Phase 2 – Definition and planning
The second phase of a privileged account security program is to define the scope of the project. CyberArk recommends starting with a narrow scope, because trying to do too much puts overall project success at risk. The key is to build a repeatable process using the privileged account SPRINT Framework, starting with the most critical privileged credentials, and to apply it iteratively. By mapping out use cases for each critical control, organizations can visualize how execution will occur.
Step 1: Engage leadership and technology teams for managing rapid organizational changes
By setting the right tone from the top, organizations can help ensure that they can quickly and successfully deploy a new set of security controls across the enterprise. Adopting a “SPRINT mindset” is one of the most important factors in achieving rapid risk reduction. Organizations should try to achieve the same sense of urgency and progress that typically follows an actual breach, without the overarching pressure of resolving one. Direction from leadership is crucial to moving ahead rapidly.
Although security will drive the project, the affected systems are owned by the business. A successful project will require cross-functional support. Before beginning a Privilege Cloud implementation, it’s important to consider other teams and technologies within your organization that may be impacted by this new solution. The earlier you communicate with cross-functional team members, agree upon organizational policies, and plan for integrations, the more likely you are to experience a smooth and successful implementation.
Once the devices and accounts are defined, it’s critical to engage with the technology teams who own these devices as early as possible. These teams need to be aware of what Privilege Cloud does and how it will change their day-to-day lives. During early conversations, consider how you can bring as many existing workflows into the Master Policy as possible and identify what integrations may need to occur so that these workflows function properly.
The recommended approach is to conduct workshops with each team, learn how they interact with their respective technology today and understand how these interactions may change after CyberArk solutions have been implemented. Correlate information from workshops and verify platform and application requirements.
Step 2: Scope definition
Based upon the defined critical controls and timelines, organizations can define the product breakdown structure of the Privilege Cloud components. Organizations should review and understand the feature set, target use cases and licensing requirements for each relevant product.
Task | Details
---|---
Supported devices | CyberArk has a finite list of devices that are supported out-of-the-box. “General availability device support” indicates that the device has been tested by both CyberArk and the respective partner vendor. The ability to manage accounts on these devices is certified to work out-of-the-box. It’s important to verify version numbers to ensure that the version running is supported. Reference Privilege Cloud documentation for lists of the latest platforms that are supported out-of-the-box.
Custom plug-ins | “Controlled Availability (CA) device support” indicates that device support was developed for a specific customer with specific requirements and may not translate to guaranteed compatibility outside of those requirements. Organizations should test all devices before moving the device accounts into production. For devices not on the supported devices list, a CyberArk representative can begin the process for requesting a CPM custom plug-in.
Custom connection components | For automatically connecting to other enterprise platforms, it may be necessary to create custom connection components (if they are not supported out-of-the-box). This can be done either in-house, or by contacting a CyberArk representative who can begin the process for requesting a custom connection component.
Step 3: Define roles and responsibilities
A small team can put controls around the most important privileged accounts quite quickly. In one case, in the aftermath of a breach, a team of just eight members working with a security consultant vaulted the administrator accounts for 20 domains and 6,500 servers in four weeks. Compared with implementing controls in a hostile, post-breach environment, doing the work proactively is likely to proceed relatively smoothly.
Identify the core team members responsible for deploying and managing the CyberArk solution.
As deployments expand, it is important to build a team around the product with a ‘program’ as opposed to ‘project’ mentality. This means that privileged account security should be seen as a continually evolving and persistent presence within an organization. To efficiently support the program, the CyberArk team needs to be structured with long-term growth in mind. Creating different roles as outlined in this document allows organizations to have highly specialized groups responsible for certain elements of the program. This also allows greater focus and a reduction in what can traditionally be a bottleneck in many deployments (i.e., Vault Administrators being tasked with everything thereby slowing down implementation).
Stakeholders
Identify the internal consumers and stakeholders of the CyberArk solution. It’s recommended that organizations agree upon which users will fall into which roles prior to an implementation. Organizations should also establish a process for adding new users to each of these roles following the initial rollout.
End users are consumers of Privilege Cloud. These individuals use CyberArk solutions to access privileged accounts using credentials secured in the CyberArk Digital Vault.
Auditors are users with the ability to view recordings and audit log data, as well as run reports on this information. Auditors have higher permissions than end users, and in large implementations, auditor rights are typically given on a safe-by-safe basis.
Safe owners are traditionally the owners of the technology that the safe is securing. These users are responsible for validating who has access to their safe and approving access requests to target devices.
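The three roles above describe a safe-scoped permission model: end users consume credentials, auditors see audit data only for the safes they were granted, and safe owners approve access requests. The following is an added illustration of that model, not CyberArk’s code or API; the Vault and Safe classes, the permission names, the user names and the safe names are all constructed for this example, and the exact permission set per role is an assumption made here.

```python
"""Illustrative safe-scoped role model (added example, not CyberArk's code or API).

The three roles come from the text; the Permission names, the Vault/Safe classes
and the sample users and safes are constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    USE_CREDENTIAL = "use_credential"    # end users: connect with a vaulted credential
    VIEW_AUDIT = "view_audit"            # auditors: view recordings and audit data
    APPROVE_REQUEST = "approve_request"  # safe owners: approve access requests


# Role -> permissions. The role names are the page's three roles; the exact
# permission set per role is an assumption of this example.
ROLE_PERMISSIONS = {
    "end_user": {Permission.USE_CREDENTIAL},
    "auditor": {Permission.VIEW_AUDIT},
    "safe_owner": {Permission.APPROVE_REQUEST, Permission.VIEW_AUDIT},
}


@dataclass
class Safe:
    """Membership is scoped to the safe: a role in one safe grants nothing in another."""
    name: str
    members: dict = field(default_factory=dict)    # user -> role within this safe
    pending: set = field(default_factory=set)      # users awaiting owner approval
    approved: set = field(default_factory=set)     # users whose request was approved
    audit_log: list = field(default_factory=list)  # constructed audit events


class Vault:
    def __init__(self):
        self.safes = {}

    def add_safe(self, name):
        self.safes[name] = Safe(name)
        return self.safes[name]

    def grant_role(self, safe_name, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.safes[safe_name].members[user] = role

    def has_permission(self, safe_name, user, perm):
        safe = self.safes.get(safe_name)
        if safe is None:
            return False
        role = safe.members.get(user)
        return role is not None and perm in ROLE_PERMISSIONS[role]

    def request_access(self, safe_name, user):
        """End users ask for access; nothing is released until a safe owner approves."""
        safe = self.safes[safe_name]
        if not self.has_permission(safe_name, user, Permission.USE_CREDENTIAL):
            return False
        safe.pending.add(user)
        safe.audit_log.append(("request", user))
        return True

    def approve_access(self, safe_name, approver, requester):
        """Only a member holding APPROVE_REQUEST in this safe can approve."""
        safe = self.safes[safe_name]
        if not self.has_permission(safe_name, approver, Permission.APPROVE_REQUEST):
            return False
        if requester not in safe.pending:
            return False
        safe.pending.discard(requester)
        safe.approved.add(requester)
        safe.audit_log.append(("approve", approver, requester))
        return True

    def use_credential(self, safe_name, user):
        """Two conditions: an end-user role in this safe AND an approved request."""
        safe = self.safes[safe_name]
        allowed = (self.has_permission(safe_name, user, Permission.USE_CREDENTIAL)
                   and user in safe.approved)
        safe.audit_log.append(("use" if allowed else "denied", user))
        return allowed

    def view_audit(self, safe_name, user):
        """Audit events for one safe, or None when the user lacks audit rights there."""
        if not self.has_permission(safe_name, user, Permission.VIEW_AUDIT):
            return None
        return list(self.safes[safe_name].audit_log)


def demo():
    """Constructed scenario: two safes, with an auditor scoped to only one of them."""
    v = Vault()
    v.add_safe("windows-domain-admins")
    v.add_safe("unix-root")
    v.grant_role("windows-domain-admins", "alice", "end_user")
    v.grant_role("windows-domain-admins", "bob", "safe_owner")
    v.grant_role("windows-domain-admins", "carol", "auditor")
    return v
```

The point of the design is that every check is made against membership of the specific safe: an end user cannot approve their own request, credential use requires both the role and an approval, and the auditor granted on one safe gets nothing back for the other. That is the safe-by-safe granularity the roles description calls for.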
Trusted experts
Once an organization has considered the product breakdown structure and roles and responsibilities, the next step is to engage CyberArk-certified experts and SMEs to define scope from a CyberArk Security Services perspective. This step ensures that expectations are set between organizations and CyberArk-certified experts on the scope of work involved. They help expedite the development of a best practices privileged account security program by providing expertise and experience where and when needed, ensuring the maximum ROI from CyberArk solutions. At the same time, CyberArk-certified experts provide frameworks and help build the in-house expertise necessary to move forward toward a mature privileged account security program. Consider CyberArk services in the areas of Consulting, Implementation, Onboarding, Project Management, Extensions Development, Red Team, Training/Certification and Customer Support. CyberArk helps organizations focus on target credentials for project scope, identify credential types and rough quantities, and understand how the project scope will achieve the use cases defined for the product breakdown structure.
Next step: Phase 3 – Launch and execution