Key Outcomes
With the help of this automation solution, clients can:
- Significantly reduce the level of manual effort – Upto 15x times
- Reduce the support on Ops Team
- Achieve license Optimization
- Reduce the scope of manual error
- Get detailed logs of the entire process
- Bulk decommissioning of accounts.
The Use Case
Scenario: Client ABC has a multi-forest environment and each admin user has two privileged accounts. The client uses CyberArk vault to secure and manage these accounts. Following the joiner/mover/leaver process, everytime a user leaves the organization/moves to another department, these accounts also need to be deleted from CyberArk vault. To ensure maximum license utilization, the client also wants to ensure that admin users from the vault are deleted once they no longer have any accounts associated with them. The client is looking to develop an automation solution which can be leveraged to achieve this.
Problem Statement: When accounts are disabled/decommissioned in Active Directory, the accounts need to be separately decommissioned in CyberArk as well. This practice helps follow good security hygiene and also ensures only the required accounts are being managed by CyberArk. We also need to ensure that the license for the user is no longer consumed once all his accounts are deleted for optimal license utilization. Doing this manually is a tedious and time consuming task as the PAM admin would need to keep track of both the account and the user license. This might lead to errors during the process of deletion in large scale environments where multiple admin accounts are vaulted.
Solution: A custom PAM script can help achieve the above use case. CyberArk consultants from SecurDI have built a script leveraging CyberArk REST API which takes a csv file input and deletes the orphan accounts vaulted in CyberArk. Additionally, based on internal logic, it determines whether the user is consuming a CyberArk license and disassociates the license from the user ID as it is no longer in use. Moreover, the script also provides a detailed audit log which keeps track of the changes made within the environment.
Operational Efficiency: This automation solution eliminates the possibility of a manual error and increases the overall efficiency up to 15x times. For environments operating at a larger scale, it becomes a huge administrative challenge to keep track and manually delete the orphan accounts from CyberArk. For eg. previously, deleting accounts and user ID for 300 entries would have taken 5 hours of effort, however by leveraging the automation solution, this can be achieved within 20 mins.
Apart from saving time and effort, it helps the client have a better understanding and view of the accounts vaulted within CyberArk by eliminating junk data. It is crucial that organizations follow proper security standards and leveraging automation solutions can help achieve this. Not only does it provide better security and improve operational efficiency, but it also helps clients have better control and governance over their privileged landscape.
How SecurDI can help
CyberArk delivers the industry’s most complete solution to reduce risk created by privileged credentials and secrets. It provides a fully cloud-based, hybrid, or on-premises environment. At SecurDI, our team of certified CyberArk professionals have immense experience in complex CyberArk implementations. Our homegrown accelerators and toolkits provide our client enormous value to their Cyber Security investments by saving time and effort.