Identity is the New Perimeter

As part of an extensive digitalization project, a retail company will be relying heavily on the Microsoft Azure Cloud in future. The aim is to gain broader access to technologies, establish more transparent cost structures within the company and become less dependent on local data centers. Due to different levels of knowledge within the company, a central cloud competence center is to be defined and established in order to empower individual teams and business units.

TEAL supports the customer in the coordination and overarching planning for the central competence center. The first step was to determine the needs of the internal customers and to ascertain their level of knowledge. Services must be established in order to automatically develop deployable infrastructure-as-code services, an internal consulting and onboarding team must be set up to ensure a secure and simple start in Azure and a connectivity team must be implemented for the standardization and operation of network services. All operational tasks must be largely automated and handed over to an external provider.

Together with the customer, TEAL developed an appropriate operating model including all associated processes and standards. These were tested, improved and introduced as part of a hypercar. Operational tasks were outsourced to an external service provider where possible and appropriate.

A leading global engineering service provider in the automotive industry turned to TEAL to consolidate and best secure an evolved Active Directory environment with two forests. The focus was on better integration of IT services and usability for the 6000 customer employees.

With the help of our assessment, we analyzed both forests for technical vulnerability or deviation from design recommendations. Requirements and goals were defined in workshops. The resulting packages of measures were prioritized by the customer and a roadmap for achieving the target was created.

TEAL supports the customer in securing and standardizing the Active Directory. Extensive information is also available in our blog series on the topic of (E)SAE.
Started approaches are consequently continued, which accelerate and optimize the implementation.

A customer in the healthcare industry was operating in a relatively inhomogeneous security infrastructure world, which led to two challenges:

1. The security setup is not optimal and

2. employees, IT services could only be provided with difficulty, resulting in inconsistent service usage.

Together with the customer, an analysis of the current situation was carried out and guard rails as well as requirements for a new IT infrastructure were defined. In the further course, TEAL developed several target architectures and evaluation criteria for a management decision.

The customer has several options and evaluation criteria to decide how to make the IT infrastructure secure and efficient in the future.

An internationally active development partner in the automotive industry for complex metal and hybrid structures with a large number of locations and more than 10,000 employees approached us to secure the complex and globally distributed infrastructure. In the course of security-relevant incidents in the said industry, TEAL was commissioned to check and secure the Active Directory infrastructure. TEAL was also commissioned to make preparations for the use of cloud services.

For this purpose, a detailed analysis of the customer’s security infrastructure was undertaken, risks were evaluated and weighted, and finally an action plan was proposed. TEAL was then commissioned to implement this plan. For this purpose, we designed a new security concept (TIER0), which we implemented with the customer in a cooperative atmosphere.

The security aspects of the customer infrastructure are thus conceptually re-implemented and secured, and at the same time prepared for the use of cloud services. This minimizes potential attack risks while at the same time future-proofing the core infrastructure.

The goal was to migrate the existing Groupwise infrastructure of a leading retail company (nearly 10,000 employees) with decentralized personal archives to Microsoft Exchange Online.

We supported the customer in project management as well as the selection of suitable technology partners, migration software and adaptation measures for end users. This also included establishing rollout support and integrating the local helpdesk.

The project we managed was already able to migrate 10,000 mailboxes within eight months. The migration of the personal archives to Exchange Online Archive also worked smoothly. In addition, an Office365 backup solution was introduced.

After in-depth online research, a government agency approached us to analyze and secure their existing Active Directory infrastructure for full protection against cybersecurity attacks.

Due to the ever-increasing security awareness factor in the media, the customer wanted to restructure in this area and stabilize the basic pillars of infrastructure and identity management through external expertise.

In order to work out a suitable solution, we first carried out a three-day assessment in the customer’s environment to find out how possible attackers could get into the company’s network and how the customer could ideally protect itself against this. This resulted in a roadmap with recommendations and concrete implementation measures to effectively increase infrastructure security.

In further steps, implementation packages were derived, structured and prioritized. These packages were then implemented together with the customer. This included both organizational and technical measures and individualized concepts, which were adapted on the basis of the customer’s environment and other circumstances.

First, we started by establishing the common SAE basics. These include both the tiering concept and the introduction of PAW systems combined with consistent account separation. Extensive info is also available in our blog series on (E)SAE.

In the future, we will use the Enforce Suite to achieve extensive and permanent system hardening of the infrastructure as well as compliance with established hardening standards such as BSI or CIS.

The goal was to harden and secure an existing Active Directory of an international company with 5,000 employees in the manufacturing industry according to SAE standards. In addition, PAWs were to be introduced for Tier 0 and Active Directory objects were to be assigned to the Tiers in order to implement all measures to make potential lateral movement more difficult.

In order to find a suitable solution, we first conducted a three-day assessment in the customer’s environment to determine how potential attackers could gain access to the company’s network and how the customer could effectively protect itself against them. The corresponding findings were then elaborated and evaluated by us. Our consultants were then able to implement these together with the operations team and carry out the process changes.

Meanwhile, the customer can administer its secured Active Directory structure through special secured PAWs (including multi-factor authentication) and has also established an encapsulated and hardened Tier0 environment.

In order to be able to provide IT services to the specialist areas of the international insurance group with 40,000 employees faster, the company’s internal IT service provider set themselves the objective to accelerate the request fulfilment process and to reduce the error rate. The inconsistent service descriptions as well as the multiple media inconsistencies were identified as the source of the problems, complicating the co-operation with the external service provider who were fulfilling the process. By introducing a digital request fulfilment platform, these problems were to be solved.

TEAL supported the introduction of the request fulfilment platform based on ServiceNow (SaaS) substantially. We created the requirements analysis, developed a data protection and security concept and led the project management as well as the operational rollout.

The lead times of the orders were reduced significantly thanks to the new request fulfilment platform. TEAL facilitated the successful integration of the SaaS order platform into the existing landscape. This was successfully established as one of the first cloud solutions of the entire group.

As part of a major strategy program, the international insurance group with 40,000 employees restructured its IT portfolio. In the course of the restructuring, open source operating systems were largely to be provided by the internal IT service provider for the first time. As the company was, up to the strategy program, heavily relying on Microsoft-based operating systems and software, the portfolio of the infrastructure services, their management systems and the application development tools and processes had to be expanded.

TEAL assisted the client in selecting the open source platform (RedHat Enterprise Linux and CentOS) as well as choosing suitable management systems (RedHat Satellite, GIT, Jenkins and RedHat Identity Manager). The platform was supplemented with a Docker runtime environment based on Docker Swarm. TEAL also supported the architecture’s creation, development and integration. Additionally, TEAL also provided the project manager.

The IT service provider is now also able to offer open source software solutions to departments based. Through skilful integration, many synergies with the existing  Microsoft systems and architectures could be used.

In order to be able to offer high-quality and cost-efficient IT services for its 15,000 employees worldwide, the Swiss industrial group launched a comprehensive modernisation program. The main objectives were to centralise IT operations and to implement a service-orientated operating structure. TEAL was given the task of consolidating and modernising the internal data centres. The data centres were to be designed as a private cloud infrastructure based on Microsoft virtualisation and management technologies to ensure maximum flexibility and cost efficiency.

TEAL accompanied the entire project from requirement analysis through design creation and implementation all the way through to acceptance. After it went live successfully, we temporarily controlled the operations team and supported service onboarding until the operation was successfully transferred to an offshore delivery centre.

Thanks to the co-operation with TEAL, the group was able to start productive operations of the private cloud within a few months. In the course of the co-operation, the client’s centralisation objectives were supported significantly through continuous expansion and improvement of the solutions.

A telecommunications service provider with 5,000 employees wanted to modernise its IT workplaces. This was to enable flexible working and offer employees an attractive working environment. At the same time, operating costs were to be reduced by consolidating the IT infrastructure to be able to continue to offer the companies service at a competitive price. To achieve these goals, cloud services were to be used increasingly.

TEAL assisted the company with their provider selection, architecture development for Office 365, data protection assessment as well as the change enablement process. This, in our experience, is indispensable for successful Office 365 projects.

By fundamentally renewing IT workplaces, the employees of the telecommunications service providers now work in a modern work environment that enables flexible and mobile working. The IT operating costs have been substantially reduced through the targeted use of cloud services.

The global pharmaceutical company with over 40,000 employees faced the challenge of modernising its SharePoint-based intranet system while reducing operating costs for the platform and the hosted third-party web applications. These goals were to be achieved by consolidating the platform into three modern private cloud data centres in Europe, the USA and Asia, as well as by outsourcing operations to the US and India.

TEAL supported the project in definition, validation and operations implementation of the business continuity processes based on NetApp Snap Manager and offering support with the introduction of measures to increase security. These measures involved a Privilege Access Management solution based on DELL TPAM in conjunction with RSA SecurID for two-factor authentication. Furthermore, the Windows systems were hardened using Microsoft Best Practices and special AppLocker guidelines.

By setting up and securing private cloud data centres, the basis for the managed intranet service could be successfully built up and put into operation. The intranet is now sustainable with a current Microsoft product stack and is used extensively by over 40,000 of their employees worldwide. The operations team in the USA and India ensures that the defined KPIs are met and user queries are resolved.

In order to increase the customer functionality of the largest IP TV solution in Germany with nearly 2 million customers even further, the provider decided to implement a new version of the Microsoft IP TV solution. Along with the new release, the basic infrastructure was to be extended, modernized and to be brought up to the current software version.

TEAL supported the modernisation of the infrastructure by upgrading the server operating systems as well as their management systems (system centre configuration, operations, and data protection manager) in several environments with a total of over 1,000 servers. Furthermore, a modern certificate infrastructure, secured by HSM modules, was implemented and transferred to operations.

Thanks to the comprehensive infrastructure modernisation project, the basis was created to operate the new version of the IP TV solution securely, steadily and at a high performance. After the successful launch of the new version, the provider was able to offer their customers mobile access for the first time as well as an enhanced video-on-demand platform with many new and enhanced features.

The development team of a public data centre operator in Austria couldn’t focus its full capacity on the development of new features and products because, with each new build, it had to carry out numerous manual steps until the packages were developed, tested and deployed. To resolve this drawback, an automated testing and deployment pipeline was to be implemented.

TEAL employees developed a standardised, fully automated and monitored build environment based on Red Hat RPM and augmented by the products of GitLAB, Jenkins and Mock. A distributed GIT instance stores and manages the source code which can be automatically compiled in the build environment by Jenkins at any time. Subsequently, MOCK processes create and check new RPM packages in a rule-based manner which can then be rolled out to the target systems via Satellite.

The client is now able to use the capabilities of its development team more efficiently to further develop business applications. At the same time, the number of errors was reduced thanks to the fully automated processes and test procedures and the deployment time for new releases was significantly reduced.

One of the leading manufacturers for commercial vehicles with more than 30,000 employees was faced with the challenge of implementing a comprehensive strategy program to realign its IT infrastructure and increase IT security. Protecting the Active Directory has a major impact on this increase in security. The corporation has a blueprint based on the Microsoft ESAE approach which it uses for this. The aim of the project was to adapt and implement this blueprint to the local circumstances.

TEAL supported manufacturer by analyzing the company blueprint, designing the target architecture and implementing the Secure Administration Environment (SAE). The solution consists of three Active Directory Forests for production (“Gold Forest”), administration (“Red Forest”) and the hypervisor (“Iron Forest”) with corresponding admin tiering. Each tier is protected by numerous measures such as 2-factor authentication, Privilege Administration Workstations (PAWs), Security Baseline GPOs and secure operating processes. This provides an exceptionally high level of protection against Pass the Hash and Pass the Ticket attacks.

The project has significantly increased the security level of all high-priority IT assets and has thus laid the foundation for further measures to increase IT security. Together with TEAL, the commercial vehicle manufacturer was not only able to implement the corporate blueprint, but also improve it. The SAE architecture has thus become a key element in the IT security of the entire corporation.

As part of a major strategy programme, the international insurance group with 40,000 employees restructured its IT portfolio. The goal was to improve co-operation among the group’s individual companies and to intensify the use of global services. These services were to be recreated centrally and operated as safely as possible. The first step was to be the development of a global authentication platform for both Kerberos-based and token-based services.

TEAL assisted the client in defining the architecture and implementation of this global authentication platform in two new co-located data centres. The authentication platform consists of an active directory architecture based on Microsoft’s Enhanced Security Administrative Environment (ESAE, you can find out more about this in our blog) for Kerberos-based services and an ADFS platform for token-based applications. Administrative rights are granted only temporarily by a Privileged Access Management (PAM) solution to minimise the risk of being attacked (and from subsequent consequences) due to stolen passwords. By almost exclusively using Windows Server 2016 Core, the points of attack were reduced further. Hereafter, the monitoring of the use of high privileges can be further improved by the complete integration in an SIEM system and the pairing of the distribution of rights to the change and incident tools.

Thanks to the new authentication platform based on ESAE, the foundation for the globally shared services has been laid. These systems can now be operated within a secure environment and made available to the end user.