Stada Arzneimittel AG
Challenge
- Manage workstations of the customer’s employees to reduce information security issues
- Unify antivirus solution across infrastructure landscape
- Provide access control and standardized password complexity
- Connect different CDS software types to the centralized global LIMS
- Centralize Monitoring solution and alerting model
- Improve Security posture score for Azure Subscriptions
Solution
The work started with the development of the Global MECM task sequence and, in parallel, the Security / migration to MS Defender ATP. GDC Services experts separated the work into six blocks.
To manage workstations, a standardized computer image (operating system and application pack) was developed in close coordination with the customer's security and compliance departments.
The GDC Services team used a white-glove approach with fully unattended deployments using MECM, or Autopilot for internet-only connected workstations. We provided software lifecycle management (automation and deployment), held Intune / MDM knowledge transfer sessions for local IT teams on basic troubleshooting, and developed end-user manuals and knowledge transfer to L1 support.
We also provided migration support for devices moving from existing MDM systems to Intune MDM.
Security
First, the team engaged in a discovery process with all of the customer's business owners and the global security team to create a tailored solution with minimal business impact during migration.
Then the current antivirus solutions (Sophos, Kaspersky and Trend Micro) were migrated to Microsoft Defender with onboarding to Advanced Threat Protection. We controlled deployments in waves using Microsoft MECM and Intune, with daily status reporting and troubleshooting.
Password management
First and foremost, GDC Services experts reviewed and set up the infrastructure to meet all prerequisites. Then the Microsoft LAPS server and client components were implemented. The onboarding to LAPS for every current, reinstalled or planned device was fully controlled.
The following work was done:
- Optimization of the virtual environment so it is globally available with high availability
- Implementation of solutions that can be used globally with localization needs in mind
- Disaster recovery scenarios according to the regulations
- Creation of a custom interface solution for every kind of CDS software and lab equipment where there was no vendor support
Monitoring and alerting
We designed a centralized monitoring solution based on webhooks and log ingestion into a central Log Analytics workspace, and then implemented a Logic App as the central processing resource and new alerting system.
While executing the task, the team provided a set of URL availability tests (external and internal) and monitoring of connections between systems.
We also:
- Developed live dashboards for 20+ Subscriptions
- Developed a maintenance mode procedure to suppress monitoring alerts during maintenance windows
- Monitored the solution independently to gain insight into integration health
- Provided knowledge transfer for monitoring, the onboarding process and support
Security posture score improvement
The GDC Services team developed an approach and divided the recommendations into separate groups:
- Azure Disk Encryption
- Enabled enhanced security features
- Restricted unauthorized network access, implemented security best practices
- Enabled auditing and logging
After that, we identified possible problems with stakeholders, documented all the exemptions, and initiated resource remediation in waves, per group and possible windows.
Last but not least, the GDC team developed new Azure policies and initiatives to deny provisioning of new non-compliant resources.
Results
We:
- Implemented centralized management of workstations (5000+) with a standardized image that can be changed rapidly, which led to substantial cost savings
- Enhanced security with compliant mobile devices (3000+ devices)
- Achieved rapid response to current and future security threats and vulnerabilities for 5000+ workstations and 600+ servers
- Provided centralized management of all local administrator passwords for 3000+ workstations and 350+ servers
- Enabled the system to be GxP validated for 900+ users and 190+ servers
- Provided easy scale-out of the monitoring solution to multiple other Azure regions, improved the Secure Score and reduced active recommendations, leading to overall security improvement (60+ Subscriptions, IaaS and PaaS resources)