Enhancing Security with PAM in the Finance Sector

In today’s fast-evolving security landscape, financial institutions must meet strict regulatory requirements, such as PCI-DSS certification, to ensure the protection of sensitive data. Recently, Soffid IAM had the opportunity to assist a finance client in achieving PCI-DSS compliance by implementing a robust Privileged Access Management (PAM) solution. Here, we explore the challenges, solutions, and outcomes of this rapid, three-week project.

Project Scope and Goals

The finance sector customer needed to enhance security across their network infrastructure, specifically by:

• Enabling Multi-Factor Authentication (MFA) for secure access.
• Implementing session recording for accountability.
• Supporting a variety of devices, including:
  • Windows and Linux servers
  • Backbone routers
  • Basic network switches
  • Critical management applications

This broad device range required a flexible approach to integrate different protocols and technologies, ensuring the new security measures aligned with their existing infrastructure.

Implementing a Multi-Factor Authentication (MFA) Solution

To facilitate user access while enhancing security, we deployed an MFA solution that allowed users to self-register their MFA devices. By integrating with Active Directory, end users could verify themselves using their AD password, simplifying and expediting the enrollment process.

Addressing Legacy Application Access

One significant challenge was securing legacy applications. While some applications supported SAML or OpenID Connect protocols, others did not, requiring alternative solutions:

• For SAML and OpenID-Compatible Applications: We configured Soffid’s identity provider to offer MFA, ensuring a consistent and secure login experience.
• For Non-Compatible Applications: We deployed a web single-sign-on module, acting as a reverse proxy, to connect legacy applications to the identity provider via SAML. This setup enabled seamless user authentication without modifying the application itself.

Securing Server and Network Access

To secure access to various network devices, we used Soffid’s PAM launch server, which allows MFA-based access:

• For Windows and Linux Servers: The PAM server enabled secure access via RDP for Windows and SSH for Linux servers.
• For Backbone Routers: TACACS+ MFA was configured to support any TACACS+-compatible device, which enabled fast configuration for IOS routers and switches.
• For Basic Switches: As these switches lacked TACACS+ support and used a web-based management interface, we employed Soffid’s browser-in-browser PAM addon, providing administrators with secure browser sessions that supported recording and monitoring.

Just-in-Time Permissions for Testing Environments

To meet the customer’s needs for dynamic access in their development environments, we implemented just-in-time (JIT) permissions. This feature allowed testers and developers access to necessary systems while ensuring these privileges were automatically revoked after the testing period, minimizing exposure to security risks.

Key Challenges Overcome

Throughout this project, several complex challenges were addressed:

• Integrating Legacy Applications without altering their core login processes.
• Supporting Simple Switches through innovative browser-based access solutions.
• Implementing Just-in-Time Permissions within a diverse technological landscape.

Results Achieved

Within the short timeframe of three weeks, the Soffid team delivered a powerful solution that achieved PCI-DSS compliance for the customer. Key benefits included:

• Enhanced Security through MFA across all critical systems.
• Increased Monitoring capabilities on vital assets, helping ensure accountability and compliance.
• Reduced Risk Exposure by removing unnecessary permissions for development and testing environments.

This case study demonstrates Soffid IAM’s expertise in delivering adaptable and effective PAM solutions, even in complex and mixed technology environments like the finance sector. With a flexible, integrated approach, we were able to meet our client’s stringent security requirements on time and within scope, further reinforcing Soffid’s commitment to providing industry-leading security solutions.