How Aireon turned access and identity blind spots into a robust identity security and data governance program
Business Outcomes
- Reduced risk by identifying and remediating excessive permissions and potential data exposures.
- Improved data governance processes and reporting for executive leadership and compliance requirements.
- Realized significant time and cost savings compared to manual data security assessments.
- Enhanced incident response capabilities with rapid access to critical data ownership and access information.
Challenge
Aireon, a leading global air traffic surveillance provider, faced significant challenges in understanding and managing access to its identities, groups, and associated data resources. Manual processes proved time-consuming and extremely inefficient, hindering their ability to maintain a strong, consistent security posture and meet compliance requirements. Emerging risks signaled that Aireon needed to continuously improve its identity security program and gain a clear understanding of who had access to the company's data and how to remediate the issues as they were discovered.
Solution
Aireon strengthened its identity security posture by implementing the Oleria Trustfusion Platform alongside its existing identity and access deployments. Oleria's unique ability to uncover and remediate excessive permissions, automate reporting, and provide real-time insights enabled Aireon to rapidly enhance its identity security and data governance program. The platform's intuitive interface and seamless implementation allowed Aireon to quickly achieve actionable results.
“For us at Aireon, Oleria is indispensable in helping us build our data governance processes. What Oleria really allows you to do is to create data governance strategies that work.” - Peter Clay, CISO, Aireon.
“People are really, really good at sharing things — but not so good at revoking those privileges once they’re no longer needed.”
Ensuring the security of global air traffic surveillance
Aireon's innovative technology plays a crucial role in ensuring the safety and efficiency of global air travel, tracking the location and status of every commercial aircraft in flight, 24/7, 365 days a year.
Entrusted with this vital responsibility and critical aviation data, Aireon recognizes that protecting sensitive information is not just a compliance requirement but essential to maintaining the trust of its customers, the integrity of its operations, and ultimately, the safety of air travelers around the globe.
Peter Clay, who brings over 25 years of cybersecurity leadership experience, including serving as CISO for Deloitte's Federal Practice and holding similar roles at Qlik and Invotas, currently serves as Aireon's Chief Information Security Officer (CISO). As part of the company's efforts to continuously harden its overall security posture, a few years ago Clay's team recognized emerging risks as a warning sign of underlying gaps in the company's data governance program. “Through our threat intelligence program, we could see increasing exposures of our attack surface to include both identities and data sharing,” he says.
Answering the essential questions of cyber security
The first step to resolving this problem was answering key questions around identity and access. “There are a couple foundational things that you want to understand,” Clay explains. “First of all, what data do I have — what am I trying to protect? And then the next questions are, who has access to that data and how much access do they have and what can they do with it?”
The years of data sharing with customers and partners — who then shared it with their partners and so on — coupled with the inherent complexities of managing permissions in a rapidly growing organization, made it difficult for Aireon to concretely answer those questions around data access and permissions.
“Around 70% of all major security incidents stem from identity compromise. And once identity is compromised, the reason the incident gets bigger is because people have too much access.”
“Everybody thinks that cyber security is about doing cool cryptography stuff. But everything that we do in cyber security is about securing access to data — who can see it, who can manage it, who can impact it, who can share it. That is the entire focus of cyber security. If you can't see that and you can't control that, then you've lost control of your data, and it doesn't matter what else you spend money on — you're going to have a fatal flaw in your cyber security program.”
Hitting the limits of conventional IAM tools
Although Aireon initially attempted to address its data security challenges using traditional identity tools, Clay quickly recognized that these solutions failed to provide the comprehensive visibility they needed.
Moreover, gaining even partial visibility required extraordinarily intensive, manual tasks that weren't practical. “If I had all the time in the world and all the people in the world, how long would it take me to do this manually — to go through roughly 200,000 documents and trace out all the rights and permissions associated? It would have taken a minimum of three people working four years. So, roughly 24,000 hours of expended time to figure out just who had access — and that was just for Day 1, assuming nothing changes,” Clay explains.
Clay and his team were looking for a way to move beyond a reactive "whack-a-mole" approach to security and establish a proactive data governance strategy. And they knew that solution needed to start with deep, broad visibility — and couldn't rely on manual workflows to identify and remediate data governance issues.
Discovering Oleria’s unique approach to identity security
Clay was introduced to Oleria by two of the company's investors from Evolution Equity Partners, Dr. Taher Elgamal (a renowned cryptographer) and Phil Quade (the former CIO for the NSA). “Those are not guys that have to sell. One invented SSL and the other one did more for securing data than I've ever dreamt about doing,” Clay says, “So, the very fact that they were invested, and they were spending their time to be at the dinner and have the conversations — that spoke pretty loudly.”
Clay was immediately impressed by Oleria's capabilities. "If this thing really works," he recalls thinking, "then this is what we've been looking for.” Oleria's unique approach to data security, which starts with SaaS applications and works backward, resonated with Clay and his team. They recognized that Oleria could provide the visibility and control they needed to establish a robust data governance program.
Aireon's lead technologist, Tom Rudolph, a 30-year full-stack developer, was also quickly convinced of Oleria's value. “I saw the demo, and was sold on it right away,” said Rudolph.
The value of Oleria: Immediate visibility — ongoing assurance
After a seamless deployment, Clay says the time-to-value with Oleria was nearly immediate. “We really did get actionable results within about 45 minutes of initial deployment. And those results have been consistent and improved over time,” he says. “It's very easy to use Oleria to look at the difference between yesterday and today to find the inconsistencies and measure your improvement.”
That immediate and continuous, fine-grained visibility has enabled Aireon to achieve a proactive and comprehensive approach to identity security and data governance, resulting in a range of benefits:
“Where Oleria comes in is helping us identify excessive permissions — helping us identify access that may be granted (public access, external access) to resources that may put us at risk or is no longer necessary.”
“For us at Aireon, Oleria is indispensable in helping us build and operate our data governance processes.”
Improved data governance
Though Aireon uses additional identity tools, Oleria is now an essential complement to Aireon's data governance program. The platform's automated reporting capabilities provide Clay and his team with the insights they need to make informed decisions about data access and security policies.
“I'll put it this way. I've implemented both Okta and SailPoint during my career, and I like both products for what they do,” says Clay. “I can imagine using Oleria without using Okta or SailPoint — but I can't imagine using those two tools without using Oleria moving forward.”
Risk prioritization & strategic planning
Aireon has developed an innovative application of Oleria's identity and access insights. The company uses that data to quantify its security risks in financial terms. “In cyber security, everybody just talks about critical, high, medium, low risks — and those words mean different things to different people,” explains Clay. “We worked with a brilliant statistician to develop a way of doing risk reporting that ties back into expected loss based on the performance of our controls — so we can express that in dollar terms. And Oleria provides us with key inputs on whether our identity and access management controls around our data are working.”
This risk modeling enables the company to make more informed decisions about resource allocation and security investments. “So, before we go spending money, we can answer the question, ‘What do we expect to lose if we don't do anything?’ and then measure those results over time,” says Clay.
Continuous monitoring & fine-grained visibility
Oleria provides Aireon with critical clarity and control of data access and permissions across its connected systems. This enables Aireon to identify and remediate excessive permissions, reducing the risk of unauthorized access and potential data breaches.
“We use it to provide ourselves continuous visibility,” says Clay. “If we see something that changed from yesterday to today, we can understand why. So, it's not just a use-it-once-and-forget-it tool. We log into it every day, get the alerts, and understand what's changing in our data protection posture from day to day to day to day.”
Accelerated incident response
Oleria also now plays a crucial role in Aireon's incident response process. In the event of a security incident, Oleria provides rapid access to critical information about data ownership and permissions, enabling Aireon to quickly assess and respond to the situation.
“We use the MITRE ATT&CK framework and Oleria as part of our incident response capability,” explains Clay. “When we get an alert, we're checking where is the document, who has access to it, where should it be, are we seeing it somewhere else, etc., etc. It's incredibly useful to provide you with that rapid access snapshot of privileges and access.”
“Oleria is a quick, plug-and-play model that mitigates risk immediately.”
“In cyber security, the greatest risk is the unknown. If I can define the problem, I can fix the problem. And that's exactly what Oleria let me do. It allowed me to define the problem and then come up with strategies to fix the problem.”
Saving time and cost — and freeing up resources
By streamlining data security assessments and reporting, Oleria has significantly reduced the time and resources Aireon previously dedicated to these tasks. This has freed up Clay and his team to focus on more strategic initiatives. “Without Oleria, we would have spent literally years of people's time just trying to manually go through the existing documents to understand our exposure,” says Clay.
Using Oleria to continually strengthen Aireon’s security posture
Within weeks of deployment, Oleria became a cornerstone of Aireon's identity security and data governance program. Today, Clay and his team are continuously logged into the platform, using the tools daily to monitor, understand, investigate and remediate identity and access risks.
Oleria reports have also become vital for Clay's important efforts as a CISO to engage with Aireon leadership about the criticality of data governance and gain buy-in for ongoing cybersecurity investments. “I just did my monthly meeting with the executive team this morning,” Clay says, “And the third slide was, ‘What does Oleria tell us about our environment?’ It's just a unique perspective on identifying the problem set and measuring how effective our remediation is on an ongoing basis.”
“I really can't believe that nobody thought of this before Oleria did. Oleria is one of those things that once you see it and once you get it, it's hard to imagine doing what you've been doing without it.” - Peter Clay, CISO, Aireon.
“Being able to assess the current state and optimize around least privilege provides the ROI in itself. And the ability to understand what my engineers need will help us provide least-privilege access.”
“If you ask any CISO, ‘How many files have you shared outside the company?’ . . . most don't have answers — or they don’t have easy ways to answer those questions. In Oleria, I can answer those questions with a click.”
“Having visibility and the ability to remove that share or that file access...is a real differentiator.”
“Oleria allows our business to focus on driving revenue, and less on checking compliance boxes.”