- Secured and optimized fine-grained controls in AWS IAM
- Quick detection of changes to support compliance efforts and enhanced audit readiness
- A modern cloud architecture using legacy access control models
- Authorization Graph
- User Access Reviews, Privileged Access Reviews
Leveraging the Power of Authorization for Data Governance & Compliance
Choice Hotels International is one of the largest hotel franchisors, currently operating more than 7,000 establishments worldwide, ranging from upscale hotels to extended-stay lodges. With 570,000 rooms in some 40 countries, the company collects massive amounts of data on both customers and franchisees, which it relies on to ensure smooth business operations and “get heads into beds.”
Data is essential for tracking reservations and ensuring that guests end up in the right room at the right time. And the secure flow of data through payment systems, whether for guests or franchisees, is mission critical. “Data is our lifeblood. It’s the key to understanding the marketplace and our customers,” says Steven Cihak, Senior Director, Cloud Platform & Site Reliability.
With so much data and so many financial transactions traversing the globe, cybersecurity is a high priority. The company handles large volumes of personally identifiable information (PII) and payment card data (subject to PCI DSS) that must be managed and protected, and it must comply with data privacy rules such as the General Data Protection Regulation (GDPR) for its European properties. As a publicly traded company, Sarbanes–Oxley (SOX) compliance is another concern. “Ransomware is also a high priority, because if a hacker manages to get into an admin’s account with elevated permissions and encrypt our reservation data, our business is dead in the water,” notes Jason Simpson, VP of Engineering. Managing and securing vast data resources while complying with financial regulations and corporate governance mandates is a major challenge — one that grew exponentially as Choice Hotels moved its operations to the cloud.
> “Data is our lifeblood. It’s the key to understanding the marketplace and our customers.” (Steven Cihak, Senior Director, Cloud Platform & Site Reliability)
Building a multi-cloud enterprise from the ground up
The company’s journey to the cloud began in 2016, first by migrating to AWS to rebuild its central reservation system in a microservice architecture. “We were among the first to rebuild legacy systems from the ’80s and ’90s in a cloud-native way,” says Cihak. Ever since, the company has gone all in on cloud and now uses services and tools from several providers.
Getting the right data to the right people and the right applications
The adoption of Okta helped integrate applications with a centralized user directory, authenticate users, and leverage existing groups and roles. But the company still had problems authorizing access to resources while reusing legacy permission models that had not been adapted for the cloud. Managing fine-grained access controls became quite complex, and there was a lot of cleanup to do regarding specific permissions on the ever-growing number of data stores in the cloud. The company had to create new roles and policies as cloud migration progressed and it moved into a microservice architecture. “User and entitlement management now extends across multiple systems. Because we’re so spread out, it was tricky to manage and hard to know who had access to what. Veza lets us understand it in a simple way. The first time we plugged Veza in, we knew we really needed it,” says Cihak.
Veza: A critical tool for data governance and compliance
Upon implementing Veza’s cloud-based data security platform, security teams were able to quickly identify challenges in Choice’s environment. They found orphaned users and groups, as well as policies that weren’t attached to any entity. In short, there was a lot to clean up. When policy violations are discovered, Veza helps accelerate remediation by automatically sending alerts to ServiceNow, giving Choice’s security teams a heads-up on what needs to be fixed.
“Our partnership with Veza has been fantastic. We’re very confident that not only are we going to get a lot out of the product, but we’re also going to help Veza set the direction for integrations they can add to make it easier to secure our cloud,” says Simpson. Choice Hotels is looking to extend Veza to more teams, bring in additional applications, and eventually go deep into every database it has. “This is one of the most exciting tools I’ve ever seen, and I’ve been at it for 30 years. Out of the box, Veza has given us the ability to identify and fix aspects of our InfoSec environment that we didn’t have before,” concluded Chris Harris, Platform Engineering Manager.
> “This is one of the most exciting tools I’ve ever seen, and I’ve been at it for 30 years. Out of the box, Veza has given us the ability to identify and fix aspects of our InfoSec environment that we didn’t have before.” (Chris Harris, Platform Engineering Manager)