Protecting the UK Government from damaging cyberattacks
This Government Department is the UK’s biggest public service department, administering services to around 20 million citizens. With 24/7 reliance on its IT infrastructure (the largest network of systems in Europe), protection from cyberattack is a top priority.
Impressed by the experience and specialism of the team.
A government-led internal audit had highlighted that operators with privileged user permissions (the highest permissions, reserved for administrators and engineers) were not being managed effectively:
- When people left, rights were not removed.
- When people changed roles, permissions were not reviewed and reduced.
- User accounts were not always linked to a real person in the organisation.
- Use of generic shared accounts was routine.
- The number of privileged user accounts was in the thousands yet the number of employees was only in the hundreds.
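The audit findings above are exactly the controls a privileged-account reconciliation should test: every privileged account has a named owner who is still on the HR roster and still active, holds only the groups its owner's role is entitled to, has been used recently, and no one person accumulates several accounts. The script below is an added example (not code from Pionen, CyberArk or the Department) that runs those checks over constructed sample data; the account records, employee IDs, role model and 90-day staleness threshold are all assumptions. In practice the accounts would come from an Active Directory export and the roster from the HR system.

```python
"""Privileged-account audit: reconcile a directory export against HR.

Added example, not code from Pionen, CyberArk or the Department. It
encodes the audit findings listed above as checks. The account and
roster records are constructed inline (hypothetical names and IDs).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    name: str                    # login name of the privileged account
    owner_id: Optional[str]      # employee ID recorded on the account, None if absent
    groups: FrozenSet[str]       # privileged group memberships
    last_logon: Optional[date]   # None if the account has never logged on


@dataclass(frozen=True)
class Employee:
    employee_id: str
    role: str
    active: bool                 # False once HR has processed the leaver


# Assumed role model: the privileged groups each role is entitled to hold.
ROLE_ENTITLEMENTS: Dict[str, set] = {
    "Windows Engineer": {"Domain Admins", "Server Operators"},
    "Service Desk": {"Account Operators"},
    "DBA": {"SQL Admins"},
}

# Constructed HR roster (hypothetical IDs).
ROSTER: Dict[str, Employee] = {
    "E100": Employee("E100", "Windows Engineer", True),
    "E101": Employee("E101", "Service Desk", True),   # moved from engineering
    "E102": Employee("E102", "DBA", False),           # has left the organisation
}

# Constructed directory export of privileged accounts.
ACCOUNTS: List[Account] = [
    Account("adm-alice", "E100", frozenset({"Domain Admins"}), date(2022, 11, 1)),
    Account("adm-bob", "E101", frozenset({"Domain Admins"}), date(2022, 10, 20)),
    Account("adm-carol", "E102", frozenset({"SQL Admins"}), date(2022, 6, 3)),
    Account("svc-backup", None, frozenset({"Domain Admins"}), date(2022, 11, 2)),
    Account("adm-alice-old", "E100", frozenset({"Domain Admins"}), None),
]

AUDIT_DATE = date(2022, 11, 15)   # the day the audit is run (assumed)


def audit(accounts: List[Account], roster: Dict[str, Employee],
          entitlements: Dict[str, set], today: date,
          stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs for every control failure found."""
    findings: List[Tuple[str, str]] = []
    per_person: Dict[str, List[str]] = {}
    for acct in accounts:
        if acct.owner_id is None:
            findings.append((acct.name, "no named owner: generic or shared account"))
            continue
        emp = roster.get(acct.owner_id)
        if emp is None:
            findings.append((acct.name, f"owner {acct.owner_id} is not in the HR roster"))
            continue
        per_person.setdefault(emp.employee_id, []).append(acct.name)
        if not emp.active:
            findings.append((acct.name, f"owner {emp.employee_id} has left but rights remain"))
            continue
        # Role change check: groups the current role is not entitled to.
        excess = acct.groups - entitlements.get(emp.role, set())
        if excess:
            findings.append((acct.name,
                             f"groups not permitted for role {emp.role!r}: {sorted(excess)}"))
        if acct.last_logon is None or (today - acct.last_logon).days > stale_days:
            findings.append((acct.name, f"no logon in the last {stale_days} days"))
    # One person holding several privileged accounts inflates the account count
    # and usually means old accounts were never cleaned up.
    for owner, names in per_person.items():
        if len(names) > 1:
            findings.append((owner, f"holds several privileged accounts: {sorted(names)}"))
    return findings


def run_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed data."""
    return audit(ACCOUNTS, ROSTER, ROLE_ENTITLEMENTS, AUDIT_DATE)


if __name__ == "__main__":
    for subject, finding in run_audit():
        print(f"{subject}: {finding}")
```

On the constructed data this raises five findings: one for each of the audit's failure modes (a leaver whose rights remain, a mover holding groups the new role does not permit, an account with no named owner, a dormant account) plus one person holding two privileged accounts. The account with a current owner, a permitted group and a recent logon raises nothing, which is the state every account should be in after remediation.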
With records holding information on every citizen in the UK, and thousands of servers and 100,000 laptops running crucial citizen services, unmanaged privileged users were a critical risk. The Department turned to Pionen, specialists in identity and access management, to find a solution.
First, Pionen needed to understand the Department’s problems and develop requirements to fix them – both the functional elements (what the solution would do) and the non-functional elements (how the solution would work with other capabilities). Working collaboratively with the Department’s identity and engineering teams, Pionen developed the requirements and gained approval.
Pionen then worked through its checklist of standard non-functional requirements to determine the technical constraints. On that basis, Pionen was confident that a commercial off-the-shelf Privileged Access Management (PAM) product would suit the Department.
After assessing the available products against the requirements, Pionen compiled a comprehensive compliance matrix setting out each product’s strengths and weaknesses. The Department’s buying team used the matrix to run a competitive procurement between the top three vendor platforms identified.
Once a product was selected and procured, Pionen worked with the vendor, CyberArk, to develop a design roadmap and plan, plus the high-level design artefacts needed to start governance. The first stage was a reusable capability design: a solution-agnostic view of the system that mitigates the risks introduced when privileged users are not effectively managed.
Pionen then completed the complex solution design to allow privileged user management for over 500 privileged users. The design met all the Department’s strict governance standards (based on the Government Security Policy Framework) and was approved by the Design Authority. The design was also scrutinised and approved by the vendor, since CyberArk supports only designs it has approved.
In parallel with design, Pionen ran a Business Change Programme. They developed a Future Operating Model, documented existing use cases for all privileged users and created ‘to-be’ use cases documenting how processes would work with the new solution in place.
The first phase of implementation was technical data gathering using CyberArk’s DNA (Discovery and Audit) tool, which scanned the network and reported the privileged user accounts it found.
The second phase was to install the full set of CyberArk software components and then onboard a friendly user group, running in parallel with normal operations.
In the third phase, Active Directory synchronisation and further user groups will be brought on board, again in parallel with existing user accounts to ensure no disruption of service.
The fourth phase will start enforcing CyberArk-only access. Once all accounts are tested and in daily use, all remaining legacy accounts (accounts not managed by CyberArk) will be removed or have their access denied.
The final phase, scheduled for 2023, will integrate SailPoint, which adds automated user lifecycle management to PAM: joiner, mover and leaver (JML) processes will be driven from HR data rather than handled by hand.
We are very happy with the team's delivery of our projects.
The PAM project has been a great success within the Department. CyberArk now manages over 300 privileged users and routinely:
- Spots unusual activity through behavioural heuristics and forwards alerts to the Security Information and Event Management (SIEM) system for investigation by the Security Monitoring Team.
- Records video of all privileged user sessions (Remote Desktop and Secure Shell (SSH)).
- Manages granular privileges to ensure only the required permissions are available to privileged users.
- Manages the checking in and out of generic and shared accounts, so that each action taken with a shared account is tied to a named person.
- Removes the need for shared administrator password safes.
This means the Department has day-to-day visibility of what administrators are doing. All accounts with administrator privileges are managed (no backdoors), and any misuse is flagged for investigation.
The Department is now considering the final phase of deployment, which will automate lifecycle management between HR databases and Active Directory, reducing human error, ensuring process consistency and cutting IT team resource overhead.
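The lifecycle automation described in the final phase (here and in the SailPoint integration earlier) comes down to one loop: take the previous and current HR feed, work out who has joined, moved or left, and turn each case into directory actions. The block below is an added example (not SailPoint’s, CyberArk’s or the Department’s code) of that loop over two constructed HR snapshots and a constructed view of the directory. The record format, action names, role model and the default-deny handling of movers are assumptions; a real integration would emit the actions to the directory and PAM platform instead of returning them.

```python
"""Joiner/mover/leaver (JML) automation between an HR feed and the directory.

Added example, not SailPoint's, CyberArk's or the Department's code.
It diffs two HR snapshots, classifies each person, and turns the result
into provisioning actions. Record format, action names, role model and
snapshots are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str


# Assumed role model: privileged groups each role is entitled to hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "Windows Engineer": {"Domain Admins", "Server Operators"},
    "Service Desk": {"Account Operators"},
    "DBA": {"SQL Admins"},
}

# Constructed HR snapshots: yesterday's feed and today's feed.
SNAPSHOT_PREV: Dict[str, HrRecord] = {
    "E100": HrRecord("E100", "Windows Engineer"),
    "E101": HrRecord("E101", "Windows Engineer"),
    "E102": HrRecord("E102", "DBA"),
}
SNAPSHOT_CURR: Dict[str, HrRecord] = {
    "E100": HrRecord("E100", "Windows Engineer"),
    "E101": HrRecord("E101", "Service Desk"),      # mover: role changed
    "E103": HrRecord("E103", "DBA"),               # joiner
}                                                  # E102 is absent: leaver

# Constructed view of the privileged groups currently held in the directory.
DIRECTORY: Dict[str, Set[str]] = {
    "E100": {"Domain Admins"},
    "E101": {"Domain Admins", "Server Operators"},
    "E102": {"SQL Admins"},
}

Action = Tuple[str, ...]


def diff_snapshots(prev: Dict[str, HrRecord],
                   curr: Dict[str, HrRecord]) -> Tuple[List[str], List[str], List[str]]:
    """Classify employee IDs as joiners, movers (role changed) and leavers."""
    joiners = sorted(set(curr) - set(prev))
    leavers = sorted(set(prev) - set(curr))
    movers = sorted(e for e in set(prev) & set(curr) if prev[e].role != curr[e].role)
    return joiners, movers, leavers


def plan_actions(prev: Dict[str, HrRecord], curr: Dict[str, HrRecord],
                 directory: Dict[str, Set[str]],
                 entitlements: Dict[str, Set[str]]) -> List[Action]:
    """Turn the JML classification into ordered provisioning actions.

    Design choices (assumptions, not the Department's process):
    - leavers are disabled, not deleted, so the account and its history
      stay available to investigators, and every privileged group is removed;
    - movers lose any group the new role is not entitled to (default deny)
      and a review is raised so the new line manager confirms what remains;
    - joiners get an account but no privileged group; privilege is requested
      and approved separately, never granted by the HR feed alone.
    """
    actions: List[Action] = []
    joiners, movers, leavers = diff_snapshots(prev, curr)
    for emp in leavers:                       # leavers first: highest risk
        actions.append(("disable_account", emp))
        for group in sorted(directory.get(emp, set())):
            actions.append(("remove_group", emp, group))
    for emp in movers:
        allowed = entitlements.get(curr[emp].role, set())
        for group in sorted(directory.get(emp, set()) - allowed):
            actions.append(("remove_group", emp, group))
        actions.append(("request_review", emp, curr[emp].role))
    for emp in joiners:
        actions.append(("create_account", emp))
    return actions


def example_plan() -> List[Action]:
    """Plan actions for the constructed snapshots and directory."""
    return plan_actions(SNAPSHOT_PREV, SNAPSHOT_CURR, DIRECTORY, ROLE_ENTITLEMENTS)


if __name__ == "__main__":
    for action in example_plan():
        print(action)
```

On the constructed data the plan disables the leaver and strips their group, removes both of the mover's engineering groups (neither is permitted for the service desk role) and raises a review, and creates an account for the joiner with no privilege attached. The unchanged employee is untouched, which is the property that makes the run safe to repeat on every feed.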