Privileged Access Minimisation (PAM)
A key element of any access governance framework is the control of privileged access. i-confidential is currently engaged with a number of clients, assisting them with the roll out of CyberArk, defining privileged access management (PAM) operating processes and minimising privileged access. The following is a case study from one of our PAM client engagements.
This client is one of the largest businesses in the UK. It experienced a number of major incidents, where privileged user accounts inadvertently led to service disruption. The client required a thorough review of all its production systems to identify and minimise the number of users who had privileged access. It needed to do this because privileged credentials provide IT personnel administrative access, so they can access data, install programs, alter configuration settings, control user access, and perform other highly privileged actions.
i-confidential provided a team of specialists to identify and engage the correct application support teams, covering a number of platforms including Windows, Unix, and Mainframe. i-confidential requested all teams to provide an automated user access control list (ACL), ensuring that all ACLs were received in the same consistent format. This met audit and regulatory requirements, and supported the internal recertification team performing regular access reviews on these applications.
i-confidential worked closely with the application support teams to identify privileged access within 689 applications, consisting of c. 50,000 entitlements, assigned to 23,000 unique user accounts and 5000 users. i-confidential identified and onboarded 2,000 unique privilege user accounts into the clients privileged access management tool, CyberArk. This prevented unauthorised access to key information assets and limited privileged access to the right people for a limited, authorised time period.
i-confidential identified and co-ordinated the de-provisioning of 4,700 redundant and inappropriate user accounts. i-confidential also helped the client to establish and manage separation of duties (SoD) to prevent fraud and errors by disseminating the tasks and associated privileges for a specific business process among multiple users.
i-confidential’s PAM programme reduced data security risk throughout the organisation by placing elevated access into a privileged access management tool and removing many redundant and inappropriate user access rights. This reduced the client's privileged application access by 65%. It minimised privileged individual user accounts by 82% to 4,000 accounts, which were assigned to 620 individual colleagues; a reduction of 88%. This helped the client to prevent, detect, and resolve access rights conflicts, reducing the likelihood that individuals can act in a fraudulent or negligent manner.
Identified and classified 19,000 accounts
Account access risk reduced by 82%
Provided a new validation process for account management