CyberArk Enterprise Vault – The only Enterprise Vault tutorial you need
CyberArk Enterprise Vault
CyberArk uses a "Safe" architecture to enable granular access control. Safes and the Vault are protected by seven layers of security.
Enterprise Vault server lockdown: the Vault only allows RDP from preconfigured IPs. Any external component that needs to reach the Vault must be explicitly allowed on it. Vault administration is done through the PrivateArk Client or the Remote Control Agent.
- Vault configuration options are set up in a few critical files on the Vault.
- Operator keys are required for the Vault to start or restart.
- Master keys are required for the Vault to be restored.
- The Vault can provide transparent user management through several options:
  - RADIUS (IAS, Vasco, Mideye, etc.)
  - PKI authentication (certificate-based)
  - LDAP authentication (AD)
  - RSA SecurID
  - External directory (AD, Novell, Sun, etc.; any directory that uses the LDAP protocol)
Identity management – Safes
Passwords and other objects are stored within Safes. A Safe defines and restricts access to the objects it contains, with fine-grained access options. Objects and their related metadata are stored in the same Safe.
- Internal Safes exist for the objects CyberArk itself needs to function; Vault administrators have access to these Safes.
- User-created Safes grant access only to the default users defined in the Vault (for Backup, DR, etc.).
- Any other access is set up from the PVWA or the PrivateArk Client.
Safe Access Control
- Access is set up on each Safe as an access list.
- Fine-grained access control options are available per member.
- Users can be defined in the Vault or in an external directory (AD).
- Object Level Access Control (OLAC) can optionally be enabled on a Safe to restrict access to individual objects.
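The following is an added illustrative model, not CyberArk's own code, of how a Safe's access list combines with optional Object Level Access Control: a request is denied unless the user is a Safe member holding the required permission, and, when OLAC is enabled on the Safe, unless the user is also granted on the specific object. The permission names, the "default users" added at Safe creation, and the users, Safes and object names are all constructed for this example.

```python
"""Illustrative model (added example, not CyberArk code) of Safe-level access
lists combined with optional Object Level Access Control (OLAC).
Permission names, default users, Safes and objects are constructed."""
from dataclasses import dataclass, field

# Constructed permission names; the real CyberArk permission set is larger.
PERMISSIONS = {"list", "retrieve", "add", "update", "manage_safe"}

# Constructed "default users" granted on every new Safe, in the spirit of the
# Backup/DR users the Vault adds automatically.
DEFAULT_MEMBERS = {"Backup": {"list", "retrieve"}, "DR": {"list", "retrieve"}}


@dataclass
class Safe:
    name: str
    members: dict = field(default_factory=dict)     # user -> set of permissions
    olac_enabled: bool = False
    object_acl: dict = field(default_factory=dict)  # object -> set of users


def create_safe(name, olac_enabled=False):
    """New Safes start with only the default users on their access list."""
    safe = Safe(name=name, olac_enabled=olac_enabled)
    for user, perms in DEFAULT_MEMBERS.items():
        safe.members[user] = set(perms)
    return safe


def grant(safe, user, perms):
    """Add a member to the Safe's access list with the given permissions."""
    unknown = set(perms) - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {unknown}")
    safe.members.setdefault(user, set()).update(perms)


def grant_object(safe, obj, user):
    """Object-level grant: only meaningful for an existing Safe member."""
    if user not in safe.members:
        raise ValueError("user must be a Safe member before an object-level grant")
    safe.object_acl.setdefault(obj, set()).add(user)


def check_access(safe, user, permission, obj=None):
    """Deny by default. Safe membership with the permission is always required;
    when OLAC is enabled, an explicit grant on the object is required too."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    if permission not in safe.members.get(user, set()):
        return False
    if obj is not None and safe.olac_enabled:
        return user in safe.object_acl.get(obj, set())
    return True


def demo():
    """Constructed scenario: one Safe with OLAC on, one with OLAC off."""
    olac_safe = create_safe("Linux-Prod-Root", olac_enabled=True)
    grant(olac_safe, "alice", {"list", "retrieve"})
    grant(olac_safe, "bob", {"list"})
    grant_object(olac_safe, "root@web01", "alice")

    plain_safe = create_safe("Linux-Dev-Root")
    grant(plain_safe, "alice", {"list", "retrieve"})

    return {
        "alice_web01": check_access(olac_safe, "alice", "retrieve", "root@web01"),
        "alice_db01": check_access(olac_safe, "alice", "retrieve", "root@db01"),
        "bob_web01": check_access(olac_safe, "bob", "retrieve", "root@web01"),
        "alice_list": check_access(olac_safe, "alice", "list"),
        "backup_web01": check_access(olac_safe, "Backup", "retrieve", "root@web01"),
        "mallory_list": check_access(olac_safe, "mallory", "list"),
        "alice_dev_any": check_access(plain_safe, "alice", "retrieve", "root@dev07"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The point to take from the model is that OLAC narrows, never widens, what the Safe access list already allows: a member without the permission is denied regardless of object grants, and a non-member is denied before any object check runs.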
CyberArk Basic Component – CPM
The Central Policy Manager
- A breakthrough in password management: it automatically enforces the password policy.
- Installed on a Windows Server 2008/2012 R2 machine and runs as a Windows service; the .NET Framework is required.
- Password management functions (automatic and manual) are carried out by the Password Manager user.
- Connects to devices and changes passwords on the remote machines (before storing the password in the Vault).
- Enforces all policy rules set up per platform.
- Verifies, changes and reconciles passwords automatically.
CPM – Devices & Platforms supported
- The platform specified when a password is added controls its password change frequency, notification settings, etc.
- Platform settings should be set to match the password complexity rules enforced on the remote machine.
- Predefined platform settings are available for the account types to be managed, and they can be edited.
- Platform settings can be customized for workflows and automatic account management rules.
- Multiple platforms are supported for different device types (operating systems, databases, network devices, security appliances, applications, directory services).
- More can be added through support packages made available by CyberArk.
CPM – Policies
- A policy contains the password management rules (password criteria, rules, frequency).
- The policy is defined and configured from the PVWA and stored in the Vault.
- The Master Policy is created for managing accounts to meet enterprise password rules.
- The policy has basic rules (account management, session monitoring, auditing and access workflow).
- Some basic rules have associated advanced options.
- Platform-specific rules are set through exceptions, to customize how a password is managed based on its environment.
CyberArk Basic Component – PVWA
Password Vault Web Access
- Password Vault Web Access provides a web interface to the Vault.
- Provides a single console for accessing, managing and administering accounts.
- Enables users to easily add privileged passwords, set up access, perform audits, extract reports, and carry out Vault administration and configuration functions.
- A powerful search mechanism makes it easy to find privileged passwords and sensitive files.
- The dashboard provides an overview of the privileged account security solution and its statistics.
- PVWA supports various authentication mechanisms (LDAP, NT, RADIUS, RSA SecurID, Oracle, CyberArk).