Gauging Privileged Account Management progress via CyberArk “DNA”

Christopher Meek, Senior IAM Consultant, SecureITsource, Inc.

For the first six months I worked with CyberArk, I knew that the Discovery & Audit (DNA) tool existed but I had incorrectly assumed it was meant to be a sales tool and never used again. I was supporting a project whose scope, goals and project management style was already defined. The adage “if I only knew then what I know now” comes to mind thinking back to that project. DNA is one of the greatest tools available for measuring progress of a Privileged Identity Management program and I was blissfully unaware.

For those unfamiliar, please take a moment to look over for an overview of what DNA offers. The tool offers tremendous insight into the inner workings of privileged identities on your networks and tends to be shocking even to long time system owners. If your organization hasn’t received a free assessment, there is a form at the bottom of the link I provided that will provide set you up with your first scan. You can also reach out to CyberArk’s 2017 Innovative Partner of the YearSecureITSource to set it up an initial review.

For the rest of you already familiar with the DNA tool, keep reading for a bit of insight into how I’ve been getting added value from the tool.

Using DNA to monitor reduction of the threat surface

There are a few trains of thought for monitoring how well a CyberArk implementation is going. Some teams will simply state “the more accounts we have vaulted in CyberArk…the better”. All too often a Privileged Account Inventory report is used exclusively to show what the initiative has accomplished. Decommissioned servers, accounts in an error state or even non-privileged accounts could to be included; effectively skewing the data and potentially inspiring a false sense of security or accomplishment. The Privileged account inventory report is still a great resource but the true victory can be measured with DNA.

A DNA report for the business units or applications you are targeting should be run prior to any onboarding. This is now your baseline, a moment in time snapshot of the state of every account contained on a server. Scope-restrictions, level of effort, timelines and expectations can now be effectively discussed and a quantifiable finish line can be mapped into project management. Be sure to annotate and archive your baseline with account owner details and scope exception information to refer to in the future.

Process remediation: Stop the bleeding

Even after completing the onboarding of all privileged accounts on a subset of hosts, there is still value to be had from DNA. Successive DNA scans can be used to identify the health of your provisioning processes. Each new privileged account that shows up in a DNA scan and was onboarded into your vault is proof of a successful preventative control or vice-versa.

For those of you pro-active in ensuring your next audit will be passed, DNA scans provide an opportunity to spot check for an approved request. Ensure that each new privileged account is properly accounted for and welcome the opportunity to resolve any issues you find on your terms, before being blindsided by the impending audit report.