PAM & MFA Rollout for Government Agency
National government agency managing 2,800 employees across 12 regional offices faced ISO 27001 compliance requirements. Shared admin accounts and no MFA created critical audit findings.
Executive Summary
National government agency achieved 100% privileged access management coverage and ISO 27001 compliance through BeyondTrust implementation, with zero security incidents in 24 months post-deployment.
The Challenge
The client is a national government agency operating 12 regional offices with 2,800 staff, including 340 system administrators who manage critical infrastructure.
Compliance Drivers: External audit identified critical findings: 33 people sharing generic admin credentials, no MFA on privileged operations, and no audit trail for privilege escalation. ISO 27001 certification was mandatory within 6 months.
Technical Problems: Legacy environment — Windows Server 2012 R2, Unix/Linux critical apps, mainframe access via terminal emulation, and custom applications with hardcoded admin credentials. No centralised identity provider; password management via spreadsheets.
Business Risk: A single privileged account compromise could expose citizen personal data, financial records, and critical infrastructure. Compliance violations risked federal funding penalties.
The Approach
Phase 1: Discovery & Design (Month 1)
- Catalogued all 1,247 privileged accounts across Windows, Linux, Oracle, and mainframe
- Documented 67 critical business processes dependent on shared credentials
- Designed PAM architecture: BeyondTrust Password Vault with 12 regional relay servers
- Created privilege model with 44 role-based templates (DBA, SysAdmin, Network Ops, etc.)
Phase 2: Pilot & Regional Rollout (Months 2–4)
- Pilot: 2 offices (120 users, 150 accounts) with parallel infrastructure
- Sequential rollout across 10 remaining offices with 2-week transition windows
- Emergency break-glass credentials maintained for each office during transition
Phase 3: Legacy & Mainframe (Months 4–5)
- Mainframe re-architected from terminal emulation to web portal with credential injection
- Built 12 custom connectors for non-standard systems
- Full session recording and keystroke logging for compliance audit
Key Results
- Account Coverage: 1,247 of 1,247 privileged accounts (100%) now managed by PAM, up from 0%
- Shared Accounts: Eliminated 33 shared accounts — all users now have individual identities
- Security Incidents: Zero breaches attributed to privileged account misuse in 24 months
- Help Desk: Password reset requests dropped 35% (180/month → 117/month)
- Investigations: Average time to investigate privilege misuse dropped from 8 hours to 15 minutes
- ISO 27001: Certification achieved in Month 7; auditors cited PAM controls as exemplary
Financial Impact: $1.2M in avoided federal penalties; $400K annual operational savings.
Technical Highlights
Multi-System Privilege Management: Unified management across Windows AD, Unix/Linux sudo, Oracle database roles, mainframe APF authorisation, and custom government applications.
Mainframe Integration: Custom gateway replaced direct terminal access with encrypted web portal; credentials injected via emulation session with full keystroke logging.
High Availability: BeyondTrust in active-active configuration across two data centres with real-time replication. Achieved 99.97% uptime in Year 1.
Session Recording: All 1,247 privileged accounts recorded; detected and blocked two unauthorised privilege escalation attempts in Month 9.
Lessons Learned
Best Practices: Engage compliance auditors in Month 1 (not post-implementation) — this organisation iterated on the privilege model twice but avoided certification rework by involving auditors early. Parallel operation of old and new infrastructure during the transition eliminated single-point-of-failure risk.
Common Pitfalls: Legacy system integration is always more complex than estimated — the mainframe work took 8 weeks vs 4 planned. Design privilege models carefully; overly complex roles lead to workarounds. Deploy sequentially across regions, not all at once.
Tools & Technologies Used
- Centralised credential storage and automated password rotation
- Granular privilege elevation and auditing for Windows and Unix/Linux
- Identity provider for MFA and strong authentication to the PAM system
- SIEM for privileged activity monitoring and anomaly detection
- Secrets management for API credentials and certificate rotation
- Workflow automation for privilege elevation requests and approvals
Need Similar Security Solutions?
If your organization faces similar security challenges, I'd be happy to discuss how these approaches can be adapted to your specific needs.