DXC Secures Valuable Assets and Admin Accounts with BeyondTrust

By Jammin Jablanski, Director, Identity and Access Management at DXC Technology

Cloud environments are highly flexible and customizable, but they can quickly become extensive and complex when managing thousands of customers. That’s what happened when CSC and HPE Enterprise Services merged in 2017. The resulting company, DXC Technology, had more than 6,000 clients to serve on day one.

Today, DXC has 120,000 employees across 70 countries. Some of the world’s biggest companies, from private enterprises to public sector organizations, look to us for IT consulting solutions.

I joined DXC a year after the merger and now lead a team of 30 that manages digital identity for DXC. It’s my job to run directory services, oversee governance, and supervise privileged access management for more than 100,000 customers and staff. The only way to provide security at this scale — and continue growing — is to find technology partners with a global footprint and comprehensive offerings.

We had used a legacy password management solution for years, and it desperately needed an upgrade. It only supported a very small portion of our organization, and there wasn’t any clear guidance or controls around tailoring the platform to our needs.

We committed to the board of directors that we would protect our critical assets by assuming management of local administrative passwords. But to do so, we’d need a new security partner.

We performed an extensive RFP for a privileged access management platform that would allow us to secure passwords across our global, cloud-based infrastructure. Our requirements were simple: we wanted a SaaS-first product with very little on-prem infrastructure that we could easily manage with as few full-time employees (FTEs) as possible.

BeyondTrust was the clear winner. Password Safe offered everything we wanted at a price that fit our budget. The deployment went very smoothly. Despite some internal complexity, such as firewall rules that we had to adjust, we met the prerequisites and began managing our passwords very quickly.

Our relationship with BeyondTrust has gradually expanded from there. Today, they’re a critical piece of our zero-trust strategy.

In a large organization like DXC, we split our efforts between internal and external customers. Gaining visibility into each cloud environment and having a clear understanding of our responsibilities can be tricky. It’s easy to lose track of who has which access and where requests come from. BeyondTrust has helped us solve these challenges. Even in our complex environment, we’ve increased visibility across the organization and can consistently secure accounts, protect assets, and roll out new features.

With Password Safe, for example, we can secure all of our administrative accounts, privileged access accounts, and non-human accounts. We can also easily perform constant password rotations, check-ins, and check-outs so users don't have to jump through different hoops to keep their user accounts secure. Now, we can record sessions without actually giving the user direct access. It appears to the user as though it's direct access, but it's actually filtering through a BeyondTrust point where that data is being proxied into the appropriate server. We've created a perfect hybrid of the seamless experience the user expects, with an additional layer of security.

After implementing Password Safe, we decided to mature and expand our secure access capabilities to Total PASM by pairing Password Safe with Privileged Remote Access (PRA). Attack surface management is always a difficult thing to handle because there are so many different avenues. One thing we’ve done to address this is consolidating our remote access. Think of things like remote desktop protocol (RDP) and secure shell (SSH). We’ve blocked these on the networks. By removing all other tools and implementing PRA, even if somebody compromises a system, PRA prevents lateral movement by enforcing access segmentation at the protocol and identity level, so the identity has no option but to come back through BeyondTrust to gain access.

As we get into Linux devices specifically, we now have Active Directory Bridge, which allows us to add employees to our active directory domain and continue to use those credentials. In other words, we now have granular control over which commands and rights the user gets on that particular endpoint.

BeyondTrust improves our auditability too. As a global enterprise, we must comply with a variety of regulations from SOX to GDPR, and we also have to pivot frequently to meet new expectations and regulations.

Now, DXC can demonstrate that administrative passwords change daily, with a clear audit trail showing who accessed what and when. Once we’ve completed a walkthrough with an auditor and they understand the product and output, follow-up audits are quick and easy.

The more resources you have on-prem, the more things there are to maintain. Often, internal teams are responsible for that maintenance, including upgrading, patching, troubleshooting, and covering associated overhead. For these reasons alone, a cloud-first strategy is a great option.

SaaS providers like BeyondTrust enable any organization to minimize the extra time and costs it takes to maintain an on-prem solution. BeyondTrust deploys upgrades and patches in real time, and downtime is practically non-existent. Since adopting BeyondTrust, I can confidently report to our board that we’ve secured all highly valuable assets and administrative accounts. With the additional implementation of PRA, we’ll dramatically reduce the time and effort it takes to get to a targeted server.

Beyond organizational improvements, I can't say enough good things about the BeyondTrust team. BeyondTrust listens unequivocally to its customers. They’ve always been willing to jump on a call, tackle new projects, and provide firm timelines for deploying new ideas. They take our feedback seriously, and we see results happen in months, not years.

Now, I can focus strictly on what the product does, and not necessarily on maintaining it. Our users consume the service, we pay for what we consume, and all concerns go to BeyondTrust, whose team handles everything so we can focus 100% on our security. With their help, and the easy usability of their solutions, I know we've got a secure process, end to end.

• Paths to Privilege™ Explained (guide)
• The Guide to Identity Security Defense-in-Depth (guide)
• Buyer’s Guide for Complete Privileged Access Management (PAM) (guide)
• Ninja Van Increases Security and Boosts Flexibility with BeyondTrust (case study)
• Investec's Journey to Zero Trust: from Theory to Practice (case study)