Customer Case Study

Carta’s Win/Win: Implementing Robust Security Controls While Improving Developer Productivity

About Carta

Carta, formerly known as eShares, is a technology company that specializes in capitalization table management and valuation software, with the aim of making it easy for private companies, investors, and employees to manage equity, maintain accurate capitalization tables, and comply with regulatory requirements. By making equity ownership more transparent and accessible, the company envisions a world where more people can participate in the wealth generated by innovation. Founded in 2012, the company has since grown to become a pivotal player in the finance and technology sectors. Carta's headquarters are located in San Francisco, California, United States.

Challenges

At Carta, data security is paramount, especially because the company manages sensitive customer information such as equity capitalization tables. Developers are continually delivering products and features across various financial domains to meet customers' specific needs. The company needed to implement robust security and demonstrate compliance with regulations while operating at scale and maintaining high engineer productivity levels. Some of Carta's key concerns included:

Implementing transparent access and auditing controls
Meeting stringent compliance requirements and safeguarding customer information in a scalable manner.

Streamlining developer workflows for infrastructure access
Improving onboarding, managing access as roles and projects changed, and managing account deactivations.

Eliminating maintenance toil
Reducing manual effort as well as risks of human error and inconsistencies.

Solution

Teleport addressed Carta's key challenges. Key capabilities included:

Role-based access policies with fine-grained auditing mechanisms
Carta successfully implemented role-based access policies that provided fine-grained auditing mechanisms for its Kubernetes clusters and databases. This ensured that access controls were precise and could be audited effectively, enhancing both security and compliance at scale.

Improved developer access and onboarding/offboarding operations
The onboarding process for developers became straightforward and efficient. By integrating Teleport with their identity provider, Okta, Carta configured role-based access control policies that ensured teams had access only to the resources they needed. This integration also simplified internal transfers and offboarding processes, as changes in team composition and account deactivations were quickly reflected in Teleport user access boundaries through Okta.

Maintained security with declarative, Kubernetes-native installations
Teleport and its agents were installed in a declarative, Kubernetes-native manner, which greatly improved maintainability. This approach allowed Carta to manage Teleport configurations and deployments in a clean and consistent way, leveraging Kubernetes operators and GitOps continuous deployment practices.

Results

As a result of these efforts, Carta was able to address its strategic concerns:

Security with no compromise on productivity
Teleport's intuitive, off-the-shelf solution with granular access policies and auditing logs allowed developers to securely deploy, configure, and test their applications in Kubernetes clusters, ensuring robust security while maintaining high productivity levels.

Streamlined employee onboarding and offboarding
The onboarding process for developers at Carta using Teleport was remarkably efficient, taking only a few minutes. By integrating Teleport with Okta, Carta configured role-based access control policies to ensure that teams had access only to the resources necessary for their roles. Additionally, Carta implemented review processes to handle access requests that extended beyond predefined boundaries. This setup simplified internal transfers and offboarding, as team changes and account deactivations were swiftly propagated to Teleport user access boundaries through Okta.

Reduced toil on infrastructure teams
For the infrastructure teams at Carta, reliability and maintainability are key priorities. Teleport's self-hosted solution offered robust options for deployment across the infrastructure in a clean, declarative way. The Teleport Kubernetes operator was used to configure roles, identity providers, and tokens. By leveraging GitOps continuous deployment, Carta could securely track all policy changes in source control alongside the functional components of Teleport. Additionally, the use of AWS IAM agent join tokens provided an efficient and secure way to protect access to new clusters without manually configuring long-lived tokens.

Conclusion

Implementing Teleport allowed Carta to enhance its security posture while streamlining developer workflows and reducing maintenance overhead. By adopting role-based access policies with fine-grained auditing, Carta ensured compliance and data protection at scale. The integration with Okta simplified onboarding/offboarding processes, while the declarative, Kubernetes-native installations improved maintainability. Overall, Teleport enabled Carta to achieve robust security while enhancing productivity, meeting the needs of a dynamic and growing technology company in the finance sector.

Geo

San Francisco, CA

Vertical

Finance

Employees

1,500-2,000
