TCS transitioned from manual systems for privileged user access and password management to Secured Access by implementing ARCOS, a Privileged identity Management (PIM) solution By Abhishek Raval
With ARCOS, the entire IT governance around the privileged access management is now automated, which has further created efficiencies in the data centre operations
TCS, India’s largest IT services company, is also on the forefront of offering services to its clients on a shared services model. The shared services unit of TCS was started with a team size of only 15 employees. Now it has grown to 350 employees, handling around 35 clients. The employees in this unit work with the highly confidential and critical business data of the customers.
Need for Secured Access Management Solution
Till 2010, TCS was using manual processes for access as well as password management of several privileged user ids to ensure adequate control over access to client servers. However these manual processes had inherent limitations. Further, the size of the shared services (MSP) business was growing at a fast pace. This created several operational challenges in managing multiple client systems and efficiency of shared staff (controlled by manual processes) was constantly an issue. The larger issue was however the higher risk from shared access, unlimited privileges, incomplete audit trails and limited password management capability due to large number of client systems.
“Too many passwords, multiple accesses and excessive privileges were being generated and shared, which was against the TCS internal compliance norms”, says Nilesh Bhate, Head ICC Delivery, IT Infrastructure Services, TCS.
Also there was an expectation especially from the BFSI clients that while the services were shared there should be complete logical segregation of client systems during a live session. The governance teams at the client’s end also started demanding audit trails on a regular basis and thus compiling them with adequate tagging to the IDs and the name of the employees was a cumbersome task. “The reporting of which employee was working in which shift and accordingly map their system activities in line was a challenge. Thus fixing accountability was also near to impossible because the same IDs and passwords were being used by different employees,” explains Bhate.
In the recent past, there has been a focus on risks emanating from outsourcing of IT operations whether on site, through MSP or the cloud. There are now various standards on governance and oversight of outsourced operations. Also various regulators require companies to have stringent policies on access control, password management and audit trails especially in an outsourced environment.
TCS anticipated these risks and challenges. In order to create efficiency in a complex environment and provide highest possible governance around privileged access and client data, the company established a crack team to identify and implement a system which could provide a holistic solution and improve governance.
Reliable, Scalable and Cloud Ready PIM
In the enterprise space, clients generally operate on multiple platforms viz: Windows, UNIX, AIX and AS400, or several databases like Oracle and MS SQL. Further there are many networking devices viz: CISCO, Juniper, Nortel etc. The complexity increases when some systems are onsite and some are hosted with a service provider.
In an environment such as above, any solution should be highly reliable with flexibility to cut across platforms. Also for an MSP, reliability would mean a solution that is highly available and secured as they service several clients. While the PIM had to provide functions to mitigate risks highlighted above, it was essential that the solution was scalable as the complexity would only increase with more clients and more devices in future.
The architecture of the solution should be such that it could be rapidly deployed and being cloud ready could be of added advantage as a single implementation could be leveraged for several clients.
Currently, The ARCOS monitoring dashboard is being improvised to offer end-user analytics and identify rogue devices or user accounts in the data centre
Anil Bhandari Chief Mentor, ARCON
To address this issue, TCS implemented ARCOS, a Privileged Identity Management (PIM) solution from ARCON.
The system governs the access to the administrator user ids of all the client systems managed by TCS under the MSP business. The solution creates an arc around the client systems and manages the entire lifecycle of all privileged accounts which includes granting secured access based strictly on “need to know” and “need to do” basis. The access can be regulated based on criticality of the systems, time of the day, period of access, type of access and with many other control features. The entire access mechanism is based on approval workflow to ensure that requisite authorizations are taken from appropriate levels before any super user access is granted.
The entire session/activity of the user on client systems is recorded or tracked with his employee id. In the event of any untoward incident, whether intentional or unintentional, the system has the capability to alert and infact logs can be reviewed to establish accountability. This has significantly improved the entire governance process. In fact, the feature of live recording helps to monitor in real time all commands fired on a particular system, which are then tracked in the TCS Command & Control Centre in Mumbai, “With the password vault, we can change the password based on the policy set by the customer on a single click. If the customer policy states that there has to be a monthly change in passwords, with 15 character length password, the policy will be applied and the change will be made across the systems and all the users. The person implementing the new policy knows the policy, but not the password. There is a virtual vault, which activates dynamic password change and it also keeps the password secure. Whenever the engineer is logging in, he does not know what password is being used. This solution can manage passwords for thousands of systems/devices at the same time and that too with uncommon and strong passwords,” says Bhate.
This is a marked change from days where the passwords were manually changed for hundreds of servers, recorded on paper and stored in envelopes.
This solution can manage passwords for thousands of systems/devices at the same time and that too with uncommon and strong passwords
Nilesh Bhate, Head ICC Delivery, IT Infrastructure Services, TCS
Key Benefits of ARCOS
With ARCOS, the entire IT governance around the privileged access management is now automated, which has further created efficiencies in the data centre operations. The visibility on all systems and devices is better from an operational perspective and it also helps to mitigate risks from misuse of super user-ids and passwords. In fact, the logs of all administrator usage is now kept secured in a vault and can be used for forensics.
This solution has ready integration with several other leading solutions viz: Bio-Metrics, Hard Tokens etc for Dual Factor Authentication, SIEM (Security Information and Event Management System), Change Management Systems and GRC (Governance Risk and Compliance Solutions). This offers interoperability and better RoI across various security solutions.
ARCOS is a cloud based architecture, which can be managed centrally. “We have done some customizations in the cloud architecture to allow auditors of our clients to access certain logs. Further Privilege Identity Management as a service can now be offered from our Cloud Infrastructure ,” says Bhate.
Anil Bhandari, Chief Mentor, ARCON explains that currently the efforts are on to bring deeper integration in the system. The monitoring dashboard is being improvised to offer end-user analytics and identify rogue devices or user accounts in the data centre.