
PRIVILEGE CLOUD JUMPSTART


PAM Program Workshop

AGENDA
• Introductions
• Jumpstart Package Overview
• Jumpstart Phases
• Cancellation Policy
• Engagement Sequence
• Overcoming User Objections
• CyberArk Blueprint Overview
• Phased Approach to Risk Reduction
2022 JUMPSTART PACKAGE OVERVIEW

JUMPSTART PACKAGE TIER

Scoped Work                                         Tier 1                  Tier 2                  Tier 3
IMPLEMENTATION
  Privilege Cloud                                   2                       2                       6
  Identity                                          1                       1                       1
ONBOARDING
  # of Account Platform types (up to 5 accounts)    3 Platforms             4 Platforms             6 Platforms
EXPAND & SECURE
  Use Case Workshops (post install meetings)        4 Additional Meetings   4 Additional Meetings   6 Additional Meetings
Training Credits                                    6                       6                       12
2023 JUMPSTART PACKAGE OVERVIEW

JUMPSTART PACKAGE TIER

Scoped Work                                         Tier 1                  Tier 2                  Tier 3
IMPLEMENTATION
  Privilege Cloud                                   2                       2                       6
  PSMP                                              2                       2                       2
  Identity                                          1                       1                       1
  DPA                                               2                       2                       3
ONBOARDING
  # of Account Platform types (up to 5 accounts)    3 Platforms             4 Platforms             6 Platforms
EXPAND & SECURE
  Use Case Workshops (post install meetings)        4 Additional Meetings   4 Additional Meetings   6 Additional Meetings
                                                    (3 Usecases)            (3 Usecases)            (6 Usecases)
Training Credits                                    6                       6                       12
Three Phases of the Privilege Cloud Jumpstart

PHASE 1: PAM Program and Architecture Workshops
• Team introduction and role definitions
• Use case analysis
• Architecture considerations
• Authentication Methods
• Goal setting for deployment model phase

PHASE 2: Deployment
• Deployment of the Privilege Cloud Connectors
• Common workflow demonstrations and core use case testing
• Assist with configuration of resiliency
• Assist with baseline Access control

PHASE 3: Expand and Secure
• Consisting of a set of bi-weekly Use Case Workshops for securing additional assets
• Provide strategic advisement for securing critical assets
• Develop recommendations and best practices specific to customer environment
• Define an approach that helps you reach your overall PAM goals
CANCELLATION POLICY

• For All Professional Services Packages and Add-Ons
• Customer shall confirm each Professional Services engagement in writing at least two (2) weeks in advance. Any rescheduling of services will be by mutual agreement and availability. If an onsite engagement is rescheduled or canceled less than two (2) weeks prior to the scheduled start date, then Customer/Partner shall compensate CyberArk for non-refundable travel expenses or rebooking fees incurred by CyberArk due to the rescheduling or cancellation. If an onsite or remote engagement is rescheduled or cancelled less than one (1) week prior to the scheduled start date, then Customer/Partner will forfeit that rescheduled or cancelled engagement time.
• Excerpt text quoted from the full CyberArk Professional Services Schedule Terms document: https://www.cyberark.com/lgl/CyberArk-Professional-Services-Schedule.pd

NOTE: Significant delay to the project completion date may occur if rescheduling previously confirmed dates. The rescheduled session(s) will be based on resource's availability at the time of cancellation/reschedule request, which can be several weeks out.
KEYS TO PROJECT SUCCESS

Category                            Key to Success
Project Momentum                    We have found most success with Customers who are able to keep to Timelines and Cadence. We have spaced the engagement out in a way that minimizes the gaps between objectives but allows for sufficient time to understand all requirements for each step.
Pre-Requisite Readiness             After our Discovery and Planning Engagement you will have a few weeks to get the pre-requisites ready.
Use case Configuration Readiness    We want you to leave the Discovery and Planning meetings with a full understanding of everything needed for your first 2 use cases.
Engagement Sequence

Milestones, in order: Infra Build begins, Infra Build Completed, Base solution installed, 1st use case tested, 2nd use case tested.

PAS Program Workshop
• Project Requirements
• Expansion Goals
• Plan of action
• Information Gathering

CyberArk Solution Architecture Workshop
• Architecture Deep Dive
• System Requirements
• Expansion Goals
• Prerequisites

Infrastructure Build and Preparation
• Setup of servers
• GPO exceptions
• Domain user & group creation
• Software staging

Implementation
• Connector Servers
• Integrations: LDAP, RADIUS, SAML, SIEM, Ticketing System

Internal Testing and Preparations (1st use case)
• Testing End User Access to Solution
• Collection of account details of 1st use case
• Sourced by use case owners

First Use Case
• Onboarding first use case
• Testing of password management
• Testing
  • End user access to accounts
  • Password management
  • Session Isolation

Internal Testing and Preparations (2nd use case)
• Collection of account details of 2nd use case
• Sourced by use case owners

Second Use Case
• Onboarding first use case
• Testing of password management
• Testing
  • End user access to accounts
  • Password management
  • Session Isolation

Remaining Use Cases
• Remaining use cases in the scope are collected and onboarded
• Automation planning
• Additional feature deployment
6 KEY WAYS FOR OVERCOMING USER OBJECTIONS TO PAS

KEEP IT SIMPLE

CyberArk identifies six recommendations for overcoming Business User objections to PAS, rooted in the Keep It Simple philosophy: simplify the end-user experience. The easier you make their experience, the more likely they are to adopt and buy into the program.

1. Provide Training for Onboarding
   Providing mandatory onboarding training means less time and cycles wasted on trying onboarding Credentials, Applications and Providers. Confusion leads to frustration and dissatisfaction.

2. Publish Instructions for Onboarding
   Having a published reference document for onboarding matters as much as training. Maintain a reference that includes customer expectations (SLAs, workflow, etc.) for self-paced guidance.

3. Implement Single Request System
   When possible, use a single request system for all PAS related activities (access, onboarding, etc.). More request systems equals more confusion.

4. Automate Onboarding Delivery
   Leveraging automation for onboarding delivery (Credentials, Applications, Providers) helps streamline and expedite the delivery mechanism for end-users.

5. Allow Scheduled Changes
   App Teams can be hesitant toward PAM; help them by allowing scheduled password changes for their apps using Platform driven timeframes, human triggers or REST API triggers.

6. Define Clear Escalation Process
   Problems themselves don't mean a negative perception, but the lack of escalation and resolution can. Make it easy for end-users to escalate and get assistance when needed.
CYBERARK BLUEPRINT STAGES OVERVIEW

Each stage lists its GOAL followed by the IDENTITY SECURITY CONTROL FAMILIES & TECHNOLOGIES it covers: Access, Least Privilege, Privileged Access and Secrets Management.

STAGE 1
• Goal: Secure highest privilege identities that have the potential to control an entire environment
• Access: Adaptive MFA & Cloud Admins
• Least Privilege: Cloud Admins & Shadow Admins
• Privileged Access: Cloud Admins, Domain Admins, Hypervisor Admin & Windows Local Admins
• Secrets Management: 3rd Party Security Tools (via C3 Alliance) & Domain Admin Services

STAGE 2
• Goal: Focus on locking down the most universal technology platforms
• Access: PaaS Admins, Cloud Privileged Entities & CI/CD Console Admins
• Least Privilege: Workstation Local Admins, Cloud Privileged Entities
• Privileged Access: Privileged AD Users & *NIX Root + SSH Keys
• Secrets Management: 3rd Party Business Tools & Application Servers (via C3 Alliance)

STAGE 3
• Goal: Build identity security into the fabric of enterprise strategy and application pipelines
• Access: Web Applications (Mission Critical)
• Least Privilege: IT Admin Workstations
• Privileged Access: *NIX Root (Similar), Out of Band Access & Database Built-In Admins
• Secrets Management: CI/CD Toolchain Pipeline & Dynamic Applications (Containers & Microservices)

STAGE 4
• Goal: Mature existing controls and expand into advanced identity security controls
• Access: Web Applications (Core)
• Least Privilege: Workforce Workstations & Windows Servers
• Privileged Access: Network & Infra. Admins, Database Named Admins, Client-Based Apps (Mission Critical)
• Secrets Management: Static Applications (Homegrown Legacy & OS-based)

STAGE 5
• Goal: Look for new opportunities to shore up identity security across the enterprise
• Access: Web Applications (All)
• Least Privilege: *NIX Servers
• Privileged Access: Mainframe Administrators & Client-Based Apps (All)
• Secrets Management: Windows Services (Embedded Usages)
RECOMMENDED INITIAL USE CASES

• Windows Domain Administrators.

• Windows Server Administrators. These could be domain accounts or local server accounts.

• Unix/Linux Root Accounts.
VISIBILITY OF JUMPSTART ACTIVITIES AND PROGRESS
CyberArk uses a tool called Gainsight that gives us the ability to share, collaborate and interact with our customers, helping us manage the various objectives and tasks that go into a Privilege Cloud JumpStart Services Delivery.

You will be invited to access this tool as well as have ownership of various customer specific objectives & tasks such as training completion, providing IP Addresses to be whitelisted and prerequisites completion for deployment.

Information on using Gainsight can be found here: https://cyberark-customers.force.com/s/article/How-to-Use-Gainsight-to-View-and-Collaborate-on-My-JumpStart
ARCHITECTURE

CONFIDENTIAL INFORMATION

REFERENCE ARCHITECTURE (diagram; only the labelled components and traffic types are recoverable)

Customer sites (Site 1 and Site 2):
• Target Devices
• Load Balancer in front of the connectors
• Cloud Connectors A, B and C (PSM, CPM, CPM Scanner)
• Unix Connector (PSMP)
• Secure Tunnel

Privilege Cloud (backend):
• Vault
• Web Portal
• RD Gateway
• Identity / Identity Directory Service
• CPM Service
• PSM Service
• Secure Tunnel Backend

Legend (traffic types):
• Vault Protocol, TCP 1858
• Web Traffic, TCP 443
• CPM Traffic
• SIEM/Syslog Traffic
• LDAP Traffic, TCP 636
• PSM Traffic
• Secure Tunnel
TARGET SYSTEMS (diagram; only the labelled components and traffic types are recoverable)

• Privilege Cloud and the Connector Servers communicate over HTTPS 443, with a Service HA Load Balancer in front of Connector Servers A, B and C (each running PSM)
• Users connect to the connectors over RDP
• Target Systems reached from the connectors: Active Directory, Windows / *nix, Databases, Network Devices (RDP, SSH, JDBC, HTTPS)
• A Firewall sits between the connectors and the target systems

Legend:
• RDP / UDP 3389
• HTTPS / TCP 443
• Remote Ports 22, 3389, etc.
ON-PREMISE INTEGRATIONS (diagram; only the labelled components and traffic types are recoverable)

• Connector Servers A and B each run a Secure Tunnel in an HA pair (Active / Standby) that links the Privilege Cloud Vault Backend to the on-premises integrations
• On-premises integrations: SIEM Servers, Secure LDAP, RADIUS Server
• Connector-side flows are labelled SIEM, RDP

Legend:
• HTTPS / TCP 443
• Active
• Standby
TARGET SYSTEMS: REMOTE ACCESS (diagram; only the labelled components and traffic types are recoverable)

• Remote Employee and Remote Vendor connect to the Remote Access HTML5 GW portal for Privilege Cloud (Privilege Cloud Backend Web Portal)
• Remote Access reaches Connector Server A through the Secure Tunnel
• Connector Server A runs PSM, CPM, CPM Scanner and the Secure Tunnel
• Target Systems reached from the connector: Active Directory, Windows / *nix, Databases, Network Devices (RDP, SSH, JDBC, HTTPS)
• A Firewall sits between the connector and the target systems

Legend:
• RDP / UDP 3389
• HTTPS / TCP 443
• Management Ports 445, 22, 443, 135, etc.