End-to-End Privileged Access Governance
Connecting PAM and IGA solutions for full visibility
These two clients are both in the financial services industry. One is a SIFMU (systemically important financial market utility) operating under SEC jurisdiction. With approximately 600 employees in its Chicago offices, it processes more than 17 million transactions per day and serves more than 100 organizations. It’s fairly mature in its identity and access management, with both IGA and PAM solutions.
The other client is a Massachusetts-based startup born from one of the largest broker-dealer companies in the US, with annual revenues of more than $1 billion. The parent organization recently spun off its popular software platform into an independent technology company, with plans to market its software to other firms. The startup currently has 250 employees and is profitable, with plans to grow at least 50% over the next year.
Many organizations have separate privileged access management (PAM) and identity governance and administration (IGA) solutions. IGA solutions govern user repositories but don’t own them, while PAM systems deliberately isolate privileged account credentials from users to better protect them. Although each solution serves its own critical purpose, leaving them disconnected can create redundancies, a lack of centralized visibility, inconsistent policy enforcement, and even potential security gaps.
The SIFMU was experiencing an overabundance of Active Directory groups, which stressed the authentication process. It was eager to move from Active Directory groups to direct management, where it could increase transparency into certifications inside its IGA system. It also wanted deeper visibility into what user information was stored in its PAM solution, and a more consistent, auditable process for access requests and approval workflows.
The spinoff company was driven by a desire for automation and lightweight, efficient, self-serve processes. To reduce the number of “fingers on keyboards,” it wanted to automate the creation of a personal safe (vault) for every user with admin credentials.
Both clients wanted to implement an integration between SailPoint and CyberArk that could provide proper governance for requesting, approving, provisioning/deprovisioning, and certifying privileged accounts and safe permissions. Integral Partners’ advisors used their deep knowledge of both SailPoint and CyberArk, along with their experience building customized connectors, to adapt a tailored integration solution for each client. Because Integral Partners was building custom SailPoint/CyberArk integrations before the connector modules even existed, we’ve been able to help define the standard for how the modules work and have been one of the first companies to adapt and customize them. Each integration allows the client’s privileged account management to connect to its IGA system.
The SIFMU client had purchased the SailPoint PAM module and wanted to install it. Since it’s somewhat limited out of the box, Integral Partners built customizations that capitalize on the full capabilities of the API: we created a workflow that adds safe permissions for identities in CyberArk that are viewed and maintained in SailPoint IdentityIQ (IIQ). This gave the client a centralized view into safes, and a unified way to add permissions and perform certifications.
For the spinoff company, Integral Partners developed a solution automating what used to be manual processes. It creates a CyberArk account linked to an Active Directory account, builds a new safe to store the newly provisioned admin Active Directory account (and its credentials), assigns permissions to the new CyberArk account so the end user can view those admin credentials, and adds permissions on specific CyberArk accounts and groups for manual administration purposes. The integration unites the company’s access workflows and birthright provisioning, resulting in more efficient access requests and a more streamlined login process, with proper certifications on the CyberArk side.
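The provisioning sequence described above (create the admin account, build a personal safe, grant the end user view rights and the PAM team management rights) is easiest to reason about as an idempotent workflow with an audit trail. The following is an added illustration, not Integral Partners’ or CyberArk’s code: the vault is an in-memory stand-in for a PAM REST API, the account and safe naming conventions are assumptions, and the permission names are modelled on CyberArk safe-member permissions and should be checked against the vendor’s API reference.

```python
"""Illustrative provisioning workflow: AD admin account -> personal PAM safe.

FakeVault is a constructed, in-memory stand-in for a PAM REST API (not CyberArk's
SDK). Permission names are modelled on CyberArk safe-member permissions; verify
them against the product's API reference before reusing them.
"""
from dataclasses import dataclass, field

# Least-privilege permission sets (assumed names; verify against vendor docs).
END_USER_PERMS = {"listAccounts": True, "retrieveAccounts": True, "useAccounts": True}
PAM_ADMIN_PERMS = {**END_USER_PERMS, "addAccounts": True,
                   "manageSafe": True, "manageSafeMembers": True}
# Rights an end user must never hold on their own safe (certification rule).
FORBIDDEN_FOR_END_USER = {"manageSafe", "manageSafeMembers", "addAccounts"}


@dataclass
class FakeVault:
    # safe name -> {"accounts": set of account names, "members": {member: perms}}
    safes: dict = field(default_factory=dict)
    # one entry per mutating call, so every provisioning action is auditable
    audit: list = field(default_factory=list)

    def safe_exists(self, safe):
        return safe in self.safes

    def create_safe(self, safe):
        self.safes[safe] = {"accounts": set(), "members": {}}
        self.audit.append(("create_safe", safe))

    def add_account(self, safe, account):
        self.safes[safe]["accounts"].add(account)
        self.audit.append(("add_account", safe, account))

    def add_member(self, safe, member, perms):
        self.safes[safe]["members"][member] = dict(perms)
        self.audit.append(("add_member", safe, member))


def admin_account_for(username):
    return f"adm-{username}"      # naming convention is an assumption


def safe_name_for(username):
    return f"{username}-admin"    # naming convention is an assumption


def provision_admin_access(vault, username, pam_admin_group="PAM-Admins"):
    """Idempotently create the user's personal safe, store the AD admin account
    in it, grant the end user list/retrieve/use rights, and grant the PAM admin
    group management rights. Returns the audit entries produced by this call,
    so a re-run that changes nothing returns an empty list."""
    before = len(vault.audit)
    safe = safe_name_for(username)
    account = admin_account_for(username)
    if not vault.safe_exists(safe):
        vault.create_safe(safe)
    entry = vault.safes[safe]
    if account not in entry["accounts"]:
        vault.add_account(safe, account)
    if username not in entry["members"]:
        vault.add_member(safe, username, END_USER_PERMS)
    if pam_admin_group not in entry["members"]:
        vault.add_member(safe, pam_admin_group, PAM_ADMIN_PERMS)
    return vault.audit[before:]


def check_least_privilege(vault, username):
    """Certification-style check: the end user must not hold management rights
    on their own safe. Returns True when the safe passes."""
    perms = vault.safes[safe_name_for(username)]["members"].get(username, {})
    return not any(perms.get(p) for p in FORBIDDEN_FOR_END_USER)


if __name__ == "__main__":
    vault = FakeVault()
    for action in provision_admin_access(vault, "jdoe"):   # "jdoe" is constructed
        print(action)
    print("least privilege ok:", check_least_privilege(vault, "jdoe"))
```

Two design points matter for governance: each step checks current state before acting, so a re-run (or a retried request) does not duplicate safes or silently widen permissions, and every mutation is recorded, which is what makes the later certification against CyberArk data meaningful.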
By standardizing the approval process and auditing each action, these integrations reduce risk, increase efficiency, and improve the user experience. Both clients now have their identity intelligence in a single tool, which reduces their exposure, makes controls more consistent, and gives each client more coherent policy enforcement.
- Centralized visibility into access and privileges across all kinds of users
- Improved user experience (shorter timelines for requests and approvals)
- Automated certifications
- Certifications against CyberArk data, instead of against implied Active Directory groups, which provides greater insight into user permissions and groups
- Automated group creation that doesn’t require coordination between the CyberArk and SailPoint teams
- Standardized approval and workflow processes (replacing manual permissions assignments)
- Eliminated “token bloat” (when an Active Directory account is a member of too many groups) and associated authentication failures