PMI

How PMI obtained better visibility into who has access to critical information

PDF download

The Customer

Location: New York, USA

Industry: Manufacturing

Products: DatAdvantage for Windows, DatAdvantage for SharePoint

Philip Morris International, or “PMI” in short, is the leading international tobacco company, with products sold in approximately 180 countries.

What we have now is unprecedented visibility into who has access to which information.

– Jan Billiet, Director of IS Security and Risk Management

The Challenge

PMI wanted global visibility and easier access to the growing amount of access control information replicating within and across Active Directory, SharePoint, and file server installations. PMI recognized that tools available prior to this program were not satisfactory and that a proper solution had to be found to complement its global identity management system which primarily deals with protection of structured information. The company did not just want to install software – it wanted to implement a strategic solution with well-defined use cases, documentation and service level agreements.

Evaluation Parameters

PMI created a plan to move away from their legacy systems and practices for reviewing group and individual access to selected data sets. Their plan involves implementing a more systematic approach to appointing data owners and engaging them more efficiently in entitlement reviews.

Jan Billiet, Director of IS Security and Risk Management, explains, “Overall we realized that available solutions, either packaged or custom developed, were not sufficient in helping us with the review of access permissions in Active Directory and file servers. And they could not keep up with the growth of the data and the complexity of these access permissions.”

The Solution

To this end, PMI initiated a program which it calls EPICS (Enhanced Protection of Important Information and Collaboration Systems). EPICS uses Varonis software to provide an overview of all user access control information maintained in Active Directory.

PMI also installed DatAdvantage for SharePoint and DatAdvantage for Windows, as part of a strategy to achieve overall visibility across the company of who has access to what information on Active Directory, SharePoint and file servers. A centralised solution was planned and built around use cases which PMI drew up during the planning stage. Examples of use cases implemented include:

  • Identifying which objects (e.g. shared folders) relating to important company
  • information should be subject to scheduled reporting and/or ongoing
  • monitoring
  • Reviewing group memberships, e.g. for Active Directory groups granting
  • Server Administrator privileges
  • Reviewing file server permissions
  • Reviewing sFTP permissions
  • Removing inactive accounts
  • Reviewing user activity on file servers
  • Verifying segregation of duties within IT functions
  • Reviewing accounts not managed by the company’s identity management system
  • Requesting ad hoc reports

The company wanted to support in a standardized way execution of Active Directory and file server related base-line security controls, while being able to move away from legacy tools and practices around review of group or individual access to selected data sets so as to more systematically appoint data owners and engage them efficiently in such reviews. It was also important to implement a system that could provide over time the capability to extend the reporting and monitoring of access control permissions with technology for more centralized access control administration and coordination of entitlement reviews.

The EPICS infrastructure and service covers access control information of more than 50,000 users in 48 countries, 2+ million Active Directory relationships, and 7 million folders in SharePoint and file servers spread over 80+ servers in Europe, Asia and Latin America. The deployment of DatAdvantage took approximately one year, in line with project goals. Since the release of the EPICS service, 20,000 reports are generated for the company’s 50+ information security personnel giving them regular and detailed information about how access control list information is defined, maintained and reviewed. The company continues to make progress in developing EPICS, for example through development of new use cases.

Next steps include a pilot of Varonis’ DataPrivilege solution to manage better entitlement reviews, automate data owner involvement in the authorisation process and further ensure that data owners and service providers adhere to corporate requirements.

Business Benefits

Global visibility of Active Directory, file server and SharePoint permissions from a single in frastructure

EPICS uses Varonis software—DatAdvantage for SharePoint and DatAdvantage for Windows—as part of its strategy to enhance overall visibility across the company of who has access to what information on Active Directory, SharePoint and file servers.

Quantify access control challenges and drive initiatives around “Active Directory hygiene”

Using the forensic capabilities of DatAdvantage allows the IT team to trace files that have disappeared from certain locations or are being created without the group leader’s approval.

Identify and remediate excessive privileged access to servers

The metadata intelligence collected by Varonis DatAdvantage enables PMI to investigate permission administration inconsistencies, engage data owners more in the review of access to important company information, and increase opportunities for access control automation.