Protection from within: Gulf Air opts for privileged access management
Solution designed to prevent the company from falling victim to data loss through an insider threat.
Over the past few years, Gulf Air has built a sophisticated ICT infrastructure to host over 100 applications with more than 100 terabytes of business data that go through around 250 servers, both physical and virtual. Through its infrastructure, the global airline processes millions of online financial transactions monthly, with an estimated monetary value in the realm of tens of millions of Bahraini Dinars annually.
The data and information stored on Gulf Air servers and within business applications are arguably some of the company’s most valuable assets, meaning that every precaution is being taken by the company to protect its information from loss or unauthorised access. This is a particularly pressing matter in an age when every month brings news of a major company being hacked or breached. For an airline, security risks are paramount: failure to safeguard data confidentiality, integrity and accessibility could risk disrupted operations as well as reputational damage from the public disclosure of confidential and sensitive company information.
And while Gulf Air has taken many precautions to ensure high levels of security from the outside (it is now in its fourth year of having the ISO 27001 certification), the company recently decided that it needed assurance that its information couldn’t be compromised from the inside, either.
Currently, Gulf Air’s datacentre (made up of a hybrid cloud infrastructure) manages a large number of servers, databases, applications and network devices requiring privileged administrative access and password management. Previously, reviews and approvals for user access and privileges were controlled using e-mails and Modification Requests (tickets, essentially). However, this manual approach had several limitations and eventually weakened the manageability of privileged access control, leading to risks related to insider threats. This risk was detailed in a number of security reviews and audits conducted by Gulf Air.
Indeed, Gulf Air found that the complexity and variety of its technology solutions were becoming difficult to manage and could potentially jeopardise service availability and impact airline operations. As part of change management, the detailed changes applied to systems were not recorded or captured. What’s more, in the case of system failures, it was becoming difficult to troubleshoot the issue because no tools were available to track the changes applied. As a result, human mistakes or deviations from the approved change requests were difficult to identify and flag.
“We have managed the external threats, the malware, the external devices, and we have so many points on security that we have to handle. But one of the major ones, obviously, becomes your internal threats, although we have not encountered any major ones, but it was important to prevent that,” explains Dr Jassim Haji, director of IT at Gulf Air.
“One mistake that most organisations do is wait for an insider to misuse the privilege and the access. So what we did was say that it’s an obvious point, although we have people who we can say we trust and we’ve had no incidents. But that does not discount it, so we wanted a privileged access management solution, where we could record it, review it with somebody who is independent, and make the guys well aware of it.”
Administrator and super-user accounts are extremely powerful, allowing a privileged user to log on anonymously and have complete control over the target system, with full access to all information and infrastructure. In addition, third-party vendors also require privileged access to deliver and support their solutions. The challenge in managing these types of internal and external users is how to ensure that they are given the right access required to undertake their authorised responsibilities.
Gulf Air’s target, then, was to implement a solution that would provide automated access control for the critical systems, as well as a solution that could monitor activity once users are logged in, so that audits can be conducted in the event of an incident.