Métropole du Grand Nancy deploys a PAM solution for its third-party providers

Success story produced by Le MagIT

Métropole du Grand Nancy

  • 260 000 residents
  • Local authority
  • Public sector
  • Nancy
  • National

Half a day — that is all it took for the Métropole du Grand Nancy to deploy the PAM (Privileged Access Management) software designed to secure access for its third-party providers.

Alban Coujard, CISO of the local authority — a metropolis of 260,000 inhabitants — explains the initial need that drove him to launch this fast-track project: "We are a shared IT department serving 20 municipalities and 8 additional entities such as the Nancy Opera House, for example. Our challenge is to ensure optimal cybersecurity while dealing with a vast range of operational needs. We have IT, OT, strong mobility requirements, and local authorities of very different sizes. Some have more than 2,500 staff, others have just one."

The IT department must deliver cybersecurity commensurate with the stakes while complying with regulations such as GDPR and the ANSSI General Security Framework (RGS), and preparing for NIS2, with no dedicated cybersecurity role other than the CISO's own position.


Remote maintenance: a proven cyber risk

When Alban Coujard joined the Metropolis, he succeeded in joining the Cybersecurity Pathway of ANSSI's France Relance Cyber plan: "I audited the entire IS, drew up an action plan, and we chose to focus on one essential point: privileged access management, and in particular remote access. We considered it crucial to put a PAM system in place."

Given that compromise via third-party access is relatively common, the CISO chose to focus initially on the external access of remote maintenance operators and third-party providers: "There were two reasons for this. These are the accesses we control the least, but it also had to prove to our internal infrastructure teams that a bastion was not necessarily an added constraint, and could even become an enabler."

Drawing on ANSSI guides for the secure administration of IS, based on Active Directory, the CISO wanted to apply new confidentiality and traceability functions to these privileged accounts, while prioritising simplicity.

"I don't have the luxury of a dedicated cyber team, it is the infrastructure engineers and network teams who take on the cybersecurity engineer role on top of their daily tasks. We could not afford to add extra constraints," he explains. Beyond simplified administration, the solution also needed to be easy to access for the third-party providers required to use it to reach their administration tools.

From that point on, "3 keywords guided the choice of solution: firstly, PROVE IT by Rubycat appeared to us as the simplest of all the solutions we evaluated. The simplest in terms of day-to-day operation and use. On the effectiveness side, we have major security needs, but it is worth noting that in many cases of compromise, the attacker got through because the bastion was insufficiently hardened, insufficiently secured, and access accounts were not secure enough."

On this front, the 2023 renewal of the solution's ANSSI CSPN certification (security visa) reassured the CISO. But that did not prevent the IT team from thoroughly assessing the solution's security level: "I am fortunate to have in my team an infrastructure engineer who is highly skilled in Linux. He produces custom Linux master builds following ANSSI recommendations. Unfortunately, when you integrate an application on Linux, you are often forced to deconstruct those recommendations to make the applications work. I asked our expert to audit the PROVE IT solution, and his verdict was that all of the Agency's recommendations were properly respected by the solution."
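The audit described above compares an appliance's configuration with ANSSI's GNU/Linux hardening guide. As an added example (not code from the article, from Rubycat or from the Grand Nancy team), the script below checks a `sysctl -a` dump against a handful of the kernel settings that guide lists. The selection of keys is mine and the values are assumed to match the guide edition you follow; the sample output is constructed to show two deviations.

```python
"""Check kernel sysctl values against a subset of ANSSI-BP-028 recommendations.

Added example, not part of the original article or of the PROVE IT product.
The expected values are assumed to match ANSSI's GNU/Linux configuration
guide; verify them against the edition you apply before relying on them.
"""

import subprocess

# Subset of the guide's sysctl recommendations (assumption: values as published).
EXPECTED = {
    "kernel.kptr_restrict": "2",       # hide kernel pointers from unprivileged users
    "kernel.dmesg_restrict": "1",      # restrict dmesg to CAP_SYSLOG
    "kernel.randomize_va_space": "2",  # full ASLR
    "kernel.sysrq": "0",               # disable magic SysRq
    "fs.suid_dumpable": "0",           # no core dumps of setuid binaries
    "fs.protected_symlinks": "1",      # symlink following restrictions in sticky dirs
    "fs.protected_hardlinks": "1",     # hardlink creation restrictions
    "net.ipv4.ip_forward": "0",        # a bastion is not a router
}


def parse_sysctl(text):
    """Parse `sysctl -a` style output ("key = value") into a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit_sysctl(text, expected=EXPECTED):
    """Return {key: (expected, actual)} for every recommendation not met.

    A key absent from the output is reported with actual=None so that a
    missing setting is never mistaken for a compliant one.
    """
    actual = parse_sysctl(text)
    findings = {}
    for key, want in expected.items():
        got = actual.get(key)
        if got != want:
            findings[key] = (want, got)
    return findings


def audit_live_host():
    """Run the same check against the local host (Linux only, needs sysctl)."""
    out = subprocess.run(["sysctl", "-a"], capture_output=True,
                         text=True, check=False).stdout
    return audit_sysctl(out)


# Constructed sample: a host that left kernel pointers readable and forwarding on.
SAMPLE = """\
kernel.kptr_restrict = 0
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 2
kernel.sysrq = 0
fs.suid_dumpable = 0
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
"""

if __name__ == "__main__":
    for key, (want, got) in audit_sysctl(SAMPLE).items():
        print(f"{key}: expected {want}, found {got}")
```

Run against a real appliance with `audit_live_host()`; an empty result means every listed setting is at its recommended value, which is the property the Metropolis's engineer was checking for.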


A deployment completed in half a day

Rubycat's PAM sits behind the existing VPN: every third-party provider must first connect to the VPN, then to the bastion, which unlocks their access to the target systems. The VPN already enforces multi-factor authentication (MFA), which validates the Grand Nancy Metropolis's architecture choice, since NIS2 is set to make MFA mandatory for third-party provider access.
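The architecture above only holds if the bastion really is the sole path to administrative interfaces. As an added example (not code from the article or from PROVE IT), the script below runs that check over network flow records: a VPN client that talks to anything other than the bastion, or an admin port on the management network reached from anywhere but the bastion, is flagged. The addresses, ports and log format are assumptions for illustration, and the records are constructed, not real traffic.

```python
"""Flag administrative connections that bypass the PAM bastion.

Added example; not code from the article, from Rubycat or from the Metropolis.
Topology below (bastion address, VPN pool, management network) is assumed.
"""

import ipaddress

BASTION = ipaddress.ip_address("10.10.0.5")        # assumed bastion address
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # assumed third-party VPN client pool
MGMT_NET = ipaddress.ip_network("10.50.0.0/16")    # assumed management VLAN (hypervisors, switches)
ADMIN_PORTS = {22, 443, 3389, 5900}                # SSH, web consoles, RDP, VNC


def parse_flow(line):
    """Parse one constructed flow record: 'ts src:port -> dst:port proto'."""
    ts, src, _, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport), "proto": proto}


def classify(flow):
    """Return a violation label, or None for flows that follow the intended path.

    Rule 1: a third-party VPN client may only talk to the bastion.
    Rule 2: an admin port on the management network may only be reached from
            the bastion (the target state once internal admins are migrated too).
    """
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if src in VPN_POOL and dst != BASTION:
        return "vpn-client-bypassed-bastion"
    if dst in MGMT_NET and dport in ADMIN_PORTS and src != BASTION:
        return "admin-access-not-from-bastion"
    return None


def find_bypasses(lines):
    """Apply classify() to each record; return (ts, src, dst, dport, label) hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        f = parse_flow(line)
        label = classify(f)
        if label:
            hits.append((f["ts"], str(f["src"]), str(f["dst"]), f["dport"], label))
    return hits


# Constructed records (not real traffic).
SAMPLE_FLOWS = """
2024-03-26T08:01:10 10.200.0.17:51234 -> 10.10.0.5:443 tcp
2024-03-26T08:01:12 10.10.0.5:40012 -> 10.50.1.20:443 tcp
2024-03-26T08:03:41 10.200.0.23:51311 -> 10.50.1.20:443 tcp
2024-03-26T08:05:02 10.20.3.44:60001 -> 10.50.2.9:22 tcp
2024-03-26T08:06:30 10.20.3.44:60002 -> 10.50.2.9:80 tcp
""".splitlines()

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_FLOWS):
        print(hit)
```

In the sample, the provider at 10.200.0.17 correctly goes through the bastion, which then opens the vSphere-style web console; the provider at 10.200.0.23 reaches the console directly and is flagged, as is an internal workstation opening SSH to a management host without the bastion. Feeding the same rules with the firewall's flow export turns the "everyone goes through the bastion" policy into something that can be measured during the migration rather than assumed.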

Likewise, the self-service password management feature was retained: "The providers were already used to it and we did not need to make any changes at that level," adds the CISO. Another technical point that tipped the scales in favour of the Rennes-based vendor's solution was PROVE IT's ability to integrate the web consoles of the many network solutions deployed within the IS: "Many network infrastructures and VMware platforms are now administered via web consoles. The goal was not to deploy a bastion and then have to add a remote maintenance gateway behind it every time, but to genuinely use the bastion for its web consoles. Few solutions actually do this."

To confirm that the solution was fully compatible with the existing infrastructure, and so that a successful proof of concept would not have to be rebuilt for production, the PoC was run under real conditions. PROVE IT was deployed in just half a day: "We were in a very complex period with a datacenter migration and a storage system replacement. We could not afford to do the work twice. We needed a clean PoC that met ANSSI criteria."

For the CISO, the objectives of this rapid deployment were fully achieved: "In half a day, we improved our security, simplified life for our teams and our providers, we could not have hoped for better!"

The solution has been in place since September 2023, and the CISO has since tackled the most complex part of such a project: migrating all third-party provider access to the bastion. "The most complex part is not technical, it lies in the contractual process with providers, given that they must go through a bastion. Even if you haven't deployed one yet, this is something to think about in advance," he explains. For him, the positive outcome of this deployment is that administrators feel reassured: the PAM will not weigh down their daily work. Once all providers have been migrated, it will be the turn of internal administrators.


Statements collected at the Forum inCyber 2024 by Le MagIT
