We sometimes get asked by our business customers how we manage our internal IT to support our employees both efficiently and securely. In this article, I would like to pull back the curtain by sharing some of our IT practices and explaining how they correlate to efficiency and security.
But let’s start with a bit of context: Dashlane’s IT team consists of three local field support experts, two system admins and myself as team lead. We service close to 400 distributed employees across Europe and America, with half of the organization being on the product and engineering teams.
Our tech stack
The tech stack our employees use every day is “classic” startup: Google Workspace for email and online collaboration. We are actually very light email users, as we rely way more on Slack and Zoom for communication, as well as Confluence for all written documents.
In addition, Intune and Jamf are used to manage our Windows/macOS devices and provide a hybrid OS environment for our employees.
Other key tools include:
- GitLab (where we host our repository), Jira, Tableau for data visualization, Miro, and Figma on the product and engineering teams
- Zendesk on the customer support team
- Salesforce and Marketo on the sales team
- Braze on the customer relationship management (CRM) team
- BambooHR, Small Improvements, CultureAmp, and Greenhouse by the entire company
All in all, our IT team uses around 120 software-as-a-service (SaaS) tools. We are looking for more streamlined processes, as this number has grown pretty rapidly and organically. For example, we now work with Vendr to manage software procurement and get better deals from software providers.
Our IT infrastructure
Our IT infrastructure is built on top of Azure and managed entirely as infrastructure as code with Terraform, with Azure AD as the directory. All compatible services are accessible through SSO with additional multi-factor authentication through Duo.
SCIM provisioning is used as much as possible to keep a consistent state of accounts in all of our SaaS tools.
We are replacing our legacy OpenVPN solution with Cloudflare Zero Trust, which improves the redundancy of the connection to our tools and adds a better layer of security.
In addition, we have recently completed our cloud migration. Even though the Dashlane application is fully supported by a cloud infrastructure, our own internal IT systems had, for historical reasons, a lot of on-premises servers in our Paris data center. This was not scalable or sustainable in the long run, so we embarked on a progressive migration to Azure. There were many benefits to that project: simpler maintenance and better performance, more scalability, more resiliency, and stronger security and compliance.
Our network and security
Keeping our employees and our company safe is a critical part of the role of IT. We want to provide the most secure services to protect our assets at all levels:
- Access rights management is fully automated around Azure AD, following the principle of least privilege
- Our network is protected by Cloudflare
- We rely on Jamf Protect and CrowdStrike to protect employee workstations on macOS and Windows/Linux
- In addition to our SSO infrastructure, we of course use Dashlane to secure company credentials
We train our employees through security drills, such as testing of session password strength or phishing simulations. As an example, our security team even tested us by planting a hardware device in one of the offices to test our ability to detect the malicious intrusion and find its source (the device had been hidden behind a TV, piggybacked on a network socket).
Our IT automation
A growing Dashlane team means we need to automate as many of our IT processes as possible and, in particular, processes related to the lifecycle of the employee: onboarding, rights management, and offboarding.
Onboarding and offboarding are automated with a GitLab CI/CD pipeline that uses Python scripts to compare what we have in our AD system with what we have in our central HR system.
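The comparison described above, sketched as an added example (not Dashlane's own pipeline code): it diffs an HR export against directory accounts and refuses to act if the HR data would disable an implausible share of accounts. The record fields, the exempt list and the 50% threshold are assumptions.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not BambooHR or Azure AD schemas.
HR_ROSTER = [
    {"email": "Ana.Silva@example.com", "status": "active", "start": date(2023, 1, 9)},
    {"email": "ben.ito@example.com", "status": "terminated", "start": date(2021, 5, 3)},
    {"email": "cleo.roy@example.com", "status": "active", "start": date(2030, 1, 1)},
    {"email": "dan.moe@example.com", "status": "active", "start": date(2022, 3, 1)},
    {"email": "fay.lin@example.com", "status": "active", "start": date(2020, 2, 1)},
    {"email": "gus.kim@example.com", "status": "active", "start": date(2019, 7, 1)},
]
DIRECTORY = [
    {"upn": "ana.silva@example.com", "enabled": True},
    {"upn": "ben.ito@example.com", "enabled": True},
    {"upn": "eve.old@example.com", "enabled": True},   # no HR record at all
    {"upn": "svc-backup@example.com", "enabled": True},
    {"upn": "fay.lin@example.com", "enabled": True},
    {"upn": "gus.kim@example.com", "enabled": True},
]
EXEMPT = {"svc-backup@example.com"}  # non-human accounts, reviewed separately


def reconcile(hr, directory, today, exempt=frozenset(), max_disable_ratio=0.5):
    """Return sorted (to_create, to_disable) lists of lowercase account names."""
    # HR is the source of truth: an account is entitled only if the person is
    # active and has already started.
    entitled = {r["email"].lower() for r in hr
                if r["status"] == "active" and r["start"] <= today}
    enabled = {a["upn"].lower() for a in directory if a["enabled"]}
    exempt = {e.lower() for e in exempt}

    to_create = sorted(entitled - enabled)
    to_disable = sorted(enabled - entitled - exempt)

    # Safety valve: an empty or truncated HR export must not disable everyone.
    candidates = enabled - exempt
    if candidates and len(to_disable) / len(candidates) > max_disable_ratio:
        raise RuntimeError(
            f"refusing to disable {len(to_disable)} of {len(candidates)} accounts"
        )
    return to_create, to_disable


if __name__ == "__main__":
    create, disable = reconcile(HR_ROSTER, DIRECTORY, date(2024, 6, 1), EXEMPT)
    print("create:", create)
    print("disable:", disable)
```

In a CI job the two lists would feed the provisioning and deprovisioning steps, and the raised error would fail the pipeline so that a person reviews the HR export first.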
For rights management, we have built a cool Slack bot called Beebop. It is plugged into BambooHR and pulls employee information from that central HR system to automate the process. Basically, it lets end users ask for new rights and sends a Slack notification to the identified approvers, who approve or deny the request. If it is approved, the bot adds the people to the correct group, and that’s it. We are integrating loads of cool stuff into this bot, and we’re thinking about open-sourcing it so everyone can add their own modules easily. We would love to write a future article to share more technical details about Beebop.
Automating device deployment is also pivotal when a company is growing. For that, we use Intune and its Autopilot system: we purchase the equipment directly through eligible vendors and, once purchased, the device is automatically linked to our Azure tenant. The end user gets a customized out-of-box experience with all custom apps automatically deployed to the machine. The same process occurs for Mac users with Jamf Pro and its Prestage Enrollment workflow.
3 key lessons we learned
- Build for a distributed team: Your offices, if you have any, are just one hub/node of your company environment. Your environment is the whole world, so you should leverage cloud infrastructures and distributed network solutions and invest in SaaS applications that support distributed work.
- Remove friction: IT should be so seamless that it empowers employees to do their best work without friction. Focus on reducing effort and making interactions smooth. Educate your customers, the employees, so they can learn the best practices and how to best use their tools.
- Security is key: In our situation, it is a critical role of IT to protect the company and its people. But all companies to some extent are at risk and need to pay attention to the potential threats against their internal systems. It’s on you to find the right balance between security and productivity based on your own business context. Nowadays, it is possible to find simple tools, such as Dashlane, that can provide both.
If you are interested in what we do, here are a few suggestions: