How CommonLit uses Indent + Tailscale to manage AWS access
CommonLit is an education nonprofit that provides a comprehensive literacy program to tens of millions of students across the US. While most products with tens of millions of users have large engineering teams working on them, CommonLit has a lean organization with a team of ten engineers and five data scientists.
State and federal regulations along with individual school district policies mandate that they implement rigorous security measures to protect student data. With a growing team and an even faster growing user base, it was important to CommonLit to get the security fundamentals right and implement least privilege.
AWS Access Control
Traditionally, permissions at CommonLit worked like this: the CTO, Geoff Harcourt, and the senior engineers had access to everything, including admin-level access in AWS. While policies were in place, the data and engineering teams were given fairly broad access to avoid friction and bottlenecks. Increasing security, though, was a priority for Geoff.
For network security, going with Tailscale was an easy decision made even simpler with their generous non-profit discounting. Using Tailscale they were able to protect their datastores in AWS by making them inaccessible from the public web. But then came the question of how to do access control for those AWS resources in Tailscale.
Geoff wanted the data team and the engineers to have different levels of access in Tailscale, and he wanted engineers to be connected to production resources only when they actually needed it.
On-Demand Access with Indent
After doing some research, Geoff discovered that Tailscale and Indent had an integration that would solve his access control dilemma.
“I was expecting the cost of Indent to be horrific and just awful. When I mentioned that we were a nonprofit, they hooked us up with a pretty nice discount too. It was just a very logical decision to do it. With Indent each team has the level of access that they want and access requests get answered pretty quickly.”
CommonLit uses Indent in two main ways. The first is giving engineers read-only access to AWS resources. This lets them view the configuration of memcached and Redis stores and of databases, and staff can also see which users exist in certain groups. They can't edit IAM permissions or configure non-staging databases.
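The read-only scope described above can be expressed as a single IAM policy. The policy below is an added illustration, not CommonLit's or Indent's own configuration: it allows describe/list calls against RDS, ElastiCache and IAM groups, then adds explicit Deny statements so that IAM changes and modifications to any database not tagged `env=staging` are refused even if a broader role is attached later. The tag key `env` and the value `staging` are assumptions for the example; the IAM action names and the `aws:ResourceTag` condition key are real AWS identifiers.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyViewOfDatastoresAndGroups",
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "elasticache:Describe*",
        "iam:GetGroup",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:ListUsers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyAnyIamChange",
      "Effect": "Deny",
      "Action": [
        "iam:Create*",
        "iam:Delete*",
        "iam:Put*",
        "iam:Attach*",
        "iam:Detach*",
        "iam:Update*",
        "iam:Add*",
        "iam:Remove*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyChangesToNonStagingDatabases",
      "Effect": "Deny",
      "Action": [
        "rds:Modify*",
        "rds:Delete*",
        "rds:Reboot*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:ResourceTag/env": "staging" }
      }
    }
  ]
}
```

The Allow statement on its own never grants write actions, so the two Deny statements are guardrails rather than the primary control: an explicit Deny wins over any Allow in IAM, which keeps the read-only intent intact if someone later attaches a more permissive managed policy to the same role.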
They also use Indent to selectively block access to the production end of their Tailscale connection. Engineers usually connect only to staging, while the data science team stays persistently connected to the part of the AWS environment that hosts Redshift.
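The network side of that split maps naturally onto a Tailscale ACL policy: engineers reach staging, the data team reaches Redshift, and production is reachable only by members of a group that is normally empty. The policy below is an added example, not CommonLit's tailnet configuration. It assumes (this is not stated on the page) that the Indent integration grants production access by adding the approved user to `group:prod-access` and removing them when the grant expires; the user names, tag names and ports are constructed for the example. The file is Tailscale's HuJSON, so comments are permitted.

```json
{
  // Who belongs to which team. group:prod-access is empty by default and,
  // under the assumption above, is populated by Indent for the life of a grant.
  "groups": {
    "group:engineers":   ["alice@commonlit.example", "bob@commonlit.example"],
    "group:data":        ["carol@commonlit.example"],
    "group:prod-access": []
  },

  // Tags on the subnet routers / nodes that front each AWS environment.
  "tagOwners": {
    "tag:staging":  ["autogroup:admin"],
    "tag:prod":     ["autogroup:admin"],
    "tag:redshift": ["autogroup:admin"]
  },

  // Tailscale ACLs are default-deny: anything not listed here is blocked.
  "acls": [
    // Engineers: staging Postgres, Redis and memcached only.
    { "action": "accept", "src": ["group:engineers"],   "dst": ["tag:staging:5432,6379,11211"] },

    // Data team: persistent access to Redshift, nothing else.
    { "action": "accept", "src": ["group:data"],        "dst": ["tag:redshift:5439"] },

    // Production datastores: only current grant holders.
    { "action": "accept", "src": ["group:prod-access"], "dst": ["tag:prod:5432,6379,11211"] }
  ],

  // Policy tests are evaluated whenever the ACL is saved, so a later edit
  // that accidentally opens production to everyone fails to apply.
  "tests": [
    {
      "src": "alice@commonlit.example",
      "accept": ["tag:staging:5432"],
      "deny":   ["tag:prod:5432", "tag:redshift:5439"]
    },
    {
      "src": "carol@commonlit.example",
      "accept": ["tag:redshift:5439"],
      "deny":   ["tag:prod:5432", "tag:staging:5432"]
    }
  ]
}
```

The `tests` block is the part worth keeping even if the rest is adapted: it turns the least-privilege intent into assertions that Tailscale checks on every policy change, which is also the kind of artefact an auditor can read.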
“It's hard for me to imagine us having as good a security setup with AWS as we do without using Indent. I think it would require such a disproportionate amount of my time that we would probably just choose to do something weaker that was actually more sustainable.”
On-demand access not only increases their security, it also helps their budget go further. Occasionally team members have run local tests without realizing that a paid AWS service was still enabled, leading to $700 in charges for translation data that can't be used in production. Indent adds a layer of protection against unintentional service usage, which really adds up for a small non-profit.
“Part of the big values that we get out of least privilege. It's not just security, it's also like preventing people from foot gunning themselves.”
They also set up auto-approvals for on-call to alleviate bottlenecks.
“There's 10 engineers today, right? And so there's usually one engineer off hours on call and like I've told everyone, you can call me in the middle of the night if there's a problem. But that kind of stinks, right? So the fact that people can self-approve and we have an audit trail for what they did is really, really valuable.”
SOC 2 Preparation
CommonLit is beginning to prepare for their first SOC 2 certification, and will be using their Indent access logs as evidence for their access controls.
“With the huge uptick in academic ransomware attacks, school districts are getting much, much more cautious about security. With Tailscale and Indent we’re in a much better position to show them that we are doing all the things that we need to do in order to protect their data.”