FOR IDENTITY SECURITY SUCCESS
Why The Toolkit?
Help your organization understand the identity attack chain and map a prioritized risk-based approach, assess your security posture, identify security control gaps and gain insight, and identify best practices to drive adoption across your workforce.
Table of Contents
• CyberArk Blueprint Introduction
• CyberArk Blueprint Stages Overview
• Building a Roadmap
• On-Demand Resources
• Next Steps
• Appendix
cyberark.com
WORKPLACES: Office, WFH, Temporary Location
USERS: 3rd Party Vendors, DevOps, Workforce, Apps / Robots, Admin (devices: PC, Mac, Mobile)
WORKSPACES: IaaS / PaaS (Code, Cloud Native Apps, Containers, VMs & Storage, Serverless); SaaS (Code); OT/HMI; On-Prem / Hybrid / Cloud (Code, App Server, Network Devices, Database, *NIX Server, IT Ops Tools, IoT)
Identity Security Program Framework
• Simple Prescriptive Guidance
• Measurably Reduce Risk
• Lessons Learned in Battle
• Full Scope of Identities
Multi-use, Multi-purpose
• Understand the Attack Chain
• Assess Your Security
• Best Practice Education
• Build Your Plan
MALICIOUS ACTORS
Bad actors can exist either internally or externally to the organization. External actors use a wide variety of techniques to gain entry, while internal actors tend to leverage existing knowledge and access.
CREDENTIAL THEFT
Actors use techniques such as social engineering, keystroke logging, credential repository scraping, and more to harvest passwords, hashes, SSH keys, or hard-coded credentials.
LATERAL & VERTICAL MOVEMENT
Actors will leverage that access to navigate across an organization’s resources, whether laterally within a risk tier (e.g. workstation to workstation) or vertically into another risk tier or environment (e.g. workstation to cloud or workstation to DevOps tool).
PRIVILEGE ESCALATION & ABUSE
Once a bad actor has discovered the access they desire, they will elevate their privileges to carry out malicious actions against the organization.
ACTIONS ON OBJECTIVES
Those malicious actions are typically predefined objectives such as data theft, ransomware distribution, service disruption, supply chain spread, brand damage and more.
RISK REDUCTION
Risk levels: Critical, Major, Moderate
Goals: Prevent Credential Theft; Stop Lateral & Vertical Movement; Limit Privilege Escalation & Abuse
STAGE 1: Rapid Risk Mitigation
Secure highest privilege identities that have the potential to control an entire environment.
STAGE 2: Core Security
Focus on locking down the most universal technology platforms.
STAGE 3: Enterprise Program
Build identity security into the fabric of enterprise strategy and application pipelines.
STAGE 4: Mature the Program
Mature existing controls and expand into advanced identity security.
STAGE 5: Advanced Security
Look for new opportunities to shore up identity security across the enterprise.
Roadmap template: control points CP1 through CP12
Legend: Strategy Refresh, Access Controls, PAM Controls, Least Privilege Controls, Secrets Management Controls
(On this template slide the control descriptions are lorem ipsum placeholder text, to be replaced with your own control points.)
ACCESS: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua
PAM: Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur occaecat cupidatat
LEAST PRIVILEGE: Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat
PAM: Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos
SECRETS MANAGEMENT: Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam
LEAST PRIVILEGE: Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum
SECRETS MANAGEMENT: Eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo
LEAST PRIVILEGE: Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam
PAM: Et harum quidem rerum facilis est et expedita distinctio. Nam libero tempore
SECRETS MGMT: Temporibus autem quibusdam et aut officiis debitis aut rerum necessitatibus saepe
ACCESS: Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit
ACCESS: At vero eos et accusamus et iusto odio dignissimos ducimus qui blanditiis praesentium voluptatum
Roadmap: control points CP1 through CP8 (AWS and GCP)
Legend: Strategy Refresh, Access Controls, PAM Controls, Least Privilege Controls, Secrets Management Controls
SECRETS MANAGEMENT: Secure non-human applications, scripts and processes consuming Amazon Web Services or Google Cloud Platform entities with administrator or shadow admin permissions with vaulting, rotation and just-in-time credential retrieval or just-in-time role assumption
ACCESS: Secure Admins and Shadow Admins on Amazon Web Services and Google Cloud Platform with SSO, MFA and SWS
PAM: Discover internal directory admin users in AWS and GCP and secure them with credential vaulting, rotation and isolation controls
PAM: Secure OS-level admin access to Windows and *NIX virtual machines (EC2/Compute Engine) with dynamic, just-in-time access policies, session isolation and audit controls
PAM: Secure built-in Local Administrator accounts for Windows Server OS (SID-500) and *NIX Server OS (UID0) virtual machines with credential vaulting and rotation, and session isolation and audit controls
LEAST PRIVILEGE: Implement least privilege for AWS and GCP non-admin entities with excessive risky permissions to ensure entities have just-enough-access
SECRETS MANAGEMENT: Secure non-human applications, scripts and processes consuming AWS or GCP entities with risky permissions with vaulting, rotation and just-in-time credential retrieval or just-in-time role assumption
LEAST PRIVILEGE: Implement least privilege for AWS and GCP entities with admin permissions to ensure entities have just-enough-access
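The AWS/GCP roadmap above asks you to discover admins and shadow admins and to bring non-admin entities with excessive permissions down to just-enough-access. The Python script below is an added example, not CyberArk's code and not part of the Blueprint toolkit: it evaluates AWS IAM policy documents offline, honouring explicit Deny statements and the NotAction form that a quick grep for "*" misses, and sorts each identity into the control family the roadmap names. Everything in it is an assumption of this example: the constructed sample policies, the ADMIN_PROBES set that stands in for full control, and SHADOW_ADMIN_ACTIONS, an illustrative subset rather than a complete catalogue. Resource and Condition are ignored on purpose, which over-approximates; that is the safe direction when the goal is finding gaps, not proving safety.

```python
"""Offline triage of AWS IAM policies into the roadmap's identity buckets:
admin, shadow admin, non-admin with excessive (wildcard) grants, or scoped.

Added example, not CyberArk's code. Sample policies are constructed; the
probe and shadow-admin action sets are illustrative assumptions.
"""
import fnmatch

# Actions that together stand in for "full control": an identity allowed all
# of them is treated as an admin (assumption: probe set chosen for this example).
ADMIN_PROBES = (
    "iam:CreateUser", "iam:AttachUserPolicy", "ec2:RunInstances",
    "s3:PutObject", "kms:Decrypt",
)

# Non-admin permissions that let an identity hand itself admin-level access.
# Illustrative subset (assumption); a real assessment uses a fuller list.
SHADOW_ADMIN_ACTIONS = (
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
)

# Control family each bucket maps to, taken from the roadmap's own wording.
BUCKET_TO_CONTROL = {
    "admin": "ACCESS (SSO, MFA, SWS) + PAM (vaulting, rotation, isolation)",
    "shadow-admin": "treat as admin: ACCESS + PAM",
    "least-privilege": "LEAST PRIVILEGE: trim wildcard grants to just-enough-access",
    "scoped": "no gap found by this check",
}


def _as_list(value):
    """IAM accepts a string or a list in Action, NotAction and Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action / NotAction clause applies to `action`."""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction applies to every action the listed patterns do NOT match.
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def allows(policy, action):
    """Decide one action: an explicit Deny wins over any Allow.
    Resource and Condition are ignored, so a grant scoped to one resource still
    counts (over-approximation, deliberate for gap-finding)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _statement_covers(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def has_wildcard_grant(policy):
    """An Allow with * in an action, or any NotAction Allow, is open-ended."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            return True
        if any("*" in p for p in _as_list(stmt.get("Action", []))):
            return True
    return False


def classify(policy):
    """Sort a policy into one of the roadmap's buckets."""
    if all(allows(policy, a) for a in ADMIN_PROBES):
        return "admin"
    if any(allows(policy, a) for a in SHADOW_ADMIN_ACTIONS):
        return "shadow-admin"
    if has_wildcard_grant(policy):
        return "least-privilege"
    return "scoped"


# Constructed sample policies, one per case the check must get right.
SAMPLE_POLICIES = {
    "full-admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "reader-with-createaccesskey": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "iam:CreateAccessKey"],
         "Resource": "*"}]},
    # NotAction looks restrictive but grants everything outside iam/organizations.
    "notaction-everything-but-iam": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]},
    # Wildcard Allow fenced by explicit Denies: no longer admin, still over-broad.
    "admin-with-explicit-denies": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}]},
    "s3-reader": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"}]},
}


def triage(policies=SAMPLE_POLICIES):
    """Return {name: (bucket, recommended control family)} for each policy."""
    result = {}
    for name, policy in policies.items():
        bucket = classify(policy)
        result[name] = (bucket, BUCKET_TO_CONTROL[bucket])
    return result


if __name__ == "__main__":
    for name, (bucket, control) in triage().items():
        print(f"{name:30} {bucket:16} {control}")
```

Feed it the inline policy documents you pull from IAM (or the managed policies attached to each principal) and the output tells you which roadmap lane an identity belongs in. The two cases worth noticing are the NotAction policy, which a text search for "*" would pass but which still reaches sts:AssumeRole, and the wildcard Allow fenced by Denies, which drops out of the admin bucket yet remains a least-privilege gap. GCP role bindings need the same triage after expanding each role to its permissions.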
Getting The Most Out of Blueprint
• CyberArk Blueprint Whitepapers & eBooks
• CyberArk Success Blog Articles (Technical Community)
• CyberArk Blueprint Self-Service Toolkit
Visit the CyberArk.com/Blueprint webpage
Ask yourself, what am I looking to do?
• Understand the Attack Chain
• Assess Your Security
• Learn Best Practices
• Build Your Plan
Use the appropriate resources that align to your needs
Explore self-service resources (examples below)
• Learn more about how identities can be compromised
• Use the Blueprint Self-Assessment to assess your security posture
• Review our Success Blog for more people, process and technology guidance
• Download our Blueprint Toolkit to begin designing your Identity Security Roadmap
DIY-CyberArk-Blueprint-Roadmap-Template.pptx
