Acknowledge today that you cannot protect everything in the enterprise at the same level. To that end, the idea that cyber security teams might focus on a subset of user accounts in an enterprise, namely the privileged accounts, is perfectly reasonable. And if the selected platform solution for protecting privileged accounts can scale up to all user accounts – well, that would just be icing on the cake.
I recently sat down with a group of experts from CyberArk to discuss the state-of-the-art in privilege management. The time was well-spent for me, because they explained privileged account management in the context of four basic step-by-step tasks, none simple, but all essential to controlling the most important accesses to enterprise crown jewels, including on endpoints and in cloud. Here is what I learned:
Task 1: Inventory Privileged Accounts. The initial step involves defining what constitutes a privileged account. CyberArk supports this task through automated discovery, but the enterprise team must sit down and orchestrate development of a local inventory. This task is complicated by mergers, shadow IT, and other issues in the modern enterprise, so many CISO teams often decide to punt. Bad idea.
Task 2: Lock Down Accounts. The next step involves functionally locking down all identified privileged accounts. This is usually done in conjunction with a carefully protected vault capability, such as is found in the CyberArk platform. The lockdown process is usually done in a phased, stepwise manner through the inventoried accounts. Automation certainly helps thing move along more quickly.
Task 3: Control Administrative Sessions. The next task involves isolation and control of privileged administrative sessions. The goal is to reduce the risk of an insider or malware laterally traversing an enterprise as would be found in an APT. It is no longer acceptable to trust an access simply because it originates inside the company firewall. CyberArk enforces this isolation using tools called jump servers.
Task 4: Continually Monitor Activity. The remaining task involves threat analytic-based monitoring of account provisioning and maintenance. Such analytics must be tuned to the specifics of the local applications and environment, and connectors are required to integrate this monitoring with similar activity such as log management and security information event management (SIEM) infrastructure.
Some might argue that centralizing privileged account management to a common platform, such as from CyberArk, creates a single-point-of-attack. Certainly, CISO teams would be wise to ensure world-class disaster recovery, logical distribution, and resiliency methods in their deployment. But the benefits of centrally managing privileged accounts are significant, especially if hybrid cloud is on the horizon.
To sum up: Every enterprise security team today will acknowledge that enormous cyber risk lies with privileged access to their most sensitive and critical resources. It therefore makes perfect sense to tighten things up with a world class privilege management solution. My advice is to have a closer look at the CyberArk solution – as I have – and see if you can tighten up your enterprise protections.
Keep us posted on your progress.