Improve protection and customer confidence across multiple sites

Saunderson House is an independent wealth management firm that for over fifty years has been providing a comprehensive financial planning and investment management service to high-net worth individuals, charities and trusts. Security at Saunderson House has always been considered an absolute priority. One of several regular audits highlighted the need to review management and access to privileged accounts as part of a long term strategy to ensure continuing security for the company and its customers.

The Infrastructure Team had already implemented a system of managing elevated accounts, but could see that over time, with the business growing, they would need a comprehensive Privileged Access Management solution. With an expanding infrastructure comprising well over 100 servers distributed across 2 data centres, they identified the need for rigorous control of privileged credentials, detailed audit trails of access activity, and an intuitive model for securely managing different levels of specialist skills across a growing team.

“From the beginning it was clear we wanted a vendor that would work with us as a partner to plan and implement our long term strategy,” said Dave Pritt, IT Infrastructure Manager. “ We knew that privileged access was central to Saunderson House’s security. Our vision was to have not just an excellent PAM solution ensuring the day to day security of the business, but also to have a PAM capability at the centre of our universe that could easily integrate with the other key components of our infrastructure. ”Several PAM suppliers and solutions including Osirium PAM were evaluated, and a comprehensive Proof of Concept programme established. The essential POC criteria for determining ‘fitness for purpose’ were simplicity of setup and management, security of credentials, granular audit functionality, and ease of integration with the infrastructure and VM environment. Additionally, a consultative engagement model was seen as key.

"Working with the Osirium team we had Osirium PAM up and running in under a day,” explained Dave Pritt. “We were able to use the intuitive controls straight away and start testing Osirium PAM against our selected criteria. The other PAM solutions took over 3 days to get to a basic working state, and even then we found them overly complex by comparison. ”On the basis of the successful POC and Osirium’s collaborative approach, Osirium PAM was then selected as Saunderson House’s PAM solution. The core focus has been on implementing internal access controls. With credentials never revealed to users the Infrastructure Team is able to ensure there is no inadvertent sharing of passwords with potential security consequences. Likewise, Osirium PAM’s ‘identity in, role out’ model addresses the challenge of varying levels of expertise in the team: users are only allowed access to the parts of the infrastructure they are identified as approved to manage.

"users are only allowed access to the parts of the infrastructure they are identified as approved to manage"

To maintain the highest levels of security but also drive efficiencies, Saunderson House has made considerable use of Osirium’s task automation capabilities. The facility allows tasks requiring privileged access to be automated and delegated to less experienced staff with no credentials exposed. At the same time, Osirium PAM’s auditing function keeps detailed records of who accessed which system, when, and to carry out which activities.

One particularly innovative approach implemented by Saunderson House has been using Osirium PAM as a central hub for securely managing credentials across the whole IT environment. For example, AppViewX’s Cert+ system had been selected for certificate management and distribution. “We wanted to be sure our certificate distribution had secure access with high levels of privilege to update certificates,” explained Dave Pritt. “We set out the challenge and AppViewX and Osirium both shared the collaborative approach we needed. We defined a POC, with emphasis again on simplicity of integration. ”The integration was successful and thorough. Cert+ securely connects with Osirium PAM to retrieve credentials to access the required devices, and establishes the connection before performing its credential certificate management tasks. Cert+ users never have access to those credentials, so they are protected from potential exposure to phishing or other attacks.

Saunderson House has seen benefits from the partnership with Osirium on multiple fronts. “Ease of use stands out a key factor,” said Dave Pritt. “Osirium’s task automation allows vital processes to be automated and delegated without compromising security. Additionally, the local support and flexibility of approach have delivered real value, such as the willingness to collaborate with other vendors like AppViewX to deliver the solution we need.”

Benefits extend beyond the IT department to the overall business. As a closely regulated provider of financial services, Saunderson House takes part in a comprehensive peer review auditing programme. A scoring system based on completeness of security posture ranks Saunderson House against peer organisations. Already in the top quartile, the company’s innovative approach to raising the security bar with Osirium has seen them consistently and steadily raising their relative score.

With firm foundations in place Saunderson House is now looking at future phases of Osirium deployment, including further integration with other systems across the infrastructure. “It has been and continues to be a real partnership,” concluded Dave Pritt. “We’re passionate about security and, seeing that being matched by the Osirium team, we’re confident we can continue to deliver the levels of security we, our internal users and our customers need.”

Osirium’s task automation allows vital processes to be automated and delegated without compromising security