[CASE STUDY] AD&C builds trust for digital transformation with Delinea
Portuguese agency AD&C is responsible for coordinating over $50 billion of European funds within the country. It’s an important role that carries great responsibility. Funds support all types of economic development projects, such as transportation, training, and technology innovation. AD&C pays the funds, monitors execution, audits and certifies their payment, and communicates results to the European Commission.
Challenges
When Wilson came to AD&C in mid-2021, he was charged with managing the agency’s digital transformation process at several levels. His goal was to modernize the agency’s IT infrastructure and improve the user experience for the 230 agency employees and, more broadly, for the 350,000 Portuguese companies that receive agency funds. As part of this effort, AD&C has moved 100% to the cloud to support innovation and agility and doubled the staff responsible for IT transformation projects.
“It’s impossible to perform digital transformation in a non-secure environment,” says Wilson. “Success is all about digital trust — information security, transparency, privacy, and ethics.” To increase trust, Wilson and his team had to address several weaknesses in the agency’s security posture.
One concern was the number of unmanaged accounts, including domain admin accounts, scattered and duplicated across 88 Active Directory instances. “We needed to simplify user management and get a handle on the identities of our users and their credentials,” Wilson explains. He worried: “If we have one credential exposed, someone can log in with that credential, and then they’re inside, able to move laterally.
“It’s a quite complex organizational system. Similar to a bank, a lot of data circulates within this ecosystem that we have to protect.” - Wilson Lucas, Head of Digital Transformation, AD&C
AD&C also needed to address third-party risk. They rely on a network of consultants to support IT operations, including system administration, database administration, and code development. Previously, these third parties had broad, highly privileged access to critical systems. “They had a lot of special powers. They could change root access and lock us out. They could wipe out the entire infrastructure. The risk is you lose all your applications, all your servers, and that’s a place I would never like to be,” Wilson shares. AD&C had limited visibility and control over third parties, using only a jump box to manage remote access. The central IT team didn’t know which remote user had access to which systems and had no ability to set fine-grained controls to limit access.
AD&C knew they had to act when another public organization in Portugal with similar vulnerabilities was attacked. They didn’t want to be caught in the same situation.
“We needed a global view of all existing privileged access relating to domain and local accounts. We also needed a uniform solution for all partner companies to access servers with controls and monitoring of their sessions,” says Filipe Duarte, Senior System Engineer and Project Manager.
Solution
AD&C partnered with Delinea to reduce their attack surface, gain control over privileged accounts, and take a user-centric approach to technology. “We chose Delinea Secret Server because the quality of the solution was high, and the team was very engaged,” says Wilson. “They were willing to take the walk with me.”
Because of the size of AD&C, they needed to customize Secret Server’s folder structure, create lists, and categorize secrets so that each partner company had access only to the services it was authorized to use.
AD&C leveraged Secret Server’s Discovery to quickly identify and manage privileged accounts and users while seamlessly controlling access for partners that need to reach AD&C systems.
As AD&C consolidates their numerous Active Directory instances, they’re also reducing their privileged account attack surface. They’ve gained a clear understanding of identities and the privileged accounts associated with them.
In addition to an encrypted vault that centrally manages privileged accounts and credentials, Delinea’s session recording capabilities now provide Wilson and his team the ongoing visibility and oversight they were lacking. AD&C is also implementing remote access controls for third parties. Granular controls mean AD&C can define which systems consultants can access and what they can do with their privileges.
Results
“The experience with the platform was quite simple since the platform is very user-friendly and flexible,” explains Filipe.
Now, when they undergo Portuguese and European Commission audits, AD&C can demonstrate PAM policies, procedures, and technical controls that align with compliance requirements. By applying these security controls to internal staff and third parties, AD&C has also set the foundation for aligning with ISO standards, a major initiative for the organization.
“The message I tell my board is that we’re more secure than we were yesterday,” says Wilson. “I’m quite confident that we have the right product. It’s a mandatory solution. There is no other way.”