Lyft was founded in 2012 and currently provides 50 million rides a month across the United States and Canada. With that scale comes the biggest challenge for Lyft's security team: protecting users' sensitive personal and financial information.
The company aimed to strengthen security protection for their mission critical applications and valuable intellectual property. They wanted to enable easy and secure access for all stakeholders, empowering effective collaboration.
Lyft employees used VPN connections to access sensitive internal applications hosted on Amazon Web Services (AWS). Lyft had implemented a custom solution based on OpenVPN, but it posed usability challenges for end users accessing web applications and SSH. Employees had to use the VPN even when they were inside Lyft offices to access certain internal apps, which impacted user productivity. Lyft was looking for a VPN alternative for certain popular applications without compromising security.
Meanwhile, Lyft also had a diverse mix of end-user devices, including MacBooks, Chromebooks, Windows and Linux machines. Some were actively managed by IT and some were employees' own personal devices outside IT management. Lyft had little visibility into the security posture of this fleet, which left a significant gap. Maintaining VPN clients for disparate operating systems on every end-user machine took considerable effort and was becoming increasingly expensive.
To protect user information, Lyft wanted to establish strong access controls for applications so that only authorized, trusted individuals using company-issued devices could reach sensitive data. Specifically, they wanted to enable two-factor authentication (2FA) to strengthen the security of remote access, and to ensure that only devices with a good security posture could connect to their critical applications in AWS.
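The access model described above combines three checks on every request: who the user is, whether a second factor was completed, and whether the device is company-managed and in good health. The following is an added illustration of such a policy decision, not code from Lyft or from any vendor in this case study. The application names, OS version floors, posture attributes and the one-hour freshness window are assumptions chosen for the example; a real deployment would take these from its identity provider and device-management inventory.

```python
from dataclasses import dataclass

# Constructed example of an identity-plus-device access decision. All
# names, thresholds and application policies below are assumptions for
# illustration only, not Lyft's actual configuration.


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in IT device management
    os: str                # "macos", "windows", "linux" or "chromeos"
    os_version: tuple      # e.g. (13, 4)
    disk_encrypted: bool
    screen_lock: bool
    posture_age_s: int     # seconds since the device last reported posture


@dataclass(frozen=True)
class Request:
    user: str
    factors: frozenset     # authentication factors completed, e.g. {"password", "totp"}
    device: Device
    app: str


# Assumed minimum OS versions; anything below is treated as out of date.
MIN_OS_VERSION = {
    "macos": (13, 0),
    "windows": (10, 0),
    "linux": (5, 10),
    "chromeos": (110, 0),
}

# Assumed per-application requirements. An internal wiki is reachable from
# a personal device with 2FA; a payments console needs a managed, healthy one.
APP_POLICY = {
    "wiki": {"require_2fa": True, "require_managed": False, "require_posture": False},
    "payments-admin": {"require_2fa": True, "require_managed": True, "require_posture": True},
}

# Posture reports older than this are not trusted (assumed window).
POSTURE_MAX_AGE_S = 3600

# Factors that count as a second factor beyond the password.
SECOND_FACTORS = {"totp", "push", "webauthn", "u2f"}


def posture_failures(d: Device) -> list:
    """Return every reason the device fails the posture baseline (empty if healthy)."""
    failures = []
    if d.posture_age_s > POSTURE_MAX_AGE_S:
        failures.append("posture report stale")
    if not d.disk_encrypted:
        failures.append("disk not encrypted")
    if not d.screen_lock:
        failures.append("screen lock disabled")
    minimum = MIN_OS_VERSION.get(d.os)
    if minimum is None:
        failures.append(f"unsupported OS {d.os}")
    elif d.os_version < minimum:
        version = ".".join(str(n) for n in d.os_version)
        failures.append(f"{d.os} {version} below minimum")
    return failures


def decide(req: Request):
    """Evaluate a request; returns (allowed, reasons). Unknown apps are denied."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, ["unknown application"]
    reasons = []
    if policy["require_2fa"] and not (req.factors & SECOND_FACTORS):
        reasons.append("second factor not completed")
    if policy["require_managed"] and not req.device.managed:
        reasons.append("device not company-managed")
    # Posture data only exists for managed devices, so it is checked only
    # when the app demands it and the device can report it.
    if policy["require_posture"] and req.device.managed:
        reasons.extend(posture_failures(req.device))
    return (not reasons), reasons


if __name__ == "__main__":
    laptop = Device(True, "macos", (13, 4), True, True, 120)
    for factors in (frozenset({"password", "totp"}), frozenset({"password"})):
        print(decide(Request("alice", factors, laptop, "payments-admin")))
```

The decision is deny-by-default: an application missing from the policy table, a password-only session, a personal device asking for a managed-only app, or a stale or non-compliant posture report each produces a denial with an explicit reason, which is what an operator needs in the logs when users ask why they were refused.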