As Tide continues to evolve its technology and operations, the company’s identity team set out to modernize how access is managed across the organization—enforcing least privilege, eliminating over-access, and driving automation at scale. This year marked a step change in that journey, with foundational improvements such as migrating core systems, adopting ConductorOne, and moving toward configuration-as-code with Terraform. The goal: to ensure every team member has exactly the access they need, only when they need it.
Moving from role-based access to needs-based access
With ConductorOne, Tide is moving from static, role-based grants toward a needs-based model that combines birthright access for low-risk tools with just-in-time (JIT) access for sensitive systems. Application owners are brought into the process so they understand the model and are comfortable as apps migrate.
“We’re empowering application owners so that they’re comfortable, and they know the model being applied, as and when we migrate our applications over.” — Lawrence Munro, Chief Information Security Officer (CISO) at Tide, Head of Security Engineering
Terraform first: peer review, patterns, and speed
Terraform was a top priority for Tide across Okta and ConductorOne.
- Peer-reviewed changes: Anyone on the team can open a pull request to modify identity or ConductorOne configuration. Peers review changes just like code, which builds confidence and speeds delivery.
- Safe rollback with GitOps: Every change is logged with full history. If something looks wrong, the team can revert quickly.
- Reusable blueprints: The team maintains copy-pasteable Terraform patterns using ConductorOne’s provider. New applications are onboarded to C1 by following an agreed format in code rather than clicking through UI checkboxes.
- Human-readable files for a mixed-seniority team: Tide represents configuration in YAML so all engineers can read, implement, and contribute.
Lawrence’s advice for implementing Terraform: “Terraform doesn’t need to be this scary thing that only Cloud Engineers use. It’s very simple to turn complex things like access profiles or just-in-time requests into a couple of lines of YAML.”
Access profiles and birthright access at scale
Tide manages birthright access for more than 2,000 users using ConductorOne access profiles driven by HR personas, such as security engineer or customer support. Profiles map personas to the appropriate Okta groups, all managed in Terraform. Today, birthright covers less sensitive tools, such as design systems like Figma, so new joiners can be productive immediately.
Next up, the team plans to use ConductorOne automations to remove unused entitlements after a period of inactivity, with an easy path to request access again when needed. The intent is to reinforce least privilege while keeping end-user friction low.
Standardizing JIT for sensitive systems
Tide is migrating all applications to either birthright or JIT. Sensitive or critical systems that move money or hold sensitive data are handled through JIT policies in ConductorOne with time-boxed access and approvals, typically manager followed by application owner. This replaces a manual flow that relied on Jira tickets and Slack messages with inconsistent context and slow approvals.
For apps without SSO, the team can still create Okta groups so users can make requests in C1. Approved requests trigger ConductorOne’s external ticketing integration to open a Jira ticket for the identity team. Engineers receive a consistent, pre-approved work item and know exactly what to do.
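As an added example (not Tide's or ConductorOne's code), here is a pre-merge check in the spirit of the peer-reviewed, configuration-as-code workflow described above: it lints a persona-to-access mapping so that only low-sensitivity apps are granted as birthright and every JIT policy is time-boxed with the manager-then-application-owner approval chain. The file layout, field names and sample entries are assumptions constructed for this example, standing in for the parsed form of the team's YAML.

```python
# Added example, not Tide's or ConductorOne's code. Field names, the persona
# list and the app entries below are constructed for illustration only.

# Constructed sample: the parsed form of a YAML file reviewed in a pull request.
CONFIG = {
    "personas": {
        "security_engineer": ["okta-sec-eng"],
        "customer_support": ["okta-support"],
    },
    "apps": [
        {"name": "figma", "sensitivity": "low", "mode": "birthright",
         "personas": ["security_engineer", "customer_support"]},
        {"name": "payments-admin", "sensitivity": "high", "mode": "jit",
         "max_duration_hours": 4, "approvers": ["manager", "app_owner"]},
        # Deliberately wrong entry: a sensitive app handed out as birthright.
        {"name": "ledger-db", "sensitivity": "high", "mode": "birthright",
         "personas": ["customer_support"]},
    ],
}

# Policy the lint enforces: JIT approvals go manager first, then app owner,
# and JIT grants must be time-boxed (8h is an assumed ceiling).
REQUIRED_APPROVERS = ["manager", "app_owner"]
MAX_JIT_HOURS = 8


def lint(config):
    """Return a list of policy violations; an empty list means the change may merge."""
    findings = []
    personas = config.get("personas", {})
    for app in config.get("apps", []):
        name, mode, sens = app["name"], app.get("mode"), app.get("sensitivity")
        if mode == "birthright":
            if sens != "low":
                findings.append(f"{name}: sensitivity={sens} must use jit, not birthright")
            for p in app.get("personas", []):
                if p not in personas:
                    findings.append(f"{name}: unknown persona {p}")
        elif mode == "jit":
            hours = app.get("max_duration_hours")
            if hours is None or hours > MAX_JIT_HOURS:
                findings.append(f"{name}: jit access must be time-boxed to <= {MAX_JIT_HOURS}h")
            if app.get("approvers") != REQUIRED_APPROVERS:
                findings.append(f"{name}: approvers must be {REQUIRED_APPROVERS} in order")
        else:
            findings.append(f"{name}: mode must be birthright or jit")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
```

Run in CI, a non-empty result fails the pull request, so a reviewer never has to spot a sensitive app slipping into a birthright profile by eye.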
“Now we’re in a really good position where it’s so easy to add new just-in-time access requirements, or new birthright access to applications, and so it’s just making our lives, and the identity engineers’ lives, a lot easier.” — Lawrence Munro, CISO
Why Tide chose ConductorOne
ConductorOne helps Tide reach true least privilege in practice. Rather than giving people persistent access “just in case,” needs-based access ensures employees get what they need when they need it, and nothing more. This eliminates unnecessary standing permissions while still keeping productivity high.
It also solves a major challenge around any non-SSO applications, because JIT requests can still flow cleanly through ConductorOne. Approved requests automatically trigger Jira tickets with all required context, allowing Tide’s identity team to fulfill them quickly and consistently.
Another decisive factor was Terraform provider support. With Terraform and ConductorOne, adding new JIT policies or birthright profiles is straightforward and the identity engineers’ day-to-day work is significantly easier.
“ConductorOne helps us get to the least privilege model a lot faster.” — Lawrence Munro, CISO