Klésia secures its administrator access through temporary virtual workstations

To enhance the security of privileged accounts, Klésia has chosen to deploy the IPdiva Cleanroom solution from French software editor Systancia. This temporary single-use work environment approach represents a break off from the initial project of deploying traditional bastion hosts.
Created by the fusion of two companies in 2012, the insurance company Klésia group is currently redesigning its information system. A large number of projects are running in parallel, especially since GDPR compliance has proven a challenge in combination with security optimization. In October 2017, a master plan for the information systems security was designed. Among the main topics, the management of privileged accounts was strongly highlighted. This included being able to accurately trace the actions of the notorious “privileged user”. Therefore, after an audit performed in spring 2018, it became clear that administrators’ accounts also needed to be better protected in order to prevent identity theft.
In February 2018, a call for tenders was issued to traditional bastion hosts market players. The final selection was scheduled for the end of spring. In the meantime, beside the security audit, an unrelated project led to choose a Systancia solution to virtualize workstations in order to solve a performance-related application issue. This led to a broader presentation of the editor’s solutions to the IT Systems Management. “At the beginning, during our preliminary market study, we had not identified Systancia as being able to meet our needs at all,” recalls Yann Renaud, head of the architecture, security and cross-functional projects departments at Klésia.

A temporary virtual workstation

The selection process ended with a short-list made of three vendors. Yann Renaud explains: “Systancia’s solution offers all the classic features of bastion hosts, which are always more or less the same. The difference, however, was precisely the Cleanroom element.” Systancia is indeed an editor that initially operated in the virtualization field, not in the security field. Its approach is therefore different compared to traditional editors. It involves working only with “sterile single-use tools” as indicated by the editor, in the same way as is practiced in the field of surgery.
IPdiva Cleanroom solution provides temporary virtual workstations, generated from reference OS images only when an administrator needs them. As soon as the administrator has finished, his virtual workstation is immediately destroyed. Each type of administration task or administrator profile (network administrator, application administrator, etc.) has a reference OS image. Of course, as with a classic bastion host, actions are recorded so that they can be replayed if an incident is detected. Passwords (e.g. to connect to databases) and encryption keys are managed in vaults with a SSO connection when a virtual workstation is generated. Real passwords are automatically reset and managed. Therefore, an attacker must not only be able to break into a well-protected workstation but, in addition, he can do it only for a very short time period, with the obligation to start from scratch for each hostile action and at an unpredictable time. Moreover, all actions carried out are recorded. Even if no security system will ever be perfect, Yann Renaud note: “the attack surface is significantly reduced”.

A very relevant licensing

Systancia’s solution is also used for external service providers who can perform remote maintenance by connecting to dedicated virtual workstations available for their profile via a web portal. In general, Klésia uses a lot of outsourcing. However, by definition, the means of outsourcing companies are not under Klésia’s control: it is up to each one to define how many people they need at a given time to fulfill their contractual obligations. “We cannot control the number of administrators who may work on our IS,” notes Yann Renaud.
Systancia’s solution do not work with named users but with simultaneous users. For Yann Renaud, “this may seem like a small detail… but, in our context, it is not!” The cost of the deployment was thus limited to a very reasonable range. Chosen at the end of the spring, the solution was installed immediately. “For the moment, we have been on a pilot project since September,” says Yann Renaud, who is delighted with the reactivity of the editor’s teams.

Some difficulties related to a perfectible maturity

Klésia is the first customer for the IPdiva Cleanroom packaged solution. However, this one is the result of the integration of several pre-existing blocks. Yann Renaud admits, “Obviously, we still have a maturity issue on our hands, especially since Systancia was not familiar with an architecture as complex as ours. But I am happy to help them to progress.” The solution has been set up on a dedicated infrastructure to prevent any problems. A challenge was to understand the exact role of each module, whose name is not explicit, in order to open the right network flows in firewalls.
The relationship between Systancia and Klésia being excellent, another project was launched at the same time. A heavy and complex legacy module to migrate is the reference directory, currently under Lotus Notes. This migration will be carried out using a Systancia solution by the end of the year. “We won’t just do a simple migration, but we’ll also do some additional work, which is why the deadline is so long,” says Yann Renaud. The migration will involve the implementation of automated processes for the arrival, departure and transfer of employees (life cycle management) with a trigger performed in HR Access by the HR department and a ticket performed in Service Now.

About Klésia

Klésia is a joint social protection group with two main business lines: life and health insurance and provident insurance, on the one hand, and complementary pension management (AGIRC-ARRCO), on the other hand. Unlike most mutual insurance companies, Klésia distributes its services mainly as collective contracts: the protection contract for a group of individuals is concluded by a single entity (for example, a company on behalf of its employees).
This group was created in 2012 by the merger of the Mornay group (very active in hotels, restaurants, pharmacies, etc.) and D&O (powerful in the transport sector) as well as several mutual insurance companies that have gradually joined the group. Klésia therefore includes multiple branches, some of which include the name of the group (Klésia Retraite Agirc, Klésia Retraite Arrco, Klésia Mut’…), others not (IPRIAC, CARCEPT…).

Essentially centralized IT

The central services are under the responsibility of AMK (Association de Moyens Klésia). Centralized IT: when a structure joins the group, its IT undergoes a convergence with that of Klésia, which begins with a migration to the infrastructures. The ISD-GP (ISD and Grands Programmes) has a total of 180 to 260 employees, permanent or service providers. The traditional workstation has already largely migrated to the cloud with the adoption of Office365.
The twenty-five Klésia sites connect to the group’s information system via an extranet. Clients and partners are passing via the Internet, of course. In both cases, the connection is made via a pair of “netcenters” located in the Paris region where security and some basic services are managed. These are connected by fibers dedicated to the datacenter pair for applications and data placed near Montpellier, in the south of France. Each pair is in active/active mode with a guaranteed physical security distance between the two server rooms.

An information system being currently redesigned

Datacenters use an SDx architecture with VMware technologies, while the storage uses Dell/EMC bays virtualized with Vplex. For the past two years, Klésia has been using the Nutanix hyperconvergence on some projects. Netcenters and datacenters are outsourced at IBM but the infrastructures belong to Klésia. Workstations and networks are outsourced at Consort NT.
Since 2012, the IS has first been built by merging the existing ones. As a result, there is still some mainframe left, but an ongoing evolution will base the IS on a distributed Unix architecture. Based on an integration by Sopra-Steria, Klésia is migrating its core IS to Active Infinite from Cegedim, which is currently being adapted to Klésia’s specific business needs, such as collective contracts.

Article written by Bertrand Lemaire, Editor-in-Chief at CIO France

Source: cio-online (in french)