GreenSky, Inc. is a leading technology company Powering Commerce at the Point of Sale® for a growing ecosystem of merchants, consumers, and banks. The company’s highly scalable, proprietary technology platform enables approximately 16,000 merchants to offer frictionless promotional payment options to consumers, driving increased sales volume and accelerated cash flow. Banks leverage GreenSky’s technology to provide loans to super-prime and prime consumers nationwide. Since the company’s inception, approximately 3.6 million consumers have financed over $26 billion of commerce using its paperless, real-time “apply and buy” technology.
Because it operates in the financial market, GreenSky is bound by numerous regulations – including the Sarbanes-Oxley (SOX) Act. GreenSky was also looking for ways to improve its security posture.
Improving Onboarding and SOX Compliance
Early in 2020, before the COVID crisis, GreenSky decided to move all applications behind OneLogin Single Sign-On (SSO). This was driven by the desire to improve the user experience and comply with the SOX requirement to revoke application access once an employee is terminated.
GreenSky’s Vice President of IT Security and Business Continuity, Lori Temples, recognized the need for SSO because of challenges they faced in understanding access rights. “During offboarding for a terminated associate, our helpdesk did not always know every application that an associate had access to unless it was tied to an Active Directory group.”
As a first step, a team of IT Security, IT Operations, and project managers reviewed every application used within GreenSky. They determined the number of associates using any given application, how many times per day the app was accessed, and whether the application contained sensitive data. The audit findings were transformed into a matrix priority list for moving every application behind OneLogin SSO. The security team also established a policy requiring all new applications to be SAML-enabled and to sit behind OneLogin SSO.
To date, GreenSky has moved the majority of its applications behind OneLogin, especially those with sensitive data or multiple users. According to Temples, this has greatly improved the user experience by making it possible to go to a single portal and swiftly access each application with a single click. Because the offboarding process is better, it is also much easier to meet SOX compliance requirements when an employee leaves the company. “OneLogin SSO is an easy way for us to shut off all access to applications, which is critical because sensitive data and intellectual property live behind those apps,” she says.
Quickly Shifting to Work from Home
When COVID-19 struck, GreenSky was able to respond with agility by activating its Business Continuity Plan. With a goal of transitioning the employee base to work from home safely within a short time, the company’s focus was enabling the 50% of associates who were not laptop users – many of whom work in the company’s two call centers. At the same time, Temples had to make sure the company’s VPN could handle the increased capacity with all associates working remotely. To that end, the network team greatly accelerated the schedule to move the VPN to the cloud and increase capacity.
GreenSky’s Learning and Development Department worked with Temples’ team to establish training documents for setting up home workspaces, logging into the VPN, and using telephony systems from home. The security team reviewed every desktop before it left the physical sites to confirm it was equipped with all the required security tools. The IT Operations team also added the OneLogin app to associates’ phones so they could use multi-factor authentication (MFA) when getting on the company’s VPN.
Within a week and a half, every GreenSky associate was working from home securely.
Emphasizing Engagement and Security Awareness
While the Business Continuity team established effective forms of communication and updated various policies to support the work-from-home transition, it also paired up with Human Resources to find ways to keep associates engaged and working securely. HR surveyed associates about how connected they were feeling to their team, their manager, and GreenSky. The team looked for virtual opportunities such as lunches, breakfasts, and games. This year the security team took its Cybersecurity Awareness Month virtual and built ways to educate, connect, and win virtual prizes.
In a video chat, the CTO and CFO explained the biggest security risks, how security affects the company, and how management feels about funding security. Temples’ team built an online game requiring associates to make choices during scenarios such as malicious attacks and a phishing “phrenzy.” Associates completed weekly simulations throughout the month, and those who reported all simulations accurately were entered to win a prize. Temples’ team combined these with other measures, such as sharing Slack Cybersecurity Tips of the Day and hosting lunch-and-learns on topics like protecting personal devices.
GreenSky’s executives and the Business Continuity working team still meet monthly to ensure that the business is operating efficiently and that associates’ lives are made easier when they are trying to get their work completed from home.
Continuing to Shore Up Security for a New Future
With no plans for a return to the office at this time, Temples sees less reliance on security tools with physical hardware and more reliance on those that enable virtual work. In fact, she sees a unique opportunity. “Virtual desktops offer improvements from a patching, accessibility, and security standpoint, which is important since we believe that work from home is here to stay,” she says.
With that in mind, GreenSky plans to continue security training and awareness for all of their associates. “The Internet of Things, mobile phones and wearable devices are on the rise, and can penetrate the home network, which is where our workstations now sit. More education and stronger security will help our associates in their personal lives and in protecting GreenSky data,” Temples explains.
To that end, GreenSky continues to fully leverage OneLogin’s Identity & Access Management (IAM) platform using MFA and OneLogin’s Remote Desktop Gateway (RDG) Server Plugin to provide simple, yet secure access to its virtual desktops. “We can’t control people’s home networks so MFA and IAM become even more important, enabling us to better control application access and keep sensitive information and documents safe from unauthorized users,” concludes Temples.