- 43 Federal Government Departments
- 10k Privileged Accounts
- 100's of hours of manual work eliminated
The Government of Canada’s Shared Services Canada (SSC) is an agency responsible for delivering strategic IT and cybersecurity services to 43 Departments of the Federal Government.
THE OBJECTIVE
As part of ongoing efforts to modernize and secure the Canadian
federal government infrastructure and computing resources, SSC was
given the mandate to provide a centralized privileged access
management (PAM) program for SSC and its 43 Partner Departments.
With assistance from KeyData, SSC developed the
concept, technology suite and operating model for a centralized
PAM service that allows departments to securely manage privileged
access.
ASSESSMENT AND STRATEGIC GUIDANCE
KeyData provided a wide range of services necessary to take the service from inception to deployment.
KEY PROJECTS UNDERWAY AND COMPLETED
PAM and IAM Current State Assessment
Conducted a current state assessment against industry-leading IAM
and PAM best practices to identify gaps. KeyData defined SSC's
target-state IAM/PAM architecture and developed a phased
multi-year roadmap along with an implementation plan. The business
priorities and pain points were used to help drive the phases of
the IAM/PAM roadmap.
The target-state architecture and
roadmap captured SSC’s strategic goals and provided guiding
principles for the successful implementation of an integrated
solution using industry-leading IAM (SailPoint) and PAM (CyberArk)
technologies.
The roadmap introduced new target-state
IAM/PAM processes, which delivered a seamless user experience while
simultaneously addressing the potential for abuse of privileged
accounts across the client’s network. KeyData defined
exactly how the privileged access and enterprise identity
management controls would integrate to cover all control gaps
using the government’s security and controls framework.
Critical PAM Use Case Inventory
As a core deliverable of the assessment, KeyData gathered requirements from multiple stakeholders to develop a comprehensive set of recommendations addressing governance, people, processes and technology. The assessment included detailed recommendations for protecting both personal (i.e., admin accounts owned by a single person) and non-personal privileged accounts (e.g., break-glass accounts/firecall IDs, generic admin accounts). These use cases formed the initial operating capability of the service.
Cloud PAM and IAM Framework Development
To complement existing use cases and workflows, a specific PAM Cloud Framework was developed to consider the unique control requirements of securing privileged accounts in federal public cloud tenants. The framework included use cases that would deliver value to both the human admins managing cloud tenants at scale, and the application and automation processes running within the environments. KeyData created a prototype design of a uniform cloud framework that would then be deployed nationally.
Service Operating Model
In order to deliver this managed service, SSC required an
operating model to define the roles and responsibilities of SSC,
clients and any third parties involved in the service delivery.
KeyData delivered an operating model that included a
detailed RACI, service level parameters, support functions and
detailed customer responsibilities. This allowed SSC to present
the service when on-boarding other department clients.
From Prototype to Production Deployment
KeyData is leading every phase of the project to design, deploy
and enable SSC to operate and maintain the IAM/PAM program.
Along with the technical deployment, KeyData is
developing robust test plans, training documentation and
educational materials to keep government staff skills current
during all phases of this multi-year project.
Production Service Launch
Once the initial phases of the target-state roadmap are deployed,
SSC will have the ability to manage and monitor more than 10,000
privileged accounts. The personal privileged accounts will be
tightly managed through consistent, reliable and repeatable
automated provisioning, self-service access request, and access
certification processes.
This represents the largest PAM deployment nationally in Canada
and one of the largest in North America. The program will
eliminate hundreds of hours of manual approvals and compliance
audit preparation time. By deploying a unified PAM framework
across 43 internal government departments, SSC will lower total
cost of ownership, reduce risk and accelerate time to value.
AT A GLANCE
- COMPANY: Shared Services Canada (SSC)
- LOCATION: Ottawa, Canada
- EMPLOYEES: 400,000 employees; 10,000 privileged accounts
- CHALLENGE: Develop and deploy a unified IAM/PAM framework for both on-prem and cloud and deploy an integrated technology solution for SSC and its 43 Partner Departments
- SOLUTION: CyberArk (PAM) & SailPoint (IAM)
- SERVICES PROVIDED BY KEYDATA:
- Conducted IAM/PAM current state assessment
- Developed target-state IAM/PAM architecture, strategy, roadmap and implementation plan
- Managed execution of IAM/PAM program
- Developed operating model and client onboarding artifacts for launch of the managed PAM service
- Technical design, solution configuration, integration and customization (off-prem, on-prem and cloud)
- Developed and deployed training for admins, end-users, developers and operations