How Omnipresent uses Indent for self-serve, temporary production access


  • Industry: HR Tech
  • Employees: 250 - 500
  • Raised: $120m

Customer Highlights

  • 50+ engineers with production access
  • 10 seconds waiting for AWS access
  • 13 time zones with a single AWS admin

Omnipresent is revolutionizing the way businesses operate in the modern world with solutions to effortlessly navigate the complexities of employing and managing a globally distributed workforce. Like their customers, Omnipresent is a globally distributed team balancing compliance and security requirements while shipping quickly.

In 2022 they began adding up to five engineers a week just as they were preparing for their SOC 2 certification.

Key Takeaways
  • Deployed Indent, AWS, and Google for engineering self-onboarding
  • Allows a single admin to cover 13 timezones

Problem

One Admin for 13 Timezones

One of those new hires was Rinaldi Utomo, Senior Infrastructure Engineer, who assumed ownership of the company’s AWS user management in addition to his other responsibilities. Having worked at companies like AWS, Rinaldi knew the importance of getting access control right.

“Access is a tough challenge. You need to balance between giving too much access and giving too little access in a way that doesn’t create friction with the other engineers.”

When he joined Omnipresent, engineers were given limited but persistent production access on their first day. Admins also retained elevated permissions, even when they weren’t actively using them.

“I had full admin access to AWS at all times which is not exactly ideal. I don't want to have access to production at all times, and there isn’t a use case for me to have it at all times.”

When engineers needed access, they would ping Rinaldi on Slack, and he would set up their IAM username and access to dev. Once he assigned them to the corresponding group, they could access production at any time.

Their process:

  • Had bottlenecks
  • Wasn’t as secure as it could be
  • Didn’t generate easily exportable access control evidence

On-demand access had been in the back of Rinaldi’s mind for a while, based on conversations he’d had with others in previous roles.

He wanted an on-demand access control solution that would be:

  • Self-serve, so he wouldn’t bottleneck the engineering team
  • AWS Identity Center (aka AWS SSO) compatible
  • Able to automatically generate access control evidence, to simplify their SOC 2 audit

Solution

On-Demand AWS Access with Indent

When Rinaldi’s manager showed him Indent, he was excited to find something that fit his criteria, and even better, was easy to set up.

“It's a good solution to where the whole Slack workflow is just easy to set up and get running. It is better than what we had at my previous companies where everyone just had permanent access.”

Rinaldi was able to set up AWS SSO, Google Workspace, and Indent. Choosing Indent also future-proofed their system, since it is compatible with other identity management providers like Okta, which was a plus.

Indent’s automatic log generation allowed them to capture all the information they needed for their SOC 2 audit. It also let them get rid of local storage of access keys and secrets, increasing security and helping them towards their compliance goals.

What's Next

Expanding On-Demand Access Outside Engineering

When implementing an on-demand access system, there can be apprehension that it will slow people down. When explaining Indent to the engineering team, Rinaldi was pleasantly surprised at the warm reception it got.

“I explained that nobody should have access to prod at all times, including myself. I have to request access and people thought I have special access but I actually don't and I don't want to. We need to have accountability.

I got feedback from a lot of the team that, ‘Oh this is so cool, this is awesome, and yeah, we definitely should not have production access at all times.’”

Now that Indent is rolled out to the engineering team, Omnipresent is considering expanding its usage to other teams in the organization.
