For financial services providers active in the settlement of securities transactions and the custody of those securities, security against external and internal risks is crucial. That’s why a financial services provider in Brussels wanted to secure all privileged access to their critical assets. The goal was to increase the overall security posture through standardization, reduce the strong risk on privileged access abuse and comply with regulations and standards. The project was divided into two phases, the initial product setup and the integration of the CyberArk PAS service. Devoteam was involved in the latter.
Large financial organizations are facing extreme security challenges. The enormous amount of money involved, large extent of personal data, compliancy standards (i.e., ISO, GDPR, …) and ever-changing technology adoption driven by a steep digital transformation require a must-have effective and efficient cybersecurity strategy. Privileged Access Management (PAM) is often one of the most important security areas to invest in.
The financial services provider already invested in security controls and countermeasures. Many of these solutions were introduced over time by technology owners themselves or were custom developed, making it difficult to support, govern and manage. As a result, the company struggled with the Segregation of Duty, whereby one technology owner is responsible for the access management of one solution. Additionally, due to these Islands of Security the financial services provider was unable to view the status of its privileged accounts and the risk exposure. For example, there were no accurate measurements on the number of accounts, where these were used for and by whom they were used. Furthermore, because of the broad technology landscape and different legacy systems privileged accounts were everywhere, generating a large attack surface and different points of interest for potential hackers. A holistic approach to ensure full coverage of all business and IT services was highly needed.
The financial services provider chose to work with CyberArk, the best available product on the market to cover its requirements and secure the entire environment. The project initially started with CyberArk to complete the full product setup and some pilot integration. The company not only needed the product, but a professional partner who could get the integration and security transformation done with guarantees of quality, respect for deadlines and an agreed, fixed budget.
The financial services provider found those partners in the software developer CyberArk and IT services provider Devoteam. It was CyberArk that advised the financial services provider to bring Devoteam on board. One of the biggest advantages was that the people at Devoteam speak the Belgian national languages and can always come on site, while a foreign supplier cannot come over that quickly.
Devoteam delivered the setup and integration project on time, with quality and full fixed price accountability, building up credibility and trust with the client organization. The project has high visibility and importance as it is one of the main projects in the overall cyber resilience program of the company. Devoteam onboarded the most critical applications and application groups into the CyberArk software and secured privileged access across all underlying platforms (Operating Systems, Databases, virtual infrastructures & Middleware services). The transformation needed to be done effortlessly, with no impact on existing security control, apps or technologies.
The adaptability of CyberArk and extensive set of integration capabilities is one of the main advantages of the software. It is easy to integrate with existing software, new cloud software and various operating systems, ranging from UNIX to Windows and Mainframe. Today, privileged access is reserved for IT professionals who support, develop or keep those applications running. The access request is just-in-time, limited to a predefined timeframe and only granted by means of a proper justification. In other words, there is always a second person who needs to give the requested access, either for planned works or for ad hoc actions. Also, the company now has an exact idea about the way the privileged accounts are managed (i.e., how often they are used, how often passwords are changed). The traceability and password rotation are other great advantages for the financial services provider.
Also, in terms of cyberattacks, the Center for Internet Security recommends “Controlled use of privileges”, and thus PAM, as a basic measure and as the fourth priority after “Hardware inventory & control”, “Software inventory & control”, and “Ongoing vulnerability management”. Due to the integration of CyberArk for centralized and uniform Privileged Access Management, the financial services provider has responded to open recommendations, complies with regulations and standards, reduced some strong risks on Privileged Access and increased the overall security posture.
But the story doesn’t end there. After the integration of PAM, Devoteam supported the client with on-the-job training, assistance and the testing of several use cases. For example, adjusting the Target Operating Model for the technical service teams, Access Re-certification, integrate Security in the DEVOPS methodology and automation of operational day-to-day activities.
CyberArk and Devoteam offered a solution to all compliancy requirements of the financial services provider and ensured more security, traceability and flexibility. The main benefits are:
- It’s a one-solution fits all: all privileged credentials, whether these exist on-prem, hybrid or in the cloud are managed.
- All technologies are covered supporting the business’s most critical applications, from legacy systems on enterprise systems, over open systems, virtual infrastructures, database & network devices to dynamic solutions fitting the DEVOPS pipeline like Docker, Ansible and Kubernetes.
- All credentials are (re-)certified identifying clear definitions with regards to ownership, usage, roles and access. During this exercise it was also assured the principles of ‘Least Privilege’ & ‘Segregation of Duty’ are well respected.
- The financial services provider now has a solution that allows the organization to consistently managing human and non-human privilege credentials across the entire enterprise. It allowed the organization to build an operational center, with knowledge and capabilities to support all the needs of both internal & external users.
- There’s a single source of truth, with extended reporting and monitoring capabilities on daily usage of the privileged accounts.
- The Privileged Threat Analytics strongly integrated in their SIEM solution allows them to detect and prevent threats and ongoing events with abnormal usage on-the-spot.