Privileged accounts represent a significant attack vector that organizations have to address as part of a proactive cyber security program. With tens or hundreds of thousands of privileged accounts across a typical enterprise organization, IT security teams have to consider a number of factors as they improve privileged access controls – including complexity, legacy access and the unknown impact of change.
Though some CISOs set a goal from the start of deploying a comprehensive privileged account security program, many others take a phased, step-by-step approach based on an enterprise-wide, long-term strategy. To start, they often identify a small set of accounts using classification and risk-rating mechanisms to pinpoint the highest risk. These accounts are moved to a centralized and automated system. Then gradually, over time, the organization expands coverage to new phases.
The way an organization defines each “phase” will differ from company to company, but following are some examples of typical phases:
- By platform/technology: Organizations can create phases for administrative accounts in Windows, Linux, mainframes, databases and so on. In some cases, they address all of the machines on a particular platform first, then another platform, for example, addressing all Unix servers and then all Windows servers, can help to reduce the risk of intruders being able to move laterally between machines.
- By region or by business unit: This approach is often used by global organizations in which each region has its own IT group and infrastructure. Similarly, if a company has separate IT groups for each business unit, it may choose to address each one as a phase.
- By application team: If an organization has multiple application development teams, it may choose to work with each team in phases.
When determining which phased approach will work best for your organization, consider what would cause the least disruption while adding the most value. After you have success in one phase or area, you are in a position to scale up the program. Look for ways to standardize your approach across the organization. For instance, if a pilot project has applied a new approach to managing Unix accounts, use that process and strategy as a blueprint for managing accounts in other platforms.
As one CISO noted in the CyberArk-sponsored CISO View report, “Don’t bite off too much initially. Phase it in, manage the effort piece-by-piece in an incremental approach. Use a scoreboard to track your progress as things move into your privileged ID process so you can see month over month what it looks like as you continue to drive the advancement.”
In this short video, I share the three primary phases our customer success team often recommends for improving privileged account security using the CyberArk Privileged Account Security Solution. To learn more, please visit here.