Mercury Cuts Mitigation Time With Astrix

Danielle Guetta November 7, 2024

Mercury’s mission: Powering financial workflows for startups

Mercury is a fintech company trusted by over two thousand startups to manage and streamline their financial workflows. As a leader in this space, Mercury’s commitment to security is paramount, especially in the rapidly evolving landscape of identity and access management (IAM).

Non-human identities are a blind spot

IAM is a cornerstone of any robust security program, and most established companies have mature processes in place for managing human identities. Tools like Okta, single sign-on (SSO), and SAML are commonly used to govern access. However, non-human identities, such as API keys, machine credentials, and other forms of automated access, are often overlooked. These identities, critical for connecting systems and enabling automation, lack the processes and attention given to their human counterparts.

Branden Wagner, Head of Information Security at Mercury, explains: “The human side of IAM is well established, but non-human identities are often neglected. Traditionally, protecting these identities has fallen to DevOps practices, with little dedicated tooling available. With Astrix, we can build our program with more maturity and security.”

A real-world test: Rapid remediation during a third-party breach

Mercury’s decision to partner with Astrix was put to the test during a proof of value (POV) phase when a breach occurred at Dropbox Sign. Although Mercury wasn’t a direct customer of Dropbox Sign, a third-party vendor they worked with used the service, creating potential exposure within Mercury’s environment.

“Astrix allowed us to quickly identify and remediate the affected accounts,” Branden recalls. “Without Astrix, it would have taken us days to search logs and reverse-engineer OAuth connections. With Astrix, we completed the remediation in thirty minutes, turning what could have been a complex, time-consuming task into a straightforward process.”

Why Astrix stood out: Business justifications and anomaly detection

One of the key features that impressed Mercury was Astrix’s ability to collect and enforce business justifications for non-human identities. In an environment with over nine hundred non-human identities, it’s impossible for a security team to know the purpose and legitimacy of every one.

“Astrix democratizes security by allowing end users to explain why a tool can access our environment,” Branden explains. “This is critical because security teams can’t know everything. Getting input from those closest to the situation is invaluable.”

Additionally, Astrix’s Anomaly Manager and App Analyzer tools provide essential visibility into non-human activities. For a company like Mercury, which is heavily reliant on Slack, being able to analyze and vet new apps before they enter the environment is crucial.

“We use Slack extensively, and with Astrix, we can drop new app requests into the analyzer to understand the app’s origins, permissions, and potential risks before it’s approved,” Branden adds.

Non-human identity (NHI) security: A critical yet overlooked aspect of IAM

While NHI security may be less discussed, it’s a crucial component of IAM that has historically been overlooked. “NHI security isn’t a new field, but it’s one that has often been neglected by security teams. Having the tools to provide visibility and control is extremely important,” Branden concludes.

Learn more

The Service Accounts Guide Part 2: Challenges, Compliance and Best Practices

The Service Accounts Guide Part 1: Origin, Types, Pitfalls and Fixes

Detect and Rotate Exposed Secrets with Astrix