One of those new hires was Rinaldi Utomo, Senior Infrastructure Engineer, who assumed ownership of the company’s AWS user management in addition to his other responsibilities.  Having worked at companies like AWS, Rinaldi knew the importance of getting access control right.

“Access is a tough challenge. You need to balance between giving too much access and giving too little access in a way that doesn’t create friction with the other engineers.”

When he joined Omnipresent, engineers were given limited but persistent production access on their first day. Admins also retained elevated permissions, even when they weren’t actively using them.

“I had full admin access to AWS at all times which is not exactly ideal. I don't want to have access to production at all times, and there isn’t a use case for me to have it at all times.”

When engineers needed access they would ping Rinaldi on Slack, who would set up their IAM username and access to dev. Then once he assigned them to the corresponding group, they could access production at any time.

Their process:

• Had bottlenecks
• Wasn’t as secure as it could be
• Didn’t generate easily exportable access control evidence

On-demand access had been in the back of Rinaldi’s mind for a while based on conversations he’d had with others at previous roles.

He wanted an on-demand access control solution that would be:

• Self-serve, so he wouldn’t bottleneck the engineering team
• AWS Identity Center (aka AWS SSO) compatible
• Automatically generated access control evidence, to simplify their SOC 2 audit

When Rinaldi’s manager showed him Indent, he was excited to find something that fit his criteria, and even better, was easy to set up.

“It's a good solution to where the whole Slack workflow is just easy to set up and get running. It is better than what we had at my previous companies where everyone just had permanent access.”

Rinaldi was able to set up AWS SSO, Google Workspace, and Indent. Choosing Indent also future proofed their system since it’s also compatible with other identity management providers like Okta, which was a plus.

Indent’s automatic log generation allowed them to capture all the information they needed for their SOC 2 audit, and also get rid of local storage of access keys and secrets, increasing security and helping them towards their compliance goals.

When implementing an on-demand access system, there can be apprehension that this is going to slow people down. When explaining Indent to the engineering team, Rinaldi was pleasantly surprised at the warm reception it got.

“I explained that nobody should have access to prod at all times, including myself. I have to request access and people thought I have special access but I actually don't and I don't want to. We need to have accountability.

I got feedback from a lot of the team that, ‘Oh this is so cool, this is awesome, and yeah, we definitely should not have production access at all time.’"

Now that Indent is rolled out to the engineering team, Omnipresent is considering expanding its usage to other teams in the organization.