In operation since 2021, Navan’s new system has proven to be a virtually zero-maintenance solution. The identity management process now involves just a few automatic steps. First, the ULC component reads whether the user is allowed to sign in to specific AWS accounts. It also reads whether the user has been locked out of AWS or Okta and should therefore be removed from the remaining databases. Finally, it reads from a custom database that tells ULC which attributes to assign to a particular identity. As a result, Navan can follow the principle of least privilege—giving users the minimum amount of access they need to do their jobs—by limiting developer access to AWS based on a specific list of attributes.
For example, when a new software architect comes on board, the cloud security team can map the architect’s account to the necessary privileges in advance to make provisioning simple. However, if an account is provisioned without preset privileges, the identity is instead given a default minimum set of attributes. These features streamline the process without limiting Navan’s ability to customize permissions. Even the default set of attributes can be based on some Okta data, such as the user’s department. Meanwhile, Navan has granular control over all privileges using permission sets through AWS IAM Identity Center.
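As an added illustration of the decision logic described above (not Navan’s or AWS’s code; the preset table, department defaults, account IDs and permission-set names are assumptions), a Python reconciliation routine that derives an identity’s account and permission-set assignments and diffs them against what it currently holds:

```python
from dataclasses import dataclass

# Constructed sample identity record; the fields mirror the signals the
# text describes (sign-in allow-list, lockout state, department).
@dataclass
class Identity:
    user_id: str
    department: str
    active_in_okta: bool
    active_in_aws: bool
    allowed_accounts: set  # AWS account IDs the user may sign in to

# Hypothetical preset mapping prepared in advance for a known role:
# user_id -> {account_id: {permission_set, ...}}
PRESET_PRIVILEGES = {
    "architect-01": {
        "111111111111": {"ArchitectReadWrite"},
        "222222222222": {"ReadOnly"},
    },
}

# Hypothetical department-based defaults for identities with no preset,
# plus a minimum fallback when even the department is unknown.
DEPARTMENT_DEFAULTS = {"engineering": {"ReadOnly"}}
FALLBACK_DEFAULT = {"ViewOnlyAccess"}


def desired_assignments(identity):
    """Return the set of (account_id, permission_set) the identity should hold."""
    # Locked out of either identity store: no AWS access at all.
    if not (identity.active_in_okta and identity.active_in_aws):
        return set()
    wanted = set()
    preset = PRESET_PRIVILEGES.get(identity.user_id)
    if preset:
        for account, perm_sets in preset.items():
            # A preset never grants access beyond the sign-in allow-list.
            if account in identity.allowed_accounts:
                wanted |= {(account, ps) for ps in perm_sets}
    else:
        default = DEPARTMENT_DEFAULTS.get(identity.department, FALLBACK_DEFAULT)
        for account in identity.allowed_accounts:
            wanted |= {(account, ps) for ps in default}
    return wanted


def reconcile(identity, current):
    """Diff desired against current assignments; returns (to_add, to_remove)."""
    wanted = desired_assignments(identity)
    return wanted - current, current - wanted
```

Each returned (account, permission set) pair corresponds to one account assignment to create or delete in IAM Identity Center; the API wiring is left out here.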
On AWS, Navan has accelerated the process for provisioning and deprovisioning users, groups, and accounts. The previous system used to take 25–30 minutes to scan 10,000 users. Using AWS IAM Identity Center, it takes 1–2 minutes. The company is using its identity management solution to support multiple accounts in AWS Organizations and gain visibility into security and compliance across all accounts.
“At any given time, we can pull out the statistics about any given user: when they were provisioned, when they were deprovisioned, if it happened through the automated process, and more,” says Iurchenko. “We have all the details, which unlocks high visibility for our own security and compliance reasons.” Further, Navan has automated quarterly compliance tickets and stores all changes it makes in GitHub so that it has simple access to a full record. “Compliance audits have become much simpler,” says Gusakov.
On AWS, Navan engineered an automated solution that provides centralized governance and embarked on a journey to least privilege. “We’ve received great support from AWS with the services that we’re currently using,” says Iurchenko. “We have a very productive collaboration with the AWS team.”