
INSTRUCTIONS

1 Watch the DIY Blueprint Training Video
It will provide you with an overview of how to use this document and make technical decisions regarding your roadmap.

2 Examine the Sample Roadmap
Slide 3 shows you what a completed roadmap might look like and maps the use cases back to the Blueprint, showing that you do not have to follow the stages exactly.

3 Review the Blueprint Stage Overview
Slide 4 lists target systems/accounts to be secured. Each column represents the type of control to be applied. The rows represent the recommended sequence of events.

4 Customize Your Roadmap
Use what you learned in the training video, example roadmap, stage overview, and bonus collateral to customize slide 2 to match your Identity Security Vision.

Bonus Collateral
• Blueprint Website
• Blueprint Whitepaper

Appendix
The appendix is designed to give you additional slides that can help you present and sell your roadmap to internal stakeholders and leadership.
IDENTITY SECURITY ROADMAP TEMPLATE

Legend: Strategy Refresh

Phase 1
• Domain Admins
• Cloud Admins
• Workstation Admins
• PaaS Admins

Phase 2
• Local Admins
• Server Admins
• Cloud VM Instances

Phase 3
• Root (including SSH Keys)
• CI/CD Consoles
• Mission Critical Web Apps

Phase 4
• 3rd Party Vendor Access
• Apps Stage 1: Dynamic

Phase 5
• Built-in DBA Accounts
• Personal DBA Accounts

Phase 6
• Least Privilege for Workstations
• Least Privilege for Servers

Phase 7
• Core Web Applications
• Business Applications

Phase 8
• Apps Stage 2: Static Applications
• Advanced Authentication for Static
• Windows Services

Timeline: CP1* CP2 CP3 CP4 | CP1 CP2 CP3 CP4 | CP1 CP2 CP3 CP4 | ...
Milestone 1 | Milestone 2 | Milestone 3 | M4
*CP = Checkpoint

Instructions: Update phase definitions and timing per your requirements. Define appropriate checkpoints & milestones.
EXAMPLE IDENTITY SECURITY PROGRAM ROADMAP

Legend: Access & PAM | Least Privilege | Secrets Management | Strategy Refresh

Phase 1 (Blueprint Stages 1, 2, 3)
• Cloud Admins
• Domain Admins
• WKS Admins
• Vuln. Scanner

Phase A (Blueprint Stages 1 & 3)
• LP for IaaS Platform
• LP for IT Workstations

Phase 2 (Blueprint Stages 2 & 3)
• Local Admins
• Server Admins
• Remote Access

Phase 3 (Blueprint Stages 2 & 3)
• Root (inc. SSH Keys)
• Other *NIX
• Mission Critical Web Apps

Phase 4 (Blueprint Stages 1, 3, 4)
• Cloud VM Instances
• PaaS Admins
• Apps Stage 1: DevOps

Phase B (Blueprint Stage 4)
• Expand Least Privilege to remainder of workstations

Phase 5 (Blueprint Stages 3 & 4)
• Built-In DB Accounts
• Personal DBA Accounts
• Oracle, MSSQL

Phase 6
• VMWare/Virtualization
• Network Devices
• iLO/DRAC

Phase 7 (Blueprint Stages 4 & 5)
• Apps Stage 2: Homegrown Applications & Service Accounts

Timeline: CP1* CP2 CP3 CP4 | CP1 CP2 CP3 CP4 | CP1 CP2 CP3 CP4 | ...
Milestone 1 | Milestone 2 | Milestone 3 | M4
*CP = Checkpoint

Callout: Organization has audit finding around least privilege.

The Blueprint is NOT a roadmap. It is a series of recommendations which GUIDE roadmap design.
CYBERARK BLUEPRINT STAGES OVERVIEW
IDENTITY SECURITY CONTROL FAMILIES & TECHNOLOGIES

Columns: Goal | Access | Least Privilege | Privileged Access | Secrets Management

STAGE 1
Goal: Secure highest privilege identities that have the potential to control an entire environment
Access: Adaptive MFA & Cloud Admins
Least Privilege: Cloud Admins & Shadow Admins
Privileged Access: Cloud Admins, Domain Admins, Hypervisor Admin & Windows Local Admins
Secrets Management: 3rd Party Security Tools (via C3 Alliance) & Domain Admin Services

STAGE 2
Goal: Focus on locking down the most universal technology platforms
Access: Cloud Privileged Entities
Least Privilege: PaaS Admins, Cloud Privileged Entities & CI/CD Console Admins
Privileged Access: Workstation Local Admins, Privileged AD Users & *NIX Root + SSH Keys
Secrets Management: 3rd Party Business Tools & Application Servers (via C3 Alliance)

STAGE 3
Goal: Build identity security into the fabric of enterprise strategy and application pipelines
Access: Web Applications (Mission Critical)
Least Privilege: IT Admin Workstations
Privileged Access: *NIX Root (Similar), Out of Band Access & Database Built-In Admins
Secrets Management: CI/CD Toolchain Pipeline & Dynamic Applications (Containers & Microservices)

STAGE 4
Goal: Mature existing controls and expand into advanced identity security controls
Access: Web Applications (Core)
Least Privilege: Workforce Workstations & Windows Servers
Privileged Access: Network & Infra. Admins, Database Named Admins, Client-Based Apps (Mission Critical)
Secrets Management: Static Applications (Homegrown Legacy & OS-based)

STAGE 5
Goal: Look for new opportunities to shore up identity security across the enterprise
Access: Web Applications (All)
Least Privilege: *NIX Servers
Privileged Access: Mainframe Administrators & Client-Based Apps (All)
Secrets Management: Windows Services (Embedded Usages)
APPENDIX

PRIVILEGE IS EVERYWHERE — IDENTITY IS THE NEW PERIMETER

Environments: On-Prem / Hybrid / Cloud | SaaS | IaaS / PaaS
Privileged targets shown: *nix Server, App Server, Database, Network Devices, IoT, IT Ops Tools, Cloud Native, Containers, VMs & Serverless, Apps, Storage, Code

USERS: Admin, DevOps, Apps / Robots, 3rd Party Vendors, Workforce

WORKPLACES: Office, WFH, Temporary Location
WORKSPACES: Mac, PC, Mobile
THE CYBERARK BLUEPRINT is a framework of SIMPLE PRESCRIPTIVE GUIDANCE designed to measurably REDUCE RISKS and DEFEND AGAINST ATTACKS, which is built on:

• ENTERPRISE BEST PRACTICES: 6,000+ Global Customers; >50% of Fortune 500
• POST-BREACH, RISK-BASED ADVICE: Remediated >40% of Largest Breaches; Red Team and Security Researchers
• IDENTITY SECURITY LEADERSHIP: Creator of PAM Market; #1 PAM Vendor & Market Share
CYBERARK BLUEPRINT: 3 GUIDING PRINCIPLES

• LIMIT PRIVILEGE ESCALATION & ABUSE
• STOP LATERAL & VERTICAL MOVEMENT
• PREVENT CREDENTIAL THEFT

Diagram: identities shown include Remote Vendor, IT Admin, Business User, Developer, Robot, Application, Internal Attacker and External Attacker.
BUILDING OUR ROADMAP

Inputs:
• Current State
• Blueprint
• CyberArk Assessment
• Internal Priorities
• Business Outcomes

Output: Identity Security Roadmap
