A Cultural and Technological Transformation
When we rolled out BeyondTrust, we went region by region, starting with the smaller countries, working with smaller sample sizes, finding any problems and fixing them. We then took what we learned and rolled it out to the next biggest office. This approach meant that, as each office/region was rolled out, we had already addressed some of the problems they may have seen.
The smooth rollout was largely due to the time we spent working with an implementation specialist at BeyondTrust to not only help with adoption, but also sort out application permissions. We created four different lists: white, black, grey, and red.
Everyone has access to install applications on the white list, and no one has permission to use blacklisted applications. The grey list consists of applications collected during the audit phase and pending review. When somebody tries to install one of these applications, a pop-up asks them whether they’re sure they want to install it. If they click “yes,” we let them do it, but we reserve the right to block them if our security analysis suggests the application is dangerous. We constantly review the grey list and move those applications to the other permanent lists. It bought us some time and allowed us to begin the rollout.
We also have a theoretical red list for unknown apps. Should a user try to install something that isn’t on any of our lists, a pop-up appears asking for user credentials, and they have to contact IT to approve the app in question.
Using these lists, we have whittled down the number of apps in use. We started with 8,800 items on our grey list. It’s down to 3,000, while our white list is close to 2,000 apps. When you consider that we started seeing 32,000 unique apps (including different versions) worldwide, we’re looking at a substantial reduction in vectors for malware and cyberattacks. We have also consolidated many of our business tools, which has further simplified the work of our IT teams.
All of this required support not just from management, but from all of our IT leads. I spoke with all of our team leads and personally trained our support desk teams. I didn’t send out faceless emails, which often get ignored. Instead, I picked up the phone and spent a lot of time talking to people about BeyondTrust, showing them how it worked, and explaining its benefits. Getting our IT people to buy into the platform required a personal touch.