Greenhouse is the leading hiring software for growing companies. Many of the most successful companies use Greenhouse to optimize all aspects of their hiring and onboarding. Greenhouse chose the Heimdall Database Proxy because of its ability to securely authenticate and authorize users to the Amazon Redshift. In this blog, learn how this joint AWS solution met the requirement of secure data access.
Greehouse has a SaaS service and experienced challenges when they added customers and needed to manage each customer’s data. They create distinct databases per customer in order to isolate access to each customer’s data, and the application simply accesses the proper database as needed for a given customer. As the number of customers grows, there is a limit on the number of databases supported on a single server. For light workloads, this may be in the thousands, although for heavy workloads it may be as low as tens per database, such as with an Amazon Redshift cluster.
One solution is for a customer to develop their application to do lookups of where a customer’s data is located in the database clusters, and directly connect to the appropriate cluster. However, there is the burden of the application team to maintain and improve scale; this adds time and risk. Another way is to use a database proxy in order to route the queries automatically to the proper cluster, and have a single endpoint for all customer activity. In some cases, where third-party software is involved in the offering, modifying the code is also not possible, so the proxy approach would be the only possible approach.
Heimdall Database Proxy provided the following functionality for the SaaS platform:
- Intelligent customer routing: The ability to restrict particular usernames to particular IP addresses; assign a tenant to a virtual database securely and easily.
- Secure Data Access: Per user authentication and authorization. Greenhouse used Active Directory as an authentication system. Active Directory makes it possible to unify technology stacks across identity, access, and device management, in a cost-effective manner that doesn’t sacrifice security or functionality. The Greenhouse team had the choice to either manually program user credentials and privileges on Amazon Redshift, or leverage their existing Active Directory infrastructure with added software development.
The Heimall Database Proxy was able to automate the authentication and authorization of users against their current Action Directory system. Group membership data is stored in addition to user authentication data. Users may belong to one internal group and not another. Group membership is often neglected in database offerings.
Heimdall Proxy allowed SaaS platforms to improve database scale and security as customers are added. The Heimdall Proxy integration with Active Directory allowed the authentication of users and removed the burden to manage users on the databases. Instead of preconfiguring users, the Heimdall Proxy synchronized user information from LDAP into the database so that access control was maintained. Heimdall Proxy also provided granular auditing (who, what when). The implementation did not require any application or Amazon Redshift modification. The transparent solution saved over months of development.
Resources and links: