The information that is handled by Clearstream on a daily basis is extremely sensitive. In order to address security concerns surrounding this, Clearstream initially needed to automate its manual administrator password management process to control access to privileged accounts based on pre-defined security policies. As the connection and transfer of data was regularly password protected, Clearstream required a more mature, professional solution to manage and control its passwords to ensure that corporate and customer information was appropriately protected. Strong authentication, information integrity and encryption were also essential so that only the right people had access to the right information and that this access could be adequately tracked, logged and monitored. In order to satisfy auditors as regulations continue to evolve, Clearstream sought a forward thinking solution that offered a clear overview of administrator activity and that could facilitate secure storage of this information in logs. Due to auditors having to adhere to extremely strict and tight timelines, Clearstream needed a solution that could quickly and accurately deliver the information required. This is a constant regulatory requirement and Clearstream wanted to work with a technology partner that could continue to evolve with the company to meet these needs.

Protecting the privacy and security of data is a top priority. The company’s highly diverse IT environment runs multiple Windows platforms, and more than 85% of end users had administrative rights to their machines which was a security risk. To reduce the attack surface, the company was compelled to rewrite IT security policies in support of removing administrative rights from business users on endpoints. Ultimately, the goal was to implement the new IT security policies with the least disruption to and resistance from end users, while doing so in the most cost effective way possible. Due to the company’s IT environment and the applications supported, it was critical to have the ability to define a specific application to run with elevated rights without having to give the same rights to child processes.

For this global communications company, Pass-the-Hash attacks posed an immediate and troubling challenge. While the company was able to identify the existence of these types of attacks before a serious breach occurred (evidence of password theft and password cracking was clear and eminent), they struggled with the unique nature of a stolen hash. As a first step, the IT team opted to restrict access to their admin and privileged accounts by issuing Smart Cards. Unfortunately, this did not solve the problem, as vulnerabilities persisted within these Smart Card-enabled accounts. Smart Cards, which are touted to prevent credential theft through multifactor authentication, actually exacerbate the problem. With Smart Cards, the passwords associated with each privileged account, by default, never expire and are never changed again. As a result, once the hash is stolen, the attacker can exploit it in perpetuity. To truly combat Pass-the-Hash attacks against Smart Card-enabled admin accounts, the organization would need to deploy a custom solution that ensures admin and privileged passwords are automatically changed with some frequency to proactively protect against stolen credentials and abuse.

According to the 2017 Verizon Data Breach Investigative Report, 81 percent of data breaches involve weak or stolen credentials. Understanding that many cyber attackers focus their efforts on harvesting privileged credentials, the real estate services company has trusted CyberArk for more than six years to protect, control and monitor privileged access to critical information—including 500+ systems and one of its primary data centers. In the past three years, the organization has accelerated its move to the cloud to improve efficiencies, scale processes, deliver enhanced client services and maintain its edge in the ultra-competitive real estate market. Despite its many benefits, the cloud’s multiplier effect has created exponentially more privileged account credentials and secrets that are highly targeted by attackers and need to be properly managed and protected. As part of their cloud journey, the organization’s security team sought a way to further enhance security around these powerful, privileged account credentials through an additional, complementary security layer: multi-factor authentication (MFA).

Growing both organically and through acquisition since 1865, Milliken amassed unprecedented intellectual property, which has powered much of the company’s success. It has also presented challenges to protect that information and mitigate risks presented by the modern IT environment. Privacy and data security were a top priority. With the company operating more than 50 locations around the world, they needed a solution that could cover every endpoint and scale with the growing company. Amidst a current landscape of large breaches occurring at other companies, Milliken’s desire to protect its associates and its intellectual property led them to perform an internal security assessment, which included hiring a third-party security consultant to independently evaluate their environment. The assessment’s outcome demonstrated to the Milliken security team that changes were needed, leading to new security policies for managing this global IT environment. At Milliken, end users were running with full administrative rights on their company devices. A goal was established to eliminate this high risk and only allow certain individuals to have elevated privileges and only for specific applications and functionality. Along with establishing least privilege, the company sought better capabilities to govern application control. To ensure that users continued to have the freedom needed to do their jobs effectively, the right solution needed to balance the needs of the business around innovation but also minimize risk to the company and brand.

Changing customer expectations, greater digital use, and the evolving cyber threat landscape are challenging financial institutions to balance innovation with effective security practices. Privileged access management (PAM) is critical to enable flexible yet controlled access to critical systems holding sensitive customer PII and other valuable information. As financial systems grow in size and complexity, privilege is everywhere, making strong PAM essential for banks to move with agility without jeopardizing their brand or regulatory compliance.

The company faced challenges with their existing SharePoint workflows and DevOps processes, which were frequently breaking. They needed a more reliable and efficient way to manage privileged access without the need for submitting tickets, going through workflows, or waiting for approvals. Additionally, they had a tight deadline to meet an external customer requirement for privileged access management, which included signing the purchase order, installing the solution, and managing a larger number of servers than initially anticipated.

Drive flexibility across the business. Deliver employees single sign-on access to all the apps they need, located in one central portal. Ease the onboarding process and increase productivity for all users. When Chief Technology Officer Sébastien Huet joined Rémy Cointreau in 2015, one of his primary objectives was to help transform the company into a more agile organization. A key component of that transition would be the upgrade of its IT infrastructure to provide more flexibility, respond better to changing worker habits and deliver exceptional support for the business. Huet encountered another example underscoring the need for an overhaul. It took months to open their new office in Asia. One of their key objectives is to have the flexibility to open a new office anywhere in the world in a matter of days. Huet and his team set out to transform IT and with it, the business as a whole. The company was moving to a cloud-based architecture, with the goal of relying exclusively on web apps. They wanted to be able to access apps from any device, anywhere and at any time, so mobile management was crucial. And for optimal security, they needed to transfer focus from the network and the device to the applications. Identity management would be essential to achieving these goals.

Build out a cloud infrastructure to support rapid company growth. Ease the transition to cloud with single sign-on to Office 365 and other apps. Include two-factor authentication for stronger security. Protect and manage company smart phones with EMM. Nearing the end of a contract that outsourced the community services ELC supervised, the company decided to bring the services in house and offer them directly to the public. It was a large undertaking that would require nearly 100 new employees and the opening of new satellite offices. Success would depend on an environment that could support the company’s 300% growth projections. “We didn’t have the infrastructure or services necessary to handle the anticipated increase in employees,” says Luis Mena, Director of IT at Early Learning Coalition. “So we were under a tight deadline to roll out an entirely new infrastructure.” Mena decided to leverage the cloud to the greatest degree possible. “We considered building out our own on-premises infrastructure, but that approach would have required initial hardware costs in the hundreds of thousands of dollars and significantly more time and IT resources than we had available,” he says. “The ease and speed of building out a cloud-based environment made it a better choice. But we needed a strong solution that would help us in the transition.” ELC began looking for a solution that would provide authentication and single sign-on for the cloud services they were evaluating. Security would be a top consideration in any solution, as well as compliance with state and local government regulations similar to HIPAA. Strong, two-factor authentication for remote users would also be required. And if they could locate a complementary solution to securely manage their mobile devices, it would be ideal.

Find a single sign-on solution to dramatically reduce complexity, minimize calls for password assistance, increase security and help keep users engaged and using key apps. Designed to act as a portal for growers, packers, exporters and local marketers, the NZ Avocado system provides access to highly-specialized apps including a Spray Diary to log essential information about growing activities, as well as an AvoTools app and associated websites used to ensure compliance to international regulations. In order for New Zealand growers to export overseas, they must register with the association and record all use of sprays on their orchards. This is an essential component in assuring quality, guaranteeing that international standards are met and protecting a multi-million dollar industry. But with over 1350 members, NZ Avocado was having significant issues with users logging into their applications and online tools. Each app required its own set of credentials for access and that meant users had to remember multiple passwords. Compounding the issue was the fact that each orchard required its own user name and password as well, so owners of multiple orchards often found themselves managing dozens of passwords. As a result, the NZ Avocado team was frequently inundated with calls for password assistance. The problem was so great that the organization resorted to keeping user names and passwords on a spreadsheet that was available to most of the office staff. Lacking its own IT department, NZ Avocado contacted IT consultant Andrew Nimick with Point Concept, and enlisted his help in finding a solution that would dramatically reduce complexity, minimize calls for password assistance, increase security and help keep users engaged and using the apps.

A Financial Institution overwhelmed with the administrative privileges sprawled across their end-user environment needed a solution which would reduce the attack surface these network entry points exposed without affecting the strict Service Level Agreement’s (SLA’s) they have with their customers. With thousands of applications in use, the company’s immediate need was to remove local administrative rights from end-user machines. This was necessary to prevent end-users from granting themselves privileged access to applications they hadn’t been authorized to use. Since both Windows and Mac computers were being used to access applications, they needed a solution that would account for both operating systems. Beyond reducing insider risk, the lack of controls around local privilege management could also make it easy for attackers to establish a foothold in the company through these machines, escalate privileges and move laterally across the environment until a jackpot of data is discovered that can be exfiltrated outside of the network. To add to this, the institution needed to implement a simple process for their users to request access to the applications they may have had unrestricted access to previously, but are now being restricted by the solution. The goal was to keep the users with the minimum rights they needed to do their day to day tasks.

Healthfirst 是纽约州最大的非营利性健康保险公司，在发展其网络安全业务方面面临着重大挑战。随着会员数量快速增长至 180 万，医疗保健环境日益复杂，该组织需要一个强大的网络安全计划。 Healthfirst 拥有一个包含会员相关信息的综合数据库，包括注册、计费、客户服务、付款、处理索赔和健康数据。保护这些高度敏感的医疗记录以及会员和工作人员的身份至关重要。该组织采用了云优先策略，大约 70% 的系统和应用程序现在基于云，有 10,000 个端点，其中 70% 是远程的。这需要一个复杂且强大的安全解决方案。该组织旨在通过数字化支持其成员来改变行业，其中包括对数字应用程序、基于虚拟社区的办公室和移动解决方案的大量投资。

Kainos 是一家总部位于英国的数字技术公司，在保护其全球员工的敏感数据方面面临着重大挑战。该公司在 22 个国家/地区拥有 3,000 多名员工，必须确保远程工作和客户位置操作的安全。该公司的员工可以自由选择、下载和安装应用程序，这虽然方便，但也带来了安全风险。审计显示，全球有 50,000 个不同的应用程序在使用。该公司还面临着持续的威胁，例如网络钓鱼、假冒 Office 365 密码重置诈骗以及针对新员工的 LinkedIn 诈骗。面临的挑战是在不妨碍不同用户组（包括开发人员、业务人员和高级管理人员）工作的情况下增强安全性，他们需要不同的访问权限。

o9 Solutions 是一家领先的人工智能规划、分析和数据平台提供商，在确保财富 500 强客户数据的安全方面面临着重大挑战。该公司通过基于 AWS、Azure 和 Google 的多租户云环境提供服务，这使得身份保护和管理对于访问控制至关重要。然而，随着网络威胁变得更加普遍和复杂，身份和威胁的可见性变得很差且脱节。没有集中的方式来监视和控制公司使用的各种云环境。该公司需要开发更强大、更有效的特权访问管理 (PAM) 功能，以匹配或超越其大型全球客户的网络安全和公司治理策略。客户需要了解 o9 Solutions 如何管理和控制对其数据和环境的访问。

Pacific Dental Services (PDS) 是一家领先的牙科支持组织，面临着管理和控制其分布在各地的团队中的大量特权帐户、密码和移动设备的挑战。该公司支持 900 多家牙科诊所，并负责保护全美牙医及其患者的个人和敏感医疗保健信息。 PDS 团队成员可以访问大约 20,000 个临床服务网站，这些网站的密码记录在托管的 Intranet 上电子表格，导致安全问题和混乱。此外，PDS 还为国家支持办公室的团队成员和大量远程/移动团队成员管理 5,000 多台笔记本电脑和移动设备。管理员权限被授予，通常用于安装网络摄像头或更新驱动程序等基本操作。然而，这些管理员帐户会保留在设备上，有时会保留数年，从而带来安全风险。 PDS 需要一种更好的方法来监控和管理此环境中的用户访问。

一家领先的欧洲银行为超过一千万客户提供服务，希望通过 Kubernetes 和云原生计算环境增强其数字银行服务。然而，随着服务数字化程度的提高，安全性成为银行利益相关者和客户最关心的问题。随着该银行开启云之旅，它采用了多种基于云的技术来快速解决和响应新的业务需求，例如为客户提供安全的家庭银行服务和安全的手机应用程序。该银行意识到，采用云和相关开源技术会在管理和安全限制方面付出代价。云之旅最关键的方面之一是如何跨不同云服务正确管理身份和秘密（特权凭证或授权）。跨不同云和混合服务管理机密通常是每个组织的云之旅中的一个痛点。

巴西北部司法机构 Tribunal do Trabalho da 8ª Região (TRT8) 面临着激增的网络攻击，考虑到其处理的数据的敏感性，这种情况尤其令人担忧。该组织最近对其法庭案件管理系统进行了数字化，使所有与法庭程序相关的信息（包括涉及雇佣纠纷的个人的高度敏感的个人信息）数字化。尽管拥有强大的安全策略，TRT8 对访问这些信息的用户和密码几乎没有控制权，而且特权访问是分散的。强制执行安全信息策略（例如定期更改和更新密码）是一个手动且耗时的过程。端点保护依赖于基本的防病毒工具，使组织容易受到病毒或恶意攻击的影响，这些病毒或恶意攻击可能在整个网络中传播并损害法院的运作。

To improve services, reduce costs, and increase business efficiency, a digital transformation initiative was launched that embraced a cloud-first, mobile-first strategy. Previously outsourced services were brought in-house, and most infrastructure was transferred to a multi-cloud environment using Microsoft Azure and AWS. As the IT team expanded from seven to over 140 employees, ensuring the security of this increasingly complex environment became a priority. A three-year strategic roadmap was put in place to focus on improving identity governance, administration, and privileged account management. The company needed a solution that went beyond traditional password vaults to address operational efficiency and end-user experience.

As a large communications services company, BT's infrastructure is complex and vast, spanning numerous business units and geographical regions. BT had several point solutions in place to manage privileged access and identities but found that these solutions were inconsistent and did not scale well to meet its requirements. Following a significant internal report, BT decided to improve its existing architecture and extend its security of privileged access to the enterprise. The company wanted a single solution, standardized across the global organization, that could be scaled up easily as required. This solution would complement BT's existing portfolio of managed security services, providing its rapidly expanding customer base with privileged access management to help them better meet compliance requirements.

One of Canada’s leading institutional fund managers faced significant risks from potential insider threats. With over $200 billion in assets, the company needed to protect against both external and internal cyber attacks. The primary concern was the abuse of privileged accounts, which could allow malicious insiders to move freely and undetected within the network. The company had hundreds or thousands of privileged accounts that were unknown, unmanaged, or unsecured, posing a critical vulnerability. The challenge was to identify and secure all privileged accounts to mitigate the risk of insider threats.

Avoid the build-out of a high-cost disaster recovery co-location for a product that was already difficult to implement and manage. Simplify app integration, address MDM requirements and SOX compliance, and ensure a more robust security stature. When SBA Communications began using SaaS-based apps like Innotas, ExpenseWatch and Yammer, they implemented Microsoft’s Active Directory Federation Service (AD FS) at an approximate total cost of $35,000 for identity management. While implementation and application integration proved challenging, the product met the company’s requirements at the time. As their environment evolved, however, the solution became increasingly difficult to manage. To assist in the implementation, they hired a consulting firm with AD FS expertise, which took six weeks to get the initial solution implemented. However, a new version of AD FS was soon released, and the company was faced with having to migrate the entire infrastructure. Integration was so painful the first time around that they dreaded having to migrate those same apps into the new environment. The unfortunate result was two live versions of AD FS, each with its own set of SaaS applications that required significant resources and a coordinated effort to maintain. The real issue arose as cloud-based solutions became more pervasive within the company’s environment. While they had previously incorporated only a few, less-critical SaaS apps, the benefits of cloud-based solutions led the company to adopt more until eventually disaster recovery became an issue.

At Chugai Pharmaceutical Co Ltd, three different tools were used to provide single sign-on (SSO), enterprise mobility management (EMM) and multifactor authentication (MFA) across the company’s European and US divisions — Chugai Pharma Europe, Ltd. With a limited IT staff in each location, management of these separate solutions created unnecessary strain and considerable expense. Looking to simplify IT processes and save money, the company first considered expanding its relationship with its existing SSO provider. The company was also looking to replace its existing MFA tool with a solution that leveraged users’ mobile devices. They needed a cloud-based solution that included SSO, MFA and EMM to protect Chugai’s intellectual property as well as the personal information of patients participating in their clinical trials.

A leading provider of online services to the automotive industry planned to implement a robotic process automation (RPA) solution from Blue Prism to streamline business operations. Blue Prism’s unattended digital worker robots require privileged credentials to access IT resources and automate functional tasks. In the wrong hands, these privileged credentials can be used to wage attacks or steal confidential data. The company sought to safeguard its RPA implementation without complicating security operations or slowing down the RPA rollout.

巴西司法机构阿马帕州法院面临不可预测、复杂且紧迫的网络安全威胁，面临着更新和精简司法系统的挑战。巴西高等法院此前曾成为勒索软件攻击的目标，导致该法院停止运营一周，并影响了多达 12,000 起未决诉讼。为了应对这些威胁，巴西国家司法委员会推出了“司法 4.0”，这是一揽子改革，旨在通过采用技术来改善准入、透明度和速度，实现司法系统现代化。这要求每个州司法机构实施身份安全和管理系统。阿马帕法院需要加强其安全程序，特别是身份安全，以满足这些合规性要求并更好地适应更大的业务和市场趋势。 COVID-19 大流行期间向远程工作的转变进一步凸显了对强大的身份管理解决方案的需求。

橘子集团是一家台湾企业集团，业务涉及在线游戏、电子商务、电子支付服务和 IT，面临着严峻的网络安全挑战。该组织在全球拥有超过 1000 万注册会员，是黑客和勒索软件攻击的主要目标。该集团的旗舰业务游戏橘子（一家手机游戏发行商）由于其业务性质而特别容易受到影响。该公司管理着世界上最著名的大型多人在线角色扮演游戏之一，MapleStory，该游戏吸引了各种各样的参与者，包括意图造成损害或试图从企业及其客户身上榨取金钱的恶意个人。该集团的其他业务，例如GASH Mall在线支付系统和GAMA PAY支付服务，也是网络攻击的主要目标。意识到所面临的高级威胁，橘子集团着手建立现代而强大的网络安全防御策略。

Federated Insurance 是一家位于明尼苏达州奥瓦通纳的全国性保险公司，在管理网络安全风险方面面临着挑战，特别是在特权访问管理和身份保护领域。该公司意识到网络攻击的威胁日益增长，特别是对于金融领域的组织而言。几年前，该公司审查了其网络安全能力，并意识到其可以改进。该公司发现大多数密码都写在某处或与用户 ID 相关联，这构成了重大的安全风险。该公司希望使特权帐户更易于管理，这样人们就不必一直记住或写下长密码。此外，该公司意识到围绕网络安全的法规和保险标准变得越来越严格，因此需要更强大的特权访问和身份保护。

Maximus 是一家全球性政府服务公司，正在实施数字化转型战略，以提高项目效率、更智能地工作并提高生产力和质量。该战略的一个关键部分是通过将关键系统和应用程序迁移到云来向云优先企业过渡。这一变化为重新思考和加强公司在整个组织内的特权访问管理 (PAM) 方法提供了机会。然而，为 Maximus 遗留环境选择的现有 PAM 解决方案需要大量定制，集成能力有限，并且无法处理复杂的用例。我们面临的挑战是，如何利用规模适中的团队和有限的资源，在这家价值 34 亿美元的公司中实现广泛的改进。

瑞典快跑运动管理机构 Svensk Travsport 的敏感数据面临大量网络攻击。这些数据包括有关比赛、与马匹相关的交易、骑手和马匹的表现、获胜历史以及马匹血统的信息。这些数据被业主、培训师和公众用来做出投资、培训和投注决策，使其成为网络攻击的主要目标。除此之外，该组织还必须遵守不断变化的法规，例如 GDPR。该数据还包括员工和约 15,000 名外部成员（如骑手、业主和饲养员）的信息。网络安全格局也在发生变化，从本地转移到云端，需要不同的保护方法。该组织的目标是实现数据和利益相关者保护的高水平保证，同时让用户轻松访问数据和应用程序。

Turkcell 是土耳其领先的数字运营商，在保护土耳其、乌克兰、白俄罗斯和北塞浦路斯的 4000 万客户、300,000 台网络设备以及 40,000 名员工和合作伙伴身份方面面临着重大挑战。作为土耳其最大的电信公司，Turkcell 提供广泛的服务，使网络安全成为关键的业务运营。该公司因其数字安全产品荣获多项奖项，在土耳其网络安全行业发挥着关键作用。然而，该公司积极的数字化转型路径，包括即时通讯、电视和音乐平台、个人云服务、搜索引擎和电子邮件服务等新数字服务，增加了其攻击空间。由于大多数员工开始远程工作，COVID-19 大流行使事情变得更加复杂，这可能使 Turkcell 面临新的不可预见的风险。一项风险评估计划强调了 Windows 服务器中的潜在漏洞，促使该公司寻求强大的安全解决方案。

As an IT service provider to the banking industry, IT security is a top priority for Fiducia. Fiducia continuously strives to enhance the protection it provides its customers and their data, and as such, turned its focus to privileged password and account management. With a highly complex, heterogeneous data center environment consisting of more than 10,000 UNIX and Windows servers, five IBM mainframes, some 400 databases and 1,500 network components, Fiducia had more than 20,000 privileged accounts that needed to be secured and managed. Previously, Fiducia employees managed all of these privileged accounts and identities manually. To reduce the time and effort and risk involved in managing privileged accounts, Fiducia decided to introduce an automated password management system. The system needed to be easy to implement and integrate with the existing complex system environment while offering high reliability and absolute data security. Requirements included a secure central password repository, 24/7 application availability, access to stored passwords in a disaster scenario, logical and physical access protection, end-to-end monitoring, full traceability of all activities and rapid recovery in an emergency.