Like many enterprises, GCI had large teams of administrators with generic user accounts, which prevented IT management from tying a specific change to an individual user. As the number of users grew from fewer than 500 to over 2,600, compliance and monitoring of user access became a priority.
Motivated by the Sarbanes-Oxley Act of 2002 (SOX), GCI’s IT team set out to improve its security posture by managing users, privileges and access to servers, apps and data. New requirements, specifically SOX Section 404’s Internal Controls Report, came with threats of $1 million fines if companies were found non-compliant.
“Controlling root access goes back to the auditability of everything. You can control your end users, but if you don’t control your admins, security means nothing. You can’t walk into an audit and say ‘I trust my admins’ – you have to demonstrate that you can also verify and control them.” - Karl Adriaenssens, CISSP, Chief Technology Officer, GCI
Their IT Security Management team took control of root admins and established preemptive guidelines for what junior and senior admins could access. They quickly realized they needed a solution that could deliver a scalable method for managing user access while offering traceability and verification at a granular level.