Case Study: Privileged Access Management
07 August, 2023, by Natasha Free
When an audit review flagged that a small financial services organisation did not have sufficient control over third party users with privileged access to infrastructure and applications, it was time to review not just how people accessed systems, but for what purpose.
In an environment that had no Privileged Access Management (PAM) tool in-situ, the audit was always going to produce a lengthy list of recommendations, including:
- Discover and secure all existing service, application, administrator and root accounts, and vault all passwords
- Enable a process to continually discover new privileged accounts and users
- Enable password rotation for privileged accounts
- Enable session launching controls and session recording
- Monitor privileged account usage and detect anomalous behaviour
- Provide an audit capability including standard reports
- Integrate with Identity Governance and Administration (IGA) and SIEM tools
- Enforce Multi-Factor Authentication for end-user access to any PAM service
The user community was relatively small, but it was agreed to take a staggered approach based on user communities/personas to ensure any issues were ironed out and to embed the solution into the organisational culture.
The organisation was already an IBM customer and immediately saw the value of deploying IBM Security™ Verify Privilege Vault (ISVPV).
ISVPV met all of the specified requirements, but its seamless integration with the customer’s existing deployments of IBM QRadar and IBM Security Verify Governance was seen as the key differentiator from competing products.
While the organisation had good control over its employee community, its visibility of third-party Managed Service Providers (MSPs) was not adequate to identify who owned some end-user accounts, nor why those accounts carried the privileges that they did, e.g., Domain Administrator.
Step 1, therefore, was to do a full sweep of the privileges that existed across the estate, and at least identify who owned those accounts.
Step 2 involved grouping those users together and working out a means of providing access to secrets in ISVPV that both reduced administrative overhead and gave end users a friction-free experience. A hierarchical folder structure for storing the secrets, keyed on a combination of Third Party Organisation, Service/Application and Environment, was a good starting point, and the structure was defined so that it could evolve into a new layout later without disruption.
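Steps 1 and 2 describe a privilege sweep followed by grouping by owning organisation. The script below is an added illustration of that process, not code from the case study or from ISVPV: it takes a constructed export of privileged-group memberships and a constructed ownership register, flags privileged accounts with no known owner (the gap the audit found), groups the rest by organisation, and builds the Organisation/Service/Environment folder path from Step 2. All account, group and organisation names are made up.

```python
"""Added example, not from the case study: sweep privileged-group
memberships, detect accounts with no known owner, and derive the
hierarchical secret-folder path. All data below is constructed."""
from collections import defaultdict

# Constructed export of privileged group memberships, as (group, account).
# In practice this would come from a directory or a PAM discovery job.
PRIVILEGED_MEMBERSHIPS = [
    ("Domain Admins", "svc_backup"),
    ("Domain Admins", "jsmith"),
    ("Domain Admins", "msp_ops1"),
    ("Enterprise Admins", "jsmith"),
    ("Local Administrators", "msp_dba2"),
    ("Local Administrators", "svc_legacy"),
]

# Constructed ownership register: account -> (named owner, organisation).
# "svc_legacy" is deliberately missing to represent an orphaned account.
OWNERSHIP_REGISTER = {
    "jsmith": ("J. Smith", "Internal"),
    "msp_ops1": ("MSP-A Service Desk", "MSP-A"),
    "msp_dba2": ("MSP-B Database Team", "MSP-B"),
    "svc_backup": ("Infrastructure Team", "Internal"),
}


def sweep_privileged_accounts(memberships, register):
    """Step 1: return (owned, orphaned).

    owned maps account -> {"owner", "org", "groups"} for accounts with a
    known owner; orphaned is the sorted list of privileged accounts that
    appear in no ownership record and therefore need an owner assigned.
    """
    groups_by_account = defaultdict(set)
    for group, account in memberships:
        groups_by_account[account].add(group)

    owned, orphaned = {}, []
    for account, groups in groups_by_account.items():
        if account in register:
            owner, org = register[account]
            owned[account] = {"owner": owner, "org": org, "groups": sorted(groups)}
        else:
            orphaned.append(account)
    return owned, sorted(orphaned)


def accounts_by_organisation(owned):
    """Step 2: group owned privileged accounts by owning organisation."""
    by_org = defaultdict(list)
    for account, info in owned.items():
        by_org[info["org"]].append(account)
    return {org: sorted(accounts) for org, accounts in by_org.items()}


def secret_folder(organisation, service, environment):
    """Step 2: build the hierarchical folder path for a secret.

    The Organisation/Service/Environment ordering follows the case study;
    the exact path form is an assumption for this example.
    """
    parts = (organisation, service, environment)
    for part in parts:
        if not part or "/" in part:
            raise ValueError(f"invalid folder component: {part!r}")
    return "/".join(parts)


if __name__ == "__main__":
    owned, orphaned = sweep_privileged_accounts(PRIVILEGED_MEMBERSHIPS, OWNERSHIP_REGISTER)
    print("Privileged accounts with no known owner:", orphaned)
    for org, accounts in accounts_by_organisation(owned).items():
        print(f"{org}: {accounts}")
    print("Example folder:", secret_folder("MSP-A", "CoreBanking", "Prod"))
```

The orphaned list is the output an auditor actually wants first: every entry is a privileged account that nobody has claimed, and each one needs an owner recorded or the account removed before it can be vaulted sensibly.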
Step 3 involved the tight integration of ISVPV with IBM Security Verify Governance to provide third-party user management interfaces and privileged access request processes and procedures. This approach provided an assurance that assigned privileges were valid/necessary, approved and auditable.
Step 4, the hardest step, was to ensure that the users who would need to use the service on a regular basis were on side. Identity and access management always treads a fine line between ensuring the right access for the right people at the right time and ensuring a seamless user experience. In this case, the most privileged users were naturally uneasy about anything that was going to upset the way they worked! This step involved early user engagement to alleviate fears and counter resistance by explaining why the PAM solution needed to be introduced.
Stakeholders sometimes expect that the purchase and delivery of a PAM solution will, on its own, solve privileged access concerns, and overlook the need for ongoing discovery, management and maintenance. The case study organisation, however, is fully aware of the additional potential of privileged access management, and we are now planning the second and third stages of its journey towards PAM maturity.
Contact us to determine where you are in your PAM Maturity journey by taking our PAM Maturity Assessment.