Case Study

Vimeo uses Oleria to build future-ready identity security


Business Outcomes

  • Enhanced security posture through real-time access risk monitoring & enforcement of least-privilege access policies
  • Accelerated remediation of external-sharing risks
  • Fewer internal resources needed to manage access
  • 30% reduction in excessive permissions, significantly improving Vimeo’s least-privilege posture
  • 10x improvement in triaging information exposure risk during an incident
  • Streamlined data security and data privacy compliance management
  • More cost-efficient license management and tech spend

Challenge

Just as Vimeo’s video-hosting platform enables millions of people and businesses to seamlessly share video instantly, Vimeo aims to empower employees to easily share information internally and externally to move work forward. But with a growing IT estate spanning more than 400 SaaS apps, legacy identity security tools and manual reporting processes weren’t keeping up:

  • Manual reporting for access and permissions monitoring: repetitive, time-consuming, and resource-heavy
  • Spreadsheet-based compliance reviews: dependent on a manager’s approval, not account usage data
  • Manual remediation of access risks: slow and error-prone

Solution

The Vimeo GRC and security teams implemented Oleria to enable more data-driven, accelerated remediation of over-provisioning to reduce the overall risk surface, without compromising the speed and agility of the business.

  • Centralized, composite visibility: permissions and access data across the IT estate, all in one platform
  • Automated reporting: real-time logging of permissions and access for compliance purposes
  • Fine-grained usage data: detailed view of account utilization, down to the activity level


Modernizing the security stack to enable business growth at scale

With video content now accounting for more than 80% of all internet traffic, Vimeo — the world’s second-largest video platform — has become a pillar of our digital world, boasting nearly 300 million users and hosting over 1.2 billion videos.

Vimeo’s continued growth is increasingly fueled by its burgeoning enterprise business. More than 90% of organizations now use video content, and video is the fastest-growing marketing channel for both B2B and B2C. Vimeo partners with the world’s most well-known brands, as well as thousands of companies that rely on Vimeo to elevate their brand.

While data security and privacy have always been foundational to the Vimeo platform, enterprise-grade security, compliance, and risk management entail an entirely new set of requirements. To help the company meet this challenge, Vimeo brought in seasoned InfoSec leader Mark Carter as CIO and CISO.

To build a risk-based strategy for improving Vimeo’s security posture, Carter worked with Kevin Towey, who leads Vimeo’s Security GRC team, to conduct a holistic gap analysis. “We used the NIST cybersecurity framework [NIST CSF] to evaluate our risks and challenges,” explains Carter. “One area we recognized as fundamental for protecting any company is identity.”


Prioritizing identity security as a critical risk

Why prioritize identity security? “Something like 70% of all major security incidents stem from identity compromise. And once identity is compromised, the reason the incident gets bigger is because people have too much access,” says Carter. “That’s why identity is a focus — because it’s the biggest reason for serious compromises.”

Carter and his team wanted to build a more proactive identity security strategy — one that would go beyond conventional IAM to increase the efficiency of its monitoring and control processes, and reinforce its capabilities for enforcing least-privilege principles.

But he knew this proactive approach required a new kind of identity security solution. Leading teams at Salesforce, Amazon, Google, PayPal, VMware, and Tesla, among others, Carter saw firsthand how conventional tools struggle to keep up with an enterprise landscape that has shifted from fully on-premises to a cloud-powered and SaaS-dominant IT estate. “The tools that exist today for identity and access management are mostly designed for a different era,” he says. “They’re 20 years old — and identity has changed massively in the last 20 years.”

Moreover, Carter recognized that any new identity security solution needed to reduce, not increase, resourcing demands. “We have a small team, so getting more visibility without a heavy lift is critical,” he says.


Recognizing Oleria’s unique approach to identity security

As Vimeo evaluated the growing number of identity security vendors, Oleria stood out from the many legacy tools that Carter had used in the past. “Oleria took a fresh approach of starting with SaaS applications and working backwards,” says Carter.

Towey echoes this insight: “Oleria is taking the next step to fill the gap that a lot of GRC and security monitoring platforms haven’t done, which is aggregating the data to provide quick insights without significant resourcing on your end,” he explains. “It’s a quick, plug-and-play model that mitigates risk immediately.”

Closing the back doors of excessive permission

As a first line of defense, Vimeo partnered with Okta to implement strong authentication. “That [authentication] closes the front door. But the problem is that the way things usually get compromised is through excessive permissions — people having access that they really don’t need, or that they used to need but no longer need,” explains Carter.

“Where Oleria comes in is helping us identify excessive permissions — helping us identify access that may be granted (public access, external access) to resources that may put us at risk or is no longer necessary,” Carter adds.

This excessive permissions problem keeps growing more complex in the modern enterprise. “Even as a company with 1,300 employees, we still have over 400 SaaS applications,” says Carter. He notes that conventional approaches all hinge on manual reporting to support those numbers of users and apps: “Trying to figure out what permissions each individual has across all those applications is a nearly insurmountable process. The approach that Oleria has taken has significantly simplified that,” he says.

Eliminating the time, cost, and risk of manual reporting dependencies

Towey, whose team was responsible for monitoring permissions, describes the time and pain of this manual reporting: “What we were doing previously was pulling data from each app — pulling that permission data, pulling that activity data, validating that data with the people using those apps day-to-day,” he says.

Carter emphasizes the distinction between compliance and security here. The manual reporting process revealed a lag of days or even weeks to address security risks stemming from overpermissioned users. “The traditional compliance process…that might make you compliant, but it doesn’t make you secure,” Carter says.

By contrast, Oleria automates permission and activity reporting, enabling Vimeo to understand and react to risk in real time. “It’s giving us that quick data — that snapshot of what’s actually happening,” says Towey. “Without that automatic integration, it’s a manual audit process…continuously going through, line by line, permission by permission, redefining roles and doing role certifications.”


Immediate, fine-grained visibility — without a heavy lift

Towey highlights how little Oleria requires from a resourcing standpoint, starting with what he calls “plug-and-play” deployment. “Compared to others that require their own implementation team and a lot of time, this requires only an hour of work from one of our engineers,” says Towey.

Moreover, Oleria accelerated time-to-value for Vimeo by delivering immediate, fine-grained visibility into permissions and activity through native integrations. “A lot of the tools in this area have not provided the level of detail that Oleria does from an access and permissions standpoint — or if they do, it requires a ton of configuration on our side,” Towey says. “Oleria has simplified things. Oleria fetches those roles and permissions from the product, telling me what I need to know and showing me high-risk areas of access in those systems.”


Enforcing least-privilege principles to reduce risk (and right-size tech spend)

Vimeo is using Oleria’s immediate, composite, fine-grained access visibility to enable a more data-driven approach to the challenging and sometimes contentious practice of enforcing least-privilege principles.

“Oleria is providing me with that level of insight of usage of the application,” says Towey. “That gives us the data to see where users aren’t leveraging access. So, when a manager says, ‘My user needs every permission under the sun,’ we can provide the data to say, ‘They’re not actually using that permission.’”

Having that level of visibility — in real time — allows Vimeo to begin moving toward a just-in-time access-provisioning model. “For example, we just implemented the GitHub integration in Oleria,” Towey says, “and the ability to understand what my engineers need will help us provide access upon need.”

Towey adds that better clarity around unused accounts across Vimeo’s hundreds of SaaS apps naturally drives smarter license management, reducing accumulated technical debt and, ultimately, right-sizing the company’s tech spend. “Being able to assess the current state and optimize around least privilege provides the ROI in itself,” he says. “So the value [of Oleria] moves from security risk to operational efficiency.”
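The usage-based least-privilege review described above, reduced to its core data join, as an added illustration that is not Oleria’s or Vimeo’s code: granted permissions per account are compared with the permissions actually exercised inside a lookback window, and anything granted but unused is queued for revocation. The apps, accounts, permission names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from Vimeo or Oleria): permissions granted per
# (account, app), and an activity log of which permissions were exercised when.
GRANTS = {
    ("alice", "github"): {"repo:read", "repo:write", "admin:org"},
    ("bob", "github"): {"repo:read", "repo:write"},
    ("alice", "gdrive"): {"file:read", "file:share_external"},
}
ACTIVITY = [
    ("alice", "github", "repo:write", "2024-05-02T10:00:00"),
    ("alice", "github", "repo:read", "2024-05-20T09:30:00"),
    ("alice", "github", "admin:org", "2023-11-01T12:00:00"),  # last used outside the window
    ("bob", "github", "repo:read", "2024-05-21T08:00:00"),
    ("alice", "gdrive", "file:read", "2024-05-22T15:45:00"),
    ("bob", "gdrive", "file:read", "2024-05-23T11:00:00"),   # no matching grant on record
]
NOW = datetime(2024, 6, 1)  # fixed "now" so the example is deterministic


def used_permissions(activity, now, lookback_days):
    """Map (user, app) -> permissions exercised within the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    used = {}
    for user, app, perm, ts in activity:
        if datetime.fromisoformat(ts) >= cutoff:
            used.setdefault((user, app), set()).add(perm)
    return used


def least_privilege_review(grants, activity, now, lookback_days=90):
    """Return (grants not used in the window, % of all grants that are unused)."""
    used = used_permissions(activity, now, lookback_days)
    unused = {}
    for key, perms in grants.items():
        idle = perms - used.get(key, set())
        if idle:
            unused[key] = idle
    total = sum(len(p) for p in grants.values())
    n_unused = sum(len(p) for p in unused.values())
    return unused, (round(100 * n_unused / total, 1) if total else 0.0)


def unexplained_usage(grants, activity, now, lookback_days=90):
    """Permissions exercised in the window that no recorded grant explains.
    A gap between the grant inventory and reality is itself a finding to investigate."""
    used = used_permissions(activity, now, lookback_days)
    gaps = {key: perms - grants.get(key, set()) for key, perms in used.items()}
    return {key: perms for key, perms in gaps.items() if perms}
```

Revoking the returned grants is the step a connector would perform against each app’s API; the review function only produces the evidence for that conversation with the manager.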


Understanding (and controlling) external sharing

Vimeo is using Oleria to target one of the most common blind spots in identity and access management: third parties and other external users. “One of our largest risks is external sharing of high-sensitivity documents and data,” says Carter.

Vimeo is hardly alone in this external-sharing challenge, but Oleria provides a singular solution. “If you ask any CISO, ‘How many files have you shared outside the company? How many files have you shared that no longer need to be shared,’ most don’t have answers — or they don’t have easy ways to answer those questions,” Carter says. “In Oleria, I can answer those questions with a click.”

Towey adds that Oleria not only delivers visibility, but gives his team the ability to act to remediate external sharing risk. “Having visibility and the ability to remove that share or that file access — compared to the manual process in Google Workspace today — is a real differentiator,” he says.
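An added example (not Oleria’s or Vimeo’s code) of the external-sharing inventory Carter and Towey describe: given Drive-style share records, it lists every file shared outside the company domain, including anyone-with-the-link shares, flags shares with no external access within a lookback window as stale, and orders the stale ones by sensitivity for removal. The domain, file names and share records are constructed sample data.

```python
from datetime import datetime, timedelta

COMPANY_DOMAIN = "example.com"  # assumed internal domain (constructed)
NOW = datetime(2024, 6, 1)      # fixed "now" so the example is deterministic

# Constructed share records in the shape a Drive-style export might give.
# type "anyone" means a link anyone can open; it cannot be tied to a person,
# so it carries no last_access and is always treated as stale.
FILES = [
    {"id": "f1", "name": "Q3 board deck", "sensitivity": "high",
     "shares": [{"type": "user", "email": "cfo@example.com"},
                {"type": "user", "email": "auditor@partnerfirm.com", "last_access": "2024-05-25"}]},
    {"id": "f2", "name": "Launch video script", "sensitivity": "medium",
     "shares": [{"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "Vendor SOW (2022)", "sensitivity": "high",
     "shares": [{"type": "user", "email": "legal@oldvendor.net", "last_access": "2022-09-10"}]},
    {"id": "f4", "name": "Team lunch poll", "sensitivity": "low",
     "shares": [{"type": "user", "email": "pm@example.com"}]},
]


def is_external(share, domain):
    """Anyone-with-link shares and non-company addresses count as external."""
    if share["type"] == "anyone":
        return True
    return not share.get("email", "").lower().endswith("@" + domain.lower())


def external_share_report(files, domain, now, stale_days=90):
    """One row per external share, marking shares with no recent access as stale."""
    cutoff = now - timedelta(days=stale_days)
    report = []
    for f in files:
        for s in f["shares"]:
            if not is_external(s, domain):
                continue
            last = s.get("last_access")
            stale = last is None or datetime.fromisoformat(last) < cutoff
            report.append({"file": f["id"], "name": f["name"], "sensitivity": f["sensitivity"],
                           "principal": s.get("email", "anyone-with-link"), "stale": stale})
    return report


def remediation_queue(report):
    """Stale external shares, highest sensitivity first, as the order to remove them in."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((r for r in report if r["stale"]), key=lambda r: order[r["sensitivity"]])
```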


Expanding use cases to increase the ROI of Oleria

Towey and his team are eagerly expanding their use cases for Oleria, including rolling out new app integrations as they become available. “As Oleria is releasing new features, it’s simple — you have standard runbooks and connectors that are pulling in permission data via the API,” he says.

The security and GRC teams are also showing others within the organization how Oleria can address some of their biggest blind spots and pain points. “We’re already getting significant value out of it,” says Carter. “And, we’re looking forward to getting our auditors excited about this — allowing them to generate reports from each application.”

The company is also developing more customized use cases for Oleria. “One of the things I’m excited about is using Oleria on a custom level within Vimeo, working to solve internal services,” Towey says. “That’s where we can really save resource hours.” Here, Towey calls out Oleria’s unique approach to partnerships: “Oleria has a lot of exciting innovation coming down the pipeline,” he says. “And compared to other vendors, they want to get our input on their roadmap to make sure their innovations align with our biggest needs.”


Empowering Vimeo to focus on driving the business forward

While Carter and Towey are focused on what their teams can do with Oleria, the broader business value focuses on what the rest of the business doesn’t have to do, thanks to Oleria: “I don’t want our people to be worried about compliance and security all day,” Towey says. “Having controls in place to identify when we might be overpermissioning or oversharing — it eliminates burdens on the business side.”

Towey stresses that this business value should resonate widely. “Any public company that’s subject to SOC 2, ISO, HIPAA, or other compliance mandates — there are so many minor tasks required of businesses,” he explains. “Oleria allows our business to focus on driving revenue, and less on checking compliance boxes — and we allow our team to mitigate risk at the same time.”
