PEX Adopts Zero Trust Approach
Applies least privilege to strengthen security posture, achieve PCI compliance, and simplify internal audits
Based in the African country of Mauritius, PEX Ltd. is a universal payment service provider that delivers tailor-made technology solutions for its customers. A key focus for the company is providing a robust, resilient, cost-effective payment system infrastructure based on a customized, detailed analysis of each client’s operations.
PEX’s tech-centric approach, exceptional customer service, and commanding presence in one of the world’s fastest-growing markets have all played a role in the company’s success. But with rapid growth come operational and regulatory challenges. After years of expansion, PEX found itself struggling to comply with PCI regulations due to a lack of automation and security protocols across its infrastructure.
“Our lack of automated security procedures was posing a threat to the organization and costing us in terms of productivity,” says Jerome Dorasamy, Technology Team Leader at PEX, Ltd. “We were lacking key technologies like multi-factor authentication (MFA) across our network, and because we couldn’t be sure who was accessing them, we were unable to ensure the integrity of our databases. We had a major accountability issue.”
Another ongoing challenge was the inability of PEX employees to access Web-based applications from outside the network. While the team considered implementing a jump host to access and manage devices in separate security zones, they knew such an approach could be risky. A compromised jump server was responsible for the U.S. Office of Personnel Management’s high-profile breach in 2015.
Due to password expirations the company had implemented as a best practice, users were regularly locked out of their systems. And when users were locked out, productivity was lost. This made the tedious task of password management a never-ending challenge. The company needed to automate the process.
Finally, a lack of reporting made it virtually impossible to gauge the state of privileged access between audits. Even when audits were performed, password creep made it difficult to identify who actually had access to which systems and who had the ability to run privileged commands.
“While evaluating our challenges, we concluded that by taking a Zero Trust approach and applying least privilege, we could significantly strengthen our security posture, achieve and maintain PCI compliance, and dramatically simplify our internal IT audits,” says Dorasamy. “We selected Centrify based on its global reputation and its ability to meet virtually all of our needs with one comprehensive solution.”
PEX selected Centrify in hopes of leveraging many of its core modern privileged access management capabilities, including:
Multi-Factor Authentication ensures that only authorized humans are accessing sensitive systems, applied at system login, vault login, or during privilege elevation.
Multi-Directory Brokering securely extends the benefits of the cloud by simplifying user authentication through any directory service—Active Directory, LDAP, Google Cloud Directory, etc.
Active Directory Bridging unifies the IT infrastructure by consolidating identity, authentication, and access management for Linux and UNIX within Microsoft Active Directory.
Centrify Zone Technology provides a flexible means of managing a set of users and computers that all need to share a common set of policies and access controls.
Secure Remote Access allows entry to critical data centers and cloud-based resources regardless of location and without a VPN.
Session Recording and Monitoring allows organizations to monitor and record privileged sessions from both shared and individual accounts with full video and metadata capture.
Auditing and Reporting capabilities provide access and activity reports that meet SOX, HIPAA, FISMA, NIST, PCI, MAS, and other industry standards and government regulatory requirements.
Least Privilege Access limits potential damage from security breaches through a flexible, fine-grained, just-in-time elevation process that leverages role-based access controls.
Contextualized Requests allow organizations to identify and understand the context behind the request for access, and to review and approve the request based on the information provided.
Today, the Centrify solution helps PEX to efficiently and cost-effectively secure and control access to the IT environment by securing and automating repeated tasks like managing passwords, privileged users, and local and service accounts, as well as performing audits and creating reports. This has enabled the team to focus more on improving the services and infrastructure that serve its customers.
The company has experienced benefits across the board. “The ability to create custom reports has given us much greater control over user access. Account settings help us prevent DOS & DDOS attacks. We use group policies to auto-provision SSL certificates. Customizable reports allow us to extract SQL database data that we use in our decision-making processes. And all of this together ensures a more robust trust relationship,” says Dorasamy.
User onboarding and implementing access changes as user roles evolved was once a time-consuming process. Today, PEX uses Centrify to assign access by role instead of individual IDs, where applicable. When a user’s role changes, they automatically inherit all the access required for the new role, and all previous access rights are automatically removed.
Prior to Centrify, users outside the network could not access internal Web applications. PEX now ensures that authenticated users can remotely and securely access internal Web apps using multi-factor authentication.
The password expiration of local IDs (such as Oracle DBA IDs) that once blocked user access and reduced productivity has also been addressed. Local IDs are now managed through Centrify, which automatically changes the password according to pre-defined settings. In addition, workflows have been introduced on some of the most critical applications so that password checkouts or access requests must be approved by specified groups or individuals.
Auditing used to be a tedious exercise, but with Centrify, there are numerous standard reports available to ascertain which IDs and roles have access to each server and service. The company now runs daily reports for the entire environment, showing which groups, roles, and users have access to which servers. Reports also easily identify who can run privileged commands, eliminating access creep, and helping to identify any incorrect use of privileged access.
“The auditing and reporting features of the Centrify product help immensely with external compliance purposes and also our own internal audits and health checks,” says Dorasamy. “The product has all the functionality we need to meet the compliance standards of the regulations we need to abide by.”
When COVID-19 caused global lockdowns, many companies scrambled to enable working from home. PEX was fortunate to already have secure authentication, auditing, and privileged access management solutions in place for most of its environment. Rather than scrambling to allow its employees to work from home, the business was able to concentrate on other pressing issues.
“As we move into our third year using the Centrify solution, we look forward to the simplified audits, a robust security posture, regulatory compliance, and the knowledge that we are prepared to deal with new challenges as they arise.”