CyberArk solution accelerates NERC-CIP compliance

April 18, 2017

Integral Partners recently worked with a utility company in the eastern United States on a project to demonstrate NERC-CIP compliance using CyberArk’s privileged access management solution. The primary goals of the project were to ensure accountability for every use of a privileged account and to record every privileged session for auditing.

NERC-CIP requires a high degree of separation of duties, and our customer was also planning to deploy new hardware and software for jump servers as part of a separate project so that engineers and administrators could access other parts of their heavily segmented network.  However, mass deployments of jump servers typically are not a scalable solution that is easily deployed.  These efforts require a significant amount of money to buy the jump servers, and time to manually configure the security and network settings on each server to bridge the network environments.  For example, for a single application, they believed that an engineer would need to open a VPN session, connect to a jump server, and then connect to the server that hosted the application. Even without formally budgeting for the project, our customer realized this would be difficult to scale over the dozens of highly-customized applications in their environment. They also saw that it would require a high amount of training for the engineers and administrators.

The following illustration shows the initial jump server design considered by the client.

We proposed using CyberArk’s PSM instead of the jump servers. Under the proposed configuration, the user would connect to the PSM server, and the user would be presented with a list of configured applications based on their credentials. The user would then be able to launch the application without needing to launch the second connection. However, the real value was that the sessions would be audited via PSM so that auditors could view any session to any application. Their project team had not previously considered how to implement auditing and had relegated that to a ‘back-burner’ project. Consequently the customer did not need to buy new hardware or software for the jump servers – a 100% savings.

The following illustration shows the selected PSM design implemented by the client.

The customer rapidly consolidated the two project teams under a single banner to deploy CyberArk, including PSM. The combined project was completed 3 months ahead of the deadline, as there were shared resources, and at a reduced cost, as much of the organizational change management, custom documentation, and training material were reusable across the project.