How Integral Partners deployed a new PAM solution and set the global pharmaceutical giant on the path to GxP
Biogen, one of the world’s leading pharmaceutical firms, recognized several ways it needed to improve its Privileged Access Management (PAM) maturity in order to align effectively with PAM Good Practices (GxP) for the biotechnology industry.
Working with Integral Partners, Biogen has been able to implement a new PAM solution that is PAM GxP certified while increasing the scale and scope of their PAM program—making the company more secure while establishing the basis for even greater PAM capabilities in the future.
⦿ Implementing the BeyondTrust PAM solution
⦿ Mapping out connections between privileged users and admin accounts
⦿ Establishing firm PAM controls on each target system
⦿ Defining and enforcing PAM policies, including new automated workflows
⦿ GxP: Rigorous process and documentation to help ensure GxP is followed
Privileged Access Management
Migrate legacy system
Elevate PAM maturity
Follow GxP guidelines
The PAM tool BeyondTrust was implemented at Biogen to replace their legacy system.
The PAM implementation had to follow “good practice” GxP guidelines and regulations.
The Challenges Facing Biogen
PAM is a collection of tools, processes and practices that protect access to the administrative “back end” accounts of critical systems. A privileged user is a person who has the system-level right to set up or modify user accounts or change system configuration; in other words, access rights beyond what typical users have. Privileged users are a necessity, but also a source of security risk. PAM is all about managing their access and making sure that privileged system access does not become the vector for a cyber-attack.
Biogen had been using its legacy PAM solution as a sophisticated password vault, and while a vault is a very important element of a healthy PAM program, the company understood that more needed to be done to reach an optimal level of maturity. This included eliminating inefficient, error-prone manual processes for managing privileged accounts and bringing all systems and their privileged users under the management of the PAM solution.
Under these circumstances, Biogen knew it needed to expand its PAM capabilities to more effectively secure the organization and achieve greater compliance with PAM GxP or “good practices” for the pharmaceutical industry.
Biogen was interested in improving its PAM practices as part of a broader plan to bolster its security posture and Identity and Access Management (IAM) program. They wanted to make PAM applicable to more users, as well as to all relevant systems—avoiding circumvention and neglect of PAM. They envisioned being able to manage and monitor all privileged account sessions. That way, they could know in detail what administrative actions had been taken by any given privileged user. And, they would quickly understand any malicious activity that could have contributed to a security incident. Adoption of GxP for PAM was also a critical requirement.
The Integral Partners Solution
Working closely with the Biogen team, Integral Partners implemented the BeyondTrust PAM solution and migrated the legacy system’s password data onto it. They then conducted a scan of Biogen’s user accounts, including privileged users, and all systems in the organization. The scan became the basis for mapping out connections between privileged users and privileged (administrative) accounts on each system.
The next step involved establishing firm PAM controls on each target system. This meant linking privileged users with specific devices. For example, with the legacy system, Biogen did not have a clear sense of which privileged users had access rights to the email server. Now, the email server admin panel is closed off to all but the privileged users explicitly assigned to that system.
Integral Partners then went to work on defining and enforcing PAM policies. Using automated PAM workflows—which were also new to the organization—they established policies such as password rotation and session monitoring. Now, when a privileged user conducts an administrative session, every action he or she takes is documented in a log and recorded on video. This way, if there are any questions about how a system was modified, security analysts or other stakeholders can look at the step-by-step activities in the session recording. This is extremely valuable for forensic investigations of security incidents.
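As an added example, and not code from this page, from Integral Partners or from Biogen, the following Python sketches the reconciliation that a scan of this kind feeds: it inverts a scan of administrative accounts into a privileged-user-to-system map, then checks each target system against an approved entitlement list and a password-rotation window. Every hostname, account name, user name and date in it is constructed, and the policy window of 90 days is an assumption chosen for the illustration.

```python
"""Added example (not Biogen's or Integral Partners' code): a small
privileged-access reconciliation check of the kind that follows an
account/system scan. All inventory data below is constructed."""
from datetime import date, timedelta

# Constructed scan output: for each target system, the privileged
# (administrative) accounts found on it, the users who hold each
# account's credential, and when the password was last rotated.
SCAN = {
    "mail-01": {
        "role": "email server",
        "accounts": {
            "exch_admin": {"holders": {"alice", "carol"}, "rotated": date(2023, 11, 2)},
        },
    },
    "db-01": {
        "role": "clinical database",
        "accounts": {
            "sa": {"holders": {"bob"}, "rotated": date(2024, 1, 20)},
            "backup_svc": {"holders": set(), "rotated": date(2023, 6, 1)},
        },
    },
}

# Constructed approved entitlements: which privileged users may hold
# administrative accounts on which system (the "firm controls" per target).
APPROVED = {
    "mail-01": {"alice"},
    "db-01": {"bob", "dave"},
}

# Assumed policy: privileged credentials are rotated at least every 90 days.
ROTATION_MAX_AGE = timedelta(days=90)

# Constructed "as of" date for the check, so the example is reproducible.
CHECK_DATE = date(2024, 2, 1)


def map_users_to_systems(scan):
    """Invert the scan: privileged user -> set of (system, account) pairs."""
    mapping = {}
    for system, info in scan.items():
        for account, details in info["accounts"].items():
            for user in details["holders"]:
                mapping.setdefault(user, set()).add((system, account))
    return mapping


def reconcile(scan, approved, today, max_age=ROTATION_MAX_AGE):
    """Return policy findings as sorted (kind, system, subject) tuples."""
    findings = []
    for system, info in scan.items():
        allowed = approved.get(system, set())
        for account, details in info["accounts"].items():
            # Control 1: only approved users may hold this system's admin accounts.
            for user in details["holders"] - allowed:
                findings.append(("unapproved_holder", system, f"{user}:{account}"))
            # Control 2: an admin account nobody is accountable for is unmanaged.
            if not details["holders"]:
                findings.append(("unowned_account", system, account))
            # Control 3: credentials must be rotated within the policy window.
            if today - details["rotated"] > max_age:
                findings.append(("rotation_overdue", system, account))
    return sorted(findings)


def run_example():
    """Run the reconciliation over the constructed scan as of CHECK_DATE."""
    return reconcile(SCAN, APPROVED, CHECK_DATE)


if __name__ == "__main__":
    for user, targets in sorted(map_users_to_systems(SCAN).items()):
        print(f"{user}: {sorted(targets)}")
    for kind, system, subject in run_example():
        print(f"{kind:18} {system:8} {subject}")
```

The three controls correspond to the three gaps the text describes: a holder who is not on the approved list for a system (the email-server situation), an administrative account with no accountable holder, and a credential outside the rotation window. In a real deployment the scan and the approved list would come from the PAM tool and the identity governance system rather than from literals.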
In terms of GxP, the Integral Partners team instituted a new, rigorous mode of process documentation, as required for GxP. This includes creating clear attribution for the documentation of cases. It also means establishing a work environment that adheres to a strict evidence-based methodology. The team does not jump to conclusions about how it’s doing PAM. Rather, working within GxP guidelines, they track their steps, examining evidence to prove that a process is being followed.
Biogen’s Next Steps
The initial phase was a substantial step forward in Biogen’s ambitious PAM roadmap. From here, Integral Partners will continue to assist Biogen in areas such as bringing non-human privileged account credentials under management, as well as sophisticated methods of session management.
Integrations are on the roadmap, too. Integral Partners plans to work with Biogen on connecting the BeyondTrust solution with SailPoint for identity governance. This will include Role Based Access Control (RBAC) with advanced reporting. PAM is expected to integrate with ServiceNow for IT ticketing support shortly as well. The company envisions instituting Robotic Process Automation (RPA) to drive further efficiency in the PAM process. PAM will also extend to managing cloud accounts, such as Biogen’s Microsoft Azure and Amazon Web Services (AWS) assets.
PAM is not the simplest area of security and IT operations, especially when working within a GxP environment, but with the right solution and implementation partner a successful PAM program is very achievable and worth the effort.
The Biogen case shows how a company can grow in PAM maturity and align with PAM GxP for the pharmaceutical industry. The process takes focus and resources, but the results are worth the investment. Before this project, Biogen was exposed to access control risks. Now, they have a much more robust set of countermeasures in place to mitigate the threat of malicious actors abusing privileged user accounts to perform unauthorized changes to their critical systems. And, the entire process is running more efficiently than it did before, so the program does not represent an increase in the scope of IT operations.