German IT Services Firm Improves Cybersecurity Productivity by 25% With CyberArk

Summary

By using a CyberArk Identity Security Platform, SaaS service provider Matrix42 improved security management by 25%, achieved time-to-value in six weeks, and reduced the number of privileged accounts by 20% while strengthening security, without impeding user productivity. Furthermore, the CyberArk solution is an important step toward the company’s goal of delivering an identity-centric security strategy.

Company profile

Matrix42 is a developer of workspace management software for small, medium, and large-sized enterprises and corporations. The company’s centralized and automated platform and SaaS solutions support workspaces across aggregated physical, virtual, and mobile environments. Matrix42 automates processes, license management and support functionalities, enabling clients to improve IT department efficiency. The company is headquartered in Frankfurt, Germany, and serves customers in Germany, Europe and worldwide.

Employees: 400

Challenges

90,000 national and international students at one of Europe’s oldest universities, the University of Vienna, rely on IT applications and services to improve learning. The university is one of 5,000 organizations and businesses, and millions of individuals that use digital solutions from Matrix42, a Germany-based IT services firm, to automate and streamline workspace operations. Because its products and services underpin many mission-critical internet and cloud systems, Matrix42 has made identity protection a key objective of its cybersecurity strategy.

“Identity-centric security is important because many organizations are moving from on-premises to the cloud, which in turn, proliferates the number of credentials and privileges that need to be protected,” said Thomas Langholz, Director, Information Security at Matrix42. “Before, we protected IT assets and had a security perimeter to protect information. But information is now processed in many different places and the simplest, most cost-effective and most impactful way of protecting it is securing digital identities that have access to the system. I do not care about laptops, phones and tablets or location. What is important are the identities that access services and their privileges.”

Matrix42, based in Frankfurt, Germany, provides SaaS products and services to enable customers to improve and streamline IT operations. Many of these products and services are delivered via new environments like PaaS and the cloud-based services and are constantly threatened by cyber attacks. For this reason, the business has developed a robust cybersecurity position. Its main SaaS application runs on Azure and benefits from Azure security tools and SOC operation. Nevertheless, the business needed a higher standard for safeguarding privileged identities including unalterable auditing capabilities. The company had a password manager to share accounts and passwords, but the governance of privileged access was overly complex, time consuming and costly.

The company has a large number of developers and engineers who have local administrator access to their endpoints for testing and quality assurance, which need to be controlled and protected. “Matrix42 needed to increase security around local privileged accounts and remove permanent access to them,” shared Langholz. “We have engineers producing software and managing our SaaS operations and lots of privileged identities, but handling those privileged accounts was very challenging. It was a slow, manual, and expensive process. We needed to improve it without blocking developers from working efficiently.”

CyberArk was chosen because it was the best product to support SaaS environments. Matrix42 has a hybrid IT infrastructure comprising on-premises, internal systems in a small data center along with a cloud environment hosted on Azure for its SaaS customer solutions. The company also selected CyberArk because of its high performance, flexibility, and support for multiple technologies.

“It is important for our engineers to have a native experience,” explained Langholz. “And that is not always the case with IT products and services. If we put something like a security tool into the access process, it can hinder performance. A one-second delay does not sound like much, but it can drive developers crazy. That is why it is critical to have a partner like CyberArk with solutions that are close to native experiences.”

Solutions

Helping Matrix42 address privileged access is a CyberArk Identity Security Platform comprising CyberArk Privilege Cloud and CyberArk Endpoint Privilege Manager (EPM). Matrix42 started deployment with important privileged accounts used by IT and developers to access customer services and applications. The first phase of deployment also included admin support and analyst users, with less technical knowledge than a developer, who need occasional access and use CyberArk for a seamless experience. As an example of flexibility, Matrix42 uses CyberArk with both its on-premises and Azure cloud environments.

Before fully deploying CyberArk EPM, Matrix42 used it to audit activity and assess what applications needed elevated privileges across its workstations. Department managers could not request access accurately because they did not have a clear view of what staff needed. One user claimed they had to use an application with elevated privileges 20 times a day when in fact it was only once a week. CyberArk EPM was used to gain visibility and create policies to reduce and manage the use of privileges on the endpoints. “We used CyberArk EPM to create an application allowlist upfront and thus give users access to those applications without them being local administrators on their machines,” explained Langholz. “CyberArk EPM created the seamless experience of having local admin access without actually giving it.”

Langholz also mentioned that when CyberArk EPM was first deployed, it uncovered a lot of excessive privileges that were problematic and once the privileges were removed, there was pushback from users who were saying CyberArk EPM should be switched off. But it was very clear that CyberArk EPM wasn’t the issue. “Because CyberArk EPM shone a light on what we had been doing, it helped us to correct and to enforce change management. Also, we learned pretty quickly how to fine tune the policy enforcement to completely remove the user friction, and now we have best of all worlds – complete visibility, greater control and security, and a great user experience.”

To help improve staff productivity, Matrix42 does not impose strict rules on laptop use. We have put CyberArk EPM on all of its 380 endpoints to maintain this policy while also improving security. Deployment of the CyberArk solution was supported by local CyberArk business partner, Priomni AG.

Results

“At Matrix42, CyberArk improves privileged access management (PAM) and is an important part of the company’s journey towards an identity-centric security posture. Matrix42 needs to fulfill its business operations securely and CyberArk helps do that efficiently. Our customers expect professional, high-quality privileged access management. Before, we spent ages explaining the actions and processes used, now we just say we use CyberArk, and it is a two-minute discussion.”

– Thomas Langholz, Director, Information Security at Matrix42

With CyberArk, Matrix42 has realized multiple costs, resource, and time improvements. CyberArk has cut time and effort managing privileged access across the hybrid infrastructure and workstations, reducing security risks by at least 25% because governance is automated, access is transparent, and time spent setting up policies is minimized. CyberArk allows the company to share privileged accounts without reducing security, which was challenging for Matrix42 before. This means the company has reduced the number of privileged accounts and the local administrator accounts by as much as 20% with more reductions to come. With CyberArk being a SaaS solution, it saves Matrix42 significant time and money because the company does not need to invest in on-premises data center and infrastructure resources.

CyberArk time-to-value – for standard, security-related use cases such as securing Windows and Linux systems – takes just four to six weeks. Part of that achievement was due to working with CyberArk to run a proof of concept in a live environment versus a test lab, to understand how CyberArk performed in a real situation.

“Improving cybersecurity and advancing towards an identity-centric security strategy is not about solving technical issues. It is about understanding pain points and how to create value and best outcomes,” explained Langholz. “In my experience, CyberArk strives and succeeds to deliver that, and it helps us understand and deal with those challenges.”

Key benefits

• Reduces risk and makes security control efficient
• Achieves time to value in six weeks
• Delivers a 25% productivity improvement managing privileges
• Reduces the number of privileged accounts and local administrator accounts by 20%
• Avoids investing in costly data center and infrastructure resources