Take Action With a Phased Approach to Privileged Account Management

You’ve done some of the hard work already. Your organization is on board with ramping up cybersecurity efforts, and you’ve even acquired CyberArk to support your Privileged Account Management (PAM) efforts.

Now it’s time to implement your PAM solution.

As you know, a PAM system helps prevent the theft of highly privileged credentials. Managing access to privileged accounts more tightly makes it harder for cyber adversaries and rogue insiders to use stolen privileged credentials as a way to gain broad and undetected access to your information systems.

But implementing a PAM solution can seem like a daunting task – and you don’t want a breach at your organization to be your incentive to move forward. How do you get started and make sure your PAM solution doesn’t become shelfware?

Gain traction on your PAM project with a phased approach.

At CyberSheath, we have seen many organizations at various levels of PAM maturity. In our experience, a phased approach is the best way to deploy a PAM solution. This method lets you tackle finite pieces of the project quickly, and it can make a measurable improvement to your organization’s security in as few as 30 days. We recommend running each phase as a sprint (usually targeted to take 30 days). Keep in mind that sometimes a phase will need to be divided into mini-sprints.

Here are the top-level phases to help you craft your PAM approach. While you may shift the order of phases to fit your organizational priorities and infrastructure complexity, we have found this hierarchy of action to be effective at rapidly identifying and remediating key security gaps.

For each phase: the area of focus, what it is, why it is a priority, and what you need to do.

Phase 1: Built-in Local Accounts
What it is: On Windows, a built-in account is a user account created during installation (the local Administrator); on Unix and Linux the equivalent is root.
Why it is a priority: These accounts have passwords that are known to multiple people, some of whom have probably left your organization. Often the same password is used across many systems, so a password hash dumped from one machine authenticates to all of them, enabling lateral Pass-the-Hash attacks across much of your infrastructure. These accounts are homogeneous and tend to be the easiest to onboard, which makes them a good first step in your PAM initiative.
What you need to do:
  • Identify and onboard the built-in accounts: Windows (Administrator) on servers and desktops, Unix (root).
  • Enable password rotation on all of these accounts, so that each host ends up with its own unique password.

Phase 2: Domain Admin
What it is: Domain Admins is a built-in group in Microsoft Active Directory whose members are typically assigned to administer all domain servers. Members of this group have full administrative rights to many components of the corporate infrastructure.
Why it is a priority: These few accounts are a master key with access to everything. Securing this small group is a fast way to help safeguard your systems.
What you need to do:
  • Onboard Domain Admin accounts into CyberArk.
  • Switch to the shared privileged account model and revoke individual domain-admin permissions.

Phase 3: Database, Exchange, and Application Admins
What it is: Database, Exchange, and application administrators manage and maintain database management systems and application software.
Why it is a priority: This is where the data is. These accounts control access to all the intellectual property at your company.
What you need to do:
  • Isolate and monitor Tier 1 assets.
  • Onboard any privileged database and Exchange admin accounts.

Phase 4: Network Devices
What it is: Network devices are the components that connect computers and other devices so that they can share files or resources.
Why it is a priority: Access to your network devices can be an entry point to any other system at your organization.
What you need to do:
  • Identify and onboard network devices, business apps, and security appliances.

Phase 5: Service Accounts
What it is: A service account is a user account created explicitly to provide a security context for services running on operating systems and applications.
Why it is a priority: These accounts often have high-level access, and a compromised password on one of them provides a foothold across your network. Their passwords often have not been changed in years, so their security is suspect.
What you need to do:
  • Identify and begin addressing the management of service and application IDs.
  • Purchase additional licensing as required.

Phase 6: Corporate Accounts
What it is: External accounts created in your company’s name that provide third-party services not available internally. Examples include Twitter, Facebook, and credit and bank accounts.
Why it is a priority: Unauthorized access to these accounts can adversely impact your brand and your bottom line.
What you need to do:
  • Protect corporate communications and external financial systems accounts.

Phase 7: Desktop Computers
What it is: Assets given to employees to support their work and productivity, including desktop and laptop computers.
Why it is a priority: Individual desktops can provide an entry point for attackers to infiltrate corporate systems, because local passwords tend never to change and are often the same across all devices.
What you need to do:
  • Enable only specific users to elevate their permissions.
  • Limit which applications and commands can be run by which users.
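The discovery and rotation steps for Phases 1, 2 and 5 can be scripted before the accounts are onboarded, so the first sprint starts from an inventory rather than guesswork. The following PowerShell is an added example written for this page; it is not CyberSheath’s or CyberArk’s code. It assumes PowerShell Remoting to the target hosts as a local administrator, the RSAT ActiveDirectory module for the domain checks, and placeholder host names and a 90-day password-age threshold that you would replace with your own.

```powershell
#Requires -Version 5.1
# Added example, not CyberSheath's or CyberArk's code. Assumptions: PowerShell Remoting
# to the target hosts as a local admin, and the RSAT ActiveDirectory module for the
# domain checks. Host names and the 90-day threshold below are placeholders.

# Phase 1: find the built-in local Administrator on each host by its well-known RID (500),
# not by name, because the account is frequently renamed. A PasswordLastSet close to the
# OS install date means the install-time password is still live.
function Get-BuiltInAdminInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
            Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } },
                          Name, Enabled, PasswordLastSet, LastLogon
    } | Select-Object Host, Name, Enabled, PasswordLastSet, LastLogon
}

# Phase 1: a different random password per host. One shared password means one dumped NT
# hash opens every machine (Pass-the-Hash); unique per-host secrets break that chain.
# The alphabet has exactly 64 symbols, so 'byte mod 64' introduces no modulo bias.
function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Reset-BuiltInAdminPassword {
    param([Parameter(Mandatory)][string[]]$ComputerName, [switch]$DryRun)

    foreach ($h in $ComputerName) {
        $plain = New-RandomPassword
        Invoke-Command -ComputerName $h -ArgumentList $plain, $DryRun.IsPresent -ScriptBlock {
            param([string]$NewPassword, [bool]$Preview)
            $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
            if (-not $Preview) {
                Set-LocalUser -Name $admin.Name `
                    -Password (ConvertTo-SecureString $NewPassword -AsPlainText -Force)
            }
        }
        # Returned (never logged) so the caller can load it into the vault, then discard it.
        [pscustomobject]@{ Host = $h; Password = $plain; Applied = (-not $DryRun) }
    }
}

# Phases 2 and 5: who holds Domain Admin (including through nested groups) and which
# accounts carry a ServicePrincipalName (used by services, hence Kerberoastable),
# flagging enabled ones whose password is older than the threshold or has never been set.
function Get-StalePrivilegedAccounts {
    param([int]$MaxPasswordAgeDays = 90)
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet, LastLogonDate |
        Select-Object @{ n = 'Role'; e = { 'DomainAdmin' } },
                      SamAccountName, Enabled, PasswordLastSet, LastLogonDate)

    $serviceAccounts = @(Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
            -Properties PasswordLastSet, LastLogonDate |
        Select-Object @{ n = 'Role'; e = { 'ServiceAccount' } },
                      SamAccountName, Enabled, PasswordLastSet, LastLogonDate)

    ($domainAdmins + $serviceAccounts) |
        Where-Object { $_.Enabled -and ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff) } |
        Sort-Object Role, PasswordLastSet
}

# Usage (host names are placeholders):
# Get-BuiltInAdminInventory -ComputerName 'srv01', 'srv02' | Format-Table
# Reset-BuiltInAdminPassword -ComputerName 'srv01' -DryRun
# Get-StalePrivilegedAccounts -MaxPasswordAgeDays 365 | Format-Table
```

Run the inventory and the -DryRun pass first: rotating the built-in Administrator breaks any scheduled task, legacy script or appliance that still authenticates with it, and those dependencies are exactly what the inventory is meant to surface. The one-off rotation is only a bridge; once the accounts are onboarded, CyberArk’s own rotation takes over, and the returned passwords should live in the vault, not in a transcript or log. Matching on the RID rather than the name matters because renaming the Administrator account is a common (and ineffective) hardening step, and the SPN query will also list any user account that was given a service principal for convenience, which is a finding in its own right.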

Here’s a useful graphic to help with planning the phased approach for your PAM solution. Download it for your reference.


Stay tuned for more information coming soon on how to prepare for and scope an individual sprint to tackle one or more of these areas.

If you would like experienced help identifying or implementing PAM phases for your organization, you can rely on CyberSheath’s skilled SMEs. Contact us to learn more and to get started.