Beazley Insurance: Compliance Audit Case Study

Industry: Insurance

Company Size: 800 employees

Beazley is a specialist insurer subject to compliance with numerous regulatory requirements. In addition to requirements for Bank of Ireland, where Beazley is headquartered, it also must adhere to compliance standards around the world, including GDPR, Lloyd’s market standard, the Information Commissioner’s Office (ICO) in the United Kingdom, the Monetary Authority of Singapore and NYDFS.

“At any point in the year, we are undergoing some audit. External auditors say, ‘prove to us that these credentials haven’t been used for anything they shouldn’t have been used for.’”

– Carl Broadley, Head of IT Security and Technology Risk

Challenge

Beazley has exponentially more secrets than employees. Privileged credentials are used for scheduled tasks, cloud services, DevOps workflows, and business applications.

Beazley conducts regular audits to stay ahead of threat actors and comply with regulations. Each year, external auditors place more emphasis on cybersecurity. They dig deeper into Beazley’s security practices, including management of privileged credentials, before they sign off on data to be used in the company’s annual report. A flag raised in the cybersecurity review calls all information into question.

Project Drivers

When an external audit identified gaps in Beazley’s PAM practices, the security team needed to make some changes. “The audit discovered privileged account passwords that hadn’t been changed for a long time,” explains Carl Broadley, Head of IT Security and Technology Risk. Answering auditors’ questions was extremely time consuming. “We had to go back and trawl through the logs manually, and it took months,” he recalls.

“Downtime is not an option. We need to be up and running so we can pay out claims. Especially in times of COVID, with more claims and event cancellations, our customers are counting on us.”

The Solution

A Delinea customer for 12 years, Beazley used Secret Server as a digital password vault but had not taken advantage of more advanced PAM capabilities. They worked with the Delinea team to expand their use of Secret Server to address audit findings.

The process began with Discovery to identify all privileged accounts, including service accounts, that needed to be managed via Secret Server. Beazley’s team of 250+ developers uses scripts to build servers, change configurations, and conduct other rapid development activities. “We realize that the sheer number of developers increases our risk, but we don’t want to create a bottleneck,” notes Carl.

The four-person IT security team now relies on automation to protect privileged accounts. “We generate accounts and passwords in Secret Server, saving us time with help desk calls, avoiding typos and other human errors, and making sure sensitive information like passwords aren’t exposed,” Carl explains.

With Secret Server, passwords are now changed automatically, and developers never see passwords at all. To increase oversight of privileged account activities, Beazley has added workflows and approvals.

As a next step, Beazley is planning to use Secret Server as a jump box to give developers point-in-time access to machines in the production environment, mitigating the risk of standing access. They also recognize that privileged access is not limited to IT. Beazley has rolled Secret Server out to business users accessing sensitive data, including Finance and HR.

Delinea’s Professional Services team was instrumental in helping Beazley get set up. “They made sure our installation has High Availability, not all on one server, and our new environment is scalable and resilient.” When the deadline for the project was accelerated, “Delinea helped us get access to a quick resolution,” Carl reports.

Aha Moment

Using Secret Server has saved the Beazley team two to three months of audit preparation and eliminated the cost of additional audit consultants.

From a product development perspective, the team is able to do their jobs more quickly because they can get access to resources they need on the fly. “Everything happens in the background, and it doesn’t create a lot of noise.”

“When the auditors came back this year, they gave us high marks. Nice green ticks make my boss and his boss very happy.”

– Carl Broadley, Head of IT Security and Technology Risk