Phase 2 – Definition and planning
The second phase of a privileged account security program is to define the scope of the project. CyberArk recommends starting with a narrow scope as trying to do too much will put the overall project success at risk. The key is to build a repeatable process using the privileged account SPRINT Framework, starting with the most critical privileged credentials, and use it iteratively. By mapping out use cases for each critical control, organizations can visualize how execution will occur.
Step 1: Engage leadership and technology teams for managing rapid organizational changes
By setting the right tone from the top, organizations can help ensure that they can quickly and successfully deploy a new set of security controls across the enterprise. Adopting a “SPRINT mindset” is one of the most important factors in being able to achieve rapid risk reduction. Organizations should try to achieve the same sense of urgency and progress that is often seen in the wake of actual breaches, without the overarching pressure of resolving a breach. Direction from leadership is crucial to move ahead rapidly.
Although security will drive the project, the affected systems are owned by the business. A successful project will require cross-functional support. Before beginning a CyberArk Privileged Access Security Solution implementation, it’s important to consider other teams and technologies within your organization that may be impacted by this new solution. The earlier you communicate with cross-functional team members, agree upon organizational policies, and plan for integrations, the more likely you are to experience a smooth and successful implementation.
Once the devices and accounts are defined, it’s critical to engage with the technology teams who own these devices as early as possible. These teams need to be aware of what the CyberArk Privileged Access Security Solution does and how it will change their day-to-day lives. During early conversations, consider how you can bring as many existing workflows into the Master Policy as possible and identify what integrations may need to occur so that these workflows function properly.
The recommended approach is to conduct workshops with each team, learn how they interact with their respective technology today and understand how these interactions may change after CyberArk solutions have been implemented. Correlate information from workshops and verify platform and application requirements.
Step 2: Scope definition
Based upon the defined critical controls and timelines, organizations can define the product breakdown structure of the CyberArk Privileged Access Security Solution components. Organizations should review and understand the feature set, target use cases and licensing requirements for each relevant product.
| Task | Details |
|---|---|
| Supported devices | CyberArk has a finite list of devices that are supported out-of-the-box. “General availability device support” indicates that the device has been tested by both CyberArk and the respective partner vendor. The ability to manage accounts on these devices is certified to work out-of-the-box. It’s important to verify version numbers to ensure that the version running is supported. Reference the Privileged Access Security System Requirements and CPM Supported Devices documents for lists of the latest platforms that are supported out-of-the-box. |
| C3 Alliance Program | To make these integrations as seamless as possible, CyberArk has established the C3 Alliance Program, which brings together a variety of complementary vendors to deliver certified out-of-the-box integrations for joint customers. Learn more about CyberArk’s C3 partners and certified integrations here: http://www.cyberark.com/partners/technology-partners/ |
| Custom plug-ins | “Controlled Availability (CA) device support” indicates that device support was developed for a specific customer with specific requirements and may not translate to guaranteed compatibility outside of those requirements. Organizations should test all devices before moving the device accounts into production. For devices not on the supported devices list, a CyberArk representative can begin the process for requesting a Central Policy Manager custom plug-in. |
| Custom connection components | For automatically connecting to other enterprise platforms using CyberArk Privileged Session Manager, it may be necessary to create custom connection components (if they are not supported out-of-the-box). This can be done either in-house, or by contacting a CyberArk representative who can begin the process for requesting a custom connection component. |
Step 3: Define roles and responsibilities
A small team can put controls around the most important privileged accounts quite quickly. In one case, in the aftermath of a breach, a team of just eight members working with a security consultant vaulted the administrator accounts for 20 domains and 6,500 servers in four weeks. Compared with implementing controls in a hostile, post-breach environment, doing the work proactively is likely to proceed relatively smoothly.
Identify the core team members who will deploy and manage the CyberArk solution.
As CyberArk Privileged Access Security Solution deployments expand, it is important to build a team around the product with a ‘program’ as opposed to ‘project’ mentality. This means that privileged account security should be seen as a continually evolving and persistent presence within an organization. To efficiently support the program, the CyberArk team needs to be structured with long-term growth in mind. Creating different roles as outlined in this document allows organizations to have highly specialized groups responsible for certain elements of the program. This also allows greater focus and a reduction in what can traditionally be a bottleneck in many deployments (i.e., Vault Administrators being tasked with everything thereby slowing down implementation).
Dedicated CyberArk internal resources
Dedicated CyberArk internal resources can be the organization’s champions for the privileged account security program, managing organizational changes and engaging with the technology teams who need to be aware of what the CyberArk solution does and how it will change their daily lives.
The CyberArk SME is responsible for helping to scope, design, architect, and deliver all aspects and phases of the CyberArk Privileged Access Security Solution rollout. Whenever new projects arise in the organization, the SME can help suggest how CyberArk can be leveraged and map out the required steps. These SMEs can interact with internal stakeholders as they look to get on board with the organization’s privileged account security management initiative. CyberArk SMEs can be thought of as in-house consultants who can be called on in many situations, including the following:
- Initial project planning;
- Solution design and architecture;
- Security process design and development;
- Capacity planning;
- Solution configuration and customization;
- User authentication and provisioning;
- Safe structure, naming convention, and permissions design;
- Master Policy;
- Integrations with enterprise-wide technologies;
- Installation, upgrade, and migration;
- Onboarding of new platforms and devices;
- Deployment expansion for additional CyberArk modules and components (e.g., CyberArk Privileged Session Manager, CyberArk Application Access Manager (AAM), etc.);
- Post-implementation analysis and health checks.
CyberArk SMEs may be trusted experts from the CyberArk Security Services team, CyberArk Certified Channel Partners, or CyberArk Certified in-house resources, depending on the level of activities in your organization. By working with CyberArk SMEs, organizations will be able to gain knowledge and hands-on experience through the integrated knowledge transfer process. CyberArk Security Services experts expedite privileged account security programs by providing the expertise to identify and prioritize the most important privileged accounts. In conjunction with clients, our technical experts then design, implement and project-manage the optimum privileged account protection program. In short, CyberArk Security Services help organizations maximize real value sooner.
The CyberArk Vault Administrators (Technical Leads) are responsible for maintaining the application layer of the CyberArk Privileged Access Security Solution. They are typically individuals who have security and operational backgrounds. It is recommended that those in this role complete CyberArk’s product training and earn CyberArk Certification to raise support cases and maintain the CyberArk Digital Vault and other components. The CyberArk Vault Administrator’s activities will typically include:
- Ensuring full operability, health, fault tolerance, and performance of the application;
- Ensuring installed components and integrated technologies, such as CPM and LDAP-S, are functioning as designed;
- User and group provisioning management;
- Creation of policies and reports as defined by Risk/Audit/IT Security;
- Execution of project tasks defined by the CyberArk SME in the design/architecture phase;
- Expanding the onboarding of privileged account credentials via Accounts Feed or Bulk Upload.
CyberArk Vault Administrators are the executors of an organization’s CyberArk support team and work closely with CyberArk SMEs to understand and carry out any activities that arise as part of new organizational initiatives or onboarding of new CyberArk modules. CyberArk Vault Administrators can be part-time or full-time employees, depending on the scale of the environment. Typically, most organizations will have two such administrators serving in primary/backup roles.
The IT Operations Team is responsible for the underlying OS and infrastructure that supports the CyberArk software. This team ensures the infrastructure platform and OS are operating within specifications, monitors services, verifies system availability, performs backup procedures, and helps troubleshoot any infrastructure issues. This team is also involved in any upgrades/migrations as well as any OS patching required throughout the lifespan of the CyberArk software. This role is typically part of the existing IT Operations and IT Infrastructure teams in your organization and likely does not require full-time dedicated resources.
For a large enterprise environment, the CyberArk Data Administrator role performs the more repetitive and day-to-day tasks involved in administering the CyberArk Privileged Access Security Solution. Common tasks may include:
- Safe creation;
- Account/Password/Credential uploads;
- Application definition (CyberArk Application Access Manager (AAM)).
This role operates in an inbox/outbox fashion where internal clients submit requests for activities to be performed (e.g., “I need a new safe for the Unix PCI Root accounts”) and this team fulfills those requests. Leveraging an existing team such as an Access Control Administrators group is usually the preferred method of implementing this role. This role can also be consolidated with the CyberArk Vault Administrator role, depending on the environment.
Every successful CyberArk program starts with a successful project. To supply, in a timely manner, all resources (personnel, systems, information and software) necessary for a CyberArk project, a Project Manager will be designated to lead:
| Management | Scope |
|---|---|
| Integration | |
| Scope | |
| Time | |
| Cost | |
| Quality | |
| Human Resources | |
| Communications | |
| Risk | |
| Stakeholder | |
Stakeholders
Identify internal stakeholders of the CyberArk solution. It is important to identify the consumers and stakeholders of the CyberArk solution. It’s recommended that organizations agree upon which users will fall into what roles prior to an implementation. Organizations should also consider establishing a process for how new users can be added to each of these respective roles following the initial rollout.
End users are consumers of the CyberArk Privileged Access Security Solution. These individuals use CyberArk solutions to access privileged accounts using credentials secured in the CyberArk Digital Vault.
Auditors are users with the ability to view recordings and audit log data, as well as run reports on this information. Auditors have higher permissions than end users, and in large implementations, auditor rights are typically given on a safe-by-safe basis.
Safe owners are traditionally the owners of the technology that the safe is securing. These users are responsible for validating who has access to their safe and approving access requests to target devices.
Trusted experts
Once an organization has considered the product breakdown structure and roles and responsibilities, the next step is to engage CyberArk-certified experts and SMEs to define scope from a CyberArk Security Services perspective. This step ensures that expectations are set between organizations and CyberArk-certified experts on the scope of work involved. They help expedite the development of a best-practices privileged account security program by providing expertise and experience where and when needed, to ensure the maximum ROI from CyberArk solutions. At the same time, CyberArk-certified experts provide frameworks and help build the in-house expertise necessary to move forward toward a mature privileged account security program. Consider CyberArk services in the areas of Consulting, Implementation, Onboarding, Project Management, Extensions Development, Red Team, Training/Certification and Customer Support. CyberArk helps organizations focus on target credentials for project scope, identify credential types and rough quantities, and understand how the project scope will achieve the use cases defined for the product breakdown structure.