Optimizing SaaS Security: Trade Me's Path to Cloud-First Growth
Trade Me is New Zealand’s largest online auction and classifieds website, with over five million active members. As the largest ecommerce platform in the country, they continuously implement and update their security measures to protect their customers’ critical information.
Investing in the Future with SaaS
From 2020-2021, Trade Me migrated from physical datacenters and on-prem solutions to the cloud, a major shift that allowed the company to accelerate with SaaS. With its employees now relying on platforms like Salesforce, GitLab, and Snowflake every day, Trade Me needed a way to secure their operations and the critical data that resides inside those SaaS apps.
Moreover, as a company with a long history, Trade Me needed to plan for the future while also managing risks from the past. A top priority for the team was a retrospective review of their SaaS and integration environment—focusing on understanding not just what was believed or documented, but rather the true state of their systems.
“Migrating to SaaS was an investment in the future of Trade Me. So now that we’re allowing employees to use cloud-native SaaS, the question became: what can we do to secure not only our users and systems, but also the data flows and integrations between each app?” - Keziah Ferrer, Lead Security Specialist
The Obsidian Security Solution
The Trade Me team brought Obsidian in to unify and strengthen identity and access management across their diverse systems. Through seamless integration with Trade Me’s IdP (Okta), Obsidian immediately uncovered actionable recommendations to reduce inherited risk and sprawl across their environment. The platform went beyond best practices, raising precise, service-specific actions tied to combinations of identity, roles, and the sensitive data involved.
“Obsidian didn’t just make us more secure. It also streamlined how we manage roles and access across our systems. By aligning access to actual usage, we removed excessive permissions, simplified oversight, and made it far easier to spot and close gaps. We now manage access with consistent efficiency and control.” - Ferrer
Instead of just providing a static checklist of detections, Obsidian delivered findings that demonstrated a deep understanding of the nuanced threats each application faced today. The platform’s context-rich insights and historical perspective enabled the security team to prioritize alerts and investigate quickly. This included making sure extra precautions were set up around powerful service accounts, or understanding which usage patterns should set off alerts for Trade Me’s specific environment.
Through Obsidian, Trade Me was able to prioritize real, critical issues that required immediate remediation, while separately working through others that could be addressed through long-term measures. The result? A reduced attack surface, stronger control over sensitive accounts and integrations, and the ability to focus resources on the highest-risk issues.
A Force Multiplier for Security & IT
One of the most valuable use cases for Trade Me’s security team is using Obsidian to gain visibility into both sanctioned and shadow applications. With the Obsidian browser extension, the team analyzes real-time browser usage, uncovering a granular view of application activity that goes far beyond traditional logs.
With contextual risk scores and identity-centric insights, Obsidian enables the security team to take decisive action—whether that’s educating users, blocking access to risky applications, or suggesting potential procurement opportunities based on revealed demand.
And the benefits have extended beyond security. Obsidian has become a tool for the IT team to understand both licensing and application costs. They currently use the platform to track usage for various services across Trade Me’s environment. This visibility allows IT to pinpoint the company resources that employees depend on most, and make strategic decisions about their technology stack.
