Healthcare Case Study: Deploying an integrated PAM and IGA solution
Integrate CyberArk and SailPoint to reduce audit pain, simplify user provisioning and create a single pane of glass to manage your privileged accounts and administrators.
The client is a regional healthcare organization that supports more than 8,000 workers and is the single largest employer in its California county. The organization is over 100 years old; its charter is excellence in patient care and services, with information technology viewed as an enabling tool in support of those priorities.
With limited investment, information technology was perceived as a ‘foundation built on legacy garbage’, so the organization created a new office of the Chief Technology Officer (CTO) whose responsibilities included securing privileged access while modernizing identity processes, governance and automation.
A lack of investment in identity automation had created situations where business rules were not maintained, with significant loss of governance and operational effectiveness. In one scenario, a senior executive was manually approving 40+ time cards across the organization because the HR system (Lawson) had no defined process for reassigning approvals when an employee was promoted.
An external cybersecurity risk assessment found four critical risks to identity governance and access to privileged credentials:
- No central view of users and privileges. Certification campaigns were time consuming and difficult, and auditors could not easily determine who had access to a given resource, or which resources a given person could access.
- Lack of a managed identity life cycle. Poorly documented scripts and free-form service request forms were the basis of identity provisioning. There was no consistency in provisioning, requests were not timely, and data was inconsistently entered. A change in any component could break fragile customizations, leading to a culture of change avoidance.
- No standard approval workflow for access requests. The organization did not follow the principle of least privilege, and there was no consistent separation-of-duties review. This resulted in cases where employees could both request and print checks without oversight. In multiple instances, privileged accounts of terminated employees were still active, with unmanaged and unchanged passwords.
- Access to privileged account passwords was not audited, and passwords were not consistently rotated. Without a privileged access tool in place, several domain administrator accounts running critical healthcare services had password ages of over five years. A disclosure of one of those passwords could give an attacker extensive dwell time, with no way to identify or stop an active breach.
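The last two findings are the kind an assessor can reproduce directly against Active Directory before any tooling is bought. The script below is an added example, not part of the case study and not a CyberArk or SailPoint artifact: it enumerates the members of the privileged groups, reports password age against a rotation threshold, and flags enabled admin accounts whose owner's primary account is disabled (a common sign of a leaver whose privileged account was never cleaned up). The group list, the 90-day threshold and the `adm-<owner>` naming convention that links an admin account to its owner are assumptions; adjust them to the environment. It requires the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from the case study). Audits privileged AD accounts for
# stale passwords and for leavers' admin accounts that are still enabled.
# Assumptions: RSAT ActiveDirectory module is installed; admin accounts follow
# the naming convention 'adm-<primary SamAccountName>'; 90 days is the policy.
Import-Module ActiveDirectory

$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumed list
$MaxPasswordAgeDays = 90                                                         # assumed policy
$AdminNamePattern   = '^adm-(?<owner>.+)$'                                        # assumed convention
$Now = Get-Date

# Resolve every user nested under the privileged groups, de-duplicated.
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}
$members = $members | Sort-Object -Unique

$report = foreach ($sam in $members) {
    $u = Get-ADUser -Identity $sam -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate

    # Password age in days; a null PasswordLastSet means "must change at next logon" or never set.
    $age = if ($u.PasswordLastSet) { ($Now - $u.PasswordLastSet).Days } else { $null }

    # Map the admin account to its owner's primary account via the naming convention
    # and check whether that primary account still exists and is enabled.
    $ownerState = 'n/a'
    if ($sam -match $AdminNamePattern) {
        $owner = Get-ADUser -Filter "SamAccountName -eq '$($Matches.owner)'" -ErrorAction SilentlyContinue
        $ownerState = if (-not $owner) { 'missing' } elseif ($owner.Enabled) { 'enabled' } else { 'disabled' }
    }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordAgeDays      = $age
        PasswordNeverExpires = $u.PasswordNeverExpires
        LastLogonDate        = $u.LastLogonDate
        OwnerAccount         = $ownerState
        StalePassword        = ($null -ne $age) -and ($age -gt $MaxPasswordAgeDays)
        OrphanedAdmin        = $u.Enabled -and ($ownerState -in @('missing', 'disabled'))
    }
}

"== Privileged accounts with passwords older than $MaxPasswordAgeDays days =="
$report | Where-Object StalePassword | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

"== Enabled admin accounts whose owner's primary account is missing or disabled =="
$report | Where-Object OrphanedAdmin | Format-Table SamAccountName, OwnerAccount, LastLogonDate -AutoSize

# Keep the full table for the audit file.
$report | Export-Csv -Path '.\privileged-account-audit.csv' -NoTypeInformation
```

Run it as an account with read access to the directory; it changes nothing. The owner mapping only works where the naming convention is actually followed, which is exactly why the integration described later depends on enforcing one: without it, the leaver check has to fall back on an HR export of terminated employees.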
Addressing user administration and governance, the organization deployed SailPoint IdentityIQ (IIQ) to merge identity governance and administration efficiently through a single interface. IIQ provided the foundation for enforcing policy and provisioning user data into critical applications such as Active Directory, Lawson, C-Cure and MobileIron.
To reduce risk and address audit findings, the organization selected CyberArk’s Privileged Access Solution (PAS) to enhance their security posture and audit use of privileged accounts. A key evaluation consideration was CyberArk’s C3 Ecosystem Alliance and the tight partnership between SailPoint and CyberArk.
The SailPoint and CyberArk certified alliance enabled the client to automate privileged account lifecycle management with full governance and audit. The integration between SailPoint and CyberArk involved defining consistent naming conventions and mapping rules for users, privileged accounts, and safes. These naming conventions and rules allowed for granting and revoking policy-based access to privileged accounts through SailPoint’s interface.
To avoid administrative disruption, the organization deployed CyberArk's Privileged Session Manager (PSM) for visibility and efficiency. PSM let the organization create Remote Desktop (RDP) shortcuts for administrators, so they could keep using their native connection tools while PSM checked the privileged credential out of its safe on their behalf, without revealing the password to the administrator's workstation, and recorded all activity during the session.
The organization also deployed PSM-P (PSM for SSH) to broker and audit Secure Shell (SSH) connections to UNIX and Linux hosts. Both PSM and PSM-P were integrated with the Security Information and Event Management (SIEM) server, so that alerts reached the Security Operations Center (SOC) as administrators accessed critical systems.
The combination of integrated PAM and IGA solutions has delivered day-one productivity for new employees using familiar tools. A single feed through SailPoint drives updates to Active Directory, Lawson, and CyberArk. The integration also requires far fewer people and far less time to perform both simple and complex job changes, including revoking access when privileged users leave the organization.