This post summarizes the design process of a PAM project: from the CyberArk Blueprint to a roadmap, then to stages and phases, and finally to concrete steps for each phase.
Example based on template:
A roadmap is typically broken down into phases of work, and can stem from multiple technologies and security controls. Phases can partially overlap as well. The example below illustrates an organization that has an audit finding around least privilege on workstation computers, which has been prioritized over other use cases. From there, this roadmap leverages the CyberArk Blueprint’s rapid risk mitigation approach and prioritizes securing the most risky credentials before expanding to other technology platforms in later phases.
Project Stages / Phases
PAM Blueprint five stages overview:
Five PAM Blueprint Stages
This section provides a high-level roadmap for deploying the CyberArk Privileged Access Security Solution in organizations, based on the extensive implementation experience of CyberArk Security Services. The five-phase overview discusses recommendations for risk assessment, identification of critical controls, program and scope planning, rapid risk mitigation, program execution, and program development.
Following these guidelines, organizations can build a successful and, ultimately, mature privileged account security program.
The first phase of the program is to discover business and security requirements, analyze the risks, define critical controls and map out the high-level timelines. It is generally challenging to define what the “keys to the kingdom” in an organization are; organizations typically say “we want to secure everything.” By engaging with the trusted experts in CyberArk Security Services or CyberArk certified service partners, organizations draw from the experiences of security professionals and technical specialists who have been on the front lines of breach remediation efforts.
The second phase of a privileged account security program is to define the scope of the project. CyberArk recommends starting with a narrow scope as trying to do too much will put the overall project success at risk. The key is to build a repeatable process using the privileged account SPRINT Framework, starting with the most critical privileged credentials, and use it iteratively. By mapping out use cases for each critical control, organizations can visualize how execution will occur.
In the fourth phase, organizations develop a roll-out plan, identify a small group of accounts that will be used as a “pilot,” identify (or create) a group of test accounts for each group and identify issues and update the roll-out plan as needed.
What are the business drivers for the project? To start, consider security goals in the areas of audit (SOX, PCI, etc.), compliance, breach, best practices or other drivers for the project. Consider initial use cases, objectives, and timelines that will drive the priority and order of privileged credentials to be managed, as well as control goals and audit requirements, including retention, credential rotation frequency, etc. Senior management should be included in defining the goals and objectives of the company, as they set the tone and direction of the security program.
CyberArk Discovery & Audit (CyberArk DNA®) is a simple executable that can scan systems based on either Active Directory or an input file. Following the scan, CyberArk DNA delivers a comprehensive report that shows the number of systems scanned and the percentage of systems that do not comply with your password policy, which can be defined in CyberArk DNA prior to scan. The management summary will give you an overview of your environment, including maps of Pass-the-Hash vulnerabilities in Windows environments and SSH key trusts in Unix environments. Details of the discovered accounts and credentials are provided in tables that contain all available information for each account.
Step 4: Identify and prioritize privileged accounts to be secured
There are multiple approaches to assessing risk and setting priorities using the CyberArk DNA report and map. Organizations can see which machines and accounts create the highest risk and which machines are exposed to the greatest lateral movement risks. Based on this Pass-the-Hash map, organizations can prioritize the security and management of privileged accounts on the most at-risk systems.
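As an added illustration of the prioritization step (this is not CyberArk DNA code or its report format), the script below ranks privileged credentials from a scan-style inventory. The CSV inventory, its column layout, the `cred_id` fingerprint column, and the 90-day rotation policy are all constructed assumptions for the example; a credential that appears on several hosts with the same fingerprint is the kind of shared local administrator password that lets a stolen hash be replayed across machines.

```python
"""
Added example (not CyberArk code): rank privileged credentials by lateral
movement reach and password age, from a constructed scan-style inventory.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample data: one row per (host, account). `cred_id` stands in
# for a credential fingerprint; rows sharing a cred_id use the same password,
# so a hash stolen on one of those hosts unlocks the others.
SAMPLE_INVENTORY = """host,account,cred_id,password_age_days,local_admin
ws-001,Administrator,c1,410,yes
ws-002,Administrator,c1,410,yes
ws-003,Administrator,c1,410,yes
ws-004,Administrator,c2,12,yes
srv-db-01,Administrator,c3,200,yes
srv-db-01,svc_backup,c4,720,yes
srv-app-01,svc_backup,c4,720,yes
srv-app-01,jdoe,c5,30,no
"""

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy for the example


def parse_inventory(text):
    """Parse the CSV inventory into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["password_age_days"] = int(row["password_age_days"])
        row["local_admin"] = row["local_admin"].strip().lower() == "yes"
        rows.append(row)
    return rows


def noncompliant_host_percentage(rows, max_age=MAX_PASSWORD_AGE_DAYS):
    """Percentage of hosts with at least one privileged password older than policy."""
    hosts = {r["host"] for r in rows}
    bad = {r["host"] for r in rows
           if r["local_admin"] and r["password_age_days"] > max_age}
    return round(100.0 * len(bad) / len(hosts), 1)


def lateral_movement_reach(rows):
    """Map each privileged credential shared by more than one host to those hosts."""
    reach = defaultdict(set)
    for r in rows:
        if r["local_admin"]:
            reach[r["cred_id"]].add(r["host"])
    return {cid: hosts for cid, hosts in reach.items() if len(hosts) > 1}


def prioritize(rows, max_age=MAX_PASSWORD_AGE_DAYS):
    """Rank privileged credentials: widest reach first, then oldest password.

    Returns (cred_id, account, host_count, violates_policy) tuples.
    """
    by_cred = {}
    for r in rows:
        if not r["local_admin"]:
            continue
        entry = by_cred.setdefault(r["cred_id"], {
            "cred_id": r["cred_id"], "account": r["account"],
            "hosts": set(), "password_age_days": r["password_age_days"]})
        entry["hosts"].add(r["host"])
    ranked = sorted(by_cred.values(),
                    key=lambda e: (-len(e["hosts"]), -e["password_age_days"]))
    return [(e["cred_id"], e["account"], len(e["hosts"]),
             e["password_age_days"] > max_age) for e in ranked]


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    print(f"Hosts out of policy: {noncompliant_host_percentage(inventory)}%")
    for cred_id, account, host_count, violates in prioritize(inventory):
        print(f"{cred_id:4} {account:14} hosts={host_count} out_of_policy={violates}")
```

The ranking puts the shared workstation Administrator password first even though the service account password is older, because the number of hosts one stolen credential unlocks is what drives lateral movement risk; password age then breaks ties. That ordering is the same idea as vaulting the most widely reused credentials in the first sprint.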
Once the privileged account security risks are assessed, the next step is to define the critical controls and high-level timeline. As described in the Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials White Paper, attackers frequently exploit vulnerabilities with Windows Administrator credentials and use a privileged pathway to get to critical assets.
A small team can put controls around the most important privileged accounts quite quickly. In one case, in the aftermath of a breach, a team of just eight members working with a security consultant vaulted the administrator accounts for 20 domains and 6,500 servers in four weeks. Compared with implementing controls in a hostile, post-breach environment, doing the work proactively is likely to proceed relatively smoothly.
Dedicated CyberArk internal resources can be the organization’s champions for the privileged account security program, managing organizational changes and engaging with technology teams who need to be aware of what the CyberArk solution does and how it will change their daily work.
Identify internal stakeholders of the CyberArk solution. It is important to identify the consumers and stakeholders of the CyberArk solution. It’s recommended that organizations agree upon which users will fall into what roles prior to an implementation. Organizations should also consider establishing a process for how new users can be added to each of these respective roles following the initial rollout.
Once the team, scope, project goals, product breakdown structure, use cases, high level schedule, and budget are prepared, a kick-off meeting should be scheduled to ensure all the stakeholders are informed and prepared to engage. This will set the expectations for all parties involved and define accountabilities for driving progress.
Step 2: Architecture design
The CyberArk Digital Vault will house the organization’s most sensitive credentials, which provide access to the most sensitive data and business-critical systems. The CyberArk Privileged Access Security Solution will sit between your privileged users and your highly sensitive systems, and it will enable users to securely carry out extremely important tasks. As such, the security of the CyberArk Privileged Access Security Solution and the stability of the platform are paramount.
CyberArk Security Services will provide organizations with a prerequisites checklist so that they can be prepared for their deployment. With the guidance of certified CyberArk experts/SMEs, the Technical Leads will be ready to proceed with the installation, configuration, and/or upgrade of the CyberArk Privileged Access Security Solution.
This should be done in conjunction with Step 2a. The Rotate Credentials process is not dependent on the Isolation & Monitor process, since they are separate modules. While accounts are being managed, organizations can include high value asset credentials that will benefit from CyberArk Privileged Session Manager and CyberArk Privileged Threat Analytics, further expanding the credential boundary.
During this phase, additional primary groups will be rolled out per the updated roll-out plan. Management functionality, workflows, and permissions should be confirmed along with the solution design—and analysis performed on the use cases/requirements for the next phases based on the organization’s roadmap. Organizations will receive review and advice on resolving gaps in the architectural design, solution design, and implementation phases of the project.
Step 1: Going “wide” with basic controls and “deep” with advanced controls
After the initial implementation of the CyberArk Privileged Access Security Solution, organizations will continue their privileged account security program throughout the enterprise using the same processes – moving to functional accounts, onboarding the new accounts created, vaulting the built-in accounts, rotating them, and then using CyberArk Privileged Session Manager and CyberArk Privileged Threat Analytics for isolation and monitoring.
Expand session isolation to Tier 1 assets;
Monitor Tier 1 assets;
Establish additional credential boundaries to restrict lateral movement;
Manage further devices: network devices, web applications, out-of-band access, etc.;
As mentioned above, this may include custom CPM plugins and CyberArk Privileged Session Manager custom connection components;
Begin management of service accounts and application IDs;
Remove hard-coded credentials;
Explore least privilege and application whitelisting.
Step 2: Formalizing the program with metrics for success
By locking down the credentials, isolating and controlling sessions, and then monitoring behavior, the security posture of an organization is improved in an efficient and controlled manner, with limited impact on production processes.