Protecting Third-Party Access to Critical Systems

The University of Reading is one of the leading universities in the UK (ranked in the top 30 UK universities in world rankings). With over 18,000 students and 4,500 staff spread over three campus locations, a relatively small team of about 20 is responsible for keeping all student and infrastructure systems running and secure. They manage on-premises data centres, networks, cloud services in Azure, telephony, Microsoft 365 and more.

Many business systems are supported externally by vendors/partners. The University used to grant access to these suppliers via Virtual Private Network (VPN) connections, but that didn’t provide visibility and control over who could access which systems and what they did while connected.

When Kevin Mortimer, Head of Operations, Digital Technology Services Department, joined the University in 2017, he prioritised getting control over vendor access.

Mortimer had the experience of privileged access management (PAM) at a previous employer. He set out to find a PAM solution that would be easy to adopt and manage for the University’s complex infrastructure.

As we were introducing PAM for the first time, we wanted to ensure it would be straightforward to implement and use as possible. There are bigger brands in the market, but they are considerably more complex and expensive. From a capability and cost point of view, Osirium came top of the contenders.

After reviewing several vendors offerings, he quickly focused on Osirium PAM. “As we were introducing PAM for the first time, we wanted to ensure it would be straightforward to implement and use as possible. There are bigger brands in the market, but they are considerably more complex and expensive. From a capability and cost point of view, Osirium came top of the contenders.” says Mortimer.

Implementation started with a small set of vendors onboarded with PAM and then expanded usage. That’s a typical deployment pattern with Osirium PAM and an excellent way to show early benefits without large, all-encompassing projects. Now, almost all vendors can only access systems via PAM.

Administrator accounts on the target systems and devices are protected because the vendor never has direct access and can never discover the administrator credentials. Access can also be granted for specific periods, for example, only during working or non-working hours. Occasionally, access may be set up for a vendor for a short period around a specific project, for instance, during a recent upgrade to the campus CCTV system.

Since adopting Osirium PAM, whenever any issues were found, the University worked closely with the Osirium support team have been able to do everything they wanted to do, and now PAM “just ticks over and we have one less treat actor to focus on.”

Almost all suppliers now use Osirium PAM, and the University has complete visibility into who from the vendor accesses their systems. Using the Osirium PAM MAP server, they can also control which applications are used. As sessions are recorded, the University has a complete record of exactly what the vendor did while connected, if they ever need to investigate an incident. “PAM is like an insurance policy you hope to never need to use in that regard,” says Mortimer.

For vendors, there’s nothing to install locally, and, if appropriate, they can let multiple staff members share access to the account on the university system.

Looking forward, endpoint management is becoming a priority. Many professional and academic staff want local admin rights to install and run their applications, but that opens a potential entry point for attackers. The University is interested in Osirium Privileged Endpoint Management (PEM), which allows approved applications to run with elevated privileges without local admin rights.