TOP US Retail Corp

Securing Global Infrastructure

Background & Challenge

As a global company managing 1,000 users, over 12,000 managed target devices, and over 1,000 managed applications, Global Retail Corp faced complex identity and access management hurdles. Device administrator accounts were in the hands of each team, password change policies were not implemented properly, and there were high-risk accounts that had not changed their passwords for a long time. Furthermore, outsourced developers used personal accounts for operations, and permissions were scattered across various systems, making management difficult.

Global Retail Corp's existing security tools were fragmented. They originally used CyberArk to handle SSO and password modification for their infrastructure, but due to the high cost of CyberArk's customized plug-in services, it was not enough to cover all of their assets. At the same time, HashiCorp Vault was used to manage application credentials in DevOps. Because CyberArk and HashiCorp were two independent solutions, Global Retail Corp suffered from password synchronization problems between them. Additionally, HashiCorp Vault could not be sold in China and did not support password changes for databases, which forced applications to reboot whenever a database password was changed. These gaps made it difficult to meet the regulatory requirements mandated by their US Headquarters.

Solution

To resolve these issues, Global Retail Corp implemented RankEZ's Multi Data Center Centralized Management deployment scenario to establish unified login, auditing, and access control. The RankEZ deployment provided the following solutions:

  • Unified Account Management: RankEZ separated personal accounts from operation accounts, establishing unified approval, creation, and authorization processes. It automatically and regularly changes the passwords for all operation and maintenance accounts.

  • Comprehensive Integration: RankEZ successfully integrated more than 30 operation tools to achieve Privileged SSO across the environment.

  • Seamless HashiCorp Replacement: Global Retail Corp replaced HashiCorp Vault with RankEZ's Credential Provider without needing to change any application code. The transition simply required changing the address in the application YAML file from the HashiCorp Vault IP address to the RankEZ Credential Provider address and using a dual account model for service accounts to ensure a seamless switch to the new platform.

  • Advanced Database and DevOps Controls: The solution introduced HTML5 Access, batch commands for the DevOps team, and PSM for Database in Web (SQL Auditing).

Benefit

  • Enhanced Developer Controls: RankEZ provides database control for developers that ensures they access data in the right way, avoiding mistakes like dropping tables accidentally. It also enables SQL Auditing with notifications sent to related stakeholders when policies are violated.

  • More User-Friendly Experience: Users benefit from a web terminal, session collaboration, and faster connection speeds.

  • High Efficiency: The DevOps team can now utilize batch commands to achieve high efficiency.

  • Solid, Localized Support: RankEZ provided a faster response time by locating R&D resources locally and actively listening to customer requirements.

Quote

"We originally wanted to use CyberArk for the SSO and password modification of the infrastructure, but due to the high cost of CyberArk's customized plug-in services, CyberArk was not enough to cover all assets. Switching to RankEZ offered seamless HashiCorp Vault integration and solved the password synchronization problems we had between our disparate systems. It is a far more user-friendly experience that gives us advanced database control for our developers and solid, highly responsive support."
