Sophos Simplifies and Centralizes AWS Account Management Using AWS IAM Identity Center

Sophos—a cloud-native information technology security company that provides 24/7 threat protection, monitoring, and response across hybrid cloud environments—was growing rapidly using Amazon Web Services (AWS). The next step in its journey was simplifying account onboarding and centralizing account management. In the past, Sophos used identity federation on an account-by-account basis to grant access to AWS. This enabled Sophos to manage AWS account access simply and securely, but the company wanted an even simpler and more scalable way to manage access across a growing number of AWS accounts. At the same time, Sophos needed to keep fine-grained access control over new AWS account setup, identity and access management roles, permissions, and temporary user credentials.

To simplify and centralize AWS account management and gain more flexible options when assigning user roles and permissions, Sophos implemented AWS IAM Identity Center (successor to AWS Single Sign-On). IAM Identity Center is a service that makes it simpler to centrally manage access to multiple AWS accounts and business applications. Instead of setting up identity federation for each account, Sophos set up identity federation once through IAM Identity Center to manage access across multiple AWS accounts, which dramatically simplified the process of onboarding new accounts and assigning separate roles with limited privileges. Now able to manage account access centrally from the IAM Identity Center console or command line interface, Sophos no longer needs to rely on third-party extensions to assign temporary credentials to developers. “Our people are really happy with the look and feel of IAM Identity Center,” says Guy Davies, principal cloud architect at Sophos. “And account creation time has gone way down because most of it is now automated.”

Sophos got its start in 1985, and today its products help protect more than 400,000 organizations and over 100 million users in more than 150 countries from advanced cyber threats. Before using IAM Identity Center, Sophos was using identity federation on an account-by-account basis to securely manage its 250 AWS accounts, which are accessed by 1,500 internal users. The process of onboarding, managing, and making changes to its AWS accounts was time consuming, involving input from both the information technology and cloud development teams. Sophos was looking for ways to scale even faster with the agility it needed.

Sophos already used AWS services, including AWS Organizations, a service that helps companies centrally manage and govern their AWS environments as they scale their AWS resources. In addition, Sophos was looking to centralize its AWS account management and avoid extra steps when onboarding new accounts and changing role permissions. Sophos has more than 500 Azure Active Directory groups it uses to control account access. So in 2019, when IAM Identity Center began supporting the System for Cross-domain Identity Management specification, Sophos found its solution for simplifying account onboarding and managing access at scale. It could now sync its existing Azure Active Directory groups into AWS. “We have the skills to build a solution ourselves, but we also have 1,500 people who are skilled on AWS,” says Davies. “Starting in the AWS environment makes it simpler for us to do cool stuff.”

Sophos wanted to keep using its existing identity service providers—including Azure Active Directory, an enterprise identity service—as well as Jira authentication and YubiKey hardware authentication devices. These identity tools and IAM Identity Center work together seamlessly, enabling secure multifactor authentication. After performing a proof of concept and receiving positive internal feedback, Sophos proceeded with the transition to IAM Identity Center. It completed setup within a couple of weeks, by September 2020, and in the first week of October, Sophos asked its 1,500 internal users to make the switch by the end of the month. Sophos saw a quick initial take-up followed by a slower to transition of some users, but the reactions were universally positive. “I don’t think we got any negative feedback about IAM Identity Center,” says Davies. “For a change that affects the daily workflow of about 1,500 people, that’s kind of unprecedented.”

The transition to IAM Identity Center has greatly simplified all aspects of AWS account management for the Sophos team, decreasing the time it takes to onboard new AWS accounts from multiple days to less than 1 day and enabling virtually instant revocation of AWS account access as contractors come and go. In the past, revoking a user’s access required combing through all the individual Azure Active Directory groups that control access to individual accounts to completely revoke access to each account, then waiting for Azure Active Directory to synchronize. This could take up to an hour. After creating two Azure Active Directory groups—one containing all individual users and granting access to the IAM Identity Center console and another that syncs through the System for Cross-domain Identity Management and grants access to AWS accounts and permissions—Sophos can now simply pull a user out of the IAM Identity Center group, and access is revoked immediately, without having to wait for a sync. Overall, developers have saved hundreds of hours on AWS account creation and no longer need the information technology team to perform AWS account onboarding. This has led to lower resource costs and enabled Sophos to scale with more agility.

Using IAM Identity Center, Sophos also experienced an important security benefit: it could now provide its users with the option to create temporary credentials to access AWS resources. Sophos does not need to rotate credentials or revoke them when they’re no longer required. IAM Identity Center also enables account administrators to change their permissions from a central location, giving them flexibility to adjust role permissions quickly. “Now we can be more granular with the permissions we assign because we can create as many permission sets as we want without it being a pain,” explains Davies. “We can scope down the access that people have to their AWS accounts, which lowers the attack surface.”

For Sophos, implementing IAM Identity Center has resulted in much faster and more streamlined AWS account management, freeing developers to spend less time waiting on other teams and more time focusing on exciting innovations. Sophos also plans to use the IAM Identity Center APIs to build out more automation and further accelerate AWS account onboarding and access processes in the future. For instance, it plans to automate a means of provisioning account access—useful if someone makes a request after normal business hours.

“That’s the sort of thing we are looking to do so that we have a more granular and dynamic approach to privilege management for our AWS accounts,” says Davies. “It’s all super possible using IAM Identity Center.”