THE IMPLEMENTATION OF THE SYSTEM OF CONTROL OF PRIVILEGED USERS (2020)

THE CHALLENGE BEFORE THE BUSINESS Compliance with the Volkswagen requirements for privileged access control. THE TASK BEFORE "IS" Providing access control for privileged users to information systems of the bank, increasing the information content of the evidence base on the actions of privileged users, reducing the risk of abuse of privileged authority. THE DECISION The Privileged Access Management (PAM) control system based on the CyberArk Privileged Access Security solution. THE IMPLEMENTATION To ensure the fault-tolerant architecture of the PAM system, Jet Infosystems specialists located it in two geographically separated data centers. One of the features of the project was a long period of trial operation of the system, which lasted about three months. During this time, the bank managed to smoothly transfer employees to work with the new system, and the integrator project team was able to receive detailed feedback from users and eliminate configuration flaws. A distinctive feature of the project was also the implementation in the system of a functional request and access coordination. In addition to fine-tuning the PAM-system, the integrator’s specialists adapted for it the privileged access control rules in force in a financial institution. The implementation of the system took place with the close interaction of integrator engineers and bank experts. So, the credit institution’s specialists independently implemented the test environment of the system, being guided by the instructions of the Jet Infosystems project team and receiving operational advice on emerging issues. Using the test environment of the system, Volkswagen Bank RUS specialists will be able to check the solution updates before applying them in a productive environment in accordance with the rules adopted by the bank.

• 9 IS. The number of Information Systems for which privileged user access control is provided.
• 50 users. The number of privileged users whose access is controlled by PAM.
• 2 data centers. PAM fault tolerance is provided within two data centers.
• 3 months. The duration of the trial operation of PAM was 3 months.

THE PROJECT RESULTS According to the results of the Volkswagen Bank RUS project, it brought the level of protection against insider threats into line with the requirements of the international concern and solved all the tasks. The system from CyberArk provided access control for 50 privileged users to 9 information systems of the bank. With the help of the solution, the IS service of a financial organization coordinates access to controlled systems and investigates incidents, IT specialists administer internal services, application software and databases, and developers get temporary access to apply updates to bank products. In the future plans of the credit, the institution is to expand the number of applications and services, privileged access to which is controlled using the PAM system. Ilya Udovitsky, Head of Information Security Department, Volkswagen Bank RUS: “It was important for us not only to integrate the solution into the IT infrastructure, but also into the existing privileged access control processes that are accepted and operate in the bank. In particular, we expected the project to increase the information content of the evidence base on the actions of privileged users by collecting detailed information about who, when, under what account and which systems it connects to. The specialists of Jet Infosystems helped us cope with all the tasks.”

One of the first steps was to make significant improvements in routine production systems access controls. In doing so, one of National Gypsum’s goals was to make it easier to be secure, but more painful when users tried to do things they shouldn’t. As part of National Gypsum’s new security model, the team created more Active Directory accounts to accommodate roles in development, QA and production environments. They also set up new accounts for SYS and “firefighter” roles, instituting a least privilege strategy where users would be granted access ondemand only to the systems needed to perform a particular task, in a documented way. The manufacturer implemented the CyberArk Privileged Access Security Solution, leveraging its Enterprise Password Vault® to better manage nearly 2,000 passwords, making sure they are automatically updated, changed at regular intervals and fully auditable. The National Gypsum security team is now in charge of all the production accounts and can track who requested access to a system, and what was done once access was granted. Through its integration with Active Directory, the CyberArk solution alleviates the need for dual management and maintenance of roles, overall improving operational efficiency. National Gypsum also integrated the CyberArk Application Access Manager™ solution with Opalis, a process automation system. Opalis is responsible for performing numerous IT automation tasks across the manufacturer’s servers and applications. Integrating with Application Access Manager allowed National Gypsum to remove sensitive (domain/server admin level) hard-coded passwords from the Opalis jobs and benefit from secure caching capabilities to ensure business continuity even in the case of a network outage. Typically, employees are given a level of privilege that they can either apply incorrectly and do some damage to the privileged system to which they have been given elevated rights, or gain access to confidential information. Brannon says, “We have taken care at National Gypsum to ensure that people only have the level of access that is needed. This prevents users from unwittingly bringing down production systems because they have access to data and/or processes outside of their routine needs. We deny by default, then allow based on needs, granted by approval.” Working with CyberArk also helped fuel new business initiatives, such as National Gypsum’s SAP deployment, “which presented an opportunity to do things the right way,” said Brannon. For example, National Gypsum leveraged its SAP deployment in an external data center to set up stronger system controls and appropriate levels of access. According to Brannon, some internal people said that approach would not work at the company, and that National Gypsum did not have the staff.

Description is not ready yet

Description is not ready yet

Description is not ready yet