FS moved its data center off-premise to the cloud, so there was an opportunity to strategically build the security infrastructure up front to manage more than 300 machines on AWS. Each of the servers has its own SSH key and a local user for development. Multiple people need to connect to the servers all the time. Managing the security of these privileged accounts was a complex and complicated endeavor. Also, the company wanted to have a system in place to track all changes to ensure each was approved for deployment and documented for long term analysis and audit. Having proactive security measures in place to mitigate risks associated with privileged accounts was not only important to the IT team supporting a growing business, but it was also a priority for the CEO who understands the business benefits of protecting digital assets.

Protecting the privacy and security of data is a top priority. The company’s highly diverse IT environment runs multiple Windows platforms, and more than 85% of end users had administrative rights to their machines which was a security risk. To reduce the attack surface, the company was compelled to rewrite IT security policies in support of removing administrative rights from business users on endpoints. Ultimately, the goal was to implement the new IT security policies with the least disruption to and resistance from end users, while doing so in the most cost effective way possible. Due to the company’s IT environment and the applications supported, it was critical to have the ability to define a specific application to run with elevated rights without having to give the same rights to child processes.

One of Canada’s leading institutional fund managers faced significant risks from potential insider threats. With over $200 billion in assets, the company needed to protect against both external and internal cyber attacks. The primary concern was the abuse of privileged accounts, which could allow malicious insiders to move freely and undetected within the network. The company had hundreds or thousands of privileged accounts that were unknown, unmanaged, or unsecured, posing a critical vulnerability. The challenge was to identify and secure all privileged accounts to mitigate the risk of insider threats.

For this global communications company, Pass-the-Hash attacks posed an immediate and troubling challenge. While the company was able to identify the existence of these types of attacks before a serious breach occurred (evidence of password theft and password cracking was clear and eminent), they struggled with the unique nature of a stolen hash. As a first step, the IT team opted to restrict access to their admin and privileged accounts by issuing Smart Cards. Unfortunately, this did not solve the problem, as vulnerabilities persisted within these Smart Card-enabled accounts. Smart Cards, which are touted to prevent credential theft through multifactor authentication, actually exacerbate the problem. With Smart Cards, the passwords associated with each privileged account, by default, never expire and are never changed again. As a result, once the hash is stolen, the attacker can exploit it in perpetuity. To truly combat Pass-the-Hash attacks against Smart Card-enabled admin accounts, the organization would need to deploy a custom solution that ensures admin and privileged passwords are automatically changed with some frequency to proactively protect against stolen credentials and abuse.

The airline has a robust e-commerce application, allowing travelers to search and book flights directly from the corporate website. This airline website was ranked the fifth largest travel site and the largest airline site in terms of unique visitors (source: Comscore MediaMetrix). As a result of its online growth, the airline was acutely aware of the need to maintain compliance with the credit card data protection standards mandated by the Payment Card Industry (PCI) Security Standards Council in its efforts to ensure credit card security. The PCI Data Security Standard (DSS) industry protocol is a common set of tools and measurements that are applicable across industries to help ensure the safe handling of sensitive credit card data and the protection of cardholder information. PCI Compliance in travel and tourism is often differentiated from other industries because of the lag time between when a flight is booked and when the credit card is processed for that booking. In this scenario, the credit card information is usually stored until the travel has actually taken place, or shortly before. This practice is not allowed in a PCI compliant environment, leaving travel companies at risk for fines and under intense pressure for ensuring their databases are protected from being wrongly accessed or altered - unintentionally or otherwise. As a result of these requirements and increased exposure due to its popular e-commerce business, the airline needed a new approach to document the steps it was taking to achieve PCI compliance with auditors. In this case, that meant proving that passwords to its database of sensitive customer data (including names, credit card numbers, billing addresses and other information) were being effectively monitored, managed and changed regularly.

As an investment firm, this company is required to generate and send 1099 tax forms to its American clients each year. These forms are used to report additional earned income, including that from investments and interest payments. Since many of this firm’s clients hire Certified Public Accountants (CPAs) to prepare their taxes, these forms must first be shared by the firm with its clients and then by the clients with their CPAs. A key challenge the firm has faced is that these 1099 forms, which contain sensitive personal and financial data, must be handled with the highest degree of security. In the past, once these forms were generated in January each year, the firm would mail the forms to its clients since electronic means of file sharing were considered too risky and insecure. Clients, in turn, would mail or physically deliver these forms to their external CPAs. This highly manual process was costly and inefficient for both the firm and its clients. The firm’s IT team began searching for an easier, more secure way to send these sensitive tax documents to their clients and to enable their clients to share these tax documents with their external CPAs.

CyberArk works primarily with this financial services company’s business banking segment, which provides a number of financial products and services including business checking accounts, payroll management, accounts receivable processing and accounts payable processing. Before digital transfer and storage technology was available, many of the banking and treasury management services provided to customers were highly manual, requiring significant time and physical resources. This approach restricted the company’s ability to scale its business and create new competitive advantages. In order to expand its service offerings while still addressing the increasingly complex compliance and operations requirements, this financial services company needed a more secure, automated and operationally efficient approach to handling Cash Letter processing, Account Reconcilement Processes (ARP), Automated Clearing House (ACH) transactions, and Lock-box files. At a minimum, this would require transforming these files into digital assets that could be securely transferred, processed and stored. At the time, in the early 2000s, exchanging digital files was a challenge that required companies to develop in-house expertise around technologies such as File Transfer Protocol (FTP) and/or invest in expensive solutions that small to mid-size corporate customers couldn’t always justify. Even with the in-house expertise and expensive systems, many businesses couldn’t guarantee the security of electronically transferred files, nor could they guarantee that the system management processes would be governed properly. This company turned to CyberArk to help eliminate the need for complex, expensive and time-consuming communications technologies and instead move towards a more secure, automated solution.

Due to the nature of the practice, it is of the utmost importance that the law firm’s most sensitive information be handled with only the highest degree of security. One the firm’s biggest challenges was that executives and external board members considered electronic communications too risky to use to transmit confidential information for board meetings. As a result, the executives and board members still relied on the physical distribution of paper and CDs. The process of using paper and CDs was overly cumbersome, prone to error and highly ineffective for sharing important information quickly. Additionally, the distribution of paper and CDs was a largely untrackable process, and there was a significant risk that these items could accidentally fall into the wrong hands. Jamie, the Manager of Information Security, recognized the many challenges and risks associated with the use of papers and CDs. As a result, he began to search for a highly secure solution that could safely enable the exchange of confidential information, offered granular access control and was able to track exactly who accessed what and when.

As cloud vendors including AWS and Azure make clear, security in the cloud is a shared responsibility. Though these public cloud vendors take great efforts to secure the cloud infrastructure — compute, storage, etc. — their customers are fully responsible for protecting everything above the hypervisor, including the operating system, applications, data, access to external resources and other assets and infrastructure. Fully appreciating this shared responsibility model, the TOTVS Cloud security team set out to identify a security solution that could not only bolster their cyber resilience but also add value to the TOTVS Cloud by driving automation, standardization and increased efficiency. TOTVS Information Security Cloud Team conducted an in-depth technical analysis of potential solutions, ultimately selecting and deploying the market-leading CyberArk Privileged Access Manager Solution based on overall performance, resilience, health checks, high availability/disaster recovery requirements and cost.

According to the 2018 Deloitte Global RPA Survey, 53 percent of organizations have already started their RPA journey to help robotize repetitive routine tasks and drive digital transformation. RPA adoption is expected to increase to 72 percent in the next two years, and if it continues at its current level, RPA will have achieved near-universal adoption within the next five years. It’s not hard to see why – the same study points to total ROI in less than 12 months, with significantly improved compliance, quality, accuracy, productivity and cost reduction. This global insurance provider has embarked on a multi-year digital transformation journey aimed at achieving agile development at scale. To help steer this strategic initiative, the company’s application development team has embraced Blue Prism’s RPA technologies to automate operational activities, test new applications and accelerate operational agility. Over the past 12 months as part of a proof of concept, the firm integrated 10 business critical applications – including SAP, Windows and Lightweight Directory Access Protocol (LDAP) – into the Blue Prism Digital Workforce Platform. To interact directly with business applications, RPA software must mimic the way applications use and mirror human credentials and entitlements. This can introduce significant risk when the software robots automate and perform business processes – whether logging into a system to access data or moving a process from one step to the next. Often times, the credentials being used are hardcoded directly within the application. If an attacker successfully steals these credentials, they can ultimately take full control over the robot and gain access to target critical systems, applications and data. Fully understanding these risks, the CVP of Privileged Access Management at the firm, made securing privileged access to these robotic credentials a top priority.

Despite its success, like all enterprises BRAC Bank Limited (BBL) must face up to the many and varied challenges of security. To do this it has taken bold steps, becoming the first (and so far only) local bank to achieve ISO 27001:2013 certification for security management and BBL was the first Bangladeshi bank to deploy a Security Operations Centre to anticipate and defend against threats. Participating in the highly regulated financial sector, the bank prides itself on being at the forefront of implementing state-of-the-art security controls, policies and procedures across all operations. However, BRAC Bank must still address the familiar malware, spoofing and other familiar threat vectors. Also, it recognises that the cybersecurity threat landscape continues to change as data governance rules are adapted over time, including the Bangladeshi Guideline on ICT Security for Banks, PCI-DSS and SWIFT, while addressing payment partners’ security requirements and other local regulations. And, again typical, the bank has to fight to justify access to IT security resources and to retain security staff in a world where these skills are highly prized.

According to the 2017 Verizon Data Breach Investigative Report, 81 percent of data breaches involve weak or stolen credentials. Understanding that many cyber attackers focus their efforts on harvesting privileged credentials, the real estate services company has trusted CyberArk for more than six years to protect, control and monitor privileged access to critical information—including 500+ systems and one of its primary data centers. In the past three years, the organization has accelerated its move to the cloud to improve efficiencies, scale processes, deliver enhanced client services and maintain its edge in the ultra-competitive real estate market. Despite its many benefits, the cloud’s multiplier effect has created exponentially more privileged account credentials and secrets that are highly targeted by attackers and need to be properly managed and protected. As part of their cloud journey, the organization’s security team sought a way to further enhance security around these powerful, privileged account credentials through an additional, complementary security layer: multi-factor authentication (MFA).

Growing both organically and through acquisition since 1865, Milliken amassed unprecedented intellectual property, which has powered much of the company’s success. It has also presented challenges to protect that information and mitigate risks presented by the modern IT environment. Privacy and data security were a top priority. With the company operating more than 50 locations around the world, they needed a solution that could cover every endpoint and scale with the growing company. Amidst a current landscape of large breaches occurring at other companies, Milliken’s desire to protect its associates and its intellectual property led them to perform an internal security assessment, which included hiring a third-party security consultant to independently evaluate their environment. The assessment’s outcome demonstrated to the Milliken security team that changes were needed, leading to new security policies for managing this global IT environment. At Milliken, end users were running with full administrative rights on their company devices. A goal was established to eliminate this high risk and only allow certain individuals to have elevated privileges and only for specific applications and functionality. Along with establishing least privilege, the company sought better capabilities to govern application control. To ensure that users continued to have the freedom needed to do their jobs effectively, the right solution needed to balance the needs of the business around innovation but also minimize risk to the company and brand.

This global financial services firm, with $2 trillion in assets and operations in more than 60 countries, faced significant challenges in managing nearly 50,000 emergency or break-glass accounts. These accounts are essential for emergency access to over 20 target platforms across seven lines of business. The firm's Security and Risk Management Group was under immense pressure due to the manual and burdensome processes required to manage these accounts. The complexity was further exacerbated by the use of three large, regional Lotus Notes databases for managing break-glass accounts, which contributed to extended password request and fulfillment times. The primary goals for investing in a privileged identity management solution were to reduce costs through better automation, migrate from the slow and complex Notes technology, and centralize the databases.

The direct selling industry, which collects billions of personal data points from customers globally, is a prime target for cybercriminals. Beyond personally identifiable information (PII) and payment card industry (PCI) data, they gather other sensitive information such as social security and government ID numbers. Princess House’s information systems and technology (ISIT) team recognized the need to secure privileged access to this sensitive information to preserve customer trust and protect Princess House’s reputation. Before implementing a PAM solution, accounts were stored in password-protected spreadsheets without enforced password rotation, posing a significant security risk. The team initially selected a PAM solution but faced issues with its implementation, which was complicated and lacked a step-by-step guide. The platform was inflexible, requiring all accounts to be managed at once, which was not suitable for their phased approach.

Changing customer expectations, greater digital use, and the evolving cyber threat landscape are challenging financial institutions to balance innovation with effective security practices. Privileged access management (PAM) is critical to enable flexible yet controlled access to critical systems holding sensitive customer PII and other valuable information. As financial systems grow in size and complexity, privilege is everywhere, making strong PAM essential for banks to move with agility without jeopardizing their brand or regulatory compliance.

To enhance global collaboration and integration, Shiseido planned to move to an entire portfolio of cloud-based applications but needed a single sign-on capability to provide robust user authentication for both Active Directory and external users. Shiseido’s legacy environment utilized an on-premise application, accessible via a domestic portal for its Microsoft Windows-based users. The company recognized that it would be impractical for the existing corporate infrastructure to support new cloud applications because it would force users to set up individual IDs and passwords for each application that needed to be accessed. Worse still, it would significantly increase the security risk with so many different passwords having to be created and memorized. In addition, the company estimated there would be a significant reduction in user productivity associated with managing the numerous log-ins, and an associated increase in IT support and administrative work to keep everything running smoothly. Leveraging the portal concept, Shiseido’s plan called for implementing an Infrastructure-as-a-Service (IaaS) environment but to be successful, there was an urgent need for an authentication infrastructure that could enable single sign-on access to cloud-based applications via a globally available portal.

The insurance company wanted to use DevOps methodologies and containerize thousands of applications to increase business agility, eliminate inefficiencies, and accelerate the pace of innovation. Containerized applications use secrets such as passwords, tokens, and SSH keys to gain access to sensitive enterprise resources such as databases, web applications, compute, storage, and networking services. The security team recognized that in some other organizations, out of expediency, developers have hardcoded secrets, access keys, and other sensitive credentials into applications. Hardcoded credentials are not only challenging to rotate but also potentially expose the business to data theft and malicious attacks. The insurer’s information security organization wanted to ensure credentials were removed from code to reduce potential vulnerabilities, such as inadvertently exposing secrets in the code stored on repositories. A key priority was to ensure applications can securely access databases and other sensitive resources without impairing developer productivity or hindering application delivery.

The company faced challenges with their existing SharePoint workflows and DevOps processes, which were frequently breaking. They needed a more reliable and efficient way to manage privileged access without the need for submitting tickets, going through workflows, or waiting for approvals. Additionally, they had a tight deadline to meet an external customer requirement for privileged access management, which included signing the purchase order, installing the solution, and managing a larger number of servers than initially anticipated.

The organization faced significant risks related to endpoint security, particularly concerning the potential for pass-the-hash attacks and same-account harvesting. The challenge was to reduce the attack surface by removing local administrative rights on workstations, which would minimize the chance of privilege escalation. Additionally, the organization needed a solution that could provide immediate reporting to the Security Operations Center (SOC) in case of an incident. The goal was to enhance overall security while maintaining operational efficiency.

Implement a cloud-based identity management solution as the basis for an entirely new cloud-based infrastructure. Include secure single sign-on (SSO) to support productivity-enhancing mobile apps. Do this in a way that reduces demand on IT. As with any Local Distribution Company (LDC), the top priority at London Hydro is literally keeping the lights on. LDCs must therefore act with extreme caution when it comes to introducing new technologies into the system that could negatively impact service to customers. But that caution must be balanced with the many benefits new technologies provide, such as the ability to significantly reduce costs, improve delivery systems and minimize waste. After months of careful evaluation of the advantages and the risks, Mike Flegel, Cyber Security Specialist at London Hydro, was tasked with finding a single sign-on platform that would support the company’s move to a cloud based infrastructure. Historically, security at LDCs has been a matter of simply keeping office and field networks physically separate, and requiring multiple passwords to access individual resources. But times have changed — complete separation can be too restrictive and users juggling multiple passwords can end up being security risks themselves. London Hydro needed to implement an identity management solution that would be the basis for an entirely new cloud-based infrastructure consisting of everything from traditional ERP datacenter applications like SAP and JDE to new, mobile apps for the field. At the same time, it was important to reduce the IT workload by minimizing password reset requests, and simplifying the process of adding or removing employee access and incorporating new apps into the environment.

Avoid the build-out of a high-cost disaster recovery co-location for a product that was already difficult to implement and manage. Simplify app integration, address MDM requirements and SOX compliance, and ensure a more robust security stature. When SBA Communications began using SaaS-based apps like Innotas, ExpenseWatch and Yammer, they implemented Microsoft’s Active Directory Federation Service (AD FS) at an approximate total cost of $35,000 for identity management. While implementation and application integration proved challenging, the product met the company’s requirements at the time. As their environment evolved, however, the solution became increasingly difficult to manage. To assist in the implementation, they hired a consulting firm with AD FS expertise, which took six weeks to get the initial solution implemented. However, a new version of AD FS was soon released, and the company was faced with having to migrate the entire infrastructure. Integration was so painful the first time around that they dreaded having to migrate those same apps into the new environment. The unfortunate result was two live versions of AD FS, each with its own set of SaaS applications that required significant resources and a coordinated effort to maintain. The real issue arose as cloud-based solutions became more pervasive within the company’s environment. While they had previously incorporated only a few, less-critical SaaS apps, the benefits of cloud-based solutions led the company to adopt more until eventually disaster recovery became an issue.

At Chugai Pharmaceutical Co Ltd, three different tools were used to provide single sign-on (SSO), enterprise mobility management (EMM) and multifactor authentication (MFA) across the company’s European and US divisions — Chugai Pharma Europe, Ltd. With a limited IT staff in each location, management of these separate solutions created unnecessary strain and considerable expense. Looking to simplify IT processes and save money, the company first considered expanding its relationship with its existing SSO provider. The company was also looking to replace its existing MFA tool with a solution that leveraged users’ mobile devices. They needed a cloud-based solution that included SSO, MFA and EMM to protect Chugai’s intellectual property as well as the personal information of patients participating in their clinical trials.

Implement identity federation services for Office 365 without requiring significant new investment or added pressure on the IT team. Provide single sign-on for users. Simplify the IT tasks of user provisioning and deprovisioning. Help ensure compliance with GLBA regulations. In the process of renewing their Microsoft Enterprise Agreement, The Citizens Bank decided it was time to move to Office 365 for a more easily-managed solution. However, they’d heard that Microsoft’s complementary Active Directory Federation Services (AD FS) product comes with many challenges and considerable expense. The company decided to look for a more efficient solution that wouldn’t require significant additional investment in the transition to Office 365. As an FDIC-regulated financial institution, the company must also comply with GLBA (Gramm–Leach–Bliley Act) regulations, which require that a host of specific actions be taken to protect customer financial data. Two key components of protecting user information are tightly controlling access to the data and having the ability to quickly remove that access when employees leave the company. So, secure password management and the ability to easily provision and de-provision cloud applications are essential.

Drive flexibility across the business. Deliver employees single sign-on access to all the apps they need, located in one central portal. Ease the onboarding process and increase productivity for all users. When Chief Technology Officer Sébastien Huet joined Rémy Cointreau in 2015, one of his primary objectives was to help transform the company into a more agile organization. A key component of that transition would be the upgrade of its IT infrastructure to provide more flexibility, respond better to changing worker habits and deliver exceptional support for the business. Huet encountered another example underscoring the need for an overhaul. It took months to open their new office in Asia. One of their key objectives is to have the flexibility to open a new office anywhere in the world in a matter of days. Huet and his team set out to transform IT and with it, the business as a whole. The company was moving to a cloud-based architecture, with the goal of relying exclusively on web apps. They wanted to be able to access apps from any device, anywhere and at any time, so mobile management was crucial. And for optimal security, they needed to transfer focus from the network and the device to the applications. Identity management would be essential to achieving these goals.

Build out a cloud infrastructure to support rapid company growth. Ease the transition to cloud with single sign-on to Office 365 and other apps. Include two-factor authentication for stronger security. Protect and manage company smart phones with EMM. Nearing the end of a contract that outsourced the community services ELC supervised, the company decided to bring the services in house and offer them directly to the public. It was a large undertaking that would require nearly 100 new employees and the opening of new satellite offices. Success would depend on an environment that could support the company’s 300% growth projections. “We didn’t have the infrastructure or services necessary to handle the anticipated increase in employees,” says Luis Mena, Director of IT at Early Learning Coalition. “So we were under a tight deadline to roll out an entirely new infrastructure.” Mena decided to leverage the cloud to the greatest degree possible. “We considered building out our own on-premises infrastructure, but that approach would have required initial hardware costs in the hundreds of thousands of dollars and significantly more time and IT resources than we had available,” he says. “The ease and speed of building out a cloud-based environment made it a better choice. But we needed a strong solution that would help us in the transition.” ELC began looking for a solution that would provide authentication and single sign-on for the cloud services they were evaluating. Security would be a top consideration in any solution, as well as compliance with state and local government regulations similar to HIPAA. Strong, two-factor authentication for remote users would also be required. And if they could locate a complementary solution to securely manage their mobile devices, it would be ideal.

Simply Healthcare faced significant challenges due to rapid growth, including the need to transition to Office 365 and provide single sign-on (SSO) for various SaaS applications. The company aimed to minimize help desk tickets for password resets and reduce the time and effort required for IT to onboard new employees. The infrastructure team was overwhelmed with tasks ranging from server and network maintenance to help desk requests and employee onboarding. The decision to switch from on-premises Microsoft Office to Office 365 was made to alleviate some of these pressures. However, the team needed a solution to help with identity federation and to support the company's continuous efforts to remain HIPAA-compliant.

Find a single sign-on solution to dramatically reduce complexity, minimize calls for password assistance, increase security and help keep users engaged and using key apps. Designed to act as a portal for growers, packers, exporters and local marketers, the NZ Avocado system provides access to highly-specialized apps including a Spray Diary to log essential information about growing activities, as well as an AvoTools app and associated websites used to ensure compliance to international regulations. In order for New Zealand growers to export overseas, they must register with the association and record all use of sprays on their orchards. This is an essential component in assuring quality, guaranteeing that international standards are met and protecting a multi-million dollar industry. But with over 1350 members, NZ Avocado was having significant issues with users logging into their applications and online tools. Each app required its own set of credentials for access and that meant users had to remember multiple passwords. Compounding the issue was the fact that each orchard required its own user name and password as well, so owners of multiple orchards often found themselves managing dozens of passwords. As a result, the NZ Avocado team was frequently inundated with calls for password assistance. The problem was so great that the organization resorted to keeping user names and passwords on a spreadsheet that was available to most of the office staff. Lacking its own IT department, NZ Avocado contacted IT consultant Andrew Nimick with Point Concept, and enlisted his help in finding a solution that would dramatically reduce complexity, minimize calls for password assistance, increase security and help keep users engaged and using the apps.

With more than 400 employees, password expirations and resets at Grupo Argos had become a significant strain on IT resources. Traveling was another challenge for staff, as logging into SAP and other apps from outside the office was difficult, impacting productivity. Employees frequently had different passwords for each SAP app, and managing passwords for both privileged users and end users had become cumbersome. Concerns were raised about security because users were re-using passwords or keeping them in unsafe locations. Macs presented an entirely different set of issues, being managed locally without IT oversight. Additionally, the company had limited visibility into third-party managed servers, which was crucial for SOX compliance and troubleshooting outages.

Since its launch, Quanta Services has acquired over 200 businesses and amassed 16,000 endpoints dispersed around the world. That growth, while welcomed, has created a major privileged access management (PAM) challenge for the company. Richard Breaux, senior manager, IT security at Quanta Services, outlined the problem, “As we acquire companies, the challenge is to integrate them – taking their privileges, their computer systems and how they operate – and to make them part of our own ecosystem and to keep everything secure.” Alongside this, Quanta also faced issues common to many businesses. Breaux stated, “We have the same challenges around privileged access that many companies do, whether with local administrative rights on a desktop or laptop, or privileged access for server administration and web application development. We’re all confronted with a similar set of issues.”