Keller Group's Efficiency and Security Go Hand-in-Hand with BeyondTrust

By Kamil Krezlewicz, Senior Security Administrator, and Evan Leake, Computer System Analyst, Keller Group

Modern organizations use such complex webs of systems and devices that even the smallest startup is vulnerable to security breaches. At an enterprise the scale of Keller Group, listed on the London Stock Exchange and a constituent of the FTSE 250 Index, this complexity multiplies many times over.

Keller Group is the world’s largest geotechnical specialist contractor, preparing the ground for safe and lasting structures. With more than 10,000 employees on six continents, Keller is a global powerhouse with a large IT team to match.  

Our respective roles give us unique perspectives on Keller’s security. Kamil is our senior security administrator responsible for securing the entire IT infrastructure. Evan is a cloud engineer on the device management team, supporting endpoint management services. From these two vantage points, we arrived at the same conclusion: Keller needed a holistic approach to Privileged Access Management (PAM).

At Keller, we used to manually manage privileged access. We would deny access to all users by default, so anyone who needed admin privileges for their work had to submit a request that security administrators reviewed on a case-by-case basis. Protecting a large attack surface this way was time-consuming and labor-intensive. This approach also lacked granularity, meaning users could have access longer than necessary.

Additionally, we didn't have a cohesive view into identities across our many global systems, which introduced potential vulnerabilities. Evan’s team supports on-site field users working in every time zone worldwide, yet there was no unique approach to how these teams handled remote support. If a remote support solution existed, we had it — including 15 separate TeamViewer accounts used across the business without any central oversight. The sheer number of platforms and accounts in use made it challenging to address vulnerabilities, and minimizing shadow IT became a nightmare.

It made life difficult on the ground too. Field teams at project sites experienced delays as they had to wait for us to sort through local admin permissions and manually connect to their devices. Clients were similarly very frustrated with constant delays.

Keller needed a globally capable PAM solution  that would:  

• Centralize visibility and control

• Eliminate shadow IT and other vulnerabilities caused by unsanctioned apps/tools

• Ensure compliance

• Offer cloud infrastructure so we could avoid server management

• Include robust automations

If we found something to check all these boxes, we were confident security would enable — not delay — the productivity at Keller Group.

We reviewed several PAM solutions, but BeyondTrust caught our eye from the start. They took a uniquely comprehensive approach to securing privilege pathways and offered full cloud support, which other companies didn’t offer at the time. BeyondTrust also had a mature platform that would allow our distributed IT systems to work seamlessly across time zones. Plus, we had an exceptional account manager who increased our confidence in moving forward with the partnership.  

Our first move was implementing BeyondTrust Endpoint Privilege Management (EPM), which gave us the visibility and control we needed. The BeyondTrust EPM solution lets us manage our endpoints at a far more granular level than we could before, specifying which applications and actions are allowed on each device. Rather than manually providing access to individual users on an ad-hoc, ticketed basis, we automatically grant the necessary access through policies. In this way, we adopted a streamlined and stronger security posture, while increasing efficiency by eliminating manual work.  

The BeyondTrust team had our backs during the implementation, starting with a thorough review of our existing policies and logs. Learning more about our existing setup ensured a smooth deployment, and everything worked flawlessly from day one.

From there, we introduced BeyondTrust Privileged Remote Access (PRA). Keller works with many contractors and external parties who require access to our infrastructure. Before working with BeyondTrust, we didn’t have a straightforward way to grant and restrict access to the appropriate people.

Privileged Remote Access solves this issue by eliminating VPN, providing just-in-time access, and enforcing least privilege to only allow contractors to access the systems they are supposed to be accessing. The solution also simplifies the process for Keller’s trusted partners, who now access our resources through an identity-secure portal. Privileged Remote Access logs every action from login to logout, ensuring we have a complete audit trail of what happened when.

Endpoint Privilege Management and Privileged Remote Access gave Keller a solid foundation in privilege access management. The next step was to address our team's unique pain points. Our engineers required temporary access to systems and devices to solve issues, but lacked a cohesive, efficient process and workflow to do so.

We addressed these concerns by implementing BeyondTrust Remote Support. By integrating with our other BeyondTrust solutions and Keller’s ServiceNow instance, Remote Support allows engineers to request additional time-limited permissions to resolve tickets.

The simple click request within the ServiceNow interface facilitates support and shares the right tickets with the right teams. It takes one click to approve, and then gives the support engineer a response in under a minute.

BeyondTrust Remote Support has enabled Keller to rein in disparate remote support tools and give field users unattended access to job site computers. Through the integration with ServiceNow, we've improved our onboarding to these teams for a seamless experience from request to resolution — entirely automated and without any IT interaction.

Additionally, we integrated Endpoint Privilege Management with our ServiceNow environment. If a user wants to run an application or perform an action that isn't allowed per our policy, they can request access. The designated team can then review and either allow or deny the request. The direct integration between ServiceNow and Endpoint Privilege Management accelerates the response process for the user. We can simply click approve and, just as with Remote Support, the user will be allowed to run the software within a minute or less, a process that used to take hours.

By adopting Endpoint Privilege Management, we've bridged the gap between software requests and execution, especially with small portable apps such as banking or field device equipment. We've improved our response times and effectiveness in delivering this level of support to the users.

In the first two years of implementing BeyondTrust solutions, we have handled over 2,200 requests directly from ServiceNow. BeyondTrust’s integration solutions have saved our help desk thousands of hours of otherwise manual tasks. Improved response times for our users translates to happier clients.

BeyondTrust has given us the tools we needed to consolidate all our privilege access management under one roof. We can keep our security and endpoint teams in sync and quickly evaluate any urgent business request, and it's easier to prevent vulnerabilities from creeping into our environment because we have a clearer picture of the platforms being used and the people using them.

Ultimately, BeyondTrust didn’t just provide solutions; they supported us during a massive transition. We learned that security doesn’t have to compromise security. With both under control, we can continue solving geotechnical challenges around the world.