Over six years of helping KPMG clients with their Privileged Access Management (PAM) programs, I have found that there is rarely a simple answer to two critical questions: exactly which privileged accounts in an environment should be integrated first (for example, application, infrastructure, or personal accounts), and exactly how each type of privileged account should be controlled. The ways an organization can control privileged accounts using a solution like CyberArk vary greatly (e.g., vaulting, password rotation, brokering).
A common approach to password management is to treat all vaulted credentials with the same level of control measures; this is typically a symptom of the lack of a risk-based approach to assigning criticality to accounts. At the other extreme, we also see wild inconsistencies in the way passwords are managed, with individual platform owners left to pick and choose the security controls they consider appropriate. This is typically an indication that no PAM standards have been defined that can be applied enterprise-wide. When developing strategies and roadmaps for KPMG clients, our teams apply an “Account Criticality Matrix” to help answer these questions. The matrix standardizes the way we rate and weigh the criticality of a given account. It includes a set of predefined criteria that we tailor to the unique needs of each organization. Example criteria in the Account Criticality Matrix include:
* Number of individuals that have access to a given privileged credential
* Frequency of account usage
* Potential to access sensitive data
* Scope of privilege across single/multiple systems or platforms
* Control level granted
Based on the numerical score derived from the Account Criticality Matrix, we then build a profile of what the organization considers a “high-risk” account versus a “low-risk” account. This profile helps on several fronts. First, it brings into scope account types that typically would not be considered true “privileged” accounts. For example, many application or service accounts are inadvertently excluded from management because the application owner does not understand the enterprise definition of a privileged account. In the absence of predefined prioritization criteria, those owners are left to decide for themselves whether an account constitutes a “privileged” account; without prescribed guidance, many will decide that it does not. The matrix allows an organization to take any account type and apply a standardized metric to determine whether it meets the criteria to be integrated into CyberArk.
The second benefit is the standardization of account controls across the organization based on the calculated criticality. Depending on licensing and hardware limitations, session recording for all privileged accounts may not be feasible. Based on a predefined policy, an organization could mandate that only “high” rated accounts require dual control and Privileged Session Manager (PSM) recording, while periodic password rotation is sufficient for “medium” rated credentials.
Third, combining knowledge of which accounts rate “high” with the estimated implementation effort provides a basis for prioritizing the order of integration. When stakeholders ask why the decision was made to start with default local accounts rather than their specialized application, you can point not only to the fact that those accounts rated high based on user base, scope of privilege, and level of control granted, but also to the fact that the implementation effort was lowest for those accounts.
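To make the scoring, tiering and prioritization described above concrete, here is an added Python example. It is not KPMG's matrix and not a CyberArk feature: it rates an account on the five example criteria listed earlier, weights them into a total, maps the total to a high/medium/low tier with a control baseline per tier (dual control and PSM recording only for “high”, rotation for “medium”), and then orders accounts for integration by tier and estimated effort. The weights, rating scales, thresholds, control sets and sample accounts are all constructed assumptions for illustration.

```python
"""Account Criticality Matrix worked example.

Added illustration, not KPMG's or CyberArk's published values: every weight,
scale, threshold and control mapping below is an assumption to be tailored.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    users: int             # individuals with access to the credential
    uses_per_month: int    # frequency of account usage
    sensitive_data: bool   # potential to access sensitive data
    scope: str             # "single" or "multiple" systems/platforms
    control: str           # "read", "elevated" or "full_admin"
    effort: int            # estimated integration effort, 1 (low) .. 5 (high)


# Weight per criterion (assumption). Each criterion is rated 1..3 below.
WEIGHTS: Dict[str, int] = {"users": 2, "frequency": 1, "sensitive": 2, "scope": 2, "control": 3}
MAX_SCORE = 3 * sum(WEIGHTS.values())  # 30 with the weights above

# Tier thresholds on the weighted total (assumption).
HIGH_THRESHOLD = 22
MEDIUM_THRESHOLD = 15

# Control baseline per tier (assumption modelled on the policy sketched in the text).
CONTROLS: Dict[str, Tuple[str, ...]] = {
    "high": ("vault", "rotate", "dual_control", "psm_recording"),
    "medium": ("vault", "rotate"),
    "low": ("vault",),
}
_TIER_RANK = {"high": 0, "medium": 1, "low": 2}


def rate(acct: Account) -> Dict[str, int]:
    """Rate each criterion 1..3 (assumed scales); raise on unknown categories."""
    scope_scale = {"single": 1, "multiple": 3}
    control_scale = {"read": 1, "elevated": 2, "full_admin": 3}
    if acct.scope not in scope_scale:
        raise ValueError(f"unknown scope {acct.scope!r}")
    if acct.control not in control_scale:
        raise ValueError(f"unknown control level {acct.control!r}")
    return {
        "users": 1 if acct.users <= 2 else 2 if acct.users <= 10 else 3,
        "frequency": 1 if acct.uses_per_month < 5 else 2 if acct.uses_per_month < 30 else 3,
        "sensitive": 3 if acct.sensitive_data else 1,
        "scope": scope_scale[acct.scope],
        "control": control_scale[acct.control],
    }


def score(acct: Account) -> int:
    """Weighted total of the criterion ratings."""
    ratings = rate(acct)
    return sum(WEIGHTS[c] * ratings[c] for c in WEIGHTS)


def tier(total: int) -> str:
    """Map a weighted total to a criticality tier."""
    if total >= HIGH_THRESHOLD:
        return "high"
    if total >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def controls_for(acct: Account) -> Tuple[str, ...]:
    """Control baseline the policy mandates for this account's tier."""
    return CONTROLS[tier(score(acct))]


def integration_order(accounts: List[Account]) -> List[str]:
    """Highest tier first; within a tier, lowest implementation effort first."""
    ranked = sorted(accounts, key=lambda a: (_TIER_RANK[tier(score(a))], a.effort, a.name))
    return [a.name for a in ranked]


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS: List[Account] = [
    Account("local-administrator", users=40, uses_per_month=200, sensitive_data=False,
            scope="multiple", control="full_admin", effort=1),
    Account("svc-erp-app", users=15, uses_per_month=500, sensitive_data=True,
            scope="multiple", control="elevated", effort=5),
    Account("svc-payroll-db", users=2, uses_per_month=300, sensitive_data=True,
            scope="single", control="elevated", effort=4),
    Account("lab-readonly", users=1, uses_per_month=2, sensitive_data=False,
            scope="single", control="read", effort=1),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        total = score(acct)
        print(f"{acct.name:20} {total:2}/{MAX_SCORE} {tier(total):6} {', '.join(controls_for(acct))}")
    print("integration order:", integration_order(SAMPLE_ACCOUNTS))
```

Note that the application account `svc-erp-app` lands in the high tier because of its user base, scope and access to sensitive data, even though an application owner might not have called it privileged; and that the local administrator account is integrated first because it scores high and has the lowest effort, which is exactly the argument made to stakeholders above.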
Art Chaisiriwatanasai is a Director within KPMG’s Chicago office and is a member of their IT Advisory – Cyber practice. Art has in-depth experience in information security focusing on privileged access management, security operation center implementations, vulnerability management, risk assessment, and incident response initiatives.
Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
© 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. [Printed in the US]. The KPMG name and logo are registered trademarks or trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.