Learn With Leaders — Privileged Account Management with Robert McCausland
Welcome to our August edition of Learn With Leaders. This month we hear from Robert McCausland, Director of Identity and Access Management, Allstate Information Security, who is going to discuss exciting innovations within his team around Privileged Account Management (PAM).
In business, there are employees who need enhanced system access to do their jobs. Privileged account users have access to a company's most critical assets, posing a high level of risk if they are compromised. Allstate's Privileged Account Risk Reduction ("PARR") project was kicked off in September 2019 to reduce risk and improve user experience. We strengthened security controls, eliminated thousands of high-risk accounts, and decreased the time a threat actor could gain access to an account. Changing our culture was challenging, but with innovative service delivery and alignment from the organization, Allstate Information Security successfully completed the project at the end of 2020.
The biggest challenge to the successful implementation of the project was changing the mindset of the users. Effective adoption of the project required a behavioural change for users who had historically managed their own privileged credentials. For this project, the user community was split into adoption waves, resulting in several groups of users switching over to the vaulting tool in each cascade. This allowed the team greater opportunity to work with individuals to address issues and concerns, rather than be overwhelmed with feedback had they tried to move all users at once.
One of the most ambitious efforts of the project, was the innovation which came from moving privileged users from our standard quarterly passphrase rotation to a few hours going beyond industry standards and expectations. The goal of implementing the new hourly passphrase rotation was to reduce the attack surface for exposed credentials. Decoupling the user from their credential management is a crucial and significant first step in moving us closer to an environment of zero trust, where we only release privilege under certain controls and for a limited period. One of the key pillars in zero trust is to support the principle of least privilege, discovery processes in the project remediated more privileged users than we vaulted. That discovery process persists to ensure we act to drive down privileged access.
Another innovation for the team was treating the adoption waves as sprints - moving away from traditional waterfall timelines. We didn't have a lengthy period for running proof of concepts with each platform technology being integrated before starting. Instead, we built and learnt as we moved forward into each wave with agility. This shaved at least nine months off the project had we gone with our traditional safer delivery approach.
The PARR project's biggest achievement is the significant reduction in risk, as well as the change in culture that it brought about for our privileged users. This project was an essential step to evolve to concepts like zero trust and building a hard-internal perimeter with just-in-time access. For these reasons Allstate joined the likes of Adobe, Visa, PayPal and Microsoft as an IDG CSO50 Award honouree, a global accolade that recognises 50 organisations every year for their cybersecurity strategies.
Feedback on the project shows that people are genuinely happy with result. The project is responsible for reducing the potential attack surface from privilege accounts by 10's of millions of hours.