What to expect from your annual CyberArk health assessment

Christopher Meek, IAM Consultant, SecureITsource, Inc.

Yearly health assessments for CyberArk deployments are invaluable, and there is no better time than the present to begin planning yours. The daily obligations of the deployment teams are often so broad that documenting and optimizing the environment takes a back seat to more important tasks. After all, progress is typically measured by the percentage of CyberArk managed accounts.

Health checks act as both a preventative and corrective control for any project. In CyberArk’s case, I like to provide an overview of the entire deployment and ensure the project is making meaningful strides towards organizational objectives. They are a great way to stay current with vendor best practices, visualize the state of the environment, and ensure that any opportunities for improvement are realized early, when modifications are less complex and costly to implement.

Below are five minimum requirements that should be contained within every CyberArk health check.

Master policy report- This is a simple but effective way to begin understanding the state of your CyberArk deployment. The master policy is a baseline for all accounts living in CyberArk. It typically represents the most common settings for CyberArk managed accounts. Review your master policy settings and document each platform’s exceptions. Master policy settings and exceptions provide a verifiable sanity check that everything is working as intended.

Platform analysis– Platform analysis is one of the most time-consuming portions of a health check. A standard platform contains over a hundred separate parameters that directly impact every account associated with it. Each platform will also need to be cross referenced with the Master Policy so that exceptions can be mapped. Unfortunately, it is very common to find platform settings that do not align with the platform’s purpose. The platform analysis is a great opportunity for validation and optimization.

License utilization check- A standard license report is easy to generate. However, the features that accompany each license are not as obvious. I recently spoke with an engineer utilizing CyberArk’s Privilege Session Manager. End users were still required to utilize the CyberArk web portal (PVWA) for PSM transparent connections. The integration team was not aware that CyberArk recently began offering connection options via native tools like PuTTy and RDC. After a quick proof of concept and implementation, his administrators championed the use of CyberArk and consequently accelerated product adoption.

Your license report should highlight any components that are underutilized while referencing recent patch notes for any expanded functionality.

Account object health report- Accounts with errors or accounts that are no-longer automatically managed are a common occurrence in nearly every CyberArk deployment. They could be in a failed state for any number of reasons, but without someone actively cleaning up these accounts, they begin to take the form of a measurable attack vector. This report should highlight your most prevalent errors, potential business process improvements, and can then be used to initiate a cleanup operation.

Permissions overview- Whether safe permissions are set for groups, roles or otherwise… it is imperative to routinely validate that access controls are implemented correctly. This is especially important for CyberArk administrative clients. This report should contain the members of each safe and the rights that have been granted to them. An experienced CyberArk engineer will be able to use this report to implement least privilege best practices at the safe level.

Health-checks, much like annual physicals, should be a routine event to ensure that your environment is optimized for efficiency and security. And while it is something that you can do yourself (assuming you have the depth and in-house expertise), having a third party involved adds much needed perspective and breadth of experience.

SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of consultants help our clients to reach their IAM goals by providing strategy, design, and engineering expertise.

Visit our website at www.secureitsource.com