Effective CyberArk Identity Scan Tool for Privileged Account Discovery

Organizations face the critical challenge of managing privileged accounts, which, if compromised, can lead to significant security breaches. CyberArk Privilege Cloud addresses this with the CyberArk Identity Scan Tool, a feature designed to discover and manage these high-risk accounts. This article describes the capabilities of the CyberArk Identity Scan Tool and explains how it helps organizations improve their security posture by identifying and onboarding privileged accounts within their environment.

Understanding CyberArk Identity Scan Tool

The CyberArk Identity Scan Tool, also known as Account Discovery within CyberArk Privilege Cloud, is designed to automatically scan your domain machines to identify privileged accounts and their associated dependencies. This proactive approach provides a comprehensive view of your organization’s privileged access landscape. By discovering these accounts, the CyberArk Identity Scan Tool enables you to bring them under secure management within Privilege Cloud, a process known as onboarding. This ensures that critical accounts are continuously monitored and protected, mitigating the risk of unauthorized access and potential cyberattacks.

The CyberArk Identity Scan Tool is capable of discovering various types of accounts across different platforms, including:

  • Windows Domain and Local Accounts: Identifies both domain-level administrator accounts and local accounts with elevated privileges on Windows systems.
  • Unix Local Accounts and SSH Keys: Detects local accounts on Unix-based systems and also scans for SSH keys that might grant privileged access.
  • macOS Accounts: Discovers accounts that are members of the Administrators group or the root group on macOS systems, extending coverage to your Apple devices.

These discovered accounts are categorized to provide deeper insights:

  • Account Dependencies: This crucial feature goes beyond simply listing accounts. It identifies dependencies associated with discovered accounts, such as Windows services or scheduled tasks that rely on these accounts. Understanding dependencies is vital for successful onboarding, as it ensures that all locations where an account’s credentials are used are properly managed and updated.

    Account dependencies are particularly important in two scenarios:

    • Pending Accounts: For newly discovered accounts listed in the Pending Accounts queue, the CyberArk Identity Scan Tool highlights the number of dependencies, providing a clear picture of the account’s scope.
    • Existing Accounts: If the CyberArk Identity Scan Tool identifies new dependencies for accounts already managed within Privilege Cloud, it automatically adds these dependencies. To maintain security, these newly discovered dependencies are initially disabled, requiring administrators to review and approve them before they are actively managed by CyberArk’s CPM (Central Policy Manager). This precautionary measure safeguards against the risk of malicious dependencies being automatically incorporated.
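The two dependency scenarios above follow one rule: dependencies found for a not-yet-onboarded account are attached to its pending entry (and counted), while dependencies newly found for an already-managed account are added in a disabled state until an administrator approves them. The following Python model of that merge step is example code added to this article; it is not CyberArk's implementation, and the record types, field names and the sample scan output are assumptions constructed to illustrate the behaviour described.

```python
"""Model of how a discovery run feeds the Pending Accounts queue and updates
already-managed accounts. Example code added to the article, not CyberArk's
implementation: the record types, field names and sample scan output are
assumptions constructed to illustrate the described behaviour."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Dependency:
    """A place where an account's credential is used (labels assumed)."""
    kind: str      # e.g. "WindowsService" or "ScheduledTask"
    machine: str
    name: str


@dataclass
class ManagedAccount:
    """An account already onboarded in Privilege Cloud."""
    username: str
    address: str
    # dependency -> enabled flag; CPM manages only the enabled ones
    dependencies: dict = field(default_factory=dict)


@dataclass
class PendingAccount:
    """A newly discovered account awaiting administrator review."""
    username: str
    address: str
    dependencies: set = field(default_factory=set)


def account_key(username, address):
    return (username.lower(), address.lower())


def merge_scan_results(managed, scan):
    """Fold scan rows (username, address, [Dependency]) into the model.

    Returns (pending, review_queue): pending lists PendingAccount objects with
    their discovered dependencies; review_queue lists (key, Dependency) pairs
    that were added to existing managed accounts in the disabled state."""
    index = {account_key(m.username, m.address): m for m in managed}
    pending = {}
    review_queue = []
    for username, address, deps in scan:
        key = account_key(username, address)
        if key in index:
            acct = index[key]
            for dep in deps:
                if dep not in acct.dependencies:
                    # new dependency on a managed account: add it disabled
                    acct.dependencies[dep] = False
                    review_queue.append((key, dep))
        else:
            entry = pending.setdefault(key, PendingAccount(username, address))
            entry.dependencies.update(deps)
    return list(pending.values()), review_queue


def approve_dependency(acct, dep):
    """Administrator review step: enable a disabled dependency for CPM."""
    if dep not in acct.dependencies:
        raise KeyError(f"{dep} is not a dependency of {acct.username}")
    acct.dependencies[dep] = True


def sample_managed():
    """Constructed sample: one managed account with one enabled dependency."""
    svc = Dependency("WindowsService", "fs01.corp.example", "BackupSvc")
    return [ManagedAccount("svc_backup", "fs01.corp.example", {svc: True})]


# Constructed sample scan output, not real discovery data.
SAMPLE_SCAN = [
    ("svc_backup", "fs01.corp.example", [
        Dependency("WindowsService", "fs01.corp.example", "BackupSvc"),
        Dependency("ScheduledTask", "fs02.corp.example", "NightlyCopy"),
    ]),
    ("localadmin", "ws-1234.corp.example", [
        Dependency("WindowsService", "ws-1234.corp.example", "AgentSvc"),
    ]),
    ("localadmin", "ws-1234.corp.example", [
        Dependency("ScheduledTask", "ws-1234.corp.example", "Cleanup"),
    ]),
]


def run_demo():
    managed = sample_managed()
    pending, review = merge_scan_results(managed, SAMPLE_SCAN)
    return pending, review, managed


if __name__ == "__main__":
    pending, review, managed = run_demo()
    for p in pending:
        print(f"pending: {p.username}@{p.address} dependencies={len(p.dependencies)}")
    for key, dep in review:
        print(f"review needed: {key[0]}@{key[1]} -> {dep.kind} {dep.name} (disabled)")
```

The point of the disabled-by-default branch is the safeguard the article mentions: a dependency that appears on a managed account without an administrator having approved it is exactly the case that deserves a look before CPM starts pushing credentials to it.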

How the CyberArk Identity Scan Tool Works

The CyberArk Identity Scan Tool leverages the CPM Scanner service to perform its discovery operations. This service scans machines based on defined sources, such as your organization’s Active Directory or information from a CSV file, looking for new accounts, modifications to existing accounts, and their dependencies. The results are then presented in the Pending Accounts feed within the Privilege Cloud Portal, ready for administrator review and action.

Key aspects of the CyberArk Identity Scan Tool’s operation include:

  • Scanned Machines: The scope of the scan is determined by configured sources. You can target your entire Active Directory domain or specify machines via a CSV file, offering flexibility in defining the scan perimeter.

  • Default Component: CPM Scanner: The CPM Scanner service is automatically installed as part of the Connector installation in CyberArk Privilege Cloud, simplifying deployment and ensuring the necessary components are in place.

  • Required Permissions: Running account discovery scans requires specific permissions to access and query target systems. Detailed information on these permissions can be found in the CyberArk documentation on Permissions required for running an Account Discovery scan.

  • Setup and Configuration: Configuring the CPM Scanner involves defining scan sources and schedules. For detailed guidance on setup and configuration, refer to the CyberArk documentation on Configure the CPM Scanner.

  • Performing Account Discovery and Onboarding: The process of running scans and onboarding discovered accounts is well-documented in the CyberArk documentation on Discover accounts using the CPM Scanner.

The Account Discovery and Onboarding Process: A Step-by-Step Guide

Onboarding privileged accounts using the CyberArk Identity Scan Tool is a cyclical process, ensuring continuous security and management. This process is typically broken down into three key steps:

Step 1: Run Discovery

The initial step involves launching the CyberArk Identity Scan Tool to identify privileged accounts within your environment.

  • Manual vs. Scheduled Scans: You have the flexibility to run scans on demand for immediate discovery or schedule recurring scans to maintain an up-to-date inventory of privileged accounts. Scheduled scans are crucial for continuously monitoring your environment for new or modified accounts and dependencies.
  • Automatic Update of Dependencies: The CyberArk Identity Scan Tool automatically detects and updates account dependencies. When a new dependency is found, it is added to the pending account. For already onboarded accounts, new dependencies are also automatically identified and added, though they are initially disabled for security review as mentioned earlier.
  • Running Account Discovery on Remote Unix Machines: In environments where direct privileged access to remote Unix machines is restricted, the CyberArk Identity Scan Tool can still function effectively. This requires configuring a dedicated logon account with remote logon permissions. This logon account authenticates to the remote machine, allowing the CyberArk Identity Scan Tool to then perform discovery operations. For more information on setting up logon accounts for remote Unix discovery, consult the CyberArk documentation on Create linked accounts.

Step 2: Analyze

After running a scan, the results are compiled in the Pending Accounts list within the Privilege Cloud Portal. This queue requires careful review and analysis.

  • Pending Accounts List Review: Administrators need to examine the Pending Accounts list to assess the risk associated with each discovered account. This involves understanding the account’s privileges and potential impact if compromised.
  • Decision Making: Based on the risk assessment, decisions are made for each account:
    • Onboard: Accounts that are genuinely needed and carry privileged risk should be onboarded for management within Privilege Cloud.
    • Disregard: Some discovered accounts might be service accounts with minimal risk or accounts that are not considered privileged. These can be disregarded.
    • Delete: In certain cases, accounts might be obsolete or unauthorized. The CyberArk Identity Scan Tool allows for the deletion of these accounts, helping to clean up and secure the environment.

Step 3: Onboard

The final step is to onboard the selected privileged accounts into CyberArk Privilege Cloud management.

  • Account Assignment: During onboarding, accounts are assigned to appropriate Safes (secure storage locations) and platforms (defining management policies).
  • Onboarding Rules (Automation): To streamline the onboarding process, CyberArk Privilege Cloud supports onboarding rules. These rules can automate the assignment of accounts to specific Safes and platforms as soon as they are discovered, significantly improving efficiency and reducing manual effort.
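To make the rule-based assignment concrete, here is a small Python rule engine modelling Step 3: each discovered account is checked against an ordered list of rules and, on the first match, assigned a Safe and a platform; anything that matches no rule stays in the pending queue for manual review. This is example code added to this article, not CyberArk's rule engine; the rule fields, platform labels, Safe names and sample accounts are all assumptions.

```python
"""Toy onboarding-rule engine for Step 3. Example code added to the article,
not CyberArk's rule engine; rule fields, platform labels, Safe names and the
sample accounts are assumptions constructed for illustration."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Discovered:
    username: str
    address: str
    platform_type: str      # assumed labels: "Windows Domain", "Windows Local", "Unix", "macOS"
    dependency_count: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    platform_type: str      # exact match, or "*" for any platform type
    address_pattern: str    # shell-style glob, matched case-insensitively
    username_pattern: str   # shell-style glob, matched case-insensitively
    safe: str
    platform_id: str


def rule_matches(rule, account):
    if rule.platform_type not in ("*", account.platform_type):
        return False
    if not fnmatch.fnmatchcase(account.address.lower(), rule.address_pattern.lower()):
        return False
    return fnmatch.fnmatchcase(account.username.lower(), rule.username_pattern.lower())


def first_matching_rule(account, rules):
    """Rules are ordered: the first match wins, so list specific rules first."""
    for rule in rules:
        if rule_matches(rule, account):
            return rule
    return None


def apply_onboarding_rules(accounts, rules):
    """Returns (onboarded, still_pending)."""
    onboarded, still_pending = [], []
    for acct in accounts:
        rule = first_matching_rule(acct, rules)
        if rule is None:
            still_pending.append(acct)
        else:
            onboarded.append({"account": acct, "safe": rule.safe,
                              "platform_id": rule.platform_id, "rule": rule.name})
    return onboarded, still_pending


# Constructed sample rules (names, Safes and platform ids are placeholders).
SAMPLE_RULES = [
    Rule("domain-admins", "Windows Domain", "*", "*", "WinDomainAdmins", "WinDomain"),
    Rule("prod-unix-root", "Unix", "prod-*", "root", "UnixProdRoot", "UnixSSH"),
    Rule("local-admin-workstations", "Windows Local", "ws-*", "administrator",
         "WinLocalAdmins-Workstations", "WinLocal"),
]

# Constructed sample pending accounts, not real discovery output.
SAMPLE_PENDING = [
    Discovered("CORP\\da-jsmith", "corp.example", "Windows Domain"),
    Discovered("root", "prod-db01.corp.example", "Unix"),
    Discovered("root", "lab-01.corp.example", "Unix"),
    Discovered("Administrator", "ws-0042.corp.example", "Windows Local", 2),
]


def run_demo():
    return apply_onboarding_rules(SAMPLE_PENDING, SAMPLE_RULES)


if __name__ == "__main__":
    onboarded, pending = run_demo()
    for o in onboarded:
        a = o["account"]
        print(f"onboard {a.username}@{a.address} -> safe={o['safe']} "
              f"platform={o['platform_id']} ({o['rule']})")
    for a in pending:
        print(f"manual review: {a.username}@{a.address} ({a.platform_type})")
```

Two design choices matter here. Rules are evaluated in order so that narrow rules (production root accounts) take precedence over broad ones, and there is deliberately no catch-all rule: an account nobody has written a rule for should land in the pending queue and get a human decision, not a default Safe.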

Benefits of Utilizing the CyberArk Identity Scan Tool

Implementing the CyberArk Identity Scan Tool offers numerous advantages for organizations seeking to strengthen their privileged access security:

  • Enhanced Security Posture: By proactively discovering and managing privileged accounts, the tool significantly reduces the attack surface and minimizes the risk of privileged access abuse.
  • Improved Visibility: Gain a comprehensive understanding of all privileged accounts within your environment, including those that might have been previously unknown or unmanaged.
  • Automated Discovery: Automate the time-consuming and error-prone manual process of identifying privileged accounts, ensuring continuous and accurate discovery.
  • Streamlined Onboarding: Simplify and accelerate the onboarding of privileged accounts into CyberArk Privilege Cloud, reducing administrative overhead and improving efficiency.
  • Dependency Awareness: Identify and manage account dependencies, ensuring complete control over privileged access and preventing misconfigurations.
  • Continuous Monitoring: Scheduled scans provide ongoing monitoring for new accounts and changes, maintaining a consistently secure privileged access environment.
  • Compliance Support: Helps organizations meet compliance requirements related to privileged access management by providing a robust and auditable solution for discovering and controlling privileged accounts.

In conclusion, the CyberArk Identity Scan Tool is an indispensable component of a comprehensive privileged access management strategy. By leveraging its automated discovery capabilities and seamless integration with CyberArk Privilege Cloud, organizations can effectively identify, manage, and secure their privileged accounts, significantly reducing their risk of security breaches and enhancing their overall security posture.
