The ability to automate ‘what and which’ authentication methods are utilized, based on the access request, also significantly improves administrator productivity.
With a diverse mixture of 600 servers across multiple global business units, this leading manufacturing company knew their management of privileged user access rights and associated user accounts was out of control.
One big challenge was that user accounts were managed via local edits. Administrators manually added user accounts to each server to which the user needed access and then manually removed them when the person left. The user requested access to each server individually, and would often make many similar requests, creating inefficiencies.
The situation where someone left the company or changed jobs to a new area of the organization was a security and audit issue. Removing access required that the administrator be informed. This was problematic from both a productivity and security standpoint. An audit required that the organization institute a new policy requiring that access to servers be blocked within a set number of hours after termination. They would not be able to accomplish this without fundamental changes to their process.
Access to privileged accounts also had major problems. Access was controlled by knowledge of a shared password. Passwords were not changed on a regular basis - sometimes not even when administrators changed jobs. The privileged accounts often were accessed directly, removing all traces of accountability to a specific person.
The organization was becoming increasingly concerned about how to automatically control privileged user access across the diverse servers that held their highly sensitive intellectual property. They needed a way to automatically enforce who could elevate privileges, under what parameters, and all without sharing the privileged account passwords. This was essential to improve security of data and to pass IT audits.
After considering many different approaches, the organization determined that Powertech Identity & Access Manager (BoKS) would best satisfy their requirements. Using Powertech Identity & Access Manager (BoKS), the administrator can easily associate users to roles, which then automatically grants access to the appropriate servers while enforcing the appropriate access rules.
One of the key benefits of the BoKS system is that the manufacturer is able to automatically remove user accounts from across servers for terminated employees. They can meet their time requirements and solve a key audit issue.
Other operational savings come from Powertech Identity & Access Manager (BoKS)’s ability to enforce which form of authentication needs to be utilized, and when, as part of the authorization process. Now the manufacturer can automate ‘when’ to require SecurID, which improves administrator productivity. Here’s how. The administrator authenticates once using SecurID and can then move across servers using ssh, or elevate privileges using su or suexec, to complete their tasks. They can do this all without requiring further authentication of the user.
Because a SecurID token generates a new code only once every 60 seconds and each code can only be used once, it would take over an hour for an administrator to log in to 60 systems. If further authentications are required for elevating privileges, it would take even longer. Automating the enforcement of when and what authentication is required as part of the authorization process not only improves productivity, it also provides better control over privileged user actions.
And while it is harder to quantify, the organization has also found that by automating the enforcement of granular authorization policies for privileged user access and actions, along with automatically enforcing limits on cleartext protocols (telnet, ftp, and the r-commands), their risk of a security breach has been greatly reduced.
Implementing a centralized solution for administering privileged user accounts across diverse servers and automatically enforcing granular authorization policies for privileged access has enabled this manufacturing company to significantly streamline operations while closing security gaps. In addition to reducing the risk of accidental or intentional release of intellectual property, they are also benefiting from simplified audit and compliance reporting, further improving overall productivity in the IT operation.
Centralized administration console for a heterogeneous environment
Enforced control for root accounts across all servers
Simplified compliance reporting and auditing