You’ve done some of the hard work already. Your organization is onboard with ramping up cybersecurity efforts – and you’ve even acquired CyberArk to help support your Privileged Account Management (PAM) efforts.

Now it’s time to implement your PAM solution.

As you know, a PAM system helps prevent the theft of highly privileged credentials – and better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.

But implementing a PAM solution can seem like a daunting task – and you don’t want a breach at your organization to be your incentive to move forward. How do you get started and make sure your PAM solution doesn’t become shelfware?

Gain traction of your PAM project with a phased approach.

At CyberSheath, we have seen many organizations in various levels of PAM maturity. In our experience, a phased approach is the best way to deploy a PAM solution. This method enables you to tackle finite pieces of the project quickly – and helps you make a positive impact on your organization’s security in as few as 30-days. We recommend running each phase as a sprint (usually targeted to take 30 days). Keep in mind that sometimes a phase will need to be divided into mini-sprints.

Here are the top-level phases to help you craft your PAM approach. While you may shift the order of phases to fit your organizational priorities and infrastructure complexity, we have found this hierarchy of action to be effective at rapidly identifying and remediating key security gaps.

PhaseArea of focusWhat it isWhy it is a priorityWhat you need to do
1Built-in Local AccountsFor Windows, a built-in account is a type of user account that is created during installation.These accounts have passwords that are known to multiple people – some of whom have probably left your organization. Often the same password is used across multiple systems enabling lateral Pass-the-Hash attacks to gain access to much of your infrastructure. These accounts are homogeneous and tend to be the easiest to onboard as a first step in your PAM initiative.
  • Identify and onboard buy-in accounts for Windows (Administrator) on servers and desktops, Unix (root).
  • Enable password rotation on all accounts.
2Domain AdminA built-in group on Microsoft Active Directory, the Domain Admin is typically assigned to administer all domain servers. Members of this group have full administrative rights to many components of the corporate infrastructure.These few accounts are a master key, having access to everything. Securing this small group is a fast way to help safeguard your systems.
  • Onboard Domain Admin accounts into CyberArk.
  • Switch to the ‘shared privileged account model’ and revoke individual domain-admin permissions.
3Database, Exchange, and Application AdminsDatabase, Exchange, and application administrators manage and maintain database management systems and application software.This is where the data is. These accounts control access to all the intellectual property at your company.
  • Isolate and monitor Tier 1 assets.
  • Onboard any privileged database and Exchange admin accounts.
4Network DevicesNetwork devices are components used to connect computers or other electronic devices together so that they can share files or resources.Access to your network can be an entry point to any other systems at your organization.
  • Identify any onboard network devices, business apps, and security appliances.
5Service AccountsA service account is a user account created explicitly to provide a security context for services running on various a operating systems and applications.Often these accounts have high-level access – and passwords compromised on one of these accounts provides a foothold for access across your network. Passwords on these accounts often have not been changed in years – so security is suspect.
  • Identify and begin addressing the management of service and App IDs.
  • Purchase additional licensing as required.
6Corporate AccountsExternal accounts are created in your company’s name and provide third-party services not available internally. Examples include Twitter, Facebook, and credit and bank accounts.Unauthorized access to these accounts can adversely impact your brand and your bottomline.
  • Protect corporate communications and external financial systems accounts.
7Desktop ComputersThese are assets given to employees to support their work and productivity including desktop and laptop computers.Individual desktops can provide an entrance point for hackers to infiltrate corporate systems as passwords tend to never change and often passwords are the same across all devices.
  • Enable only specific users to elevate their permissions.
  • Limit which apps and commands can be run by which users.

Here’s a useful graphic to help with planning the phased approach for your PAM solution. Download it for your reference.

 

cta image

Phased PAM Approach

Make sure your PAM solution doesn't become shelfware

Download Now

 

Stay tuned for more information coming soon on how to prepare for and scope an individual sprint to tackle one or more of these areas.

If you would like experienced help identifying or implementing PAM phases for your organization, you can rely on CyberSheath’s skilled SMEs. Contact us to learn more and to get started.

Contact Cybersheath

By completing this form, I consent to receiving calls, texts and/or emails from Cybersheath regarding services and programs.