SPHERE Insights is an ongoing column written by various members of the SPHERE team, highlighting unique viewpoints and expertise. This article comes to us from our fearless leader, Rita Gurevich.
Outside of being large and complex, one of the major obstacles IAM and vaulting solutions have is the quality of the data they rely on to be effective. It’s very simple and a basic tenet of IT security: Bad data in equals bad data out. Understanding the effective permissions and access of the users is critical and, by no means, a simple task. Another important consideration, outside of relevant data, is accurate reporting that provides the necessary details to confirm that the proper accounts and permissions are being on-boarded or secured, as intended. SPHEREboard provides the functionality to address these types of project obstacles head-on.
The challenges are real and should not be ignored. Large IT organizations have many data repositories across a variety of platforms and it is extremely difficult to identify or get an accurate picture of the immediate risks and how to properly eliminate them. This information includes feeds from HR, Active Directory, CMDBs and other books of record, along with the source platform as well. (i.e. Windows).
Based on 10 years of professional services experience, SPHEREboard is a purposely-built collection of host connectors that pull relevant user permissions data from across the environment, adding referential and contextual data for advanced analytics that produces an organized and actionable data-set. Reports include extensive visibility into all privileged accounts as well as those accounts in the local administrators group that aren’t yet vaulted and are actively being used. This approach is ideal when transitioning privileged accounts from having zero visibility to being fully managed within CyberArk.
In terms of Privileged Access, SPHEREboard provides the visibility into the 3 types of CyberArk Privileged Account Instances that are being managed on a server.
- Managed: Account is managed in CyberArk. Password is either rotated or never revealed to the end-user.
- Vaulted: Account is stored in CyberArk; password is not rotated and is revealed upon check-out.
- Unmanaged: Account is not in CyberArk.
Once the risks have been identified and formalized, educated recommendations can be offered to IT management to prioritize what items or potential risks should be addressed first.
Step 1: Ownership Confirmation & Entitlement Review across applications, servers & vaults automate the process of having owners attest to accounts and application access.
Step 2: Review & Update Policies. Review proposed privileged access policies with key stakeholders.
Step 3: Communicate changes to business. Engage in communications and formalized training to make privileged users aware of changes.
Step 4: Remove Human Accounts- Have human accounts re-certified, given access to a vault, and removed from the server.
Step 5: Perform ongoing reporting & entitlement review. Ensure there is regular reporting on gaps in operational compliance and application owners are certifying access.
Some of the immediate benefits to SPHEREboard’s analysis and reporting:
- All Accounts that should be on-boarded into CyberArk are, in fact, on-boarded
- Number of Local Administrators are significantly reduced
- Ongoing reporting and visibility into privileged access
- Ongoing certifications of those individuals that require privileged access