Organizations need to control privileged accounts closely. Tracking every activity performed with these accounts reduces security risk and satisfies the regulations that the organization's systems must comply with in order to keep operating. Following part 1, part 2 of this article covers the architecture, requirements, proposals… for the privileged account security solution.

1. Distributed Architecture

Enterprise networks rarely consist of a single fully connected network. On the contrary, many sub-networks are remote, and connectivity between them is protected by firewalls. CyberArk's architecture provides a central account management solution with distributed reach that does not require those firewall boundaries to be weakened.

Alternative solutions require the native management protocols (Telnet, RDP, ODBC, SSH, etc.) to be opened through the firewalls so that remote devices can be managed. With CyberArk, a CPM can instead be installed in each segment of the distributed network to manage the systems within that segment, while all CPMs use a single Vault as the central repository; the only traffic that has to cross the firewalls is the CyberArk Vault protocol on a single port (TCP 1858 by default).

This provides critical benefits: a single point of management, monitoring, policy enforcement and auditing. In addition, this architecture allows the password management workload to be load-balanced across several CPM machines.

PIM Suite Distributed Architecture

The diagram below shows a typical PIM Suite environment and the different ways users gain access to privileged accounts.

Diagram of PIM Suite
  • The first step in managing privileged accounts is for a user whose account has permission to create accounts in the Vault to add them and to define which users may access them and with which permissions.
  • Once users have been defined and authorized (for example, IT operations staff), they can retrieve passwords and exercise their privileges across multiple platforms and devices. Passwords can be obtained and used in the following ways:
    • PVWA – users retrieve the password from the Vault through the web interface and use it directly.
    • PSM – users connect transparently to the target system or device through the PSM, without ever being shown the target's password.
    • OPM – secures, controls and monitors privileged access to UNIX commands on the host itself.
  • At any time, an auditor can review activity in the Vault by generating reports or by inspecting the audit records and session recordings.

2. Operating principle

The operation of the system is described by the following five processes:

  • Defining password policies for devices throughout the system
    • The IT system administrator logs on to PVWA and defines password policies for the devices in the system.
    • The password policy is stored in the Vault and pushed down to the CPM, which applies it.
  • Initializing and resetting passwords for devices in the system
    • When a device is brought under the privileged password management system, the CPM generates a new password (according to the policy defined by the administrator), sets it on the device, and stores the new value in the Vault. From this point on the password is known only to the Vault.
  • Requesting a password for use (dual control)
    • IT staff who need to log in to a device must log into PVWA and retrieve the password for the device they manage.
    • If they need to manage another device, they submit a request to the PIM system administrator (an email is sent to the administrator automatically).
    • Once the PIM system administrator approves, the staff member is allowed to retrieve the password for that device (this is the dual control process). The request and approval are recorded in the ticketing system for later tracking.
    • Once the staff member has used the password, the CPM automatically changes it, so a retrieved password cannot be reused later.
  • Accessing devices via SSO (single sign-on)
    • This is an advantage of the solution that raises the security of the whole system: IT staff can still reach the devices they manage, but they do not need to know the password to log on.
    • They log into PVWA and connect directly to the device over a remote access protocol such as SSH or RDP with a single click.
    • After login, every action taken on the device is recorded as video, which senior administrators can review whenever they need to check what a staff member did on the device.
  • Statistics and reports
    • CyberArk provides full reporting functionality.
    • Auditors can view statistics such as the number of devices whose passwords are managed…

3. Requirements and design

  • The system consists of a primary data centre (DC) and a disaster recovery site (DR).
  • Data in DC and DR is identical: account data and audit log records are replicated from the primary Vault to the DR Vault.
  • Capacity requirements:
    • Manage an unlimited number of accounts and IT devices.
    • Support at least 25 system administrators.
Deployment Model
  • Vault, Vault DR: the core of the privileged account management system. It stores the privileged credentials of most device types: network devices, security devices, databases, operating systems, etc. All data held in the CyberArk system is encrypted, including the secrets of the devices it manages; the DR Vault is a replica of the primary Vault.
  • CPM: automatically changes the passwords of the devices in the system and stores each new password in the Vault.
  • PVWA, PVWA DR: provide the web interface for administering and using the privileged password management system.
  • PSM HA, PSM DR: record administrator actions during sessions to PSM-managed targets such as Windows, Unix and network devices; the video files are stored in the Vault.
  • PSM HA: active-passive on Windows Clustering.

4. Connection solution

Before the PIM System

  • Enterprise system administrators use passwords to connect directly to systems with tools such as:
    • For Windows: RDP (Remote Desktop);
    • For Linux: PuTTY (SSH);
    • For databases: Toad for Oracle, SQL*Plus, MySQL Query Browser, MS SQL Management Studio;
    • For network devices (routers and switches): PuTTY (SSH), Telnet, ASDM, HTTPS.
  • Because these connections are uncontrolled, the system passwords are not secure and there is no way to identify or monitor who made a given connection, especially when administrators share the same built-in accounts such as sysdba, Administrator, root, sa …

With PIM

Users connect to systems through PIM over the same protocols
  • Administrators do not connect directly to the target system but go through the PIM web interface hosted on the PVWA server, using the same protocol or tool they would use for a direct connection.
    • The IT specialist logs into the PIM system through the PVWA web interface.
    • The IT specialist selects the target system and the protocol or connection tool, and clicks Connect.
    • CyberArk returns an RDP file to the user through PVWA.
    • The user opens the RDP file, which connects through the PSM to the target system with the selected tool and the chosen authentication; the PSM injects the credentials, so the user never sees them.
    • All of the user's actions on the system are recorded; when the session ends the recording is uploaded to the Vault for archiving.
    • Logs are forwarded in real time to the security information and event management (SIEM) system.
  • IT specialists who do not know the system's password can still access and operate it. All behaviour is recorded as video and as logs.
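As an added example (not code from the original article or from CyberArk), the following Python script shows the kind of detection a SOC would run over the audit events once they reach the SIEM. The records are constructed for this example in a CEF-like layout; the extension keys (suser, dhost, duser, reason, rt), the action names and the signature IDs are assumptions, not the Vault's actual syslog schema, so the field mapping has to be adapted to what your integration really emits.

```python
"""Detection logic over privileged-access audit events forwarded to a SIEM.

Added example, not CyberArk's code. The records below are CONSTRUCTED in a
CEF-like layout (pipe-separated header, then key=value extensions); the
extension keys, action names and signature IDs are assumptions made for
this example, not the Vault's actual syslog schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: one retrieval with a ticket, one PSM connect,
# a burst of retrievals by one user (one without a reason), and a direct
# retrieval on a host that policy says must only be reached through PSM.
SAMPLE_LINES = [
    "CEF:0|Vault|PIM|1.0|295|Retrieve password|5|suser=alice dhost=db01.corp.example "
    "duser=sysdba reason=CHG-1042 rt=2024-03-01T09:00:00",
    "CEF:0|Vault|PIM|1.0|300|PSM Connect|3|suser=bob dhost=web01.corp.example "
    "duser=root reason=INC-77 rt=2024-03-01T09:05:00",
    "CEF:0|Vault|PIM|1.0|295|Retrieve password|5|suser=mallory dhost=db02.corp.example "
    "duser=sa reason= rt=2024-03-01T09:10:00",
    "CEF:0|Vault|PIM|1.0|295|Retrieve password|5|suser=mallory dhost=fw01.corp.example "
    "duser=admin reason=INC-90 rt=2024-03-01T09:12:00",
    "CEF:0|Vault|PIM|1.0|295|Retrieve password|5|suser=mallory dhost=web02.corp.example "
    "duser=root reason=INC-90 rt=2024-03-01T09:14:00",
    "CEF:0|Vault|PIM|1.0|295|Retrieve password|5|suser=carol dhost=web01.corp.example "
    "duser=root reason=INC-77 rt=2024-03-01T09:20:00",
]

# key=value pairs whose values may contain spaces (lazy match up to the next key).
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Split one CEF record into its header fields plus a dict of extensions."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: " + line)
    event = {"vendor": parts[1], "product": parts[2], "signature": parts[4],
             "name": parts[5], "severity": int(parts[6])}
    event.update({k: v.strip() for k, v in EXT_RE.findall(parts[7])})
    event["time"] = datetime.fromisoformat(event["rt"])
    return event


def is_retrieval(event):
    return event["name"] == "Retrieve password"


def retrievals_without_reason(events):
    """A direct retrieval hands the secret to a person; with 'Require users to
    specify reason for access' enforced, an empty reason means the policy is
    not applied to that Safe, or the access is unjustified. Either way: review."""
    return [e for e in events if is_retrieval(e) and not e.get("reason")]


def retrieval_bursts(events, threshold=3, window=timedelta(minutes=15)):
    """Users who retrieve >= threshold distinct target accounts inside one
    window: consistent with credential harvesting, not with one change ticket."""
    by_user = defaultdict(list)
    for e in filter(is_retrieval, events):
        by_user[e["suser"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            targets = {(e["dhost"], e["duser"]) for e in evs[i:]
                       if e["time"] - first["time"] <= window}
            if len(targets) >= threshold:
                alerts.append((user, first["time"], sorted(targets)))
                break
    return alerts


def psm_bypass(events, psm_only_hosts):
    """Direct retrievals against hosts that must be reached through the PSM:
    such a session is neither isolated nor recorded, so policy was bypassed."""
    return [e for e in events if is_retrieval(e) and e["dhost"] in psm_only_hosts]


EVENTS = [parse_cef(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for e in retrievals_without_reason(EVENTS):
        print("no reason:", e["suser"], e["dhost"], e["duser"])
    for user, when, targets in retrieval_bursts(EVENTS):
        print("burst:", user, when.isoformat(), targets)
    for e in psm_bypass(EVENTS, {"web01.corp.example"}):
        print("psm bypass:", e["suser"], e["dhost"])
```

The three rules deliberately key on the event name rather than the numeric signature ID, so the only thing that has to change when the real feed is wired in is the parser's field mapping; bob's PSM Connect on web01 is not flagged because a PSM session, unlike a retrieval, never exposes the password.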

5. Proposals for managing privileged accounts

  • Policy Configuration (Master Policy)
  • PIM access management process:
    • Require dual control password access approval: use when a supervisor must approve each access request before the password is released.
    • Enforce check-in/check-out exclusive access: use when only one user at a time may hold an account; the account is checked out for the duration of the work and checked back in afterwards.
    • Enforce one-time password access: the CPM changes the password after every retrieval, so a password that has been seen once cannot be reused.
    • Allow EPV transparent connections: connect from the PVWA directly to the target system without passing through a PSM server; such sessions are not isolated or recorded by the PSM.
    • Require users to specify reason for access: use when a justification must be entered before a system can be accessed.
  • Password management policy
    • Require password change every X days: the CPM rotates the managed administrator password after X days.
    • Require password verification every X days: the CPM checks every X days that the password stored in the Vault still works on the target.
  • Session Management Policy
    • Require privileged session monitoring and isolation: when enabled, the administrator receives an RDP file that opens the session to the target system through the PSM.
    • Record and save session activity: record each session and store the recording.
  • Control
    • Activities and retention period: the number of days the Vault keeps recorded session video files.
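To make the interaction between the dual-control workflow of section 2 and the Master Policy settings above concrete, here is an added Python model (not CyberArk code or its API; the names MasterPolicy, Vault, checkout and checkin are assumptions made for this example) that imitates the behaviour the article describes: a reason is required, an approval by a second person is consumed by a single check-out, an account checked out by one user is refused to another, and the password is rotated on check-in so the value that was shown is no longer valid.

```python
"""Model of the privileged-access workflow: dual control, exclusive
check-in/check-out, one-time passwords and required reason.

Added example that imitates the behaviour described in sections 2 and 5;
it is not CyberArk code, and the names MasterPolicy, Vault, checkout and
checkin are assumptions made for this example."""
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Character classes a CPM password policy typically requires at least one of.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_")


@dataclass
class MasterPolicy:
    dual_control: bool = True       # Require dual control password access approval
    exclusive_access: bool = True   # Enforce check-in check-out exclusive access
    one_time_password: bool = True  # Enforce one-time password access
    require_reason: bool = True     # Require users to specify reason for access
    min_length: int = 20


@dataclass
class Account:
    target: str
    username: str
    password: str
    checked_out_by: Optional[str] = None
    approvals: Set[str] = field(default_factory=set)   # approved requesters, single use


def generate_password(policy: MasterPolicy) -> str:
    """What the CPM does on onboarding and on every rotation: a random
    password satisfying the policy (one char from each class, then filler)."""
    rng = secrets.SystemRandom()
    chars = [rng.choice(c) for c in CLASSES]
    chars += [rng.choice("".join(CLASSES)) for _ in range(policy.min_length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def meets_policy(pw: str, policy: MasterPolicy) -> bool:
    return len(pw) >= policy.min_length and all(any(ch in c for ch in pw) for c in CLASSES)


class Vault:
    def __init__(self, policy: MasterPolicy):
        self.policy = policy
        self.audit: List[Tuple[str, str, str]] = []   # (actor, action, detail)

    def onboard(self, target: str, username: str) -> Account:
        """Bring a device account under management: the CPM sets a fresh password."""
        acct = Account(target, username, generate_password(self.policy))
        self.audit.append(("CPM", "initial change", f"{username}@{target}"))
        return acct

    def approve(self, acct: Account, approver: str, requester: str) -> None:
        if approver == requester:
            raise PermissionError("self-approval breaks dual control")
        acct.approvals.add(requester)
        self.audit.append((approver, "approve", requester))

    def checkout(self, acct: Account, user: str, reason: str = "") -> str:
        p = self.policy
        if p.require_reason and not reason:
            raise PermissionError("a reason for access is required")
        if p.dual_control and user not in acct.approvals:
            raise PermissionError(f"{user} has no approved request")
        if p.exclusive_access and acct.checked_out_by not in (None, user):
            raise PermissionError(f"account is checked out by {acct.checked_out_by}")
        acct.approvals.discard(user)        # an approval covers one retrieval only
        acct.checked_out_by = user
        self.audit.append((user, "retrieve", reason))
        return acct.password

    def checkin(self, acct: Account, user: str) -> bool:
        """Release the account; under one-time password the CPM rotates it, so
        the value the user saw no longer opens the device. Returns True if rotated."""
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold this account")
        acct.checked_out_by = None
        rotated = self.policy.one_time_password
        if rotated:
            acct.password = generate_password(self.policy)
        self.audit.append((user, "check-in", "rotated" if rotated else "unchanged"))
        return rotated
```

The model also shows what is lost when the flags are relaxed: with dual_control, require_reason and one_time_password all off, checkout returns the same password to anyone who asks, and nothing is left in the audit trail beyond the user's name.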

6. Set up periodic reports

  • Privileged Accounts Inventory: information on all privileged accounts in the system.
  • Applications report: information on the application IDs in the system.
  • Privileged Accounts Compliance Status: the compliance state of each account, for example how long since its password was last changed and whether that complies with the Master Policy.
  • Entitlement report: information on which User has which rights on which Safe, platform, target machine and target account.
  • Activities log report: the activities that occurred in a Safe, filtered by user, target system and time period.
  • Select Schedule to create a recurring report and set when the system generates it, then click Finish; the report schedule is created as shown in the picture.

7. Rights on the CyberArk system

  • Permissions on a "Safe"
    • A Safe contains one or more groups of accounts that share the same policy in the privileged account management system.
    • On the PIM, system accounts are grouped into Safes such as Database, OS, Network, App, …
    • IT staff are added as members of a Safe and granted permissions on that Safe.

  • Some key rights on a Safe
    • Use accounts: use the account in the Safe (for example, to connect through the PSM) without being shown the password.
    • Retrieve accounts: show the password. Members who only need to connect through the PSM should not hold this right, so that they never see the secret.
    • List accounts: see the list of accounts in the Safe.
    • Add accounts: add accounts to the Safe.
    • Update password value: update the password of an account in the Safe.
    • Update password properties: change account information such as username, address, database name…
    • Initiate CPM account management operations: trigger CPM operations (change, verify, reconcile) on the account.
    • Specify next password value: set the value the CPM will use at the next password change.
    • Rename accounts: change the name of accounts in the Safe.
    • Delete accounts: delete accounts from the Safe.
    • Unlock accounts: unlock accounts in the Safe.
    • Manage Safe: edit or delete the Safe.
    • Manage Safe members: add, remove and change the rights of members of the Safe; a holder of this right can grant themselves any other right.
    • Monitor: monitor the actions of the members of the Safe.
    • View audit log: review the actions of members in the Safe.
    • View Safe Members: view the members of the Safe.
    • Authorize password requests: receive and approve members' access requests (the approver role in dual control).
    • Access Safe without confirmation: access the Safe directly without dual-control approval.
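The rights above are easy to over-grant. As an added example (not CyberArk code), the following Python review compares each Safe member's rights with the minimum its role needs and flags the combinations that matter: a PSM-only operator holding Retrieve accounts (the password is exposed even though the session goes through the PSM), Access Safe without confirmation on a Safe that requires dual control, and Manage Safe members, which lets a member grant themselves anything. The role baselines and the member list are constructed for the example; adapt them to your own roles.

```python
"""Least-privilege review of Safe memberships.

Added example, not CyberArk code. Right names follow the list above; the
role baselines and the member list are constructed for this example."""
from typing import Dict, List, Optional, Set, Tuple

RETRIEVE, USE, LIST = "Retrieve accounts", "Use accounts", "List accounts"
UPDATE_PW, NEXT_PW = "Update password value", "Specify next password value"
MANAGE_MEMBERS, VIEW_MEMBERS = "Manage Safe members", "View Safe Members"
AUDIT, AUTHORIZE = "View audit log", "Authorize password requests"
NO_CONFIRM = "Access Safe without confirmation"

# Minimum rights each role needs (assumed baseline; adjust to your roles).
# None marks an owner role that is exempt from excess-rights findings.
BASELINE: Dict[str, Optional[Set[str]]] = {
    "psm_operator": {LIST, USE},            # connects through PSM, never sees the password
    "dba": {LIST, USE, RETRIEVE},           # runs client tools that need the secret itself
    "approver": {LIST, AUTHORIZE},          # the second person in dual control
    "auditor": {LIST, AUDIT, VIEW_MEMBERS},
    "vault_admin": None,
}

# Why a surplus of these particular rights matters more than the others.
DANGEROUS = {
    MANAGE_MEMBERS: "can grant any right to any member, including themselves",
    NO_CONFIRM: "bypasses dual control for every account in the Safe",
    UPDATE_PW: "can set the password to a known value and defeat CPM rotation",
    NEXT_PW: "learns the next password even without Retrieve accounts",
    RETRIEVE: "password is shown to the user, so access is no longer password-less",
}

Finding = Tuple[str, str, str]   # (member, right, why it matters)


def effective_capabilities(rights: Set[str]) -> Set[str]:
    """What a member can actually do with a given set of rights."""
    caps = set()
    if USE in rights:
        caps.add("connect via PSM")
    if RETRIEVE in rights or NEXT_PW in rights:
        caps.add("see password")
    if NO_CONFIRM in rights:
        caps.add("bypass dual control")
    if MANAGE_MEMBERS in rights:
        caps.add("escalate")
    return caps


def review_member(name: str, role: str, rights: Set[str],
                  dual_control: bool = True) -> List[Finding]:
    baseline = BASELINE.get(role)
    if baseline is None:
        return []                      # owner role: reviewed separately
    findings = []
    for right in sorted(rights - baseline):
        if right == NO_CONFIRM and not dual_control:
            continue                   # nothing to bypass on this Safe
        findings.append((name, right, DANGEROUS.get(right, f"not needed by role {role}")))
    return findings


def review_safe(members, dual_control: bool = True) -> List[Finding]:
    return [f for name, role, rights in members
            for f in review_member(name, role, rights, dual_control)]


# Constructed membership of a "Database" Safe.
MEMBERS = [
    ("alice", "psm_operator", {LIST, USE}),
    ("bob", "psm_operator", {LIST, USE, RETRIEVE}),
    ("carol", "approver", {LIST, AUTHORIZE, NO_CONFIRM}),
    ("dave", "dba", {LIST, USE, RETRIEVE, MANAGE_MEMBERS}),
    ("erin", "auditor", {LIST, AUDIT, VIEW_MEMBERS}),
    ("vaultadmin", "vault_admin", {LIST, USE, RETRIEVE, MANAGE_MEMBERS, NO_CONFIRM}),
]

if __name__ == "__main__":
    for member, right, why in review_safe(MEMBERS):
        print(f"{member}: {right} -> {why}")
```

Run against the constructed Safe, the review flags bob, carol and dave and leaves alice and erin alone; the input for a real review is the Entitlement report from section 6, which lists exactly these user-to-Safe right assignments.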

Song Phuong – FPT IS
