The information that is handled by Clearstream on a daily basis is extremely sensitive. In order to address security concerns surrounding this, Clearstream initially needed to automate its manual administrator password management process to control access to privileged accounts based on pre-defined security policies. As the connection and transfer of data was regularly password protected, Clearstream required a more mature, professional solution to manage and control its passwords to ensure that corporate and customer information was appropriately protected. Strong authentication, information integrity and encryption were also essential so that only the right people had access to the right information and that this access could be adequately tracked, logged and monitored. In order to satisfy auditors as regulations continue to evolve, Clearstream sought a forward thinking solution that offered a clear overview of administrator activity and that could facilitate secure storage of this information in logs. Due to auditors having to adhere to extremely strict and tight timelines, Clearstream needed a solution that could quickly and accurately deliver the information required. This is a constant regulatory requirement and Clearstream wanted to work with a technology partner that could continue to evolve with the company to meet these needs.

Protecting the privacy and security of data is a top priority. The company’s highly diverse IT environment runs multiple Windows platforms, and more than 85% of end users had administrative rights to their machines which was a security risk. To reduce the attack surface, the company was compelled to rewrite IT security policies in support of removing administrative rights from business users on endpoints. Ultimately, the goal was to implement the new IT security policies with the least disruption to and resistance from end users, while doing so in the most cost effective way possible. Due to the company’s IT environment and the applications supported, it was critical to have the ability to define a specific application to run with elevated rights without having to give the same rights to child processes.

For this global communications company, Pass-the-Hash attacks posed an immediate and troubling challenge. While the company was able to identify the existence of these types of attacks before a serious breach occurred (evidence of password theft and password cracking was clear and eminent), they struggled with the unique nature of a stolen hash. As a first step, the IT team opted to restrict access to their admin and privileged accounts by issuing Smart Cards. Unfortunately, this did not solve the problem, as vulnerabilities persisted within these Smart Card-enabled accounts. Smart Cards, which are touted to prevent credential theft through multifactor authentication, actually exacerbate the problem. With Smart Cards, the passwords associated with each privileged account, by default, never expire and are never changed again. As a result, once the hash is stolen, the attacker can exploit it in perpetuity. To truly combat Pass-the-Hash attacks against Smart Card-enabled admin accounts, the organization would need to deploy a custom solution that ensures admin and privileged passwords are automatically changed with some frequency to proactively protect against stolen credentials and abuse.

According to the 2017 Verizon Data Breach Investigative Report, 81 percent of data breaches involve weak or stolen credentials. Understanding that many cyber attackers focus their efforts on harvesting privileged credentials, the real estate services company has trusted CyberArk for more than six years to protect, control and monitor privileged access to critical information—including 500+ systems and one of its primary data centers. In the past three years, the organization has accelerated its move to the cloud to improve efficiencies, scale processes, deliver enhanced client services and maintain its edge in the ultra-competitive real estate market. Despite its many benefits, the cloud’s multiplier effect has created exponentially more privileged account credentials and secrets that are highly targeted by attackers and need to be properly managed and protected. As part of their cloud journey, the organization’s security team sought a way to further enhance security around these powerful, privileged account credentials through an additional, complementary security layer: multi-factor authentication (MFA).

Growing both organically and through acquisition since 1865, Milliken amassed unprecedented intellectual property, which has powered much of the company’s success. It has also presented challenges to protect that information and mitigate risks presented by the modern IT environment. Privacy and data security were a top priority. With the company operating more than 50 locations around the world, they needed a solution that could cover every endpoint and scale with the growing company. Amidst a current landscape of large breaches occurring at other companies, Milliken’s desire to protect its associates and its intellectual property led them to perform an internal security assessment, which included hiring a third-party security consultant to independently evaluate their environment. The assessment’s outcome demonstrated to the Milliken security team that changes were needed, leading to new security policies for managing this global IT environment. At Milliken, end users were running with full administrative rights on their company devices. A goal was established to eliminate this high risk and only allow certain individuals to have elevated privileges and only for specific applications and functionality. Along with establishing least privilege, the company sought better capabilities to govern application control. To ensure that users continued to have the freedom needed to do their jobs effectively, the right solution needed to balance the needs of the business around innovation but also minimize risk to the company and brand.

Changing customer expectations, greater digital use, and the evolving cyber threat landscape are challenging financial institutions to balance innovation with effective security practices. Privileged access management (PAM) is critical to enable flexible yet controlled access to critical systems holding sensitive customer PII and other valuable information. As financial systems grow in size and complexity, privilege is everywhere, making strong PAM essential for banks to move with agility without jeopardizing their brand or regulatory compliance.

The company faced challenges with their existing SharePoint workflows and DevOps processes, which were frequently breaking. They needed a more reliable and efficient way to manage privileged access without the need for submitting tickets, going through workflows, or waiting for approvals. Additionally, they had a tight deadline to meet an external customer requirement for privileged access management, which included signing the purchase order, installing the solution, and managing a larger number of servers than initially anticipated.

Drive flexibility across the business. Deliver employees single sign-on access to all the apps they need, located in one central portal. Ease the onboarding process and increase productivity for all users. When Chief Technology Officer Sébastien Huet joined Rémy Cointreau in 2015, one of his primary objectives was to help transform the company into a more agile organization. A key component of that transition would be the upgrade of its IT infrastructure to provide more flexibility, respond better to changing worker habits and deliver exceptional support for the business. Huet encountered another example underscoring the need for an overhaul. It took months to open their new office in Asia. One of their key objectives is to have the flexibility to open a new office anywhere in the world in a matter of days. Huet and his team set out to transform IT and with it, the business as a whole. The company was moving to a cloud-based architecture, with the goal of relying exclusively on web apps. They wanted to be able to access apps from any device, anywhere and at any time, so mobile management was crucial. And for optimal security, they needed to transfer focus from the network and the device to the applications. Identity management would be essential to achieving these goals.

Build out a cloud infrastructure to support rapid company growth. Ease the transition to cloud with single sign-on to Office 365 and other apps. Include two-factor authentication for stronger security. Protect and manage company smart phones with EMM. Nearing the end of a contract that outsourced the community services ELC supervised, the company decided to bring the services in house and offer them directly to the public. It was a large undertaking that would require nearly 100 new employees and the opening of new satellite offices. Success would depend on an environment that could support the company’s 300% growth projections. “We didn’t have the infrastructure or services necessary to handle the anticipated increase in employees,” says Luis Mena, Director of IT at Early Learning Coalition. “So we were under a tight deadline to roll out an entirely new infrastructure.” Mena decided to leverage the cloud to the greatest degree possible. “We considered building out our own on-premises infrastructure, but that approach would have required initial hardware costs in the hundreds of thousands of dollars and significantly more time and IT resources than we had available,” he says. “The ease and speed of building out a cloud-based environment made it a better choice. But we needed a strong solution that would help us in the transition.” ELC began looking for a solution that would provide authentication and single sign-on for the cloud services they were evaluating. Security would be a top consideration in any solution, as well as compliance with state and local government regulations similar to HIPAA. Strong, two-factor authentication for remote users would also be required. And if they could locate a complementary solution to securely manage their mobile devices, it would be ideal.

Find a single sign-on solution to dramatically reduce complexity, minimize calls for password assistance, increase security and help keep users engaged and using key apps. Designed to act as a portal for growers, packers, exporters and local marketers, the NZ Avocado system provides access to highly-specialized apps including a Spray Diary to log essential information about growing activities, as well as an AvoTools app and associated websites used to ensure compliance to international regulations. In order for New Zealand growers to export overseas, they must register with the association and record all use of sprays on their orchards. This is an essential component in assuring quality, guaranteeing that international standards are met and protecting a multi-million dollar industry. But with over 1350 members, NZ Avocado was having significant issues with users logging into their applications and online tools. Each app required its own set of credentials for access and that meant users had to remember multiple passwords. Compounding the issue was the fact that each orchard required its own user name and password as well, so owners of multiple orchards often found themselves managing dozens of passwords. As a result, the NZ Avocado team was frequently inundated with calls for password assistance. The problem was so great that the organization resorted to keeping user names and passwords on a spreadsheet that was available to most of the office staff. Lacking its own IT department, NZ Avocado contacted IT consultant Andrew Nimick with Point Concept, and enlisted his help in finding a solution that would dramatically reduce complexity, minimize calls for password assistance, increase security and help keep users engaged and using the apps.

A Financial Institution overwhelmed with the administrative privileges sprawled across their end-user environment needed a solution which would reduce the attack surface these network entry points exposed without affecting the strict Service Level Agreement’s (SLA’s) they have with their customers. With thousands of applications in use, the company’s immediate need was to remove local administrative rights from end-user machines. This was necessary to prevent end-users from granting themselves privileged access to applications they hadn’t been authorized to use. Since both Windows and Mac computers were being used to access applications, they needed a solution that would account for both operating systems. Beyond reducing insider risk, the lack of controls around local privilege management could also make it easy for attackers to establish a foothold in the company through these machines, escalate privileges and move laterally across the environment until a jackpot of data is discovered that can be exfiltrated outside of the network. To add to this, the institution needed to implement a simple process for their users to request access to the applications they may have had unrestricted access to previously, but are now being restricted by the solution. The goal was to keep the users with the minimum rights they needed to do their day to day tasks.

Healthfirst, the largest not-for-profit health insurer in New York State, faced a significant challenge in evolving its cybersecurity operations. With a rapidly growing member base of 1.8 million and an increasingly complex healthcare landscape, the organization needed a robust cybersecurity program. Healthfirst holds a comprehensive database of member-related information, including enrollment, billing, customer care, payments, processing claims, and health data. The protection of these highly sensitive healthcare records and identities of members and staff was paramount. The organization had adopted a cloud-first strategy, with approximately 70% of systems and applications now cloud-based and 10,000 endpoints, 70% of which are remote. This required a sophisticated and robust security solution. The organization aimed to transform the industry by digitally enabling its members, which included heavy investment in digital apps, virtual community-based offices, and mobile solutions.

Kainos, a UK-based digital technology company, faced a significant challenge in securing sensitive data across its global workforce. With over 3,000 employees in 22 countries, the company had to ensure secure remote work and client location operations. The company's employees had the freedom to choose, download, and install applications, which, while convenient, posed a security risk. An audit revealed that there were 50,000 different applications in use globally. The company also faced constant threats like phishing, fake Office 365 password reset scams, and LinkedIn targeting for new starters. The challenge was to enhance security without hindering the work of different user groups, including developers, business staff, and senior executives, who required varying access rights.

o9 Solutions, a leading AI-powered planning, analytics and data platform provider, faced a significant challenge in ensuring the security of its Fortune 500 customers' data. The company delivers its services via a multi-tenant cloud environment based on AWS, Azure and Google, making identity protection and management crucial to access control. However, as cyber threats became more widespread and sophisticated, the visibility of identity and threats became poor and disconnected. There was no centralized way to monitor and control the various cloud environments the company used. The company needed to develop a more robust and effective Privileged Access Management (PAM) capability to match or exceed the cybersecurity and corporate governance strategies of its large, global customers. The customers needed reassurance about how o9 Solutions managed and controlled access to their data and the environment.

Pacific Dental Services (PDS), a leading dental support organization, was faced with the challenge of managing and controlling a large number of privileged accounts, passwords, and mobile devices across its geographically dispersed teams. The company supports over 900 dental practices and is responsible for protecting the personal and sensitive healthcare information of dentists and their patients across the U.S. PDS team members had access to approximately 20,000 clinical service websites, and passwords for these sites were recorded on an intranet-hosted spreadsheet, leading to security issues and chaos. Additionally, PDS manages over 5,000 laptops and mobile devices for team members based at their National Support Offices and a good number of remote/mobile team members. Admin rights were being granted, often for basic things like installing a web camera or updating a driver. However, these admin accounts would stay with the device, sometimes for years, posing a security risk. PDS needed a better way to monitor and manage user access across this environment.

A leading European bank, serving over ten million customers, was looking to enhance its digital banking services with Kubernetes and cloud-native computing environments. However, with the increased digitization of services, security became a paramount concern for the bank’s stakeholders and clients. As the bank initiated its journey to the cloud, it adopted a variety of cloud-based technologies to rapidly address and respond to new business needs, such as providing customers with secure home banking services and secure apps for mobile phones. The bank realized that adopting cloud and related open-source technologies came with a price in terms of management and security constraints. One of the most critical aspects of the cloud journey was how to properly manage identities and secrets (privileged credentials or grants) across different cloud services. Managing secrets across different cloud and hybrid services are typically a pain point in every organization’s cloud journey.

Tribunal Regional do Trabalho da 8ª Região (TRT8), a judiciary body in Northern Brazil, was facing a surge in cyber attacks, a situation that was particularly concerning given the sensitive nature of the data they handle. The organization had recently digitized its court case management system, making all information related to court procedures, including highly sensitive personal information about individuals involved in employment disputes, digital. Despite having a robust security strategy, TRT8 had little control over users and passwords with access to this information, and privileged access was decentralized. Enforcing security information policies such as regularly changing and updating passwords was a manual and time-consuming process. Endpoint protection relied on a basic anti-virus tool, leaving the organization vulnerable to viruses or malicious attacks that could disseminate throughout the network and harm court operations.

To improve services, reduce costs, and increase business efficiency, a digital transformation initiative was launched that embraced a cloud-first, mobile-first strategy. Previously outsourced services were brought in-house, and most infrastructure was transferred to a multi-cloud environment using Microsoft Azure and AWS. As the IT team expanded from seven to over 140 employees, ensuring the security of this increasingly complex environment became a priority. A three-year strategic roadmap was put in place to focus on improving identity governance, administration, and privileged account management. The company needed a solution that went beyond traditional password vaults to address operational efficiency and end-user experience.

As a large communications services company, BT's infrastructure is complex and vast, spanning numerous business units and geographical regions. BT had several point solutions in place to manage privileged access and identities but found that these solutions were inconsistent and did not scale well to meet its requirements. Following a significant internal report, BT decided to improve its existing architecture and extend its security of privileged access to the enterprise. The company wanted a single solution, standardized across the global organization, that could be scaled up easily as required. This solution would complement BT's existing portfolio of managed security services, providing its rapidly expanding customer base with privileged access management to help them better meet compliance requirements.

One of Canada’s leading institutional fund managers faced significant risks from potential insider threats. With over $200 billion in assets, the company needed to protect against both external and internal cyber attacks. The primary concern was the abuse of privileged accounts, which could allow malicious insiders to move freely and undetected within the network. The company had hundreds or thousands of privileged accounts that were unknown, unmanaged, or unsecured, posing a critical vulnerability. The challenge was to identify and secure all privileged accounts to mitigate the risk of insider threats.

Avoid the build-out of a high-cost disaster recovery co-location for a product that was already difficult to implement and manage. Simplify app integration, address MDM requirements and SOX compliance, and ensure a more robust security stature. When SBA Communications began using SaaS-based apps like Innotas, ExpenseWatch and Yammer, they implemented Microsoft’s Active Directory Federation Service (AD FS) at an approximate total cost of $35,000 for identity management. While implementation and application integration proved challenging, the product met the company’s requirements at the time. As their environment evolved, however, the solution became increasingly difficult to manage. To assist in the implementation, they hired a consulting firm with AD FS expertise, which took six weeks to get the initial solution implemented. However, a new version of AD FS was soon released, and the company was faced with having to migrate the entire infrastructure. Integration was so painful the first time around that they dreaded having to migrate those same apps into the new environment. The unfortunate result was two live versions of AD FS, each with its own set of SaaS applications that required significant resources and a coordinated effort to maintain. The real issue arose as cloud-based solutions became more pervasive within the company’s environment. While they had previously incorporated only a few, less-critical SaaS apps, the benefits of cloud-based solutions led the company to adopt more until eventually disaster recovery became an issue.

At Chugai Pharmaceutical Co Ltd, three different tools were used to provide single sign-on (SSO), enterprise mobility management (EMM) and multifactor authentication (MFA) across the company’s European and US divisions — Chugai Pharma Europe, Ltd. With a limited IT staff in each location, management of these separate solutions created unnecessary strain and considerable expense. Looking to simplify IT processes and save money, the company first considered expanding its relationship with its existing SSO provider. The company was also looking to replace its existing MFA tool with a solution that leveraged users’ mobile devices. They needed a cloud-based solution that included SSO, MFA and EMM to protect Chugai’s intellectual property as well as the personal information of patients participating in their clinical trials.

A leading provider of online services to the automotive industry planned to implement a robotic process automation (RPA) solution from Blue Prism to streamline business operations. Blue Prism’s unattended digital worker robots require privileged credentials to access IT resources and automate functional tasks. In the wrong hands, these privileged credentials can be used to wage attacks or steal confidential data. The company sought to safeguard its RPA implementation without complicating security operations or slowing down the RPA rollout.

The Court of Justice of the State of Amapá, a judicial body in Brazil, was faced with the challenge of updating and streamlining its justice system in the face of unpredictable, complex, and urgent cybersecurity threats. The Brazilian Superior Court of Justice had previously been a target of a ransomware attack, which halted operations for a week and affected up to 12,000 pending lawsuits. In response to these threats, Brazil’s National Council of Justice launched ‘Justice 4.0,’ a package of reforms designed to modernize the justice system by adopting technology to improve access, transparency, and speed. This required each state judiciary to implement an identity security and management system. The Court of Justice, Amapá, needed to boost its safety procedures, particularly Identity Security, to meet these compliance demands and to better match larger business and market trends. The shift to remote work during the COVID-19 pandemic further highlighted the need for a strong identity management solution.

Gamania Group, a Taiwanese conglomerate with businesses in online gaming, e-commerce, e-payment services, and IT, was facing a significant cybersecurity challenge. With over 10 million registered members worldwide, the group was a prime target for hackers and ransomware attacks. The group's flagship business, Gamania, a mobile games publisher, was particularly vulnerable due to the nature of its operations. The company manages one of the world's most famous massive multiplayer online role-playing games, MapleStory, which attracts a diverse range of participants, including malicious individuals intent on causing damage or seeking to extract money from the business and its customers. Other businesses in the group, such as the GASH Mall online payment system and GAMA PAY payment-payment service, were also prime targets for cyberattacks. Aware of the high-level threat it faced, Gamania Group set out to build a modern and robust cybersecurity defense strategy.

Federated Insurance, a national insurance business based in Owatonna, Minnesota, was facing challenges in managing cybersecurity risks, particularly in the area of privileged access management and identity protection. The company was aware of the growing threat of cyberattacks, especially for organizations in the financial sector. A few years ago, the company reviewed its cybersecurity capability and realized that it could be improved. The company found that most passwords were written down somewhere or linked to user IDs, which posed a significant security risk. The company wanted to make privileged accounts easier to manage so people did not have to keep remembering long passwords or write them down. Additionally, the company was aware that regulations and insurance standards around cybersecurity were getting tougher, so it needed more robust privileged access and identity protection.

Maximus, a global government services company, was in the process of implementing a digital transformation strategy to improve program efficiency, work smarter, and drive productivity and quality. A key part of this strategy was the transition to a cloud-first enterprise through the migration of key systems and applications to the cloud. This change provided an opportunity to rethink and strengthen the company's approach to privileged access management (PAM) across the organization. However, the existing PAM solution that had been selected for Maximus' legacy environment required a lot of customization, had limited integration capabilities, and could not handle complex use cases. The challenge was to create widespread improvements across the $3.4 billion corporation with only a modest-sized team and limited resources.

Svensk Travsport, the governing body for Swedish trotting, was facing a high number of cyberattacks on its sensitive data. The data included information about races, transactions related to horses, rider and horse performance, history of wins, and horse pedigrees. This data was used by owners, trainers, and the public to make investment, training, and betting decisions, making it a prime target for cyberattacks. In addition to this, the organization had to comply with constantly changing regulations such as GDPR. The data also included information on staff and around 15,000 external members such as riders, owners, and breeders. The cybersecurity landscape was also changing, with a shift from on-premises to the cloud, requiring a different protection approach. The organization aimed to achieve a high level of assurance for data and stakeholder protection while making access to data and applications easy for users.

Turkcell, a leading digital operator in Turkey, faced a significant challenge in protecting its 40 million customers, 300,000 network devices, and 40,000 employee and partner identities across Turkey, Ukraine, Belarus, and Northern Cyprus. As the largest telco in Turkey, Turkcell offers a wide range of services, making cybersecurity a critical business operation. The company has won several awards for its digital security products and plays a key role in the Turkish cybersecurity industry. However, the company's aggressive digital transformation path, which includes new digital services such as instant messaging, TV and music platforms, personal cloud services, search engine, and email services, increased its attack space. The COVID-19 pandemic further complicated matters as most staff began to work remotely, potentially exposing Turkcell to new, unforeseen risks. A risk assessment initiative highlighted a potential vulnerability in Windows servers, prompting the company to seek a robust security solution.

As an IT service provider to the banking industry, IT security is a top priority for Fiducia. Fiducia continuously strives to enhance the protection it provides its customers and their data, and as such, turned its focus to privileged password and account management. With a highly complex, heterogeneous data center environment consisting of more than 10,000 UNIX and Windows servers, five IBM mainframes, some 400 databases and 1,500 network components, Fiducia had more than 20,000 privileged accounts that needed to be secured and managed. Previously, Fiducia employees managed all of these privileged accounts and identities manually. To reduce the time and effort and risk involved in managing privileged accounts, Fiducia decided to introduce an automated password management system. The system needed to be easy to implement and integrate with the existing complex system environment while offering high reliability and absolute data security. Requirements included a secure central password repository, 24/7 application availability, access to stored passwords in a disaster scenario, logical and physical access protection, end-to-end monitoring, full traceability of all activities and rapid recovery in an emergency.