
Upload: ryan-gallavin

Post on 17-Aug-2015


Financial Institution Uses: Centralized Privileged User Authentication and Authorization Management

Centralized Privileged User Authentication and Authorization Management

Top 5 worldwide bank implements FoxT BoKS ServerControl for privileged access management capabilities to cover servers within the banking operation.

The Access Control Challenge

Auditors had identified that there were errors in their identity management processes, starting with the fact that as a person left the company, the associated accounts were not consistently disabled, creating dormant accounts on servers. As well, the non-personal accounts (NPAs), also known as privileged accounts in the marketplace, were not linked or traced to a real, physical person, creating significant risks for a security breach. Hundreds of administrators could access sensitive information under a shared password, and their actions could not be tracked or controlled.

The Bank was using LDAP for personal accounts. While LDAP was connected to corporate directories and HR, they were unable to incorporate management of functional, non-personal accounts (NPAs). They were also unable to control who used the privileged accounts and what they did as a privileged user. Auditors were asking them: How do you know that these NPA accounts are not used from the test systems if they are on production systems? How can you restrict the source and destination access rights associated with non-privileged accounts?

As well, auditors required them to implement a process where they changed the NPA passwords across each of their Unix/Linux systems every 30–60 days. With thousands of servers, that meant a manual change on each system. The Bank calculated that they would need 3 security administrators dedicated to this function alone.

The FoxT Solution

Using BoKS ServerControl, the Bank is now able to fully control privileged user access processes and has eliminated the sharing of NPA passwords. BoKS also automatically consolidates all user activity logs from across their server domains, including keystroke logs, to greatly simplify audits and compliance.

The BoKS ServerControl system synchronizes with LDAP (which is connected to the Corporate Directory and HR databases). That means they are automatically adding and removing user accounts and access entitlements as a status change is made in LDAP, eliminating dormant accounts and access scope creep. This is a big labor savings, since security administrators no longer need to manage user accounts. With BoKS, they have also standardized their naming convention, have well-defined user roles, and have easy-to-manage host groups to simplify administration.

Perhaps most importantly, the Bank is now able to automatically enforce privileged user access rights and routes at a granular level, meaning they can control authorization over who can access which server, from where, using which protocol (RDP, SSH down to sub-service levels), and when. As well, BoKS automatically controls privileged elevations without sharing the password; it also controls which commands a privileged user can execute.

CASE STUDY

Copyright © Fox Technologies. FoxT logo is a trademark of Fox Technologies, Inc. Other product and company names noted herein may be the registered trademarks and trademarks of their respective owners. All rights reserved.

About FoxT

Fox Technologies, Inc. helps companies protect corporate information assets with network security and access management software, as well as striving to simplify compliance and streamline administration with an award-winning access management and privileged account control solution. Our access management software centrally enforces granular access entitlements in real time across diverse server environments. To contact Fox Technologies you can email us at: [email protected], or visit our website: www.foxt.com.

www.foxt.com • [email protected] • 616.438.0840

Benefits of Centralized Privileged Access Management

There are many security and operational benefits associated with the implementation of privileged access management for such a large financial institution.

• First, they have improved their overall Identity and Access Management processes, with both personal and non-personal accounts being linked to the corporate directory.

• Second, they have greatly improved control over the privileged accounts, including control over the access routes and user actions. By eliminating the sharing of privileged passwords, they are able to fully satisfy their auditors, while reducing the risk of a security breach.

• Third, they are able to differentiate and control where someone is allowed to log on from, the source network range. This gives them the ability to better control access security in an organization where some employees and contractors work in remote locations or from home. For example, they can enforce that access to selected, sensitive servers can only be done from corporate managed devices and from within the corporate office.

• Finally, they have significantly reduced the security operational efforts for maintaining NPAs by automatically managing changes to privileged passwords across diverse servers.
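The access-route model the solution paragraph and the third benefit describe (who, which server, from where, which protocol, when, and which functional account the named user may elevate to), as an added example that is not BoKS code or configuration; the host groups, network ranges, roles, user names and NPA names below are hypothetical:

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed host groups and source networks (hypothetical values, not the bank's).
HOST_GROUPS = {"prod-db": {"db01.prod", "db02.prod"}, "test": {"app01.test"}}
NETWORKS = {"corp-office": ip_network("10.10.0.0/16"),
            "test-lab": ip_network("10.50.0.0/16")}

@dataclass(frozen=True)
class Route:
    role: str             # role of the personal (named) account requesting access
    npa: str              # functional account the user may elevate to on the target
    host_group: str       # destination host group
    source_net: str       # source network range the session must originate from
    protocols: frozenset  # protocols allowed on this route; anything else is denied
    hours: range          # permitted local hours on the target, e.g. range(8, 18)

# Hypothetical routes: DBAs reach production only from the office, over SSH, in
# office hours; developers reach test from the lab over SSH or RDP at any time.
ROUTES = [
    Route("dba", "oracle", "prod-db", "corp-office", frozenset({"ssh"}), range(8, 18)),
    Route("dev", "appsvc", "test", "test-lab", frozenset({"ssh", "rdp"}), range(0, 24)),
]

def authorize(user, role, npa, host, src_ip, protocol, when, routes=ROUTES):
    """Deny by default; grant only if one route matches every attribute.
    Returns (allowed, audit_record) so every NPA use is tied to the named user."""
    src = ip_address(src_ip)
    for r in routes:
        if (r.role == role and r.npa == npa
                and host in HOST_GROUPS[r.host_group]
                and src in NETWORKS[r.source_net]
                and protocol in r.protocols
                and when.hour in r.hours):
            return True, f"ALLOW {user}->{npa}@{host} via {protocol} from {src_ip}"
    return False, f"DENY {user}->{npa}@{host} via {protocol} from {src_ip}"

# Constructed timestamps: one inside office hours, one outside.
OFFICE_HOURS_SAMPLE = datetime(2015, 8, 17, 10, 0)
AFTER_HOURS_SAMPLE = datetime(2015, 8, 17, 22, 0)

if __name__ == "__main__":
    # DBA from the corporate office over SSH: granted.
    print(authorize("jdoe", "dba", "oracle", "db01.prod", "10.10.4.7", "ssh", OFFICE_HOURS_SAMPLE)[1])
    # Same NPA on production, but from the test lab (the auditors' question): denied.
    print(authorize("jdoe", "dba", "oracle", "db01.prod", "10.50.1.9", "ssh", OFFICE_HOURS_SAMPLE)[1])
```

Because the decision is made per named user and route, the audit record links each use of a shared functional account back to a real person, which is the gap the auditors raised.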