The Lockdown

Thycotic’s Cyber Security Blog

How to get your entire company on board with Privileged Access Management

Written by Jordan True

November 13th, 2018

Maybe you’ve recently failed an audit, or you can’t stand yet another password being uploaded to your IT team’s risky, shared Excel doc. For whatever reason you are here, you are ready to tackle Privileged Access Management head on.

But hold on, you may have a few hurdles you have to overcome first.

Before you propose a team process change, it’s important to get the right stakeholders on your side by helping them understand the benefits of Privileged Access Management. And what better way to show you how than to share the success story of Dayle Alsbury, Information Security Director at Blue Cross Blue Shield Louisiana. He gained enterprise-wide adoption of their PAM solution by leveraging ROI, recruiting ambassadors, and creating a successful adoption plan.

Who is Blue Cross Blue Shield Louisiana?

Blue Cross Blue Shield Louisiana is a franchise and part of the greater Blue Cross Blue Shield organization. They currently serve over 2 million members and must meet all types of regulations, ranging from HIPAA and PCI all the way to supplemental federal regulations.

A Privileged Access Management Nightmare: With personally identifiable data involved, they are audited from every which way, and it’s Dayle who puts it into perspective perfectly, “On any given day out of 365 days a year, I like to tell people that I have an auditor working with us at least 366 of those days.”

What Blue Cross Blue Shield Louisiana looked for in a PAM solution

Their Privileged Account Management journey started a few years back with very specific requirements. First, they identified access security gaps that came out of an audit and needed to be fixed. Next, they looked at the threat landscape and were very aware of what was happening with other institutions around the country, not just in the healthcare industry. They analyzed the root cause driving breach exposures: privileged account exposure. Then they took a hard look at their access management program, and it didn’t take long for them to see they needed to change how they managed access to privileged accounts.

“We looked at those legacy accounts, everything from domain administrators, security administrators, local administrators, service accounts, database accounts, and we began to ask: what is the risk if this type of account has access to large amounts of data and is exposed?”

Next, they started asking important questions:

  • How does this help us meet audit and compliance requirements more effectively?
  • How will a PAM solution help with limiting support cases?
  • How does having a centralized vault for our “keys to the kingdom” help to meet our needs for activity monitoring and detection?

Even more important, Dayle’s team wanted to ensure whichever solution they chose would be cost-effective and user-friendly.

“We wanted to make sure whatever solution we put out there was a solution that not only lived behind the scenes in the IT Shop but could also be out there for the end-users and it could be something that was pleasant for them to use, it was intuitive for them to use, that drove adoption. Because at the end of the day, an IT Shop and the Security Shop within IT can only do so much, and then you’re limited.”

You don’t need to be an accountant to get funding

According to Dayle, it is critical to get executive buy-in early on. Once implemented, the key is to show real risk reduction while doing it in a very cost-effective manner. In a previous life, Dayle wanted to be a CPA but quickly found out how much he loved digging into code. His CPA past has helped teach him how to get the funding he needs, but you don’t need a CPA education to figure out calculated risk. He took cost estimates of loss per account (in Dayle’s case, loss of member records) and then calculated them for the privileged account types that had the ability to access and/or control access to sensitive data. Dayle calculated this for both human and system/application service account types. BCBSLA was then able to attribute a dollar figure to each potential lost record. Dayle then took that risk calculation to the CIO and VP level.

Here’s an example Dayle provided:

“Let’s say the risk is 100. Let’s divide that. What comprises that 100? Which team is 25, which team is 85, and so on and so forth. So, we then took that 100, and that’s a fictitious number, but we divided it to show which team had the most risk. We then vaulted those teams right out of the gate, we did Security first, to show what that risk reduction was over time. So, you take X days. Let’s say it’s 90 days for your Security team… vault those accounts. Then you go back to your executives and say, that macro risk exposure number has shrunk by this much. As part of that feedback loop, we’re continuously updating Security and IT management to make sure they know what it (the risk exposure and reduction) is. By building an expectation and socializing an expectation of the risk reduction per team, we make this, in our case we made this part of our annual goal.”
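The per-team exposure calculation and vault-then-recompute feedback loop described above, as an added example in Python; this is not BCBSLA’s tool or Thycotic’s code, and the cost per record, team names, account names and record counts are constructed placeholders.

```python
# Added example: per-team privileged-account exposure, not BCBSLA's or Thycotic's tool.
# Exposure = records an unvaulted account can reach * estimated cost per lost record.
from dataclasses import dataclass

COST_PER_RECORD = 150.0  # constructed estimate in dollars, not BCBSLA's figure


@dataclass
class PrivilegedAccount:
    name: str
    team: str
    kind: str          # "human" or "service" (system/application account)
    records: int       # sensitive records the account can read or control
    vaulted: bool = False


# Constructed inventory; names and record counts are illustrative only.
INVENTORY = [
    PrivilegedAccount("domain-admin-1", "Security", "human", 2_000_000),
    PrivilegedAccount("siem-svc", "Security", "service", 500_000),
    PrivilegedAccount("db-owner", "Data", "human", 1_500_000),
    PrivilegedAccount("etl-svc", "Data", "service", 1_500_000),
    PrivilegedAccount("social-media", "Marketing", "human", 0),
]

def exposure(accounts, cost_per_record=COST_PER_RECORD):
    """Dollar exposure per team and in total, counting only unvaulted accounts."""
    by_team = {}
    for a in accounts:
        if not a.vaulted:
            by_team[a.team] = by_team.get(a.team, 0.0) + a.records * cost_per_record
    return by_team, sum(by_team.values())

def riskiest_team(accounts):
    """Team carrying the largest unvaulted exposure (None once everything is vaulted)."""
    by_team, _ = exposure(accounts)
    return max(by_team, key=by_team.get) if by_team else None

def vault_team(accounts, team):
    """Mark every account of one team as vaulted; returns how many changed."""
    changed = [a for a in accounts if a.team == team and not a.vaulted]
    for a in changed:
        a.vaulted = True
    return len(changed)

def reduction_report(accounts, team):
    """Vault one team, then report macro exposure before/after and % reduction."""
    _, before = exposure(accounts)
    vault_team(accounts, team)
    _, after = exposure(accounts)
    pct = 0.0 if before == 0 else 100.0 * (before - after) / before
    return {"before": before, "after": after, "pct_reduction": round(pct, 1)}
```

Running `reduction_report(INVENTORY, "Security")` gives the "macro risk exposure number has shrunk by this much" figure to take back to executives after the first team is vaulted.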

Want to figure out your PAM Risk Assessment Score?

We’ve made this part easy for you by developing a free Privileged Account Management (PAM) Risk Assessment Tool that gives you an immediate risk score. This free tool is based on standards from ISO, NIST, PCI, CIS CSC, and EU GDPR that indicate an organization’s compliance with risk-lowering controls and best practices. Risk is assessed in several privileged access management domains such as role-based access control, audit procedures, password strength, and security policy enforcement. The score uses traditional risk methodology that combines the probability of the threat occurring with the severity the occurrence would have on the organization.

Ask your executives: How much do you want to risk it, or how much do you want to spend now?

Create a snowball effect

Dayle started with the Security team because they “wanted to eat their own dog food.” They then began securing accounts and were living proof that it could be done. They then went to different teams and started to gain major traction.

His biggest success was celebrating the top teams and ambassadors who helped with real risk-reduction and the most vaulted credentials in front of the Senior Leadership and the Board. He invited them to present during their meeting to discuss the success of their Privileged Access Management program.

As they continued with mass adoption, oddly enough, it was their Social Media team that needed PAM next. A major concern was addressing what would happen if a disgruntled employee who had access to a social media credential hurt their public image by posting a negative message online. For Blue Cross Blue Shield Louisiana, a negative social post could be incredibly detrimental. They began to vault their social identities and addressed this issue head on. Other teams began to hear of the successes and wanted to join, including their Finance and HR teams. With each team, Dayle was able to account for yet another major win.

“We found as we started to socialize that they began to reach out to us and the adoption rate for those use cases went through the roof. And I’m happy to say that’s been a very well celebrated success story internally now.”

How to calculate continual cost savings

“It does not take a PhD, it does not take high dollar professional services to run this system.” Dayle initially launched their PAM program, but then passed the baton on to an intern whom they eventually hired full time and who today fully maintains their Secret Server instance. Upkeep and maintenance of Secret Server doesn’t account for much labor cost, and no professional services are needed.

“So, we gave him some training …and before you know it, I’ve got an intern doing all the maintenance of the system.”

Blue Cross Blue Shield Louisiana has moved past the initial wave of assigning costs at a team level and is now working to automate just about everything related to privileged security, a major time saving and in turn a cost saving.

You’ve learned from Dayle how to calculate risk and develop a risk score to take to your executives and show the value of implementing a PAM solution. Will you be a celebrated PAM success story too?
