In 2020, there are a host of privileged access management (PAM) tools available, each with its own set of cool features. But the success of your PAM implementation does not rest solely on the PAM provider you choose; it also depends on how your organization defines and views PAM. Regardless of which PAM platform(s) your organization chooses to deploy, there are many factors to consider when establishing deployment deadlines. Those factors include:
In this post, we will look at how to define PAM within your business, how to identify and categorize privileged accounts, how to prioritize privileged accounts, and how to build your roadmap to PAM success.
Don’t assume that the term “privileged accounts” has a consistent, well-understood definition within your organization. Often, privileged accounts are described as the “keys to the kingdom.” While that statement may be true, it may not convey how broadly privileged access is deployed across your enterprise.
Privileged accounts pose significant operational, legal, and reputational risks to your organization if not secured effectively.
While privileged accounts are widely considered to be accounts used to manage servers and workstations, you should also ensure your organization’s definition covers:
As part of building a PAM program, it is necessary to onboard and secure privileged accounts. To do this, the accounts on the network need to be identified. To expedite this process, it is highly recommended that you perform a CyberArk Discovery and Audit (DNA) scan of your environment. This scan will generate detailed reports on the accounts that reside on and have access to each server.
The reports generated provide additional context to each of the accounts, for example:
If CyberArk DNA is not permitted, alternative methods for gaining this information from network scanners (such as ForeScout) should be employed.
Once privileged accounts have been identified, each account will need to be assigned to a specific owner (or owners) and classified into its respective category (e.g., Domain Administrator, Local Server Account, Root Account, Database Account, Service Account, etc.).
Please Note: DNA is simply a tool to identify what accounts should be onboarded. It does not offer any direct way of automating or triggering an onboarding process.
After privileged accounts have been identified and categorized, the accounts need to be analyzed against a number of pre-defined risk criteria to determine which are the most important and the most vulnerable. Examples of these criteria include:
Once the gaps in the existing PAM program have been identified, use a phased approach: first address the accounts that can be remediated quickly in the short term, then those that require longer-term planning.
When building your roadmap, priority should be given to addressing the highest risk accounts first and/or the accounts that, if compromised, could do the most harm to your organization.
Breaking the work into the following eight phases can help bring focus and structure to your roadmap. Please note that the amount of time needed to onboard these accounts will depend on the number of accounts and the complexity of your environment.
Phase 1: | Windows Server Local Admin Accounts; AD Domain Admin or Higher Privileged Accounts
Phase 2: | *nix Root Accounts; User Privileged AD Accounts
Phase 3: | Windows Workstation Local Admin Accounts; Windows Local Service Accounts
Phase 4: | Database: Microsoft SQL, Oracle, and DB2 local admin accounts (built-in)
Phase 5: | Network Accounts
Phase 6: | Application Accounts with Hard-Coded Credentials
Phase 7: | Cloud Accounts
Phase 8: | Mainframe Accounts
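Putting the categorization, risk-prioritization and phasing steps above together, here is an added example (not code from the original post, from Focal Point, or from CyberArk): a Python script that takes a small constructed account inventory of the kind a discovery scan would surface, maps each account to one of the categories named above, scores it against illustrative risk criteria (no owner, stale password, dormant, hard-coded, tier-0 privilege), and sorts the result into the eight onboarding phases. The inventory fields, the category rules and the scoring weights are all assumptions for this example; DNA's real report format is not reproduced.

```python
"""Added example: categorize, risk-score and phase a privileged-account inventory.
All field names, category rules and weights are assumptions for illustration."""

# Constructed inventory (not real data): facts a discovery scan would report.
INVENTORY = [
    {"name": "CORP\\Administrator", "platform": "ad", "groups": ["Domain Admins"],
     "owner": "", "pw_age_days": 900, "last_used_days": 3, "hardcoded": False},
    {"name": "SRV01\\Administrator", "platform": "windows_server", "kind": "local_admin",
     "owner": "platform-team", "pw_age_days": 400, "last_used_days": 10, "hardcoded": False},
    {"name": "root@db-host", "platform": "linux",
     "owner": "dba", "pw_age_days": 30, "last_used_days": 200, "hardcoded": False},
    {"name": "svc_backup", "platform": "windows_server", "kind": "service",
     "owner": "", "pw_age_days": 1200, "last_used_days": 1, "hardcoded": False},
    {"name": "sa@SQLPROD", "platform": "mssql",
     "owner": "dba", "pw_age_days": 700, "last_used_days": 5, "hardcoded": False},
    {"name": "billing-app/db_user", "platform": "application",
     "owner": "app-team", "pw_age_days": 500, "last_used_days": 1, "hardcoded": True},
]

# Category -> onboarding phase, following the eight phases in the post.
PHASE_BY_CATEGORY = {
    "Domain Admin": 1, "Windows Local Admin (server)": 1,
    "Root": 2, "Privileged AD User": 2,
    "Windows Local Admin (workstation)": 3, "Windows Service Account": 3,
    "Database Built-in Admin": 4,
    "Network Device Account": 5,
    "Application (hard-coded)": 6,
    "Cloud": 7,
    "Mainframe": 8,
}
UNPHASED = 9  # anything uncategorized is parked at the end for manual review

# Assumed AD groups treated as "Domain Admin or higher".
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def categorize(acct):
    """Map one inventory row to a category from the post's list (assumed rules)."""
    p = acct["platform"]
    if p == "ad":
        has_tier0 = bool(TIER0_GROUPS & set(acct.get("groups", [])))
        return "Domain Admin" if has_tier0 else "Privileged AD User"
    if p == "windows_server":
        return "Windows Service Account" if acct.get("kind") == "service" \
            else "Windows Local Admin (server)"
    if p == "windows_workstation":
        return "Windows Local Admin (workstation)"
    if p in ("linux", "unix"):
        return "Root"
    if p in ("mssql", "oracle", "db2"):
        return "Database Built-in Admin"
    if p == "application" and acct.get("hardcoded"):
        return "Application (hard-coded)"
    simple = {"network": "Network Device Account", "cloud": "Cloud", "mainframe": "Mainframe"}
    return simple.get(p, "Uncategorized")


def risk_score(acct, category):
    """Illustrative weighted criteria; higher means onboard sooner within a phase."""
    score = 0
    if not acct.get("owner"):
        score += 3  # no accountable owner
    if acct["pw_age_days"] > 365:
        score += 3  # credential never rotated in over a year
    if acct["last_used_days"] > 90:
        score += 1  # dormant account, easy to overlook
    if acct.get("hardcoded"):
        score += 2  # credential embedded in code or config
    if category in ("Domain Admin", "Root"):
        score += 4  # tier-0 privilege
    return score


def build_roadmap(inventory):
    """Return rows ordered by phase, then by descending risk within each phase."""
    rows = []
    for acct in inventory:
        cat = categorize(acct)
        rows.append({
            "name": acct["name"], "category": cat,
            "phase": PHASE_BY_CATEGORY.get(cat, UNPHASED),
            "risk": risk_score(acct, cat),
        })
    rows.sort(key=lambda r: (r["phase"], -r["risk"]))
    return rows


if __name__ == "__main__":
    for r in build_roadmap(INVENTORY):
        print(f"Phase {r['phase']}  risk={r['risk']:2d}  {r['category']:<34} {r['name']}")
```

In practice the inventory would be read from the discovery tool's export and the weights tuned to the criteria your organization settles on; the point of the script is that categorization, scoring and phase assignment are three separate, reviewable decisions rather than one spreadsheet column.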
When planning your roadmap, also focus on the following:
Managing privileged accounts is an important, yet complicated task. Many organizations operate highly complex infrastructures and disparate systems that run on multiple operating systems. Managing and controlling access to these privileged accounts is further complicated by the pace at which workforce and responsibility changes occur over time. Allocating the time necessary to defining, identifying, and prioritizing your privileged access will help ensure a successful implementation.