paced environment, it can be difficult to prioritize security updates. Here are a few tips for keeping your software up-to-date and patching software supply chain vulnerabilities:\n\n1. **Make security a priority**: Don't wait until there's a security breach to start thinking about updates. Make security a priority from the start, and build it into your development process.\n\n2. **Automate updates**: If possible, automate updates so that they're applied as soon as they're available. This way, you can be sure that your software is always up-to-date.\n\n3. **Keep an eye on the supply chain**: Vulnerabilities in the software supply chain can be just as dangerous as vulnerabilities in the code itself. So, it's important to keep an eye on both. Be sure to vet your third-party providers and stay up-to-date on security threats.\n\n## 7. Partner with trusted security vendors\n\nWhen it comes to data security, startups can't afford to cut corners. Partnering with a trusted security vendor is essential for keeping sensitive information safe. 
Not only will a good security vendor have the latest and greatest tools to protect your data, but they will also have the experience and expertise to help you implement a comprehensive security strategy.\n\nA good security vendor will work with you to understand your specific needs and tailor a security solution that meets them. They will also keep up with the latest security threats and vulnerabilities, and provide you with timely updates and advice on how to protect your data. In short, partnering with a trusted security vendor is the best way to keep your startup's data safe.\n\nInterested in learning more or have questions? Feel free to reach out to our team and we're happy to help you figure it out. You can either [schedule a demo](/demo) or [contact us](/contact).\n\nFor example, PlanetScale made sure we knew that their auditor loved the logs and audit reports from Indent. Life after SOC 2 has also been improved for admins at PlanetScale through their use of the Indent Platform.\n\nPlanetScale has seen an 80% reduction in their IT workload, allowing them to focus on projects that more directly impact revenue. You can learn more about how Indent has helped them by checking out [their case study](/customers/planetscale).\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"about-scim","title":"Who Gives a S#!% About SCIM?","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Who Gives a S#!%
About SCIM?","ogImagePlusLogo":"","description":"When it comes to security, size doesn’t always matter.","noSidebar":false,"heading":"","date":"2022-07-14T14:00:00.000Z","content":"\nSystem for Cross-domain Identity Management (SCIM) is a standard protocol for provisioning and managing identity data across multiple identity providers (IdPs) and service providers (SPs).\n\nSCIM was originally designed to simplify the provisioning and management of user accounts in cloud-based applications and services. However, SCIM can be used to provision and manage any type of identity data, including but not limited to:\n\n- User accounts\n- Groups\n- Devices\n- Applications\n\nThe SCIM standard is maintained by the SCIM working group of the Internet Engineering Task Force (IETF). The latest version of the SCIM protocol is SCIM 2.0, which was published in July of 2015.\n\nThe SCIM protocol is based on the principle of schema-on-read, which means that identity data is not required to conform to a specific schema in order to be provisioned or managed. This allows for a high degree of flexibility when provisioning and managing identity data.\n\nSCIM uses the HTTP protocol for all communication between IdPs, SPs, and SCIM servers. SCIM servers are responsible for translating SCIM requests and responses into the appropriate format for the IdP or SP.\n\nThe SCIM protocol defines a number of different operations that can be performed on identity data, including:\n\n- Create\n- Read\n- Update\n- Delete\n- Search\n\nEach of these operations is performed using an HTTP verb (e.g., POST for create, GET for read, etc.). 
In addition, the SCIM protocol defines a number of different resources that can be managed, including:\n\n- Users\n- Groups\n- Devices\n- Applications\n\nThe SCIM protocol also defines a number of different attributes that can be associated with each resource, including:\n\n- Name\n- Description\n- Email address\n- Phone number\n\nThe SCIM protocol is designed to be extensible, which means that new resources and attributes can be added as needed. You can think of it as a spec that companies implement to enable interoperability between their system and third-party identity providers.\n\n## Watered Down SCIM\n\nSCIM is like skim (or skimmed) milk: it's great in theory. But like with all great ideas, there are a few things that are not quite as good as they should be.\n\nFirst, it requires a high level of integration between different IT systems. This can be difficult to achieve, especially in larger organizations with complex IT architectures.\n\nSecond, SCIM is designed to work with enterprise-level identity management solutions, which can be expensive and difficult to implement. A lot of software vendors will charge an extra fee for SCIM / single sign-on support — commonly known as the [SSO Tax](https://sso.tax). This means as a customer you have to pay extra for your users to be able to sign in using your chosen identity provider.\n\nFinally, SCIM is designed to be used by a single identity provider. This means that you can only use SCIM to provision and manage data for one identity provider.\n\nSoftware vendors will sometimes only support the create and update operations of SCIM but not delete / deactivate, which means you can only grow in usage but you can't deprovision users automatically from your identity provider.\n\n## SCIM in the Real World\n\nSCIM is used by Identity Providers (IdPs) to provision and manage user accounts in cloud-based applications. 
When a user authenticates to an application, the IdP uses SCIM to create or update the user's account in the application. This allows the application to have an up-to-date view of the user's identity, which is essential for security and compliance.\n\nBy supporting SCIM, an application can be used with any IdP that also supports SCIM. This makes it easy to switch IdPs, or to use multiple IdPs for different users.\n\nSCIM is an important part of the identity management landscape, and is poised to become even more important as cloud-based applications become more prevalent.\n\nHave questions about SCIM and how it could fit into your organization?\n\nFeel free to reach out to our team and we're happy to help you figure it out. You can either [schedule a demo](/demo) or [contact us](/contact).\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"security-for-startups-outgrowing-open-by-default","title":"Security for Startups: Outgrowing Open-by-Default","ogTitle":"","fullTitle":"Security for Startups: Outgrowing Open-by-Default Access Control","ogImageUrl":"","ogImageTitleHtml":"Security for Startups:
Outgrowing Open-by-Default Access Control","ogImagePlusLogo":"","description":"When it comes to security, size doesn’t always matter.","noSidebar":false,"heading":"","date":"2022-07-08T14:00:00.000Z","content":"\nMost startups begin with an open-by-default security model, which means that anyone can access and use the company’s data and resources. However, as the company grows and becomes more successful, it’s important to transition to a closed access security model. This model is more secure and helps to protect the company’s data and resources from unauthorized access.\n\nThere are a few key steps that startups should take to transition from an open-by-default security model to a closed access security model:\n\n1. Define who should have access to the company’s data and resources.\n2. Implement security measures to control access to the data and resources.\n3. Train employees on the new security measures and procedures.\n4. Monitor access to the data and resources on a regular basis.\n\nBy taking these steps, startups can transition to a closed access security model and help to protect their data and resources from unauthorized access.\n\nAs organizations grow, their security models need to adapt to changing needs. One area that often needs to be addressed is the move from an open-by-default internal security model to a more closed model. This change is usually driven by a need to increase security and reduce the risk of data breaches.\n\nThere are a few key considerations when making this transition. First, you need to understand what your security risks are and how they have changed as your organization has grown. Next, you need to develop a security strategy that takes into account these risks. Finally, you need to implement controls that will help mitigate these risks.\n\nOne of the biggest challenges in making this transition is ensuring that all employees understand and buy in to the new security model. 
This can be a challenge if employees are used to an open environment and may not be comfortable with the new restrictions. It is important to communicate the rationale for the change and help employees understand how the new model will improve security.\n\nMaking the transition to a more closed internal security model can be a challenge, but it is often necessary as organizations grow and their security needs change. By taking the time to understand your risks, develop a security strategy, and implement controls, you can make the transition successfully.\n\nInterested in learning more or have questions? Feel free to reach out to our team and we're happy to help you figure it out. You can either [schedule a demo](/demo) or [contact us](/contact).\n\nFor example, PlanetScale made sure we knew that their auditor loved the logs and audit reports from Indent. Life after SOC 2 has also been improved for admins at PlanetScale through their use of the Indent Platform.\n\nPlanetScale has seen an 80% reduction in their IT workload, allowing them to focus on projects that more directly impact revenue. You can learn more about how Indent has helped them by checking out [their case study](/customers/planetscale).\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"security-for-startups-the-starting-five","title":"Security for Startups: The Starting Five","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Security for Startups:
The Starting Five","ogImagePlusLogo":"","description":"When it comes to security, size doesn’t always matter.","noSidebar":false,"heading":"","date":"2022-07-05T14:00:00.000Z","content":"\nWhen it comes to security, size doesn’t always matter.\n\nIn fact, small companies are often at a greater risk for security breaches than their larger counterparts. That’s because small businesses usually have fewer resources and less experience dealing with security threats.\n\nDespite these challenges, there are a number of things small businesses can do to protect themselves from security threats. Depending on your risk profile, you may want to consider adopting security practices meant for larger companies.\n\nIf your risk profile is high, or you want to jump right into the deep end of security, you can adopt the advice catered towards large companies. For instance, we cover some of this in our posts about [outgrowing open-by-default](/blog/security-for-startups-outgrowing-open-by-default) (meant for 10 to 50 employees) and [achieving compliance with exceptions noted](/blog/security-for-startups-exceptions-noted) (meant for 50 to 150 employees).\n\nFor startups looking for minimum viable security, we have five suggestions. These are all low effort to implement, and can have a big impact on putting you (and your customers who rely on you) at ease about your baseline security:\n\n1. [Create a security policy](#create-a-security-policy)\n2. [Train employees on security](#train-employees-on-security)\n3. [Implement security measures](#implement-security-measures)\n4. [Use single sign-on, where possible](#use-single-sign-on-where-possible)\n5. [Grant access on-demand](#grant-access-on-demand)\n\n## 1. Create a security policy\n\nOne of the first steps any company should take to improve security is to create a security policy. 
This document should outline the company’s approach to security and explain how employees are expected to safeguard company information.\n\nIf you're considering a compliance framework like SOC 2, HIPAA, PCI, or other standards, you may want to consider looking at the controls you'll need to produce evidence for when you establish your security policy.\n\nThere are a number of companies that can help you with this; check out our [SOC 2 overview](/soc2) or [integrations with compliance partners](/integrations) like Secureframe, Vanta and Drata.\n\n## 2. Train employees on security\n\nOnce you have a security policy in place, it’s important to make sure all employees are aware of it and understand their role in protecting company information.\n\nEmployees should be trained on things like password security, phishing scams, and how to spot and report suspicious activity.\n\n## 3. Implement security measures\n\nIn addition to employee training, small businesses should also implement some basic security measures. This might include things like installing firewalls and anti-virus software, using encryption, and creating backups of important data.\n\n## 4. Use single sign-on, where possible\n\nSingle sign-on (SSO) is typically thought of as a sign of growing from a team into an enterprise, but there are a few reasons why even a small startup should use single sign-on:\n\n1. **It saves time and energy.** Instead of having to remember multiple usernames and passwords, employees only have to remember one set of credentials.\n1. **It increases security.** By using a single sign-on solution, businesses can track activity and better monitor who is accessing what information. This can help prevent data breaches and unauthorized access to sensitive information.\n1. **It improves productivity.** When employees don't have to waste time logging in and out of multiple systems, they can be more productive and get their work done more quickly.\n1. 
**It simplifies IT management.** Single sign-on can make it easier for IT staff to manage user accounts and access to different systems.\n\nUsing SSO is like future-proofing your identity stack. It makes it a lot easier to manage onboarding new team members and their access to your systems.\n\nWe generally recommend using [Okta](https://okta.com) (especially their [free developer tier](https://developer.okta.com)) because it comes with out-of-the-box features like [SCIM provisioning](/blog/about-scim) and a bunch of other nice-to-have security features.\n\nBut, if you’re not sure, you can always start with \"Continue with Google\", which even supports [SAML apps](https://support.google.com/a/answer/6087519), and then migrate to Okta for the necessary apps.\n\n## 5. Grant access on-demand\n\nMost companies will add a security policy control called \"least privileged access\" with the goal of limiting how many people have access to sensitive resources. In theory, this would mean that only the people who absolutely need certain access have it, but in practice, everyone in the engineering team has access to production.\n\nWhy does this happen? Well, it turns out that the most important thing for startups is to make sure that the people who need access have it.\n\nIf a customer reports a bug and the engineer who needs to fix it doesn't have access to the bug, they'll have to ask for access and wait for someone else to get it for them.\n\nIt's hard to know who needs access; teams have to consider:\n\n- Who needs standing access?\n- Who should be able to review access requests?\n- Why does an engineer need access to production?\n- How long is reasonable to wait for access?\n- How long should they have it for?\n\nWhen a company is still building the product and it's not really being used for anything critical yet, everyone on the team might just have access to everything. 
But, as the product grows, it becomes more and more important to make sure that you're not opening .\n\nIf someone has access to something they shouldn't, it could cause an accident like running a query meant for staging in production or, in the worst case, a security incident. If that access is only granted for a certain amount of time, then it minimizes the chances of something bad happening.\n\nAt [Indent](/), we've been working with a few different ways to grant access on-demand. We think you shouldn't have to choose between prioritizing security and productivity — the most secure workflow has to also be the best user experience.\n\nHere are some of the common use cases for granting access on-demand:\n\n- **On-demand production access**: Secure production with a least privilege access model that facilitates time-bound access based on immediate need. Access requests are routed to approvers based on predefined policies, ensuring compliance. Approvers can grant and set the access duration via Slack, expediting access for the requester.\n- **On-call auto approvals**: Adjust privileges based on change of responsibilities related to on-call status. On-call status triggers a bot to grant the necessary access, ensuring compliance principles are maintained while the access is logged for later review.\n- **On-demand admin access**: Secure Okta with a least privilege access model that grants admins time-bound access based on immediate need. Admins are able to get access quickly when they need it, without needing to continually maintain their elevated privileges, keeping the organization’s most sensitive systems secure.\n- **Uniform day one access**: Grant access to new internal and external users based on roles and responsibilities. 
Protect against privilege creep and make sure that new users have access to the necessities for their role, while being able to request additional access on-demand.\n- **Automated audit evidence collection**: Automates your evidence collection by storing all access-related data in immutable logs. They can then be easily exported with a single click and shared with your auditor.\n\nInterested in learning more or have questions? Feel free to reach out to our team and we're happy to help you figure it out. You can either [schedule a demo](/demo) or [contact us](/contact).\n\nFor example, PlanetScale made sure we knew that their auditor loved the logs and audit reports from Indent. Life after SOC 2 has also been improved for admins at PlanetScale through their use of the Indent Platform.\n\nPlanetScale has seen an 80% reduction in their IT workload, allowing them to focus on projects that more directly impact revenue. You can learn more about how Indent has helped them by checking out [their case study](/customers/planetscale).\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"sanity-plugin-referenced-by","title":"Sanity Studio Plugin: Referenced By","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Sanity Plugin: Referenced By","ogImagePlusLogo":"","description":"Introducing a Sanity Studio plugin for viewing documents which reference a particular document","noSidebar":false,"heading":"","date":"2022-06-27T20:20:56.018Z","content":"\n**Indent provides on-demand access for cloud apps and infrastructure.**\n\nGiven the size of our team and the need to revamp the marketing content for our website, we've decided to move the marketing content to a headless CMS.\nWe've chosen Sanity.io for this purpose.\n\nSanity.io is an excellent developer tool and CMS. 
We thought a plugin which would show at a glance which documents reference a specific document would extend its capability even further.\nThink of this functionality as \"backlinks\", a concept popularised by Roam Research.\n\nThis plugin was built as an internal tool for Indent and subsequently we decided it would be useful to share with the community.\n\nThe `sanityio-referenced-by` plugin is available on [NPM](https://www.npmjs.com/package/@indent-oss/sanityio-referenced-by), and the source is available on [GitHub](https://github.com/indentinc/sanityio-referenced-by). Included is an [example](https://github.com/indentinc/sanityio-referenced-by/tree/main/example) directory to help with getting started. We'd love to hear your feedback:\n\n
\n\n## Credit\n\nThank you to [Devin Halladay](https://www.sanity.io/exchange/community/theflowingsky) for writing up a recipe: [List Referring Documents (Backlinks) in Sanity](https://www.sanity.io/schemas/list-referring-documents-backlinks-in-sanity-1a8ada64).\nThis plugin builds upon Devin's recipe on how to set up backlinks for a specific document. The \"Referenced By\" plugin differs from Devin's recipe in that the backlinks are extracted into their own dedicated view. This view has been conveniently packaged into an easy-to-install plugin.\n\n## Installing the plugin:\n\n1. Install the `@indent-oss/sanityio-referenced-by` plugin using the command line:\n\n - NPM\n\n ```bash\n npm i @indent-oss/sanityio-referenced-by\n ```\n\n - Yarn\n\n ```bash\n yarn add @indent-oss/sanityio-referenced-by\n ```\n\n2. Add `@indent-oss/sanityio-referenced-by` to `sanity.json` \"plugins\":\n\n```json\n // /sanity.json\n \"plugins\": [\n \"@indent-oss/sanityio-referenced-by\"\n ],\n```\n\n3. Add `sanity-structure.js` reference to `sanity.json` \"parts\":\n\n```json\n // /sanity.json\n \"parts\": [\n {\n \"name\": \"part:@sanity/desk-tool/structure\",\n \"path\": \"./sanity-structure.js\"\n }\n ]\n```\n\n4. 
Create and/or update `sanity-structure.js` in the root directory:\n\n```js\n// /sanity-structure.js\nimport { ReferencedByView } from 'part:@indent-oss/sanityio-referenced-by'\nimport S from '@sanity/desk-tool/structure-builder'\n\nexport const getDefaultDocumentNode = () => {\n return S.document().views([\n S.view.form(),\n S.view.component(ReferencedByView).title('Referenced by'),\n ])\n}\n\nexport default () => S.list().title('Base').items(S.documentTypeListItems())\n```\n\nThe \"Referenced By\" plugin tab will now appear in your Sanity.io Studio Project.\n","hero":{},"authors":[{"id":"nataliemarleny","name":"Natalie Marleny","twitter":"nataliemarleny","image":"/static/images/blog/avatars/nataliemarleny.png","title":"Software Engineer"}],"kind":"blog/post"},{"name":"soc-2-type-2","title":"Announcing SOC 2 Type II compliance","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Announcing Indent
SOC 2 Type II Compliance","ogImagePlusLogo":"","description":"","noSidebar":false,"heading":"","date":"2022-06-16T16:00:00.000Z","content":"\nWe're incredibly excited to share that Indent has achieved our [SOC 2 Type II certification](/soc2).\n\nSince we wanted a rigorous evaluation, we selected Moss Adams as our auditor and chose a full twelve month audit period instead of the more common three months. The Trust Services Criteria we certified were security, availability, and confidentiality.\n\n## Why did we decide to become SOC 2 compliant?\n\nStarting out, compliance isn’t exactly one of the highest priorities on the path to product-market fit. There are certain categories of products that require compliance from day one, like healthcare (HIPAA) or finance (PCI / FINRA) — it's not just nice-to-have, it's a launch requirement. What about for everyone else?\n\nIn B2B software, there is a lot of data that needs to be protected. The data is stored in databases, business systems and sometimes shared with other vendors.\n\nThe purpose of SOC 2 compliance is to ensure that the data is protected and handled in a manner that is consistent with the company’s business needs.\n\nSince a lot of our customers are pursuing SOC 2 as part of the reason for shifting to an [on-demand access model](/blog/announcing-indent), we decided to become compliant ourselves.\n\nThis was a great opportunity to build our customers' confidence in our operations and develop a deeper empathy for the workflows we're designing.\n\n## What is SOC 2?\n\nService Organization Control (SOC) 2 is a report generated by an independent auditor that attests to a company’s safe customer data handling practices. 
Companies work with their auditor to choose which Trust Services Criteria (TSC) to certify based on multiple factors.\n\nSOC 2 reports can include up to five categories:\n\n- **Security**: these are common criteria required for any SOC 2 report\n- **Availability**: ensures customers have consistent access to the product\n- **Processing Integrity**: protects data from corruption and manipulation\n- **Confidentiality**: regulates how customer data should be stored, accessed, and shared\n- **Privacy**: verifies the means of customer data collection and use\n\nAfter TSC selection, a company defines controls around those criteria and determines the evidence to prove the effectiveness of those controls. The SOC 2 audit can then be kicked off. There are two stages of reports:\n\n- **SOC 2 Type I** tests how the controls would operate on a given day\n- **SOC 2 Type II** analyzes the effectiveness of controls over several months\n\n## What was SOC 2 Type I like?\n\nOne of the most challenging parts of going through your first SOC 2 audit is you don’t know what you don’t know. For example, which types of vendors auditors care about vs the ones they don’t (in-scope vs out-of-scope) and which vendors you need to be on the enterprise plan for in order to get single sign-on.\n\nThere are a lot of specific operational processes that are required to get your SOC 2. Because of this we would strongly recommend partnering with a compliance vendor. They’ve seen it all and can make the process a lot easier — we worked with [Secureframe](https://secureframe.com/customers/indent).\n\n## What was SOC 2 Type II like?\n\nAfter SOC 2 Type I certification, you’re not out of the woods. 
You have to continue maintaining the controls and enforcing policies put in place for certification.\n\nWe’ve found that common frustrations post certification include:\n\n- Reduced velocity due to increased access wait times\n- Time consuming manual access reviews every quarter\n- Inconsistent onboarding and offboarding processes lead to later findings\n\nThe key to tackling these challenges is automation.\n\nAccess control automation reduces wait times by ensuring requests are routed to the correct person. This can be done through a channel like Slack, reducing the loss of productivity associated with context switching and needing to log into a web portal.\n\nTime-bound access eliminates unnecessary persistent access by automating revocation after a set period of time, making access reviews faster and ensuring offboarded employees don’t retain access. Automating day one access ensures that new employees have access to only the resources they need.\n\n## How does Indent help with SOC 2?\n\nIndent automates the manual processes associated with managing and documenting access. Put another way, Indent automates change management for your access control.\n\nWith the Indent Platform you can have:\n\n- **On-demand production access**: Secure production with a least privilege access model that facilitates time-bound access based on immediate need. Access requests are routed to approvers based on predefined policies, ensuring compliance. Approvers can grant and set the access duration via Slack, expediting access for the requester.\n- **On-call auto approvals**: Adjust privileges based on change of responsibilities related to on-call status. On-call status triggers a bot to grant the necessary access, ensuring compliance principles are maintained while the access is logged for later review.\n- **On-demand admin access**: Secure Okta with a least privilege access model that grants admins time-bound access based on immediate need. 
Admins are able to get access quickly when they need it, without needing to continually maintain their elevated privileges, keeping the organization’s most sensitive systems secure.\n- **Uniform day one access**: Grant access to new internal and external users based on roles and responsibilities. Protect against privilege creep and make sure that new users have access to the necessities for their role, while being able to request additional access on-demand.\n- **Automated audit evidence collection**: Automates your evidence collection by storing all access related data in immutable logs. They can then be easily exported with a single click and shared with your auditor.\n\nWe used the Indent Platform during our own SOC 2 Type II audit and were gratified by the response from our auditor at [Moss Adams](https://mossadams.com). Our customers’ auditors have also been pleased with the format of the audit evidence.\n\nFor example, PlanetScale made sure we knew that their auditor loved the logs and audit reports from Indent. Life after SOC 2 has also been improved for admins at PlanetScale through their use of the Indent Platform.\n\nPlanetScale has seen an 80% reduction in their IT workload, allowing them to focus on projects that more directly impact revenue. You can learn more about how Indent has helped them by checking out [their case study](/customers/planetscale).\n\nIf you're considering pursuing SOC 2 compliance or are already compliant but finding it hard for people to get access quickly, we'd love to help! 
Feel free to [request a demo](/demo) with our team and we're happy to help you get started.\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"ethernetdan","name":"Dan Gillespie","twitter":"ethernetdan","image":"/static/images/blog/avatars/ethernetdan.jpeg","title":"CTO"}],"kind":"blog/post"},{"name":"on-demand-google-cloud","title":"On-Demand Access for Google Cloud Platform (GCP)","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"On-Demand Access for
Google Groups + Cloud","ogImagePlusLogo":"","description":"","noSidebar":false,"heading":"","date":"2022-05-08T12:12:56.018Z","content":"\nThis post will guide you through the process of setting up on-demand access control for Google Cloud with Indent. You and your team will be able to get, review, and revoke temporary access to production in minutes.\n\nWithout Indent, most teams have either:\n\n1. Open-by-default access where most, if not all, engineers have standing Editor / Owner access to Google Cloud\n2. Locked down IAM where only a handful of senior engineers / DevOps have any access to Google Cloud\n\nCheck out this demo for requesting access to Google Groups:\n\nThere are tradeoffs with both approaches that ultimately come down to: do you want to prioritize speed or security? With Indent, you can get both with a policy that grants engineers access faster than they can boot up a local env.\n\n## Prerequisite: RBAC with Google Groups\n\nBefore we get started, let's talk about the Google Cloud access control model. There's a lot of technical information about this model on the [Google Cloud documentation](https://cloud.google.com/iam/docs/access-control), but let's keep it simple for our purposes.\n\nThere are two Google Cloud specific terms to know:\n\n- **Principals**: people or groups that you want to grant access to.\n- **Roles**: permissions that you want to grant to the principals.\n\nMost teams will directly add engineers as principals and grant them Owner access so they don't have to deal with regularly updating the IAM policy. 
This can work for some companies during the early days, but as usage picks up and the team grows, it becomes more important to have a clear policy that is easy to understand and manage to avoid accidents.\n\nWe recommend implementing role-based access control (RBAC) with Google Groups to easily manage the permissions you're granting to your team. If you already have groups configured as principals, you can skip to Step 1. If not, here are some options for groups that could work based on your goals.\n\n### Option 1: Job-specific groups\n\nFor most companies starting with open-by-default, we recommend adopting a job-specific groups model. This means you'll give engineers a base Viewer role that lets them still click around. If they want to make changes they can request the elevated access on-demand.\n\nWhen people need Editor (or Owner) access, they can request temporary membership of a group that grants them the necessary access.\n\n| Group Email | Group Name | Suggested Permission(s) |\n| --------------------- | --------------- | ----------------------- |\n| `eng@...` | Engineering | Viewer |\n| `acl-prod-editor@...` | GCP Prod Editor | Editor |\n| `acl-prod-owner@...` | GCP Prod Owner | Owner |\n\n> **Frequently asked question: What's the difference between Editor and Owner?**\n>\n> Editors have all Viewer permissions, plus permissions for actions that modify state, such as changing existing resources (e.g. create a bucket or delete an instance).\n>\n> Meanwhile, Owners have all the permissions that Editors do but they can also modify roles and billing for the project. If you're deciding between granting someone Editor vs Owner roles, they probably just need Editor.\n\n### Option 2: Workflow-oriented groups\n\nAs your team or security risk grows, you'll want to create more groups to manage the fine-grained access engineers need. 
This approach maps the workflows that engineers might need to accomplish to pre-configured groups that have everything they need.\n\n| Group Email | Group Name | Suggested Permission(s) |\n| ----------------------------- | ------------------------ | --------------------------------------------------------------------- |\n| `eng@...` | Engineering | Viewer |\n| `acl-prod-logs-viewer@...` | GCP Prod Logs | Logs Viewer, Monitoring AlertPolicy Viewer, Monitoring Viewer |\n| `acl-prod-storage-viewer@...` | GCP Prod Storage Viewer | Storage Object Viewer |\n| `acl-prod-storage-admin@...` | GCP Prod Storage Admin | Storage Admin |\n| `acl-prod-sql-viewer@...` | GCP Prod Database Viewer | Cloud SQL Viewer |\n| `acl-prod-sql-admin@...` | GCP Prod Database Admin | Cloud SQL Admin |\n| `acl-prod-editor@...` | GCP Prod Editor | Editor |\n\n## Step 1: Add Indent to Slack\n\nIndent is available as a Slack app that allows your team to get, review, and revoke access directly from Slack. If you haven't connected Indent to your Slack, you can do that now:\n\n\n\n## Step 2: Install Google Groups Integration\n\nOnce you've installed Indent into your Slack workspace, you can install the Google Groups integration to pull groups as resources and allow your team to request access. You can one-click install Google: [indent.com/start →](https://indent.com/spaces?next=/manage/spaces/%5Bspace%5D/catalog/google)\n\nAs part of the installation, you can configure the reviewers for the groups you imported into Indent and where you want notifications to be sent.\n\n## Step 3: Grant Access to Google Cloud\n\nCongratulations, you're all done! In Slack, you can type `/access`, request from your [Indent dashboard](https://inden.com/home) or go to: [access.new →](https://access.new)\n\nAny member of your team can request access to any of the Google Groups you just imported; you'll get a notification and you can approve without ever leaving Slack. Now your team can get access to prod on-demand, faster than they can boot up a local environment. Happy accessing!\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"}],"kind":"blog/post"},{"name":"announcing-indent","title":"Indent raises $5.6m for on-demand access control","ogTitle":"","fullTitle":"Indent raises $5.6m for on-demand access control","ogImageUrl":"","ogImageTitleHtml":"Raised $5.6m seed
led by Index Ventures","ogImagePlusLogo":"","description":"We're excited to announce that Indent has raised $5.6m in seed funding led by Index Ventures.","noSidebar":false,"heading":"","date":"2021-12-21T14:00:00.000Z","content":"\nAfter three years of research and development with leading IT and security teams, we repeatedly found that companies struggle with access requests and reviews due to insufficient context, slow approvals, and over-provisioned users.\n\nToday, we’re announcing Indent: a service to automate and route access approvals across your team. Indent provides\non-demand access control for everyone in a company to what they need, when\nthey need it.\n\nWhen an engineer needs to view production server logs or\ncustomer support needs admin privileges in a sensitive system, they can use\nIndent’s apps to request access without asking IT for help.\n\nReviewers are messaged on Slack and can approve directly from there, then once the time expires access\nis automatically revoked.\n\nWe’re also excited to announce that we’ve raised a \\$5.6 million seed round led by Shardul Shah (Index Ventures), Kevin Mahaffey (Lookout CTO) and Swift Ventures among a few other [notable investors](#notable-investors).\n\nAs teams scale, more employees need access to a growing number of services where approvals can take days, weeks or months. The _easiest_ way to get access is rarely the _right_ way, leading to security concerns, but when it’s business critical, it can sometimes be the difference between getting back to a customer in a few hours or even a few days.\n\nThis is complex - many companies use at least a few dozen apps across different teams for critical services, collaboration or customer data processing, and each app has dozens of different potential roles or sub-permissions. It can easily get out-of-hand.\n\n- If you’re on the IT team, you’re caught in the line of fire, with different permission granting systems for multiple applications. 
You’re debugging permissions, and hoping it’ll just work this time.\n- If you’re on the security or compliance team, this is terrifying! You know that users are likely over-provisioned but can’t reduce access where that’s the case without threatening business operations or disrupting someone’s everyday workflow.\n- If you’re part of a business team or a developer, it can be very hard to figure out how to get the access you need, to a customer support thread, virtual machine, admin dashboard, or myriad other restricted tools, while doing your work. Good luck trying to get access to the right tool. And if you’re a manager caught in meetings, it’s too easy to either miss critical requests from your team or have insufficient context and end up rubber-stamping approvals to unblock them.\n\nWe built Indent to provide teams with the easiest, safest way to democratize access management and accountability.\n\nOur customers already benefit by using Indent:\n\n- For IT teams, our API and Dashboard take the guesswork out of permissions management and provide simple self-service controls for managing complex approval routing.\n- For security and compliance teams, our automatic continuous access reviews and audit log collection simplify compliance certifications.\n- For business teams and developers, our apps and chat integrations can enable access requests to be approved within seconds -- even when they depend on multiple approvers.\n\nFor now, you still need to request access to Indent - like your internal systems! Make your first request at [indent.com](https://indent.com) - we promise it will be fast and easy.\n\n---\n\n## Notable Investors\n\nWe're grateful to work with a phenomenal set of investors:\n\n
\n Sam Altman (OpenAI), Dylan Field (Figma), Alex Stamos (ex-Facebook CSO),\n Gerhard Eschelbeck (ex-Google CSO), Olivier Pomel, Alexis Lê-Quôc & Amit\n Agarwal (Datadog), April Underwood (Nearby/ex-Slack), Jack Altman, Eric Koslow\n & J Zac Stein (Lattice), Cristina Cordova (ex-Notion/Stripe), Andrew\n Peterson & Zane Lacky (Signal Sciences), Maya Kaczorowski (Tailscale) and\n many more...\n
\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"ethernetdan","name":"Dan Gillespie","twitter":"ethernetdan","image":"/static/images/blog/avatars/ethernetdan.jpeg","title":"CTO"}],"kind":"blog/post"},{"name":"next-stories-rfc","title":"Next.js Stories — RFC","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Next.js Stories
**RFC**","ogImagePlusLogo":"","description":"A component library for every Next.js application.","noSidebar":false,"heading":"","date":"2021-10-29T17:00:00.000Z","content":"\n**Indent provides on-demand access for cloud apps and infrastructure.**\n\nOur dashboard is built using the incredible Next.js framework. Introducing a component library into our dashboard was surprisingly tough, so we spent time thinking about how the experience could be improved.\n\n
\n\nWe're excited to introduce our proposal for Next.js Stories:\n\n- **Zero-config component library** for every Next.js project\n- **Automatically generated stories** for components and pages\n- **Storybook interface with hooks into the Next.js build system** for a great developer experience\n- **First-class `components` directory** similar to `pages`\n\n
\n\nIf you want to jump to the request for comments and share your thoughts, you can find it in Next.js Discussions:\n\n
[RFC: Stories](https://github.com/vercel/next.js/discussions/30628)
\n\n---\n\n
\n\n## How would it work?\n\n1. [Automatically creating stories for components and pages](https://github.com/vercel/next.js/discussions/30628)\n\n - [Recording simple stories](https://github.com/vercel/next.js/discussions/30628)\n - [Recording stories for complex components](https://github.com/vercel/next.js/discussions/30628)\n\n2. [Browsing stories and exporting a component library](https://github.com/vercel/next.js/discussions/30628)\n3. [Next.js and Storybook integration](https://github.com/vercel/next.js/discussions/30628)\n\n## What's the story?\n\nCodebases with a sophisticated user interface and complex business logic reach a point of complexity which calls for a separate component library.\n\nIn our experience, setting up that component library from scratch for an existing Next.js project can be very tedious and time consuming.\n\nWhile we rolled our own component library at [Indent](https://indent.com), we considered potential introductions to the Next.js ecosystem which could improve the experience and reliability of developing complex UIs with React.\n\n## Where we started\n\nWe built our Next.js app in an idiomatic way, separating components from pages; so why do we still need to invest a lot of time to produce modular components? It reminded us of manually setting up routes with `react-router` before Next.js' `pages` file-based routing.\n\nSome of the challenges we ran into: configuration complexity, difficulty in creating new components and slow builds.\n\nAll of the things Next.js has already solved for us.\n\n## Our options\n\nInitially we looked into _just_ rebuilding the stories and the developer interface natively in Next.js... until we talked to people who had done that. 
Even at much larger companies with more resources, it's hard to keep components and stories up-to-date — let alone having to maintain the design system primitives too.\n\nLooking at all of the total React, Storybook and Next.js downloads, there's a lot of room for Next.js to grow as the de facto way to build a React app. Also, Storybook is more popular than Next.js!\n\n[![Download counts of Storybook vs Next.js vs React](../static/blog/next-stories-rfc/next-stories-downloads.png 'Download counts of Storybook at 3.3 million, Next.js at 1.8 million and React at 12 million')](https://www.npmtrends.com/@storybook/ui-vs-next-vs-react)\n\n## Next.js Stories\n\nOur proposal for Next.js Stories provides easy creation and maintenance of component libraries for all Next.js applications with a `components` library.\n\n[Read more →](https://github.com/vercel/next.js/discussions/30628)\n\n![Files and Storybook in a project using Next.js Stories](../static/blog/next-stories-rfc/next-stories-screenshot.png 'Files and Storybook in a project using Next.js Stories')\n\nAdmittedly, some parts of this RFC are very ambitious. Our hope in writing an RFC and sharing it with the community is to spark a conversation about the state of component library tooling.\n\nWhile drafting this RFC, the proposal has received feedback from experienced Next.js practitioners (including the Next.js team). We’re looking forward to further review and feedback from the community.\n\nIt would be amazing if Next.js and Storybook as tools and as communities could be brought closer together.\n\nWe'd love to hear your feedback on the RFC, so please go to the discussion and add a reaction/your comment:\n\n
[vercel/next.js/discussions/30628](https://github.com/vercel/next.js/discussions/30628)\n\nThanks to Tim Neutkens, Jack Hanford, Lee Robinson, Brody McKee and Gordon Wintrob for reviewing drafts of this proposal.
\n\n\n","hero":{},"authors":[{"id":"fouad","name":"Fouad Matin","twitter":"fouadmatin","image":"/static/images/blog/avatars/fouad.jpeg","title":"CEO"},{"id":"nataliemarleny","name":"Natalie Marleny","twitter":"nataliemarleny","image":"/static/images/blog/avatars/nataliemarleny.png","title":"Software Engineer"}],"kind":"blog/post"},{"name":"stale-while-revalidate-beyond-http-requests","title":"Stale-while-revalidate (SWR) beyond HTTP requests","ogTitle":"","fullTitle":"","ogImageUrl":"","ogImageTitleHtml":"Stale-while-revalidate
beyond HTTP requests","ogImagePlusLogo":"","description":"We present a more optimal implementation of the useLocalStorage hook that is written using the SWR Javascript library.","noSidebar":false,"heading":"","date":"2021-08-09T13:00:56.018Z","content":"\nWhile implementing features in the Indent dashboard, we heavily use the [localStorage browser API](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage). A convenient way to use the localStorage in React is the `useLocalStorage` hook from [usehooks.com](https://usehooks.com/useLocalStorage/). Below is a simplified example of the pattern that often occurs in our code while using the `useLocalStorage` hook:\n\n```js\n// Two independent components reading the same localStorage key\n// (the wrapper element rendered by each component is assumed to be a <div>)\nconst Component1 = () => {\n const [value, setValue] = useLocalStorage('key1')\n return <div>Component1 {value}</div>\n}\n\nconst Component2 = () => {\n const [value, setValue] = useLocalStorage('key1')\n return <div>Component2 {value}</div>\n}\n\n// Both components are rendered on the same page\nconst Page = () => (\n <>\n <Component1 />\n <Component2 />\n </>\n)\n```\n\nIn the above example we have two independent components utilizing the `useLocalStorage` hook with the same key. The original implementation of the `useLocalStorage` has a few drawbacks when used in this manner:\n\n- **Many re-renders** - Each use of the `useLocalStorage` creates a dedicated state variable with `useState`. Each of these states is completely separate from one another. If all of these states need to be updated to a new value, one re-render is going to occur for _each_ of the updates.\n- **Inconsistent state** - Each use of the `useLocalStorage` creates a separate `setValue` function that updates only the piece of state that it is associated with. This means that if the `setValue` is called within one of these components the other component wouldn't reflect the correct value of the localStorage entry until the page is refreshed.\n- **Potential race condition** - Each use of the `useLocalStorage` independently reads from the localStorage when _the component using `useLocalStorage`_ is mounted. This means that different components on the same page could potentially read different values from the localStorage. The result could be an inconsistent UI.\n\n![Each read from the localStorage happens on the component mount. Each useLocalStorage reads from the localStorage separately.](../static/blog/state-while-revalidate-beyond-http-requests/useLocalStorage-original.png 'useLocalStorage original')\n\nInitially I was using the [`swr` JavaScript library](https://github.com/vercel/swr) (named after the [stale-while-revalidate](https://datatracker.ietf.org/doc/html/rfc5861) pattern) only for HTTP caching, and then I came to the realisation that `swr` is much cooler and more general purpose than just a library for caching HTTP requests. 
So I got the idea to write a `useLocalStorage` implementation which has a more optimal behaviour using the `swr` library and here's the result:\n\n```ts\nimport { useCallback, useMemo } from 'react'\nimport useSWR, { cache } from 'swr'\n\n// Reads and parses the stored JSON value; the first argument is only part of the SWR key\nconst localStorageFetcher = async (_fetcherName: string, key: string) => {\n const item = window.localStorage.getItem(key)\n // An Error occurring in the fetcher is gracefully handled by SWR\n if (item == undefined) throw new Error()\n return JSON.parse(item)\n}\n\nexport function useLocalStorage<T>(\n key: string,\n initialValue?: T | (() => T)\n): any[] {\n const swrKey = useMemo(() => ['localStorageFetcher', key], [key])\n const initialData = useMemo(\n () => (initialValue instanceof Function ? initialValue() : initialValue),\n [initialValue]\n )\n\n const { data: storedValue, mutate } = useSWR(swrKey, localStorageFetcher, {\n initialData,\n // Read from the localStorage only if the value is not in the cache already.\n revalidateOnMount: !cache.has(swrKey),\n // Disable refetching from the localStorage. After the initialization from\n // the localStorage, the value is not re-read until the page is re-loaded.\n revalidateOnFocus: false,\n revalidateOnReconnect: false,\n refreshWhenHidden: false,\n refreshWhenOffline: false,\n shouldRetryOnError: false,\n refreshInterval: 0\n })\n\n // Writes through to localStorage and updates the shared SWR cache entry,\n // so every component using this key re-renders with the new value.\n const setStoredValue = useCallback(\n (value: T | ((c: T) => T)) => {\n mutate(\n (currentStoredValue: any) => {\n const valueToStore =\n value instanceof Function ? value(currentStoredValue) : value\n if (valueToStore === currentStoredValue) return currentStoredValue\n window.localStorage.setItem(key, JSON.stringify(valueToStore))\n return valueToStore\n },\n false // don't refetch from the localStorage, just update the state\n )\n },\n [mutate, key]\n )\n\n return [storedValue, setStoredValue]\n}\n```\n\nThe new `useLocalStorage` has the same API, but:\n\n- it reads from the localStorage only once per page load for the given localStorage key, regardless of the number of times it is called\n- it causes only a single additional re-render after the value has been loaded, regardless of the number of times it is called\n- when new components which use the `useLocalStorage` hook enter the page with the same key, they don't read from the localStorage again, but use the `swr` cached value instead\n- changing the value in any of the components using the `setValue` function causes an immediate change in all other components using `useLocalStorage` with that key. No page refresh is necessary.\n\nAll of this means that the performance and the robustness of the UI are going to be improved.\n\n![Instead of having a separate piece of state for every invocation of the useLocalStorage hook, we have a single piece of state that all of the useLocalStorage invocations refer to. Only the first component that mounts reads from the localStorage. Every subsequent component reads from the SWR Cache.](../static/blog/state-while-revalidate-beyond-http-requests/useLocalStorage-with-swr.png 'useLocalStorage with SWR')\n\nAfter implementing this version of the `useLocalStorage` hook I wasn't surprised to discover that others have attempted to do the same. 
Most notably the [zydalabs/swr-internal-state](https://github.com/zydalabs/swr-internal-state) library contains a slightly different implementation of `useLocalStorage` using `swr`.\n","hero":{},"authors":[{"id":"nataliemarleny","name":"Natalie Marleny","twitter":"nataliemarleny","image":"/static/images/blog/avatars/nataliemarleny.png","title":"Software Engineer"}],"kind":"blog/post"}]},"__N_SSG":true}