One of the World’s Largest Asset Management Firms Turns to Centrify to Reduce Administrative Access Risk and Strengthen Compliance Posture
As financial services providers continue their digital transformation journeys, they are faced with administrative access-related risk across data centers, cloud, and DevOps environments, resulting in data breaches, audit findings, and unnecessary overhead costs.
To address these challenges, many leading financial services providers select Centrify’s market-leading privileged access management (PAM) solutions to enforce least privilege access at scale for humans and services, in the cloud and on-premises.
With Centrify, privileged access controls are automated and seamlessly integrated, administrative access risk is reduced, and compliance postures are strengthened.
The asset management firm had developed a series of processes over the years, all designed to ensure the safety of their clients’ financial data. While the homegrown system was effective at protecting customer and company data, it had become bloated and required a large IT staff to manage it. Among the key issues:
- Delays in granting the right access to the right employees. Rather than managing identities from a central location, expensive and time-consuming manual processes were used to grant rights for thousands of employees across the infrastructure. These manual processes were subject to frequent errors and often took several days to get new identities fully provisioned. Even small changes to an individual’s job scope created complexities in granting and removing access rights.
- Difficulty determining appropriate access for each role. To remain compliant with internal policies and external government regulations like SOC 2 and NIST, employee access was subject to bi-annual reviews. The security team would scan all server access and correlate the data by employee. The reports were sent to managers who would then look up each server to understand its use and determine whether the employee still required access.
- Inconsistent privileged access management. The firm was using a homegrown sudo configuration, which needed to be replicated across thousands of UNIX servers. Security teams would manually push the latest copy of sudo files to each server. However, offline and new servers were often missed, leading to inconsistencies when teams needed elevated privileges to manage their applications. If an application couldn’t be deployed due to missing identities or incorrect permissions, and security and provisioning teams were not available to respond, deployments would be extended or rescheduled, causing costly downtime and unanticipated delays to market.
- Managing access to cloud workloads. A manual process of distributing SSH keys to individuals and then tracking and revoking them in a timely manner was a complicated task. Keys were sometimes shared, and there was no simple way to determine who was accessing cloud workloads. The firm had hundreds of entries for “ec2-user” and no easy method of correlating them back to a specific individual, making it nearly impossible to understand who was accessing specific servers.
The firm began searching for a solution that would solve their most pressing problems. Specifically, they wanted to:
- Centralize the process of adding and removing identities.
- Replace the existing homegrown sudo solution with a much more secure, automated, and streamlined way of managing root access and privilege elevation.
- Automate the process of ensuring that User ID, Group ID, and sudo files were in sync.
- Dramatically simplify reporting that would assist in meeting internal policies and government regulations.
- Improve the way servers were organized.
- Provide a “break-glass” solution for access to the production environment.
- Include a unified method of logging and monitoring access to their multi-cloud environment.
Upon the evaluation of multiple solutions, the asset management firm selected Centrify based on its unmatched ability to meet each key requirement:
- Centrify Authentication Service
- Centrify Audit and Monitoring Service
- Centrify Privilege Elevation Service
- Centrify Vault Suite
Since the implementation of Centrify’s solutions, the asset management firm has effectively addressed all of its access management challenges. They now leverage Microsoft® Active Directory to centrally manage user accounts. This has allowed them to remove thousands of local identities from UNIX servers and eliminated the need to scan thousands of servers to determine where each user has access.
By leveraging Active Directory for provisioning, they ensure team members have consistent and appropriate User or Group IDs throughout all environments, and by grouping servers together in a logical manner, the time required for provisioning has decreased by nearly 50 percent.
With sudo files consolidated into Active Directory, root passwords are no longer distributed to multiple users. Consistency has been achieved in terms of privilege elevation and is managed without having to push flat files to individual servers.
Previously, when the asset management firm needed to know who had accessed a server, they had to parse through hundreds of syslog files. With Centrify, the firm has a unified logging system that provides concise access logs for audit and compliance teams without having to spend cycles translating files and aligning logs from multiple vendors.
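The attribution problem behind the “ec2-user” entries described earlier and the syslog parsing mentioned here can be made concrete with a small audit check. This is an added example, not code from the case study or from Centrify; it assumes OpenSSH-style “Accepted publickey” lines (which carry the key fingerprint) and a constructed inventory mapping each authorized key fingerprint to the people who hold it.

```python
import re
from collections import defaultdict

# OpenSSH records the key fingerprint on successful public-key logins; password
# logins carry no fingerprint and therefore cannot be tied to a person at all.
KEY_LOGIN_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"\S+ (?P<fp>SHA256:\S+)"
)
PASSWORD_LOGIN_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")

# Constructed sample auth.log lines (not real data).
SAMPLE_LOG = """\
Mar  3 09:12:01 web-01 sshd[2101]: Accepted publickey for ec2-user from 10.0.1.15 port 51022 ssh2: ED25519 SHA256:AAAAexample1
Mar  3 09:15:44 web-01 sshd[2140]: Accepted publickey for ec2-user from 10.0.1.23 port 51100 ssh2: ED25519 SHA256:AAAAexample1
Mar  3 09:20:10 web-01 sshd[2188]: Accepted publickey for ec2-user from 10.0.2.7 port 51310 ssh2: RSA SHA256:BBBBexample2
Mar  3 09:31:05 web-01 sshd[2230]: Accepted password for ec2-user from 10.0.2.9 port 51500 ssh2
"""

# Constructed key inventory (assumption): fingerprint -> people holding the private key.
# Two or more holders means the key is shared; an unlisted fingerprint is unowned.
KEY_INVENTORY = {
    "SHA256:AAAAexample1": ["alice", "bob"],
}

def audit_logins(log_text, inventory):
    """Classify each login on a shared account by how well it can be attributed."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if m := KEY_LOGIN_RE.search(line):
            user, src, fp = m["user"], m["src"], m["fp"]
            owners = inventory.get(fp, [])
            if not owners:
                findings["unowned_key"].append((user, src, fp))
            elif len(owners) > 1:
                findings["shared_key"].append((user, src, fp, tuple(owners)))
            else:
                findings["attributed"].append((user, src, owners[0]))
        elif m := PASSWORD_LOGIN_RE.search(line):
            findings["no_fingerprint"].append((m["user"], m["src"]))
    return dict(findings)

def unattributable_count(findings):
    """Logins the audit team cannot tie to exactly one person."""
    return sum(len(findings.get(k, [])) for k in ("unowned_key", "shared_key", "no_fingerprint"))
```

Every login in the constructed sample ends up unattributable, which is exactly the situation the firm faced: the shared account name is logged, but not the person behind it.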
Reports are available that show the logical groupings of servers, provide a common naming schema, and list the assets within that group. This gives managers an at-a-glance view of what assets are assigned to each logical grouping and easily illustrates what each team member has access to.
The asset management firm no longer issues SSH keys and instead uses an approval process to grant just-in-time access to critical cloud-based environments for each individual. This is made possible through Centrify’s integration with ServiceNow® and SailPoint® Technologies.
Elevated privilege is centrally managed through a single source of truth. Changes and updates to elevated privilege are automatically replicated across all servers. When a server comes online, it receives the latest privilege information. This has significantly reduced the number of critical incidents caused by a server that lacked correct permissions.
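The drift that a manual sudo file push leaves behind (the inconsistency described in the problem list above, and the single-source-of-truth replication described here) can be measured with a check like the following. This is an added example, not code from the case study or from Centrify; it assumes a constructed central sudoers file, a host inventory, and per-host snapshots of each server’s sudoers file, and it treats `#` purely as a comment marker (it does not handle `#include` directives).

```python
import re

def parse_sudoers(text):
    """Return the effective rules in a sudoers file, ignoring comments, blank
    lines and whitespace differences so cosmetic edits do not count as drift."""
    rules = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' always starts a comment
        if line:
            rules.add(re.sub(r"\s+", " ", line))
    return rules

# Constructed central source of truth (not the firm's real configuration).
SOURCE_OF_TRUTH = """
# Application operators may restart their service
%appops ALL=(root) /usr/bin/systemctl restart app
%dba ALL=(postgres) /usr/bin/psql
"""

# Constructed per-host snapshots; app-03 was offline during the last push and
# app-04 is newly built, so neither has a snapshot at all.
HOST_INVENTORY = ["app-01", "app-02", "app-03", "app-04"]
HOST_SNAPSHOTS = {
    "app-01": SOURCE_OF_TRUTH,
    "app-02": """
%appops   ALL=(root)   /usr/bin/systemctl restart app
%dba ALL=(postgres) /usr/bin/psql
%dba ALL=(root) ALL    # stale rule left over from an old manual push
""",
}

def sudoers_drift(source, inventory, snapshots):
    """Compare each host's rules with the source of truth. Hosts with no snapshot
    are the offline or new servers that a manual file push silently misses."""
    expected = parse_sudoers(source)
    report = {}
    for host in inventory:
        if host not in snapshots:
            report[host] = {"status": "no_snapshot"}
            continue
        actual = parse_sudoers(snapshots[host])
        missing, extra = expected - actual, actual - expected
        report[host] = {"status": "drift" if (missing or extra) else "in_sync",
                        "missing": sorted(missing), "extra": sorted(extra)}
    return report
```

The report separates three conditions the case study lumps together as “inconsistency”: hosts that match, hosts carrying stale or missing rules, and hosts that never received the file at all.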
Overall, the asset management firm has dramatically improved its security posture, while reducing the number of employees needed to manage access, minimizing the number of failed deployments due to identity and privilege related issues, decreasing the time required for provisioning, eliminating a number of manual tasks, and significantly lowering the potential for downtime.