Top 5 worldwide bank implements Fortra Core Privileged Access Manager (BoKS) for privileged access management capabilities to cover servers within the banking operation.
Auditors had identified errors in the Bank's identity management processes, starting with the fact that when a person left the company, the associated accounts were not consistently disabled, leaving dormant accounts on servers. In addition, the non-personal accounts (NPAs), also known in the marketplace as privileged accounts, were not linked or traced to a real, physical person, creating a significant risk of a security breach. Hundreds of administrators could access sensitive information under a shared password, and their actions could not be tracked or controlled.
The Bank was using LDAP for personal accounts. While LDAP was connected to corporate directories and HR, they were unable to incorporate management of functional, non-personal accounts (NPAs). They were also unable to control who used the privileged accounts and what they did as a privileged user. Auditors were asking them: How do you know that these NPA accounts are not used from the test systems if they are on production systems? How can you restrict the source and destination access rights associated with non-privileged accounts?
Auditors also required them to implement a process for changing the NPA passwords on each of their Unix/Linux systems every 30–60 days. With thousands of servers, that meant a manual change on each system. The Bank calculated that it would need three security administrators dedicated to this function alone.
Using Core Privileged Access Manager (BoKS), the Bank is now able to fully control its privileged user access processes and has eliminated the sharing of NPA passwords. Core Privileged Access Manager (BoKS) also automatically consolidates all user activity logs from across their server domains, including keystroke logs, which greatly simplifies audits and compliance.
The Core Privileged Access Manager (BoKS) system synchronizes with LDAP (which is connected to the Corporate Directory and HR databases). User accounts and access entitlements are therefore added and removed automatically as a status change is made in LDAP, eliminating dormant accounts and access scope creep. This is a large labor saving, since security administrators no longer need to manage user accounts by hand. With Core Privileged Access Manager (BoKS), they have also standardized their naming convention, defined clear user roles, and built easy-to-manage host groups to simplify administration.
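The reconciliation that a directory-synchronized PAM system performs, as an added illustration that is not BoKS code and does not use the Bank's real data: personal accounts are compared against the HR status of their owner, and NPAs are checked for a link to an active, named person. The HR statuses, host names, account names and person ids below are constructed for the example.

```python
"""Reconcile a server account inventory against an HR-linked directory.

Added example, not Fortra/BoKS code. Flags the two audit findings from
the case study: personal accounts left behind by leavers, and
non-personal accounts (NPAs) with no traceable owner.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str  # constructed HR status: "active" or "left"


@dataclass(frozen=True)
class ServerAccount:
    host: str
    name: str
    kind: str                # "personal" or "npa"
    owner_id: Optional[str]  # responsible person; None if never recorded


# Constructed HR feed, standing in for the corporate directory export.
HR: Dict[str, Person] = {
    "p001": Person("p001", "active"),
    "p002": Person("p002", "left"),
    "p003": Person("p003", "active"),
}

# Constructed inventory of local accounts discovered on servers.
INVENTORY: List[ServerAccount] = [
    ServerAccount("db-prod-01", "alice", "personal", "p001"),
    ServerAccount("db-prod-01", "bob", "personal", "p002"),
    ServerAccount("db-prod-01", "oracle", "npa", None),
    ServerAccount("web-prod-03", "bob", "personal", "p002"),
    ServerAccount("web-prod-03", "appsvc", "npa", "p003"),
    ServerAccount("web-test-01", "ghost", "personal", "p999"),  # unknown to HR
]


def _owner_active(acct: ServerAccount, hr: Dict[str, Person]) -> bool:
    """True only when the account points at a person HR lists as active."""
    person = hr.get(acct.owner_id) if acct.owner_id else None
    return person is not None and person.status == "active"


def dormant_accounts(inventory, hr) -> List[ServerAccount]:
    """Personal accounts whose owner has left or is unknown to HR."""
    return [a for a in inventory if a.kind == "personal" and not _owner_active(a, hr)]


def unowned_npas(inventory, hr) -> List[ServerAccount]:
    """NPAs that are not linked to an active, real person."""
    return [a for a in inventory if a.kind == "npa" and not _owner_active(a, hr)]


def reconciliation_actions(inventory, hr) -> List[Tuple[str, str, str]]:
    """Return sorted (host, account, action) tuples a sync job would apply.

    Leaver accounts are disabled outright; ownerless NPAs are queued for
    an owner assignment rather than disabled, since a service may depend
    on them.
    """
    actions = [(a.host, a.name, "disable") for a in dormant_accounts(inventory, hr)]
    actions += [(a.host, a.name, "assign-owner") for a in unowned_npas(inventory, hr)]
    return sorted(actions)


if __name__ == "__main__":
    for host, name, action in reconciliation_actions(INVENTORY, HR):
        print(f"{host}\t{name}\t{action}")
```

Running the reconciliation on every sync cycle, rather than only when a leaver is reported, is what turns the HR feed into a control: an account that appears on a server with no directory link is caught on the next pass regardless of how it was created.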
Perhaps most importantly, the Bank is now able to automatically enforce privileged user access rights and routes at a granular level, meaning they can control authorization over who can access which server, from where, using which protocol (RDP, SSH down to sub-service levels), and when. As well, Core Privileged Access Manager (BoKS) automatically controls privileged elevations without sharing the password; it also controls which commands a privileged user can execute.
There are many security and operational benefits associated with the implementation of privileged access management for such a large financial institution.
- First, they have improved their overall Identity and Access Management processes, with both personal and non-personal accounts being linked to the corporate directory.
- Second, they have greatly improved control over the privileged accounts including control over the access routes and user actions. By eliminating the sharing of privileged passwords, they are able to fully satisfy their auditors, while reducing the risk of a security breach.
- Third, they are able to differentiate and control where someone is allowed to log on from, by source network range. This gives them better control over access security in an organization where some employees and contractors work in remote locations or from home. For example, they can enforce that access to selected, sensitive servers is only possible from corporate-managed devices and from within the corporate office.
- Finally, they have significantly reduced the security operational efforts for maintaining NPAs by automatically managing changes to privileged passwords across diverse servers.
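How the route-level controls described above (who, which host group, from which source network, over which protocol, when, and which commands under which NPA) fit together as a single authorization decision, shown as an added example. It is not BoKS's rule engine or rule syntax; the roles, host groups, networks, time window and command list are constructed, and the second rule deliberately allows test systems from anywhere so that the auditors' question about NPAs reaching production from test can be answered by the first rule's source-network check.

```python
"""Evaluate a privileged access request against access-route rules.

Added example, not Fortra/BoKS code. Each rule binds a role to a host
group, a source network, a protocol, a time window, and the NPA plus
command set that may be used once connected.
"""
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class RouteRule:
    role: str
    host_group: str
    source_net: str           # CIDR the session must originate from
    protocol: str             # "ssh", "rdp", ... (constructed values)
    start: time               # allowed window, inclusive start
    end: time                 # allowed window, exclusive end
    npa: str                  # non-personal account the role may elevate to
    commands: FrozenSet[str]  # commands permitted under that NPA


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    host: str
    source_ip: str
    protocol: str
    at: time
    npa: str
    command: str


# Constructed host-group membership.
HOST_GROUPS: Dict[str, str] = {"db-prod-01": "prod-db", "db-test-01": "test-db"}

# Constructed rules: production DBs only from the office net, in business
# hours, with two permitted commands; test DBs from anywhere, any time.
RULES: List[RouteRule] = [
    RouteRule("dba", "prod-db", "10.10.0.0/16", "ssh", time(8, 0), time(18, 0),
              "oracle", frozenset({"/usr/bin/systemctl", "/usr/bin/sqlplus"})),
    RouteRule("dba", "test-db", "0.0.0.0/0", "ssh", time(0, 0), time(23, 59),
              "oracle", frozenset({"/bin/bash"})),
]


def evaluate(req: Request, rules=RULES, host_groups=HOST_GROUPS) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rule field must match; first full match wins."""
    group = host_groups.get(req.host)
    if group is None:
        return False, "unknown host"
    src = ipaddress.ip_address(req.source_ip)
    reason = "no matching route"
    for r in rules:
        if (r.role, r.host_group, r.protocol, r.npa) != (req.role, group, req.protocol, req.npa):
            continue
        if src not in ipaddress.ip_network(r.source_net):
            continue
        if not (r.start <= req.at < r.end):
            continue
        if req.command not in r.commands:
            # Route matched but the elevated command is outside the allow-list.
            reason = f"command not permitted under {r.npa}"
            continue
        return True, f"rule {r.role}->{r.host_group}"
    return False, reason


def check(user, role, host, source_ip, protocol, hour, minute, npa, command):
    """Convenience wrapper so callers need not build time objects themselves."""
    return evaluate(Request(user, role, host, source_ip, protocol, time(hour, minute), npa, command))


if __name__ == "__main__":
    print(check("alice", "dba", "db-prod-01", "10.10.5.7", "ssh", 9, 30, "oracle", "/usr/bin/sqlplus"))
    print(check("alice", "dba", "db-prod-01", "192.168.50.5", "ssh", 9, 30, "oracle", "/usr/bin/sqlplus"))
```

The denial reasons are deliberately specific: "no matching route" and "command not permitted" are what an auditor or analyst needs in the consolidated log to distinguish a misconfigured rule from an attempt to use a privileged account outside its approved scope.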