An American Financial Services Firm. FSOC designated Systemically Important Financial Market Utility.
Over $100 Billion in margin holdings
Employee Size: ~1000 Employees
The customer had both SailPoint IdentityIQ (IIQ) and CyberArk implemented in their environment; IdentityIQ had full Lifecycle integration (Joiner/Mover/Leaver). However, the processes as implemented were unreliable and required significant daily manual intervention to support. Additionally, configuration and code changes were performed entirely manually, limiting the ability to keep pace with business need. For CyberArk, additional management and automation of service accounts was required to maintain SCI compliance.
SecureITsource performed an analysis of the existing Identity Lifecycle, IdentityIQ deployment, and CyberArk Architecture.
An updated design and refactoring of the Identity Lifecycle was implemented:
- Migrated from a workflow-based model to a hybrid model. 80% roles, 20% workflow
- Workflows were designed to utilize best practice and out-of-the-box functionality wherever possible
- Workflows were designed to be reattempted on error
- Upgraded IdentityIQ to 7.3 to take advantage of newer connectors, replacing custom functionality
An automated build and deployment process was implemented:
- Source control repository built upon the Services Standard Build (SSB)
- Production configuration used to populate the repository
- Documented and implemented the new automated process
Standardized CyberArk management of service accounts:
- Developed standardized AIM wrappers for Shell Scripts, Python, Ant, PowerShell, Java, and C++
- Developed Linux and Windows deploy scripts for installing Credential Providers
- Integrated applications with AIM where feasible
- Where AIM integration was not feasible, integrated applications with automated credential rotation instead
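The AIM wrappers listed above share one job: let an application fetch its service-account password from the CyberArk Credential Provider at runtime instead of keeping it in a config file. The following Python wrapper is an added example written for this page; it is not SecureITsource's or the customer's code. It assumes the Credential Provider CLI `clipasswordsdk` is installed at the path in `CLIPASSWORDSDK`, that the calling host and application are registered in CyberArk under the given AppID, and that a `-o PassProps.UserName,Password` request prints the two values comma-separated on one line. The application ID, safe and object names, and the `fake_runner_*` functions are constructed for the example so it runs offline.

```python
"""Minimal CyberArk AIM (Credential Provider) wrapper for Python applications.

Added example, not code from the page's project or from SecureITsource.
Assumptions: `clipasswordsdk` is installed at CLIPASSWORDSDK, the app is
registered in CyberArk under the AppID passed in, and the query below resolves
to exactly one account. The fake_runner_* functions stand in for the real CLI
so the example can run offline.
"""
import subprocess
from dataclasses import dataclass

CLIPASSWORDSDK = "/opt/CARKaim/sdk/clipasswordsdk"  # assumed install path


class CredentialError(RuntimeError):
    """Raised when the Credential Provider cannot return a credential."""


@dataclass
class Credential:
    username: str
    password: str


def build_query(safe: str, obj: str, folder: str = "Root") -> str:
    """Build the `Key=Value;Key=Value` query string the CLI expects.

    Rejects separator characters so a caller-supplied name cannot inject
    extra query keys (for example, pointing the lookup at another safe).
    """
    for name, value in (("Safe", safe), ("Folder", folder), ("Object", obj)):
        if not value or ";" in value or "=" in value:
            raise ValueError(f"invalid {name} value: {value!r}")
    return f"Safe={safe};Folder={folder};Object={obj}"


def build_command(app_id: str, safe: str, obj: str, folder: str = "Root") -> list:
    """Return the argv for a GetPassword call (no shell involved)."""
    return [
        CLIPASSWORDSDK, "GetPassword",
        "-p", f"AppDescs.AppID={app_id}",
        "-p", f"Query={build_query(safe, obj, folder)}",
        "-o", "PassProps.UserName,Password",  # assumed comma-separated output
    ]


def parse_output(raw: str) -> Credential:
    """Split `username,password`; the password itself may contain commas."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if not lines or "," not in lines[-1]:
        raise CredentialError("unexpected Credential Provider output")
    user, _, pwd = lines[-1].partition(",")
    return Credential(username=user.strip(), password=pwd.rstrip("\r\n"))


def get_credential(app_id: str, safe: str, obj: str, folder: str = "Root",
                   runner=subprocess.run, retries: int = 2) -> Credential:
    """Fetch a credential, retrying transient CLI failures.

    Error messages never include stdout, because on a partial failure it
    could still carry the secret.
    """
    cmd = build_command(app_id, safe, obj, folder)
    last_err = CredentialError("no attempt made")
    for _attempt in range(retries + 1):
        try:
            proc = runner(cmd, capture_output=True, text=True, timeout=30)
        except (OSError, subprocess.TimeoutExpired) as exc:
            last_err = CredentialError(f"credential provider call failed: {exc}")
            continue
        if proc.returncode == 0:
            return parse_output(proc.stdout)
        last_err = CredentialError(
            f"GetPassword exited {proc.returncode}: {proc.stderr.strip()}")
    raise last_err


# Constructed stand-ins for the CLI so the wrapper can be exercised offline.
def fake_runner_ok(cmd, **_kwargs):
    return subprocess.CompletedProcess(cmd, 0, stdout="svc_db,S3cr,et!\n", stderr="")


def fake_runner_fail(cmd, **_kwargs):
    return subprocess.CompletedProcess(cmd, 1, stdout="", stderr="APPAP004E Not allowed")


if __name__ == "__main__":
    cred = get_credential("DemoApp", "AppSafe", "db-svc", runner=fake_runner_ok)
    print(f"fetched credential for {cred.username}")  # never print the password
```

The `runner` parameter is what makes the wrapper testable and lets the same module be used from Ant or shell-driven jobs by swapping in a different executor; in production it stays at `subprocess.run`, which passes the argv directly to the CLI without a shell.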
The IdentityIQ design changes and CyberArk deployment had a significant impact on the business. New employees and contractors were onboarded more quickly and accurately, with less manual intervention. Reported incidents fell from several per day to a few per month. With the updated build and deployment processes, changes went from 2 or 3 per month to multiple per week, and vulnerability patches were deployed the week of release. For CyberArk, over 9000 service accounts were onboarded, 4000 of which were for AIM-integrated applications. Much of the manual management previously required of the IAM and PAM teams was reduced.