Zero Trust at Teads
Teads is The Global Media Platform that connects Advertisers to Publishers in a one-stop shop. Serving ads at scale generates a lot of data. 100BN analytic events daily to be more precise. Distributing the services for our 2BN monthly users over multiple regions means we have a very interesting question to answer…
How do we keep the Teads Platform and its data secure on a global scale?
Well, keep reading to find out!
What is Zero Trust?
Verify, then trust. This was the relied-upon method of authentication and authorisation for decades. The threat landscape has changed as the enterprise landscape has changed. Verifying once, then trusting forever and for all things, is no longer sufficient. With the very real and possible threat of verifying an imposter, or a compromise after verification, an advanced approach is needed to secure a segment or the entirety of a network. This is possible with Zero Trust (ZT).
Implementing ZT is a dynamic process that focuses on validating users, applications, and infrastructure at all stages of an interaction.
Picture a simple castle (see below for inspiration).
With this castle, all that is necessary is to cross the drawbridge to become King or Queen of the castle, and have unrestricted access to everything and anything within its walls. This is verify then trust. This is what we don’t want.
Let’s look at a different castle…
With this castle architecture, each entry point for each part of the castle has a control (gatehouse, portcullis, inner bailey). This accounts for the use cases where a visitor can enter the outer bailey, but they are prevented from entering the inner. Or, an attacker manages to sneak past the gatehouse and is uncovered at the portcullis. Then, they can be kicked into the moat and be eaten by piranhas. This is a basic model for ZT. This is what we want.
Why is it important?
Previously, implicit trust was given to those authorised within a network, with a defensive focus on a static perimeter. Then everything started moving to the Cloud. Cloud-native and cloud-based computing meant that a static perimeter as we knew it was no longer applicable or defendable.
From the early 2000s, leading research groups, firms, and organisations within the field started to highlight the cracks. Foundational pillars and frameworks of security, focusing on security controls at all levels, started to emerge. With the continued rise of breaches and ransomware from malicious parties, criminal gangs, and even insider threats (check out the biggest breaches for this century so far), having granular and variable security inside a network is crucial now more than ever.
ZT continues to gain recognition as a secure model for authentication and authorisation. We continue to see industry groups and even government bodies promoting a ZT approach, developing roadmaps, and even selling ZT as a Service.
Zero Trust at Teads
Now for the million dollar question: what are some of the ways we implement this at Teads?
Users
- The use of an Identity Provider allows us to use Single Sign-On (SSO) to centralise the provisioning of access to our enterprise applications. Being able to utilise SSO has the added benefit of reducing credential fatigue; users can have fewer and stronger credentials.
- To protect the SSO, MFA is a mandatory additional layer of protection.
Applications
- To prevent someone from having access where they shouldn’t, provisioning for applications or objects is done following the principle of least-privilege. Not only does this reduce our attack surface by minimising options for lateral movement, it reduces unintentional human error.
- We adhere to strict change management, where only the object owner can approve changes to their assets.
Infrastructure
- The production environment is secured behind a bastion host. Users can only touch it through our remote access solution, which is protected by all the methods stated above.
- What about the scenario where an object is interacting with another object as part of automated processes? Cloud-native access monitoring tools allow us to verify a relationship of trust when non-human objects interact.
Checks & Balances
- Centralising alerts for suspicious, privileged, and admin actions in our SOC gives the Information Security team oversight into anything suspicious, whether it is activity caused by someone malicious or a user’s mis-click.
- Logging IAM actions, including admin or privileged roles, allows us to audit activity as and when needed.
- For the icing on the cake, those previously mentioned centralised alerts let us know if someone tries to tamper with our logs!
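The alerting described under Checks & Balances, sketched as an added example (not Teads' code): it flags privileged IAM changes and attempts to tamper with audit logging, including attempts that were denied. It assumes AWS CloudTrail-style audit records, which the post does not name; the rule sets, the `make_event` helper and the sample events are constructed for illustration.

```python
# Added example: rules and events below are constructed; the CloudTrail-style
# record shape is an assumption, since the post does not name its tooling.
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PRIVILEGED_IAM = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                  "PutRolePolicy", "CreateAccessKey", "UpdateAssumeRolePolicy"}
SEVERITY_ORDER = {"critical": 0, "high": 1}

def classify(event):
    """Return an alert dict for a suspicious event, or None for routine activity."""
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    if source == "cloudtrail.amazonaws.com" and name in LOG_TAMPERING:
        rule, severity = "log_tampering", "critical"
    elif source == "iam.amazonaws.com" and name in PRIVILEGED_IAM:
        rule, severity = "privileged_iam_change", "high"
    else:
        return None
    return {
        "rule": rule, "severity": severity,
        "actor": event.get("userIdentity", {}).get("arn", "unknown"),
        "action": name, "time": event.get("eventTime", ""),
        # A denied attempt is still alerted on: the attempt itself is the signal.
        "outcome": "denied" if event.get("errorCode") else "succeeded",
    }

def detect(events):
    """Classify every event and return alerts, most severe first, then by time."""
    alerts = [a for a in map(classify, events) if a]
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER[a["severity"]], a["time"]))

def make_event(time, source, name, arn, error=None):
    """Build one constructed audit record (hypothetical helper for the samples)."""
    event = {"eventTime": time, "eventSource": source, "eventName": name,
             "userIdentity": {"arn": arn}}
    if error:
        event["errorCode"] = error
    return event

ACCT = "arn:aws:iam::111122223333"  # constructed account id
SAMPLE_EVENTS = [
    make_event("2024-01-01T10:00:00Z", "iam.amazonaws.com", "ListUsers", ACCT + ":user/alice"),
    make_event("2024-01-01T10:05:00Z", "iam.amazonaws.com", "AttachUserPolicy", ACCT + ":user/bob"),
    make_event("2024-01-01T10:07:00Z", "cloudtrail.amazonaws.com", "StopLogging", ACCT + ":user/carol", "AccessDenied"),
    make_event("2024-01-01T10:08:00Z", "s3.amazonaws.com", "PutObject", ACCT + ":role/ci"),
    make_event("2024-01-01T10:09:00Z", "cloudtrail.amazonaws.com", "DeleteTrail", ACCT + ":user/bob"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```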
In Other Words…
Trust no one. Trust for a predetermined period of time in a specific location. Then trust no one again. Rinse and repeat.
As Teads continues to grow our offerings, the size of our impact, data, and platform will follow. This brings us new challenges. If you like problem solving, we are always looking for new talent. Feel free to check out our openings.