How Canadian Federal Government implemented a Privileged Access Management

The Government of Canada’s Shared Services Canada (SSC) is an agency responsible for delivering strategic I.T. and cybersecurity services to 43 Departments of the Federal Government

THE OBJECTIVE

As part of ongoing efforts to modernize and secure the Canadian federal government infrastructure and computing resources, SSC was given the mandate to provide a centralized privileged access management (PAM) program for SCC and its 43 Partner Departments.

With assistance from KeyData, SSC developed the concept, technology suite and operating model for a centralized PAM service to allow departments to securely manage privileged access.

ASSESSMENT AND STRATEGIC GUIDANCE

KeyData provided a wide range of services necessary to take the service from inception to deployment.

KEY PROJECTS UNDERWAY AND COMPLETED

PAM and IAM Current State Assessment

Conducted a current state assessment against industry-leading IAM and PAM Best Practices to identify gaps. KeyData defined their target state IAM/PAM architecture and developed a phased multi-year roadmap along with an implementation plan. The business priorities and pain points were used to help drive the phases of the IAM/PAM roadmap.

The target-state architecture and roadmap captured the SSC’s strategic goals and provided guiding principles for the successful implementation of an integrated solution using industry leading IAM (SailPoint) and PAM (CyberArk) technologies.

The roadmap introduced new target-state IAM/PAM processes, which delivered seamless user experience while simultaneously addressing any potential for abuse of privileged accounts across the client’s network. KeyData was able to define exactly how the privileged access and enterprise identity management controls would integrate to cover all control gaps using the government’s security and controls framework.

Critical PAM Use Case Inventory

As a core deliverable of the assessment, KeyData gathered requirements from multiple stakeholders to develop a comprehensive set of recommendations addressing governance, people, processes and technology. The assessment included detailed recommendations for protecting both personal (i.e., admin accounts owned by a single person) and non-personal privileged accounts (e.g., break-glass accounts/firecall IDs, generic admin accounts). These use cases formed the initial operating capability of the service.

Cloud PAM and IAM Framework Development

To complement existing use cases and workflows, a specific PAM Cloud Framework was developed to consider the unique control requirements of securing privileged accounts in federal public cloud tenants. The framework included use cases that would deliver value to both the human admins managing cloud tenants at scale, and the application and automation processes running within the environments. KeyData created a prototype design of a uniform cloud framework that would then be deployed nationally.

Service Operating Model

In order to deliver this managed service, SSC required an operating model to define the roles and responsibilities of SSC, clients and any third parties involved in the service delivery.

KeyData delivered an operating model that included a detailed RACI, service level parameters, support functions and detailed customer responsibilities. This allowed SSC to present the service when on-boarding other department clients.

From Prototype to Production Deployment

KeyData is leading every phase of the project to design, deploy and enable SSC to operate and maintain the IAM/PAM program.

Along with the technical deployment, KeyData is developing robust test plans, training documentation and educational materials to keep government staff skills current during all phases of this multi-year project.

Production Service Launch

Once the initial phases of the target-state roadmap are deployed, SSC will have the ability to manage and monitor more than 10,000 privileged accounts. The personal privileged accounts will be tightly managed through consistent, reliable and repeatable automated provisioning, self-service access request, and access certification processes.

This represents the largest PAM deployment nationally in Canada and one of the largest in North America. This program will eliminate hundreds of hours of manual approvals and compliance audit preparation time. By deploying a unified PAM framework across 43 internal government departments, SSC will lower total cost of ownership, reduce risks, as well as rapid time to value.