Written by Robert McCausland, Director of Identity and Access Management at Allstate Information Security.
Robert McCausland discusses exciting innovations within his team around Privileged Account Management (PAM).
In business, there are employees who need enhanced system access to do their jobs. Privileged account users have access to a company's most critical assets, posing a high level of risk if they are compromised. Allstate's Privileged Account Risk Reduction ("PARR") project was kicked off in September 2019 to reduce risk and improve user experience. We strengthened security controls, eliminated thousands of high-risk accounts, and shortened the window in which a threat actor could use a compromised account. Changing our culture was challenging, but with innovative service delivery and alignment from the organisation, Allstate Information Security successfully completed the project at the end of 2020.
The biggest challenge to the successful implementation of the project was changing the mindset of the users. Effective adoption required a behavioural change from users who had historically managed their own privileged credentials. For this project, the user community was split into adoption waves, with several groups of users switching over to the vaulting tool in each cascade. This gave the team a greater opportunity to work with individuals to address issues and concerns, rather than being overwhelmed with feedback, as it would have been had it tried to move all users at once.
One of the most ambitious efforts of the project was moving privileged users from our standard quarterly passphrase rotation to rotation every few hours, going beyond industry standards and expectations. The goal of the new hourly passphrase rotation was to reduce the attack surface for exposed credentials: a captured passphrase is only useful until the next rotation. Decoupling users from the management of their own credentials is a crucial and significant first step towards an environment of zero trust, where we release privilege only under defined controls and for a limited period. One of the key pillars of zero trust is the principle of least privilege; the project's discovery processes remediated more privileged users than we vaulted, and that discovery process persists to ensure we keep driving down privileged access.
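As an added illustration, not code from Allstate's programme or from any PAM product, the toy vault below models the mechanism described above: the vault owns the passphrase, rotates it on a schedule and whenever privilege is checked back in, and a copied credential stops working once the rotation interval elapses. The quarter length, the four-hour interval, and the account and user names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

def _new_passphrase() -> str:
    return secrets.token_urlsafe(24)

@dataclass
class VaultedAccount:
    name: str
    rotation_interval_h: float      # scheduled rotation period, in hours
    passphrase: str = field(default_factory=_new_passphrase)
    last_rotated_h: float = 0.0
    checked_out_by: Optional[str] = None

class Vault:
    """Holds privileged passphrases so users never manage them themselves."""
    def __init__(self) -> None:
        self.accounts: Dict[str, VaultedAccount] = {}
    def register(self, name: str, interval_h: float) -> None:
        self.accounts[name] = VaultedAccount(name, interval_h)
    def rotate(self, name: str, now_h: float) -> None:
        acct = self.accounts[name]
        acct.passphrase, acct.last_rotated_h = _new_passphrase(), now_h
    def tick(self, now_h: float) -> None:
        # Scheduled rotation: every account whose interval has elapsed gets a new passphrase.
        for acct in self.accounts.values():
            if now_h - acct.last_rotated_h >= acct.rotation_interval_h:
                self.rotate(acct.name, now_h)
    def checkout(self, name: str, user: str, now_h: float) -> str:
        self.tick(now_h)
        acct = self.accounts[name]
        if acct.checked_out_by not in (None, user):
            raise PermissionError(f"{name} is held by {acct.checked_out_by}")
        acct.checked_out_by = user
        return acct.passphrase
    def checkin(self, name: str, user: str, now_h: float) -> None:
        if self.accounts[name].checked_out_by != user:
            raise PermissionError("only the holder may check in")
        self.accounts[name].checked_out_by = None
        self.rotate(name, now_h)  # releasing privilege invalidates the credential
    def is_valid(self, name: str, passphrase: str, now_h: float) -> bool:
        """Stand-in for the target system checking a presented passphrase."""
        self.tick(now_h)
        return secrets.compare_digest(self.accounts[name].passphrase, passphrase)

def leaked_credential_still_works(interval_h: float, leak_at_h: float, check_at_h: float) -> bool:
    """True if a passphrase copied at leak_at_h still works at check_at_h."""
    vault = Vault()
    vault.register("svc-admin", interval_h)   # constructed account name
    captured = vault.checkout("svc-admin", "alice", leak_at_h)  # copy made by an attacker
    return vault.is_valid("svc-admin", captured, check_at_h)
```

With a quarterly interval a copy taken at hour 0 still works at hour 100; with a four-hour interval it does not.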
Another innovation for the team was treating the adoption waves as sprints, moving away from traditional waterfall timelines. We did not run a lengthy proof of concept for each platform technology before integrating it; instead, we built and learnt as we moved forward into each wave with agility. This shaved at least nine months off the project compared with our traditional, safer delivery approach.
The PARR project's biggest achievement is the significant reduction in risk, as well as the change in culture it brought about for our privileged users. This project was an essential step towards concepts like zero trust and building a hardened internal perimeter with just-in-time access. For these reasons, Allstate joined the likes of Adobe, Visa, PayPal and Microsoft as an IDG CSO50 Award honouree, a global accolade that recognises 50 organisations every year for their cybersecurity strategies.
Feedback on the project shows that people are genuinely happy with the result. The project is responsible for reducing the potential attack surface from privileged accounts by tens of millions of hours.