Docebo Embraces Agentless Security to Scale in the Cloud with Confidence

Docebo Powers e-Learning for Thousands of Companies Worldwide

Docebo is known for its cloud-based “e-learning as a service” product that enables companies to create and manage content, deliver training, and understand the business impact of their learning experiences. The company has earned recognition for creating one of the industry’s fastest-growing and most innovative AI-based learning technologies on the market. More than 2,800 companies worldwide use Docebo to power their learning experiences.

Docebo’s customized end-to-end learning platform equips enterprises to tackle any learning challenge and create an authentic learning culture within their organization. Docebo’s powerful configuration engine enables customers to create audience-specific pages using flexible drag-and-drop functionality to get their learning programs up and running quickly. Customers can leverage free extensions like certifications, automation, e-commerce, custom domains, audit trail, gamification, and more, to configure the learning management system (LMS) to their exact use case.

Docebo, a company that was established in Italy in 2005,  is now a publicly-traded company headquartered in Toronto, Canada, with eight offices worldwide.

Cloud Security Is a Critical Need to Protect Docebo’s Business Operations

Davide Riva joined Docebo two years ago and is the manager of the security operations team. His primary duty is to detect any potential threats that could impair the Docebo business. He primarily focuses on endpoint protection, IT risks, and – given that operations are 100% in the cloud – cloud security.

According to Riva, 99% of the product infrastructure runs on AWS, while  a smaller portion is hosted on the Google Cloud Platform. They manage approximately 70 AWS accounts, some of which serve various purposes including testing and development. The environment comprises different services, including virtual machines, containers, and serverless computing such as Fargate and Lambda.

“When I first joined the company, our cloud security platform was in place, but it mainly focused on compliance risks,” says Riva. “We could only gain visibility of about half of our cloud environment because this tool required us to deploy an agent, which we found difficult to do as we needed other teams to install, test, and maintain the agents. Plus, we were fearful of disrupting anything with our production systems.”

Thus, the challenge was to find a more complete cloud security platform that could function without an agent and provide 100% visibility.

“Agents in cloud infrastructure can get very messy. I think the future of cloud security is agentless.”
Davide Riva

Manager, Security Operations

The Orca Security Platform Covers Almost All of Docebo’s Security Needs

Riva didn’t have to look far for a new cloud security solution. They quickly found a new solution when the newly hired Chief Information Security Officer (CISO) at Docebo recommended using Orca Security as their cloud security monitoring platform. The CISO had prior experience with Orca Security at a previous company, making it an easy choice for them to consider. “He described what Orca can do and how it works, and I got pretty excited about it,” says Riva. “We set up a PoC with Orca and were so happy with the trial’s outcome that we didn’t see the need to scout for other solutions. Orca was easy to deploy and quickly gave us 100% visibility of the cloud infrastructure.”

Comparing Orca to the previous security tool, Riva says the significant difference he saw was the ability to have real security risks prioritized easily. “When we access the Orca Platform, we know we can trust the alerts because Orca considers context. For example, similar resources with the same vulnerability may not have the same level of risk based on the context, such as whether the resource is external-facing or not. This prioritization of risks is one of the key reasons we adopted Orca as our cloud security solution.” He adds that the old security tool was at least double or triple the cost of Orca, with only half the visibility coverage.

Orca offers a robust Asset Inventory dashboard, which allows Riva and his team to effortlessly view all the cloud assets being used across AWS and GCP.  One crucial feature is the ability to identify assets correlated to their compliance posture, making it easy to extract evidence required for internal and external audits.

Orca also provides functionality that might otherwise require multiple tools—cloud security posture management, cloud workload protection, infrastructure entitlement management, cloud detection and response, Shift Left Security, and more. “When we purchased Orca, we got a full security platform that integrates multiple security capabilities,” says Riva. “This one platform covers almost all our security needs.”

“Orca provides so many capabilities in one platform. We love having just one vendor to communicate with for all our cloud security needs.”
Davide Riva

Manager, Security Operations

Orca’s Cloud Detection and Response is a Differentiator

“I’m particularly interested in the new CDR capability, which allows Orca to ingest CloudTrail events as part of CDR seamlessly,” says Riva. “With just one click, we can open a ticket from an open alert within the Platform, or send alerts directly to our SIEM. Additionally, Orca generates alerts directly from CDR, such as detecting unauthorized access to a root account, which is the most privileged account in AWS, prompting immediate investigation to determine if it was an authorized operation or not, thanks to Orca’s alerting capabilities.”

Orca’s Shift Left Security helps the various teams within Docebo collaborate better. Riva says they are in the early stages of including the Shift Left infrastructure code scan into their CI/CD  pipeline. “We use two different source code repositories, GitLab and GitHub. Orca makes the effort very straightforward. We just have to insert the script directly in the pipeline, and we have the centralized view in the Shift Left dashboard,” he says. “We can see misconfigurations and risks for all the projects we have pertaining to the different products, all in one place. Currently, we aren’t enforcing a block of the pipeline, but just having visibility is great because we can understand where we need to improve. Also, we can check if our security and compliance requirements are being followed by the many DevOps teams working on different projects.”