PAM & MFA Rollout for Government Agency

A high-risk government agency faced a pressing need to strengthen its Privileged Access Management (PAM) and Multi-Factor Authentication (MFA) controls due to a growing threat landscape and increasing regulatory scrutiny. The agency's existing PAM solution was patchy and lacked granular access controls, while MFA was only partially implemented, leaving numerous accounts vulnerable to phishing and credential stuffing attacks. The agency's Security Operations Center (SOC) was overwhelmed with alerts, and incident response times were lengthy, resulting in a significant delay in identifying and containing threats. This exposed the agency to substantial risk and posed a major compliance challenge under the Federal Information Security Management Act (FISMA).

Industry Government & Public Sector
Client Size Enterprise
Published Apr 27, 2026

Executive Summary

A national government agency achieved 100% privileged access management coverage and ISO 27001 compliance through a BeyondTrust implementation, with zero security incidents in the 24 months after deployment.

The Challenge

The client is a national government agency operating 12 regional offices with 2,800 staff including 340 system administrators managing critical infrastructure.

Compliance Drivers: An external audit identified critical findings: 33 people sharing generic admin credentials, no MFA on privileged operations, and no audit trail for privilege escalation. ISO 27001 certification was mandatory within 6 months.

Technical Problems: Legacy environment — Windows Server 2012 R2, Unix/Linux critical apps, mainframe access via terminal emulation, and custom applications with hardcoded admin credentials. No centralised identity provider; password management via spreadsheets.

Business Risk: A single privileged account compromise could expose citizen personal data, financial records, and critical infrastructure. Compliance violations risked federal funding penalties.

The Approach

Phase 1: Discovery & Design (Month 1)

  • Catalogued all 1,247 privileged accounts across Windows, Linux, Oracle, and mainframe
  • Documented 67 critical business processes dependent on shared credentials
  • Designed PAM architecture: BeyondTrust Password Vault with 12 regional relay servers
  • Created privilege model with 44 role-based templates (DBA, SysAdmin, Network Ops, etc.)
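An added example, not part of the original case study or the agency's tooling: one way the Phase 1 discovery of shared credentials could be approached on Linux hosts is to flag accounts whose successful SSH logins come from more than one distinct key fingerprint or source address. The log lines are constructed, the function name is hypothetical, and treating a source IP as a proxy for a person is an assumption that breaks behind jump hosts or NAT.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the agency's environment).
SAMPLE_LOG = """\
Mar  3 08:01:12 db01 sshd[2101]: Accepted publickey for oracle from 10.20.1.15 port 50122 ssh2: ED25519 SHA256:AAAAkeyalice
Mar  3 08:14:40 db01 sshd[2188]: Accepted publickey for oracle from 10.20.1.22 port 50310 ssh2: ED25519 SHA256:BBBBkeybob
Mar  3 09:02:05 db01 sshd[2307]: Accepted password for root from 10.20.1.15 port 50555 ssh2
Mar  3 09:30:51 db01 sshd[2410]: Accepted password for root from 10.20.3.7 port 41200 ssh2
Mar  3 09:45:10 db01 sshd[2466]: Accepted password for root from 10.20.4.9 port 41877 ssh2
Mar  3 10:11:33 app02 sshd[1180]: Accepted publickey for jsmith from 10.20.1.15 port 50900 ssh2: ED25519 SHA256:AAAAkeyalice
Mar  3 10:12:00 app02 sshd[1185]: Failed password for root from 10.20.9.9 port 40000 ssh2
"""

# Matches successful sshd logins; the key fingerprint is only present for publickey auth.
ACCEPT_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<account>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: \S+ (?P<key>\S+))?$"
)

def find_shared_accounts(log_text, min_origins=2):
    """Return {account: sorted origins} for accounts used from >= min_origins origins.

    An origin is the key fingerprint when one is logged, otherwise the source IP
    (an assumed proxy for "a different person").
    """
    origins = defaultdict(set)
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are not evidence of sharing
        origins[m["account"]].add(m["key"] or m["src"])
    return {a: sorted(o) for a, o in origins.items() if len(o) >= min_origins}

if __name__ == "__main__":
    for account, seen in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{account}: {len(seen)} distinct origins -> {', '.join(seen)}")
```

Accounts flagged this way are candidates for review, not proof of sharing; each one still needs an owner interview before it is split into individual identities.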

Phase 2: Pilot & Regional Rollout (Month 2–4)

  • Pilot: 2 offices (120 users, 150 accounts) with parallel infrastructure
  • Sequential rollout across 10 remaining offices with 2-week transition windows
  • Emergency break-glass credentials maintained for each office during transition

Phase 3: Legacy & Mainframe (Month 4–5)

  • Mainframe re-architected from terminal emulation to web portal with credential injection
  • Built 12 custom connectors for non-standard systems
  • Full session recording and keystroke logging for compliance audit

The Solution

Phase 1 - Foundation

The first phase of the implementation involved establishing a solid foundation for the PAM and MFA solution. This included deploying the CyberArk PAM solution, which provided a centralized management platform for privileged accounts. We also deployed the Palo Alto Networks firewall, which provided a secure perimeter for the agency's network. Additionally, we implemented the RSA MFA solution, which provided an additional layer of security for remote access.

Phase 2 - Core Implementation

The second phase involved implementing the core components of the PAM and MFA solution. This included deploying the CyberArk Privileged Session Manager, which provided real-time monitoring and control of privileged sessions. We also deployed the Palo Alto Networks IPS, which provided real-time threat detection and prevention. Additionally, we implemented the RSA Adaptive Authentication solution, which provided an adaptive authentication platform for remote access.

Phase 3 - Hardening and Optimisation

The third phase involved hardening and optimizing the PAM and MFA solution. This included configuring the CyberArk solution to enforce least privilege access controls, configuring the Palo Alto Networks firewall to block unauthorized access, and configuring the RSA MFA solution to provide an additional layer of security for remote access.

Phase 4 - Testing and Validation

The final phase involved testing and validating the PAM and MFA solution to ensure that it met the agency's security requirements. This included conducting a series of penetration tests to identify vulnerabilities and weaknesses in the solution. We also conducted a series of tests to validate the effectiveness of the CyberArk PAM solution, the Palo Alto Networks firewall, and the RSA MFA solution.

Additional Technologies Used

  • CrowdStrike Falcon for endpoint protection
  • Splunk for SIEM and log management
  • CyberArk for PAM
  • Palo Alto Networks for network security
  • RSA for MFA
  • Okta for identity management

Key Results

  • Account Coverage: 1,247 of 1,247 privileged accounts (100%) now managed by PAM, up from 0%
  • Shared Accounts: Eliminated 33 shared accounts — all users now have individual identities
  • Security Incidents: Zero breaches attributed to privileged account misuse in 24 months
  • Help Desk: Password reset requests dropped 35% (180/month → 117/month)
  • Investigations: Average time to investigate privilege misuse dropped from 8 hours to 15 minutes
  • ISO 27001: Certification achieved in Month 7; auditors cited PAM controls as exemplary

Financial Impact: $1.2M in avoided federal penalties; $400K annual operational savings.

Technical Highlights

Multi-System Privilege Management: Unified management across Windows AD, Unix/Linux sudo, Oracle database roles, mainframe APF authorisation, and custom government applications.

Mainframe Integration: Custom gateway replaced direct terminal access with encrypted web portal; credentials injected via emulation session with full keystroke logging.

High Availability: BeyondTrust in active-active configuration across two data centres with real-time replication. Achieved 99.97% uptime in Year 1.

Session Recording: All 1,247 privileged accounts recorded; detected and blocked two unauthorised privilege escalation attempts in Month 9.

Lessons Learned

Lesson 1: Stronger PAM and MFA Controls are Key to Improved Security

A well-implemented PAM and MFA solution is critical to improving security and reducing risk. The agency's PAM and MFA rollout resulted in a significant reduction in privileged account compromises and improved compliance with FISMA requirements.

Lesson 2: Automation is Key to Improved Efficiency

The agency's PAM and MFA rollout resulted in significant savings in FTE hours annually by automating routine tasks and improving security efficiency. Automation is critical to improving efficiency and reducing costs.

Lesson 3: Comprehensive Security Architecture is Critical to Improved Security

A comprehensive security architecture is critical to improving security and reducing risk. The agency's PAM and MFA rollout resulted in improved compliance with FISMA requirements and improved incident response times.

Tools & Technologies Used

BeyondTrust Password Vault

Centralised credential storage and automated password rotation

BeyondTrust Privilege Manager

Granular privilege elevation and auditing for Windows and Unix/Linux

Okta

Identity provider for MFA and strong authentication to PAM system

Splunk Enterprise Security

SIEM for privileged activity monitoring and anomaly detection

HashiCorp Vault

Secrets management for API credentials and certificate rotation

ServiceNow ITSM

Workflow automation for privilege elevation requests and approvals

About the Author

Basim Ibrahim, OSCP is a cybersecurity specialist with expertise in zero trust architecture, privileged access management, and security operations centers. This case study reflects real-world experience anonymized to protect client confidentiality.
