Phase 5 – Mature the Privileged Access Security program

Step 1: Going “wide” with basic controls and “deep” with advanced controls

After the initial implementation of the CyberArk Privileged Access Security Solution, organizations will continue their privileged account security program throughout the enterprise using the same processes – moving to functional accounts, onboarding the new accounts created, vaulting the built-in accounts, rotating them, and then using CyberArk Privileged Session Manager and CyberArk Privileged Threat Analytics for isolation and monitoring.



Go “wide”

  • Expand session isolation to Tier 1 Assets;

  • Monitor Tier 1 Assets;

  • Establish additional credential boundaries to restrict lateral movement.

Go “deep”

  • Manage further devices: network devices, web applications, out of band access, etc.;

  • As mentioned above – this may include custom CPM plugins and CyberArk Privileged Session Manager custom connection components;

  • Begin management of service accounts and application IDs;

  • Remove hard-coded credentials;

  • Explore least privilege and application whitelisting.

Step 2: Formalizing the program with metrics for success

By locking down the credentials, isolating and controlling sessions, and then monitoring behavior, an organization improves its security posture in an efficient and controlled manner, with limited impact on production processes.
