HackerOne uses Nira to protect critical data and resolve offboarding risks

HackerOne is trusted by some of the largest organizations in the world to find and eliminate security vulnerabilities. Its community of ethical hackers and information security leaders surface security issues to companies before they can be exploited. To help with its core mission to make the internet a safer place, HackerOne turned to Nira to protect crucial data in Google Workspace.

After conducting periodic audits of HackerOne’s Google Drive, IT Engineer Mike Goddard knew there had to be an easier way to identify and secure sensitive documents that had been inappropriately shared.

“We were struggling with the fact that there was no way to tell which documents had been shared by who other than trawling through everything, Slacking people, or taking action manually using GAM or by changing individual document permissions one at a time,” Goddard said.

Audits were time-consuming, and the team didn’t have the bandwidth or the comprehensive visibility they needed.

“We wanted a tool that would give us quicker and easier access to see what data was shared and how it was shared in Google Workspace,” Goddard explained.

Using Nira, HackerOne was able to identify key risks and then fix them quickly and efficiently. Actions that previously took hours or days could now be resolved with a few clicks using bulk remediation.

We wanted the ability to rectify issues on a massive scale, which Nira excels at.

Mike Goddard,

IT Engineer

Whether they need to investigate and make changes to 10 documents or over 10,000, Nira enables HackerOne to make faster and better-informed choices. Key decisions and permission changes could be based on complete visibility, without going through tedious manual checks.

Discovery and alerting capabilities

Nira allowed HackerOne to discover issues and gain visibility no other tool could provide

For HackerOne’s Head of IT and Workplaces, Aaron Zander, buying Nira was about issue discovery.

Other IT tools HackerOne had used were not as fast or as reliable at delivering a specific document and its sharing permissions status, which meant finding risks took too long or the data wasn’t comprehensive.

The company needed to be able to quickly find access issues and identify what to take action on.

It’s hard to figure out what should and shouldn’t be shared. We needed a tool that could filter through all our files, find what had been inappropriately shared, and help employees figure out what’s the right thing to do.

Aaron Zander,

Head of IT and Workplaces

According to Zander, Nira had the features they wanted and, unlike other products they’d seen, it actually worked. Goddard agreed that from an admin stance, the company needed Nira’s comprehensive visibility into issues like files with public links that are accessible by anyone on the internet.

For HackerOne, any documents with public links could potentially be a risk, especially since they could contain confidential information, like financial or personal identifiable information, as well as vulnerability data that could have unintentionally been uploaded to Google Drive. These types of documents need to be especially restricted as they put critical customer and company information at risk.

Before Nira, HackerOne could use a Google API configuration to receive Slack notifications if anything was shared publicly. However, being able to identify the document quickly, accurately, or remediate the problem was near impossible. Google may alert HackerOne that a file was shared publicly, but the alert was too broad and missed the context behind it.

“We get alerts in Slack with data from Google’s API, but there are so many alerts so it’s not feasible to look in real-time. It’s not very easy to find information like what that document is, where it is, and what it really is about. The information in the alerts is kind of there, but it isn’t easy to get any real context or detail, and it was hard to make a decision on what action to take based on that,” Goddard said.

Now, Nira gives HackerOne the capability to drill down and get the exact information they need by applying filters. Goddard can configure alerts that include specific scenarios such as “Does the document title contain the word ‘confidential’?” or “Is it over a year old?”

“You can apply all those criteria to closely examine the scenarios that you truly care about among all the noise,” Goddard said. “You’re not going crazy figuring out that you have 1,500 notifications today about public links, but you don’t really know what to do with them.”

Goddard has also been able to use Nira for the ability to alert employees to potential access issues.

He can search for certain document attributes and then automate remediation actions for employees to review and take. He’s then able to ask employees using an automated workflow if they still need specific documents to be shared externally, a task he would have previously had to do through a manual process and repeat every six months. Now, with Nira, he can set up periodic Slack alerts and automations to make sure inappropriate sharing is resolved or never happens in the first place.

The impact is cumulative for the company, which did not previously have the bandwidth for constant time-consuming manual checks. With Nira, HackerOne is now able to discover and quickly fix access risks.

Remove personal account access and clean up file ownership

Nira allows HackerOne to meet best practices around offboarding and remediating file ownership

After identifying risks, Nira helped HackerOne quickly remediate access issues related to employee and third-party offboarding and file ownership. For Goddard and the team, it was essential to see if employees or vendors had access to files through their personal accounts as part of offboarding workflow processes. However, it was impossible to gain comprehensive visibility with other tools on the market.

When document ownership is transferred as part of employee or vendor offboarding, any personal account access related to that employee or vendor persists, Goddard explained.

As part of the offboarding process, we wouldn’t be able to easily remove personal account access without Nira.

Mike Goddard,

IT Engineer

Nira also gave HackerOne the ability to easily clean up file ownership. It could now do a bulk transfer of documents from an ex-employee to a new owner.

“It was game-changing to easily transfer ownership, saving us time and effort, which isn’t feasible in any other way,” Goddard said.

What may have taken an hour or two to transfer ownership of every file from one employee to another could now be taken care of within minutes.

“Cleaning up file ownership and transferring ownership is done really quickly now,” Zander said. “I once spent almost eight hours trying to fix an issue that would have immediately worked with Nira.”

Nira is not only providing time savings to administrators and IT teams, but also helps employees better manage their security. Through its employee security portal, end-users can be a part of information security solutions.

Rather than a top-down approach, employees are empowered to easily fix access issues

Nira enables employees to identify and quickly remediate accidental sharing issues

According to Goddard, HackerOne does not favor a top-down approach when working with employees and appreciated Nira’s ability to let employees be a part of the process.

“At HackerOne, we like everybody to understand what and why the IT team is doing and to make IT-related decisions themselves,” Goddard said.

However, although employees want to do the right thing when it comes to sharing documents securely, issues may get overlooked because of just how easy it is to share and how difficult it is for an employee to gain visibility into sharing permissions.

“We’ve had instances where people have said, ‘Did you mean to share this? I’ve got access to this file when I shouldn’t,” Goddard said. “The potential for people to do it unintentionally is huge.”

Goddard maintains employees may not be aware of what they were sharing and that the company needs extra checks and balances to keep data safe.

“That’s where Nira comes in. We don’t want to lock everything down so people can’t do their jobs,” Goddard said.

Nira gives people the freedom to share things in the ways that they need to, without sacrificing security.

Mike Goddard,

IT Engineer

Through features like Nira’s employee security portal and Slack notifications, employees can stay on top of security without taking up tons of administrative time.

“If we alert individuals in Slack about issues that’s great for us. People are empowered to change sharing permissions and eliminate risks themselves,” Goddard said. “We want everyone’s job to be security.”

Employees are able to more easily take care of cleaning up permissions, freeing up time and resources for IT teams. Nira also provides educational resources for admins and end-users, as part of its commitment to customer service.