CHALLENGES
Maximus is implementing a digital transformation strategy to improve program efficiency, work smarter and drive productivity and quality. A core component of this strategy has been the transition to a cloud-first enterprise through the migration of key systems and applications to the cloud. The change provided an opportunity to rethink and strengthen the approach to privileged access management (PAM) across the organization.
Previously selected for Maximus’ legacy environment, the company’s existing PAM solution required a lot of customization, had limited integration capabilities and couldn’t handle complex use cases.
Maximus hired Nigel Miller into the pivotal role of senior manager for identity and access management to drive the company’s PAM strategy forward. Miller’s first challenge was to determine how to create widespread improvements across the $5.4 billion corporation with only a modest-sized team and limited resources.
Miller reviewed multiple solutions from different PAM vendors before finally deciding to partner with CyberArk, a Palo Alto Networks company, and implement Idira™ Privileged Access Manager. The solution offered Maximus the flexibility, scalability and future-proofing needed to support business goals, coupled with comprehensive out-of-the-box features such as ease of integration with other applications and rapid deployment.
“The number one factor in our decision to choose Idira (formerly CyberArk) was my comfort level with the team. The support and understanding it offered and the commitment to get us up and running fast were exceptional,” said Miller.
– Nigel Miller
Deputy CISO at Maximus
SOLUTIONS
Gaining user acceptance and managing change are often significant challenges with any new solution. However, Maximus holistically approached privileged access management — comprised of people, processes and technology — with Idira acting as the centerpiece. Also, Miller engaged senior leaders early in the process, which helped build an understanding of the need for change at the top level. Then, it was a step-by-step process understanding day-to-day access needs and starting with key users such as domain administrators followed by server administrators.
Miller recalled, “Although some people were not immediately happy about the proposed changes, we were able to share the exposed risks and to give them the correct levels access. We also took time to listen, communicate, test and train.”
Idira proved invaluable in helping the small security team implement the PAM solution. “I had a lot of faith from the discussions and collaboration with the Idira (formerly CyberArk) team, which proved critical in deploying the solution in record-breaking time,” Miller said. “We went from zero to having Idira up and running within two weeks, and over the next month we were pulling domain administrators into the system. I have never had an implementation that was so smooth. I would love to have more.”
In the first three months of deployment, all domain administrators were secured; in six months Windows servers were protected; and by the end of eight months, all Linux administrators had been enrolled. Around 350 users were onboarded, and access privileges were reduced to more appropriate levels for approximately half of all users.
-
Centralized solution
To manage and control privileged access -
Solution deployed in just two weeks
Full integration in a few months -
Removal of admin access
50% reduction in admin access without disrupting productivity -
Cut costs and reduced burden
Saving valuable skills and resources
Nigel Miller
Deputy CISO, Maximus
Miller described Idira as “The single place for users to get access to systems they need, when they need it, but not before. It is a place where we have oversight, where we have credentials rotating and where we can control privileged access.”
Miller explained why Idira is central to the company’s PAM strategy: “With Idira, we can increase awareness, direct users in their processes, and create more precise scope of privileged access for our users. Although that might seem bold, our users have been very involved in streamlining processes. In this way, we are changing the way Maximus thinks about and embraces privileged access.”
Maximus applied Idira Privileged Access Manager across the whole spectrum of users from those who only have one access-related function to those that need continuous, multiple access points. Miller said, “Before, power users would try a slew of different passwords to see what worked. Now they understand why we use Idira, and the advantage is huge for them because they have one consistent location to gain access to all the systems they need.”
Miller cites multifactor authentication (MFA) from Idira as a huge win. Maximus uses MFA to consistently rotate credentials — even for those who need continual access. They now go through Idira for all access and the MFA capability gives the company an extra level of verification, which has elevated security and compliance significantly.
Security services helped Maximus scale its PAM capability. When a specific scenario requires a nonstandard modification, the Idira team has been very proactive in coming up with a solution. This kind of support has enabled the company to maximize security resources while also saving time and money, and in turn, removing the need to dedicate resources to manage the backend operations.
