By: Chris Stucker, Associate Director at University of Utah
The University of Utah is a dynamic and fast-paced organization, with 17 colleges and 32,000 students across 100 departments. We have a full academic healthcare system, including a hospital, right on campus. The university was founded in 1850 and was one of the first four nodes on the ARPANET, which is the predecessor of the modern internet. We do a tremendous amount of research and have a thriving Research Park that currently lists 48 companies and 14,000 employees. Innovation and technology have deep roots at the University of Utah.
I started my career in military intelligence, became a civilian and moved around to some other security and IT jobs, and eventually joined the as the associate director for Identity and Access Management (IAM). The challenges were new, but the goals were the same: to keep people safe and secure.
It didn’t take long to notice the university’s unusual IT challenges. From an identity perspective, it's a complicated place. In a traditional organization, people typically onboard with one role or job, and get promotions, change roles, or take on new responsibilities over time. When someone leaves, that account is terminated.
Our university has an unusual blend of students, professors, contractors, staff, visitors, IT, and more. Our user roles can change and even pause over many years, and many people hold multiple roles concurrently. Many of our employees are also students, and they may switch roles based on whether they access the system from a student persona or an employee persona.
Our hospital environment adds to the complexity, as some students are also employees with access to Protected Health Information. A lot of people have access to a lot of sensitive data, so we have to ensure that the access they have from each role is appropriate and that controls are in place to safeguard that information. Managing all those permissions, privileges, and access is exponentially more difficult than it is in a more traditional organization. It’s difficult to ensure the right people get the right access to the right things, without compromising security or productivity. All of that is especially critical in the context of privileged access.
We do a good job of provisioning accounts when somebody gets a new role or when an employee or student joins the university. The harder part is managing these accounts or removing them if the user changes role or leaves the university, and keeping track of all those moving parts. Knowing who has access to what isn't enough; we have to know what role or persona is associated with that so that we can add and remove the right things for people with many roles. We had to increase visibility into our accounts and reduce our risk. Specifically, we had to improve the way we handle privileged accounts.
We use an identity governance solution that helps us to try to manage those identities and those personas and try to keep the roles separate, but it doesn’t cover everything. We needed to do better.
You can't protect what you have unless you know what you have—and we had no idea what we had. The hospital is a well-managed environment, and we had a good handle on user access and activity. The university campus side, however, was a different story. No one knew what hardware or software resources we had available, let alone all of the accounts. No one could see which people had access to which privileged accounts, or how to manage them. Many privileged accounts were managed on spreadsheets. We have system scanners that scan the networks, but they don't analyze accounts to see how service or privileged accounts are used. It was a major blind spot.
We decided that we needed a privileged access management (PAM) solution and we wanted to do it fairly quickly. We looked to Gartner to begin our research, and developed a shortlist of the leaders in this space, which included
I need to point out that what I say here does not constitute an endorsement for any product or service on the part of my employer, only my experiences in this journey and some of what I've learned along the way. Our in-depth comparison lasted about six months, after which we decided on BeyondTrust. Not only did they have the technology we needed, but they demonstrated an eagerness to become a long-term partner. BeyondTrust has the ability to handle dynamic changes within our organization, which was a critical part for us. We had a really strong use case to handle our students, faculty, staff, and affiliates with , and a solution that would facilitate secure and low-friction access for our vendors and unaffiliated partners.
We were most excited about BeyondTrust’s approach to , which makes access to a privileged account available only when it's needed. The exposure isn’t just based on time; attack vectors that utilize techniques like lateral movement are also mitigated since there is no “always-on” privileged account to leverage across resources. Privileged users gain access to resources in an ephemeral nature.
Privileged access can be tied to other criteria, like whether there's an approved change window or service ticket, and logic and rules can be applied to everything—it's not just a static set of privileges. We can write rules that allow an engineer all of the access needed when that person is acting as an engineer, but turn all of that off when that person isn't, or when that person is functioning as a student. We can combine it with logic and rules in other solutions like MFA for even more control and flexibility. On the productivity side and in keeping a current list of all of our assets, we can write rules that watch for a new server to pop up and then automatically provision the correct access based on defined criteria. Combined with other good practices like network segmentation, it gives a solid reduction in risk.
Our first step was to get it in place. We used for deployment, and simply followed their instructions. They configured the solutions remotely to meet the requirements of our engineers, and there wasn’t a lot of heavy lifting on our part. I'm firmly convinced that we have the smartest and hardest working IAM team around, but being able to offload some of that effort on someone else and to take advantage of the expertise of a team that does this every day was a big deal for us.
After that, we put a framework in place based on the systems we knew existed, and then we turned on discovery and let it go. We got results almost immediately, and within a week, we had a comprehensive inventory.
We have a long way to go, but we began with some easy wins. Together, PWS and PRA give us the ability to understand privileged access at the university. When someone connects, whether they're internal or external, we can see exactly who did it and when. We began to use PWS and PRA with our thousands of vendors, consultants, and outside suppliers that connect to our systems every single day.
We also began to create groups and rules to enable users automatically, which is a practical benefit when individuals switch roles or leave the university. We don't have to rely on system owners to remember to deprovision departed people, or to manually rotate all of the passwords the departed might know. We identify the use cases of a particular group and then structure PAM to meet our needs. That automated provisioning and deprovisioning was another one of the big differentiators of BeyondTrust, and we couldn’t adequately control the risk in our organization without it. Our organization and infrastructure are just too big to manage privileged access manually. As my team gets more confident in our expertise, we’ll start to take on more difficult use cases.
From an auditing and compliance perspective, BeyondTrust gives us a level of control and capability we never had before. If you can name a compliance requirement, it probably applies to us: HIPAA, FERPA, PCI, and so on. We now have a place to collect all of the data required for regulatory compliance, which acts as a single source of truth when it comes time for audits. Not only is this data easy to collect, but it allows us to demonstrate that we have administrative and technical controls in place for all compliance requirements, as well as a segregation of duties.
We've also used governance groups and our broad base of really smart IT people as champions in the community. Securing buy-in from these groups is key because it helps with widespread implementation. With these groups, we use real-world examples to show how we’ve become more secure, and the steps we’re taking to either prevent those situations from happening altogether or that would mitigate the damages.
Different stakeholders like BeyondTrust for different reasons, so sharing the possibilities is important to get everyone on board. Even though we are early in the process, we’ve already developed some true believers. 2020 has demonstrated the absolutely critical need for this kind of control and its ability to put us in more of a proactive model rather than having to react to every new threat that emerges.
Before, we spent so much time managing identities and controlling access. Now, it’s never been easier to onboard new hires, and PAM allows us to provision access and make someone productive quickly. An administrator doesn't have to remember different IP addresses and different passwords anymore. This not only increases security, it increases productivity.
The task of increasing security and reducing risk at the university is daunting, especially after we gained visibility and could see the full scale of the challenge. Finding a good partner has made all the difference. The support we've received has been phenomenal—both technical support, and their commitment to our success. I would’ve started on this project much sooner had I known how painless BeyondTrust would make it.
Just-In-Time PAM has been the best thing we’ve done for our security recently, and we couldn’t have implemented it at a better time unless it was simply "sooner". It’s a huge step toward a clearer, more secure future—one where we finally have the control and audit capabilities we need.
Chris started his career as a US Army Intelligence officer. Since his departure from that life, he has worked in a variety of IT and security roles in both the private and public sector, His current role involves a primary focus on the IAM program for University of Utah.