Identity & Access Management , Multi-factor & Risk-based Authentication , Privileged Access Management
Winning Customer and Employee Trust in Uncertain TimesEncora Needed New Security Solutions for Visibility, Access Control and Compliance
At the height of the pandemic, Encora found it increasingly difficult to secure its crown jewel systems and the endpoints of its 7,300-strong workforce. With the shift to remote working, the architecture changed overnight and the perimeter dissolved. Traditional antivirus solutions and methods for access control became irrelevant.
See Also: Webinar | How the SASE Architecture Enables Remote Work
Encora, an infrastructure services company that supports Fortune 500 organizations, offers next-generation technology services such as predictive analytics, machine learning, artificial intelligence, IoT, cloud and test automation. The Scottsdale, Arizona, company had to assure its global clients that their data was safe.
"The major challenge was to maintain trust within the ecosystem," says Ankit Agarwal, head, IT infrastructure and governance, Encora. "Our customers were asking us how we are securing the entire development landscape."
Countering new and sophisticated threats called for an overhaul of security solutions and adoption of new approaches, such as a zero trust framework that the company implemented over the past two years. The framework will not only verify every privileged transaction but also protect endpoints from sophisticated attacks.
As the threat landscape evolved, Encora's antivirus solution could no longer adequately defend against sophisticated attacks.
At the time, Encora was using Microsoft Windows to create user accounts and for provisioning admin rights. Agarwal says this approach "had limitations" in securing non-Windows platforms and providing "protection at the application level."
The Windows environment works well, but it required a reboot of the endpoint whenever the admin privilege was needed, he says.
Encora also required a privileged access management solution to counter the new types of attacks targeted at its employees working on unsecured home networks. A key challenge was the lack of visibility and control over privileged access.
This led Encora to launch a detailed search for an effective PAM solution. The company had to meet three critical parameters: maximum technical adaptability to the Encora environment, a responsive support ecosystem and implementation agility.
In evaluating and shortlisting vendors and solutions, it relied on multiple validation sources such as Gartner and advisors from the wider Encora group. It also looked at the reputation and market position of the vendor.
The company then shortlisted three vendors and selected the CyberArk Privileged Access Manager using a self-hosted subscription model and CyberArk Endpoint Privilege Manager, which was deployed as a SaaS solution.
Rather than implementing everything at once, Encora took a phased approach to the deployment because the priority was gaining control of changes on elevated privileged accounts. Once that was achieved with Privileged Access Manager, Encora began to mature its processes by improving identity security controls and implementing adaptive multi-factor authentication, an endpoint light client daemon and secure remote access.
A phased approach is advisable when an infrastructure services provider needs to ensure high availability with minimal disruption. This approach also ensures minimum downtime and minimum productivity loss for employees of the service provider.
"We have network devices, servers and portals," Agarwal says. "First, we targeted the servers, and once everything was onboarded, we moved to the network devices. This approach ensured there was no service impact."
Likewise, there were three stages in the implementation of CyberArk Endpoint Privilege Manager. The new solution was first deployed in monitoring mode to understand user behavior and what applications employees were using.
The second stage was detection mode, where the application was selected, and user access was elevated. The third phase, which is currently underway, will address users accessing assets in a restricted manner, Agarwal says. This approach helped the company avoid downtime and complaints from employees about productivity loss.
"Thus, we can easily roll out the entire implementation in a seamless manner," Agarwal says.
Encora first deployed the PAM solution to its IT staff and development operations teams. The endpoint software is currently being rolled out to the rest of the staff and is expected to be completed in two months.
Zero Trust Framework
With the perimeter dissolved, Encora explored various solutions that bypass physical boundaries for accessing resources. The obvious choice was a zero trust framework.
"The framework had to verify everything our developers were accessing. They had to be authenticated first before accessing our resources," Agarwal says.
Encora also had to address concerns about how internal IT teams would apply the zero trust framework, so it applied the Endpoint Privilege Manager to support its zero trust strategy.
The passwordless zero trust framework immediately removed the need for privileged users to log in with passwords.
"That reduced the risk because if I don't use a password, it cannot be leaked," Agarwal says.
Zero trust also limits the lateral spread of an attack, which is crucial for Encora because it has a presence in 14 countries with interconnected data centers that share information.
If a security incident occurs in one of the locations or data centers, it can be "isolated quickly to contain the attack," Agarwal says.
While SOAR and SIEM technology can help prevent lateral movement, they are "reactive approaches" that take time to analyze and detect attacks.
"We wanted a proactive approach to kill those vulnerability aspects and prevent lateral movement. So a bit of automation was needed," Agarwal says.
To address these requirements, the company uses Zscaler Private Access and Zscaler Internet Access.
"We are moving to a strategy where we are not exposing public-facing infrastructure to non-employees," Agarwal says. "Our vision is that our Microsoft 365 should not be accessible from unaudited workstations. It should only be available to employees."
Improved Compliance and Auditing
Besides saving time and money, effective privileged access management addresses visibility and control, reduces sophisticated attacks, and provides a clear audit trail to meet compliance regulations.
Encora has internal and external auditing programs designed to meet ISO standards for information security that are BSI certified. With the CyberArk solution, Encora can automate report generation, which used to be a time-consuming and manual process, and offer these to auditors.
At Encora, IT and auditing are discrete functions. "The IT implementer should not be auditing, and the auditor is not the IT implementer," Agarwal says.
The new PAM solution can track the audit trail, and there is a separate login for the auditor. The auditor can have a live view of the actions performed by users, and the sessions can also be recorded for review.
The CyberArk solution also helps in reducing insurance premiums as it has built-in security policies.
Cybersecurity and privileged access management top the list of priorities and are an essential part of the cybersecurity infrastructure at Encora. A robust solution as part of the cybersecurity defense not only lowers the risk but also increases confidence in customers.
"Every customer we speak to signs a master service agreement or MSA that lists certain criteria. They send us the vendor assessment form, and there are risk ratings. We are constantly working to improve our risk ratings. With all these solutions in place, we have increased the confidence of our customers," Agarwal says.
Wisdom for CISOs
Digital transformation is happening at an accelerated pace, and technology is continuously evolving. That's why Encora moved away from its dependence on a fixed-technology stack. Continuous evolution means its IT support team must adapt to the changing landscape to provision smart services, enhance user experience and reduce turnaround time.
Agarwal advises "a careful analysis of the indirect cost spent in engaging manpower and response time in provisioning alternate solutions."
The solution must be uniform "so that it can be applied to different platforms," he says.
For Encora, the complete adoption journey highlighted the need to adapt to a long-term standard solution that offers agility, a good support system and one that supports constant innovation.