Operating thousands of restaurants worldwide requires a large server infrastructure. Keeping that global infrastructure secure is a huge challenge. After failing a SOX audit related to lack of control over how privileged users were accessing servers, this company determined it was time to find an automated method for administering, enforcing, and auditing privileged user access rights.
The initial target was to add automated privileged controls for 500 core Unix servers. However, they needed a solution that would scale to potentially support thousands of servers. In addition, the privileged access management solution needed to control privileged user access to both Unix and Windows servers, and preferably from a single architecture and console.
The controls needed to automatically enforce granular access policies and eliminate any sharing of privileged passwords as well as provide control over local accounts on Windows servers. In addition to having powerful authorization capabilities, they needed a solution that would enable them to centrally administer the privileged users’ identities, and leverage Active Directory (AD) as needed.
They explored many options, but found that Powertech Identity & Access Manager (BoKS) offered them the most granular, proactive enforcement of authentication and authorization policies. As well, Powertech Identity & Access Manager (BoKS) was proven to be highly scalable and offered a single architecture across the Unix and Windows servers. The ability to centrally administer all of the privileged user identities, in conjunction with Active Directory, was also a key value.
Powertech Identity & Access Manager (BoKS) automatically controls the elevation of privileges for administrative users based on granular, role-based policies, including which commands the privileged user is allowed to execute. Over 100 different operating systems are controlled by BoKS, including the lock-down of local Windows accounts.
The deep granularity offered by Powertech Identity & Access Manager (BoKS) is enabling the organization to proactively control access and privileged elevation based on: the role, the source system, the communication method, the target system, and the time. Centralized distribution of SSH keys, another feature of HelpSystems Powertech Identity & Access Manager (BoKS), is also incorporated into the authorization and can be controlled down to the sub-service level as part of the access rules, further boosting productivity while enabling more granular control over administrator actions. Powertech Identity & Access Manager (BoKS) also enables the food and beverage company to keystroke log sensitive sessions and grant privileged command execution to non-privileged users.
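To make the five-attribute access rule described above concrete, here is an added illustration of how a deny-by-default policy evaluator can combine role, source system, communication method, target system and time window, and additionally gate individual privileged commands. This is example code written for this page, not BoKS's own policy engine or API; the rule format, host groups, IP ranges and command lists are all constructed assumptions. The function returns the first failing check so that a denied request can be explained in an audit log.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed host groups: rules address targets by group, not by individual host.
HOST_GROUPS = {
    "db01": "db-servers",
    "db02": "db-servers",
    "web01": "web-servers",
}


@dataclass(frozen=True)
class AccessRule:
    name: str
    roles: frozenset                 # any of these roles qualifies
    source_networks: tuple           # CIDR strings the session may originate from
    methods: frozenset               # communication method: "ssh", "rdp", "console", ...
    target_groups: frozenset         # host groups from HOST_GROUPS
    window: tuple                    # (start, end) local times; end earlier than start = overnight
    allowed_commands: frozenset = frozenset()  # privileged commands grantable; empty = login only


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    source_ip: str
    method: str
    target: str
    at: time
    command: Optional[str] = None    # None means an interactive login, not a command elevation


def in_window(at: time, window: tuple) -> bool:
    """True if `at` falls inside the window; handles windows that cross midnight."""
    start, end = window
    if start <= end:
        return start <= at < end
    return at >= start or at < end   # overnight window, e.g. 18:00 to 08:00


def rule_matches(rule: AccessRule, req: AccessRequest) -> Optional[str]:
    """Return None if the rule authorizes the request, else the name of the first failing check."""
    if not rule.roles & req.roles:
        return "role"
    if not any(ip_address(req.source_ip) in ip_network(n) for n in rule.source_networks):
        return "source"
    if req.method not in rule.methods:
        return "method"
    if HOST_GROUPS.get(req.target) not in rule.target_groups:
        return "target"
    if not in_window(req.at, rule.window):
        return "time"
    if req.command is not None and req.command not in rule.allowed_commands:
        return "command"
    return None


def evaluate(rules, req: AccessRequest):
    """Deny by default: allow only if at least one rule matches the request on every attribute."""
    reasons = []
    for rule in rules:
        failed = rule_matches(rule, req)
        if failed is None:
            return True, f"allowed by rule {rule.name}"
        reasons.append(f"{rule.name}:{failed}")
    return False, "no matching rule (" + ", ".join(reasons) + ")"


# Constructed sample policy: DBAs get SSH to database hosts in business hours from the
# admin subnet and may restart one service; on-call staff get overnight access instead.
RULES = [
    AccessRule(
        name="dba-business-hours",
        roles=frozenset({"dba"}),
        source_networks=("10.20.0.0/16",),
        methods=frozenset({"ssh"}),
        target_groups=frozenset({"db-servers"}),
        window=(time(8, 0), time(18, 0)),
        allowed_commands=frozenset({"systemctl restart postgresql"}),
    ),
    AccessRule(
        name="oncall-overnight",
        roles=frozenset({"unix-oncall"}),
        source_networks=("10.0.0.0/8",),
        methods=frozenset({"ssh", "console"}),
        target_groups=frozenset({"db-servers", "web-servers"}),
        window=(time(18, 0), time(8, 0)),
    ),
]

if __name__ == "__main__":
    req = AccessRequest("alice", frozenset({"dba"}), "10.20.1.5", "ssh", "db01", time(9, 0))
    print(evaluate(RULES, req))
```

Every attribute must match within a single rule; a request cannot borrow the time window of one rule and the target group of another, which is what makes the policy granular rather than merely additive.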
All authorized users and accounts have security policies that are centrally administered and enforced through Powertech Identity & Access Manager (BoKS). The user administration works in conjunction with Active Directory. Users imported from Active Directory can leverage a common identity across Windows and Unix servers. Additionally, the Kerberos ticket that is presented to a Windows user as they log into a domain can be extended to include Unix servers. This provides the users with a single sign-on experience.
While controlling privileged accounts and privileged user actions in a proactive fashion is crucial for system security, it also enables the food and beverage company to address their SOX audit failure and other regulatory mandates including PCI. Rich audit reporting capabilities are making it very easy for the IT Security Team to produce the required data needed to prove that their access controls are in place.
- Centralized administration console for heterogeneous environment
- Enforced control for root accounts across all servers
- Simplified compliance reporting and auditing
Utilizing Powertech Identity & Access Manager (BoKS), a leading food and beverage organization has been able to significantly streamline administration of privileged users, reducing the cost of administration while satisfying requirements from auditors to eliminate the sharing of powerful functional account passwords.
As well, they are able to address SOX and other key regulatory compliance mandates and ensure that their systems and data are safe from insider fraud.