Investec is Leveraging PAM as the Key to Their Zero Trust Strategy—Here’s How

Jun 22, 2023
Author: Astrid Kechichian, Sr Marketing Manager EMEIA

BeyondTrust, a leader in intelligent identity and access security solutions, recently collaborated with Investec, a distinctive bank and wealth manager in South Africa, to host a hybrid event showcasing Investec's journey to achieve zero trust with BeyondTrust Privileged Access Management (PAM) solutions. The purpose of the event was to educate and raise awareness about the importance of zero trust for companies looking to enhance their overall security posture, and about the importance of prioritizing privileged access management (PAM) to achieve a successful zero trust strategy.

The event featured an unbiased, honest, and comprehensive analysis of how Investec achieved zero trust goals with BeyondTrust privileged access management (PAM) solutions. The presentation covered the challenges, dos and don'ts, overall experience, business outcomes, and value of adopting a zero trust architecture.

This blog will recap the key points made by speakers Brandon Haberfeld, Global Head of Platform Security at Investec, and Morey J. Haber, Chief Security Officer at BeyondTrust, as they explored how Investec achieved its zero trust goals, the challenges they faced, the methodologies and strategies they used, and their advice on common mistakes to avoid.

Through this blog, we hope to provide businesses across the globe with the necessary knowledge to kick-start their journey towards a successful zero trust strategy. We also aim to reassure enterprises everywhere by showing that zero trust is actually doable.

The outcome that we want from zero trust is that, on the day you get breached, you want it to be so manifestly difficult for the threat actor to be successful that he gives up and chooses to go elsewhere.

Brandon Haberfeld, Global Head of Platform Security, Investec

What does zero trust mean to Investec?


The National Institute of Standards and Technology (NIST) defines zero trust (ZT) as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” It is a collection of concepts that are designed to “minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as contested.”

The challenge this definition of zero trust presents is that its overall meaning is tied to the specific needs and outcomes of the organization. “The definition of [zero trust] is specific to each individual, and the lens through which you view zero trust definitely determines the journey that you go on,” said Haberfeld. “What zero trust means to you and what it means to me is going to be relative to where we are in the industry. The prism through which we view our particular technology bias determines how we are going to see it. But it's a road, and how far down that road you want to go is the key question.”

For Investec, achieving zero trust meant having fine-grained administrative privilege secured behind authenticated and authorized approval, fronted by a single identity. Everywhere.

The concept of “everywhere” is key for Investec: “If you don't intend to have a holistic everywhere strategy of zero trust, then it's not a zero trust strategy. It's 1%, 5%, or however much trust is tolerable to you—and I can guarantee you, the threat actor doesn't care about how you define zero trust. They only care about where they can and can't get in. If you want to stop them, you need to stop them everywhere.”

How can zero trust help organizations stop threats?


A zero trust posture can help organizations:

  • Standardize ways of doing things
  • Secure all privileges
  • Sanitize legacy policies
  • Achieve just-in-time access
  • Enforce least privilege
  • Achieve single identity
  • Enforce machine-to-machine and human-to-machine identification and authorization

Investec’s journey to zero trust


2011: The journey to “Single Identity”

The first step of Investec’s journey to zero trust began with the decision to eliminate local accounts and segregate identity. To accomplish this, they deployed Active Directory Bridge. The goal was to have one identity for each person logging in to all of their Linux systems. The rule that came out of this goal is that you cannot have human accounts inside your local account database anymore. You can't have human or MetaHuman identities sitting on the servers anymore. It has to be an identity provider, and what's left on the local machines can only be accounts that are needed to run your applications—typically, service accounts.
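As an added example (not Investec's or BeyondTrust's code), the rule above can be turned into a compliance check: parse a local account database and report human accounts that should have moved to the identity provider, leaving only service accounts behind. The human-versus-service heuristics (UID range, login shell, home directory) are assumptions that would be tuned per distribution.

```python
# Added example: audit a local account database for leftover human accounts.
# Heuristics (assumptions, tune per distro): UID >= 1000 excluding the
# conventional 'nobody' UIDs, an interactive login shell, and a home under /home.
from dataclasses import dataclass
from typing import List

NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
HUMAN_UID_MIN = 1000
NOBODY_UIDS = {65534, 99}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[Account]:
    """Parse /etc/passwd-style lines (name:pw:uid:gid:gecos:home:shell)."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def looks_human(acct: Account) -> bool:
    """True when the entry looks like a person rather than a service account."""
    return (acct.uid >= HUMAN_UID_MIN
            and acct.uid not in NOBODY_UIDS
            and acct.shell not in NON_LOGIN_SHELLS
            and acct.home.startswith("/home/"))


def local_human_accounts(passwd_text: str) -> List[str]:
    """Names of accounts that violate the 'no local human accounts' rule."""
    return [a.name for a in parse_passwd(passwd_text) if looks_human(a)]


# Constructed sample: two leftover human accounts among the service accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
postgres:x:999:999:PostgreSQL:/var/lib/postgresql:/bin/bash
appsvc:x:1001:1001:App service account:/opt/app:/usr/sbin/nologin
jsmith:x:1002:1002:Jane Smith:/home/jsmith:/bin/bash
oldadmin:x:1003:1003::/home/oldadmin:/bin/zsh
"""

if __name__ == "__main__":
    for name in local_human_accounts(SAMPLE_PASSWD):
        print(f"local human account still present: {name}")
```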

2015: The journey to least privilege

In 2015, the best way to control privilege was with Sudo, but Sudo posed a number of challenges. First, the Sudo environment was very complex and, for Investec, was made even more complex by their Active Directory integration. Second, the typical way to control privilege using Sudo was to provision users into groups, with each group having specific levels of privilege. However, this often meant not realizing that you were giving users rights in other groups. For Investec, the complexity inside the Sudo world grew so large that it became impossible for humans to manage. This began their search for an alternative solution and ultimately led them to BeyondTrust’s endpoint privilege management portfolio.
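As an added example, not Investec's or BeyondTrust's code, this script makes the group problem described above visible: it resolves each user's effective sudo rights through group membership, so rights picked up through a second group stand out. It assumes a simplified sudoers grammar (one `PRINCIPAL HOST=(RUNAS) cmd, cmd` spec per line, no aliases or includes) and constructed /etc/group and sudoers contents.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed simplified sudoers grammar (no aliases/includes): PRINCIPAL HOST=(RUNAS) cmd, cmd
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(\([^)]*\)\s*)?(.+)$")


def parse_group(text: str) -> Dict[str, Set[str]]:
    """Map user -> set of groups from /etc/group lines (name:pw:gid:members)."""
    membership: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        for user in filter(None, members.split(",")):
            membership[user].add(name)
    return membership


def parse_sudoers(text: str) -> List[Tuple[str, List[str]]]:
    """Return (principal, [commands]) for each user or %group spec line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = SPEC_RE.match(line)
        if m:
            principal, _host, _runas, cmds = m.groups()
            rules.append((principal, [c.strip() for c in cmds.split(",")]))
    return rules


def effective_rights(sudoers: str, group_file: str,
                     users: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """For each user: command -> principals (own name or %group) granting it."""
    membership = parse_group(group_file)
    result: Dict[str, Dict[str, Set[str]]] = {u: defaultdict(set) for u in users}
    for principal, cmds in parse_sudoers(sudoers):
        for user in users:
            via_group = principal.startswith("%") and principal[1:] in membership[user]
            if principal == user or via_group:
                for cmd in cmds:
                    result[user][cmd].add(principal)
    return {u: dict(v) for u, v in result.items()}


def multi_source_grants(rights: Dict[str, Dict[str, Set[str]]]) -> Dict[str, List[str]]:
    """Users whose sudo rights come from more than one principal: the
    'rights in other groups' that nobody realized had been granted."""
    out = {}
    for user, cmds in rights.items():
        sources = set().union(*cmds.values())
        if len(sources) > 1:
            out[user] = sorted(sources)
    return out


# Constructed sample: alice was meant to hold only the dba rights, but she is
# also in webadmins, so she silently inherits the nginx restarts as well.
SAMPLE_GROUP = """\
dba:x:2001:alice,bob
webadmins:x:2002:carol,alice
"""
SAMPLE_SUDOERS = """\
# database administrators
%dba        ALL=(postgres) /usr/bin/psql, /usr/bin/pg_dump
%webadmins  ALL=(root) /bin/systemctl restart nginx, /bin/systemctl reload nginx
dave        ALL=(ALL) ALL
"""
```

Running `multi_source_grants(effective_rights(SAMPLE_SUDOERS, SAMPLE_GROUP, ["alice", "bob", "carol", "dave"]))` reports only alice, with both `%dba` and `%webadmins` as the sources of her rights.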

We went looking for a replacement to Sudo. Unbeknownst to me, we were actually now progressing down the path of least privilege on a journey towards zero trust.

Brandon Haberfeld, Global Head of Platform Security, Investec

In 2017, Investec deployed Privilege Management for Unix and Linux and Password Safe in parallel. Where the traditional implementation would involve a vertical deployment by product, Investec reoriented the project model by making least privilege the most important component. As a result, they found implementing both solutions at the same time to be the biggest enabler of their project. By making least privilege the most important part, password management and account control came along almost as an ancillary benefit.

By the time Investec got to 2020, they’d completed their deployment of least privilege for Unix and Linux in a beautifully and elegantly engineered way. That project, which was expected to take about three years to reach maturity, was completed in 9-10 months across their entire estate.

2020: From least privilege to a formal strategy for complete zero trust

Between 2017 and 2020, it became apparent to Haberfeld that their journey was about more than just enforcing least privilege on hosts. This was about least privilege everywhere. As a result, Investec began to build a formal strategy to subsume everything in the organization into their least privilege model. From database connections to APIs to cloud privileges, zero trust would touch everything.

It’s not an end goal that we visualized back in 2011. We didn't realize that we were necessarily going on a zero trust journey. But as the technology grew and the deployments matured in the environment—and as the resistance to change melted—it became more and more apparent that we were actually on a zero trust journey. And now that it's formally stated and defined, everyone in the organization wants on board.

Brandon Haberfeld, Global Head of Platform Security, Investec

2021: The journey to zero trust

In 2021, Investec had their entire set of strategies laid out for what the journey to zero trust meant as an end goal. As the project progressed, they subsumed more and more into the zero trust world. Now Haberfeld estimates Investec’s zero trust model to be about 60-70% implemented, and they are ready to take the next step forward in their roadmap to deploy zero trust across their expanding infrastructure, at each level and every piece of the stack.

What are the challenges to zero trust implementation?


1. The tools that you choose have to match the theory – You need to start with tools and technologies that can enable your objectives instead of creating implementation roadblocks and barriers to success. They also need to fulfill your operational objectives well. Otherwise, you're trying to install something that people won't want, won't use, and unfortunately have the authority to say no to. Off-the-shelf zero trust tools are not nearly what they purport to be.

2. The tools need to integrate seamlessly – When zero trust needs to manifest at its smallest, most atomic level, you need to be able to glue your tools together at a fine, granular level to prevent security gaps from forming. Finding tools that will coalesce into one platform is key here. You don't want to double the spend or double the chaos by trying to manage the same account in multiple different products or landscapes. Coalescing everything into a single product that works for both your zero trust goal and your operational needs is very desirable.

3. You need to achieve a single identity – For Investec, least privilege built on top of a single identity is the pathway to zero trust. You need to minimize the number of accounts with privileges associated with that identity. Then you use the rest of the zero trust model to enforce and manage what that identity can do, where they can do it, and when they can do it.

When you compare a single identity model that is built on least privilege enforcement to the traditional model, where you have multiple accounts with privileges in different domains or sections, the management and enforcement capabilities become so much easier. And as crazy as it sounds, the auditability is much easier, too, because you don’t have to jump from account to account to account for the same identity to do threat hunting or forensics.

Brandon Haberfeld, Global Head of Platform Security, Investec

4. Resistance to change – There is always resistance to change, and those objections can carry a lot of weight. Investec found the best strategy to mitigate this challenge was to co-create the solution. They provided numerous opportunities for open discussion ahead of implementation, built and defined a clear framework, and allowed their management teams to define the rules that would go into that framework.

What were Investec’s critical success factors?


The journey to zero trust is not necessarily a straight road, and sometimes there is a bit of oncoming traffic that hits you. But the key thing is to just keep going down that path.

Brandon Haberfeld, Global Head of Platform Security, Investec

1. Have passion for the end goal

Passion for getting to that end goal is one of your critical success factors. The size of the organization is nowhere near as important as having an individual who is advocating for the journey and the end state to the organization and to all the executives. It's an education process. Get in front of as many people and auditors as possible throughout the organization.

2. Pick the right tools for the journey

You don't want to come up against the problem where the tools you are using can’t support your zero trust strategy. In many cases, that might be inevitable, but if you do run into this problem, you need to have the tools that can solve the problem.

It’s important to consider the granular capabilities of those tools. The real-world problems in all of our organizations are very complex. There are very specific things that need to be solved at every turn. You want tools that are very flexible and very powerful. They need to have very rich APIs that will allow and simplify integrations, and you need to be able to script these tools so you can enable automation wherever possible.

3. Automate everything

The key to creating a zero trust model that can be managed by an individual or team within your organization is to automate as much as possible—automatic onboarding, automatic provisioning in a breach, automatic everything. Investec had to write a lot of code—and developers are key to that outcome.

Don’t let something your organization doesn’t have be the reason not to do zero trust. Get the things that you need to get, and pick the right tools, and be sure that, as you go along that zero trust journey, you stick with it.

Brandon Haberfeld, Global Head of Platform Security, Investec

4. Don’t underestimate your onboarding strategy

The onboarding strategy was one of Investec’s key success factors for deploying zero trust. They sat down in multiple design sessions with all of their technical people to visualize the outcome, then worked with those teams to co-create a solution that enabled them to feel comfortable in that world. It’s important to work towards a vision where zero trust doesn't feel like an overarching thing that is taking away people's ability to do their jobs, and to make them feel supported. What we are really doing as technology experts is pulling our business users with us into a world that they're a little bit unfamiliar with and rather afraid of. We need to make them as comfortable as possible that their world will change in a way that they can tolerate and that will allow the organization to continue to work. That's the actual end goal, and it is so possible.

5. Allow policies to change

One of the fundamental challenges Investec had to accept to achieve their zero trust architecture was the fact that they had to change legacy policies. Part of this process involved making sure people in the organization understood that the policies were updated, and they now had to follow new protocols that were strict and uniform.

“It is my very strong belief that uniformity to the standards is absolutely essential for getting zero trust as far down that road as you can, because the outlying exceptions, or the places where the policies don't conform, are where the attackers will go. In order to have policies that can be applied across the organization accurately and correctly, you need to have uniformity. And then you need to sanitize the legacy things that you've left behind. And I know that's a scary thought because we all have applications and infrastructures and architectures in the organization that don't necessarily conform. But fixing that technical debt is absolutely necessary to achieving zero trust.”

How Investec achieved their zero trust goals with BeyondTrust privileged access management (PAM) solutions

“The interactions between the products in the [BeyondTrust] suite have been brilliantly and carefully orchestrated in a way that we are maximizing our chance of getting as far down the Zero Trust road as we possibly can, given the state of the products in the security market.”

Brandon Haberfeld, Global Head of Platform Security, Investec

The four BeyondTrust products that make up Investec’s zero trust stack are:

  1. Active Directory Bridge – Enables streamlined identity management and access control by extending Microsoft AD authentication, SSO capabilities, and Group Policy configuration management to Unix and Linux systems.
  2. Password Safe – Discovers, onboards, and manages all privileged credentials (human, application, and machine), consistently enforcing password security best practices.
  3. Privilege Management for Unix and Linux – Removes admin rights for all users, limits the privileges associated with any account or process, and advances toward a zero-standing privilege (ZSP) state by dynamically elevating privileges just-in-time for processes, applications, etc.—but not for end users.
  4. Privilege Management for Windows and Mac – Combines least privilege management and application control to minimize the endpoint attack surface, eliminate unwanted lateral movement, and protect Windows and Mac systems from known and unknown threats.

“There are your least privilege components, and your singular identity components,” said Haberfeld. “I assert that zero trust lives at the intersection of these products. These products intersect and overlap in the most unbelievably complex and beautifully engineered way, and the fact that you can integrate all these products together enabled zero trust to manifest itself. I'm not describing an ethereal concept that I wish existed. It runs like this every single day in reality. Really.”

Click here to learn more about BeyondTrust and Investec, and watch the full presentation on-demand here: https://www.beyondtrust.com/webinars/investec-zero-trust
