IT Security Compliance and Audit Case Study | Secret Server

Specialist insurer Beazley has exponentially more secrets than employees. The volume and variety of their privileged accounts made them difficult to manage and time-consuming to audit.

An external security audit identified gaps in Beazley’s secrets management processes that opened the door to potential privileged account attacks. “The audit discovered privileged account passwords that hadn’t been changed for a long time,” explains Carl Broadley, Beazley’s Head of IT Security and Technology Risk.

Secret sprawl is a common problem for complex enterprises like Beazley. In a growing organization, privileged account credentials provide access to hundreds—sometimes thousands—of scheduled tasks, cloud services, DevOps workflows, and business applications. During an IT security audit, auditors check for Secret sprawl to make sure unmanaged privileged accounts don’t become vulnerable points of entry.

“At any point in the year, we’re undergoing some audit,” explains Carl. “External auditors say, ‘prove to us that these credentials haven’t been used for anything they shouldn’t have been used for.’”

Answering auditors’ questions were extremely tedious for Carl and his team. In addition to meeting auditing requirements in their home country of Ireland, they must demonstrate adherence to compliance standards around the world, such as GDPR, Lloyd’s market standard, the Information Commissioner’s Office (ICO) in the United Kingdom, the Monetary Authority of Singapore, and New York State cyber requirements.

When the auditors came back this year, they gave us high marks

“We had to go back and trawl through the logs manually and it took months,” Carl recalls. He and his team turned to Delinea to help them demonstrate compliance more efficiently. Using Secret Server they were able to shave two to three months off preparing for each audit as well as eliminate costs for additional audit consultants.

Most importantly, Carl says, “When the auditors came back this year, they gave us high marks. Nice green checks make my boss and his boss very happy.”

Increasing visibility and control of privileged accounts

Beazley began with Secret Server Discovery to identify all privileged accounts, including service accounts, that needed to be managed centrally to meet compliance requirements. They expanded their use of Secret Server so that, for the first time, they were able to centrally manage secrets used in the development process to build servers, change configurations, and conduct other rapid development activities.

Balancing security and productivity in the development process

For Beazley, downtime isn’t an option. With Secret Server, Beazley’s development team is able to do their jobs quickly because they can get access to the resources they need on the fly. Passwords are now changed automatically, and developers never see passwords at all. Developers like that “everything happens in the background and it doesn’t create a lot of noise,” says Carl.  As a next step, Beazley is planning to use Secret Server as a jump box to give developers point-in-time access to machines in the production environment, eliminating the risk of standing access.

Secret Server gives Beazley the capacity to grow

Beazley’s four-person IT operations team can now manage their workload more effectively thanks to automated workflows and approvals. “We generate accounts and passwords in Secret Server, saving us time with help desk calls, avoiding typos and other human errors, and making sure sensitive information like passwords aren’t exposed,” Carl explains.

They also recognize that privileged access isn’t limited to IT. Beazley has rolled out Secret Server to business users who are accessing sensitive data, including finance and human resources teams.

As Beazley’s organization continues to grow and adopts new privileged accounts and IT systems, Secret Server can scale to support them.

To learn more, read the full Beazley Insurance Case Study.