Overview

Today, organizations are interested in building security systems for their IT infrastructure, for both business and administration purposes. A basic IT infrastructure consists of various components such as servers, firewalls, databases, network devices, etc. All of these components are administered through privileged accounts (the root account of a UNIX server, the DBA account of an Oracle or MS SQL database system, the administrator account of a Windows server, and so on).

These privileged accounts have full access to the resources of their respective systems. There are usually hundreds or even thousands of these accounts in an enterprise, and managing all of them is complex and difficult for the organization.

The paradox is that in many enterprises today, privileged accounts and their passwords are unmanaged and rarely changed, and there is no close supervision from the responsible management level.

In some cases, these accounts are held not only by internal IT staff but also by third parties, such as service providers or outsourced administrators of the business's IT systems. These accounts and passwords may also be embedded in in-house applications, in scripts, in .ini files, etc., and their passwords are seldom changed.

It can be said that privileged accounts are the key to operating the entire information system of the organization. Therefore, poor management of these privileged accounts will lead to the following risks:

  • No security controls: Passwords are not changed and are not controlled to comply with security regulations (e.g. PCI DSS, Basel II, ISO 27001, etc.).
  • Security threats: One of the most pressing concerns today is the insider threat that IT employees can pose to the organization where they work when they hold the passwords of the host systems' privileged accounts.
  • Reduced consistency and efficiency: When a password is set manually by an IT staff member and communicated through the normal administrative procedures, it causes inefficiency and delays in accessing the information needed for business administration. In a large organization with hundreds of network devices and servers, updating this information takes a long time.

Organizations need to closely control these privileged accounts. Tracking all activities of these types of accounts minimizes security risks and enforces the regulations the systems must comply with, ensuring the continuous operation of the organization.

CyberArk’s privileged password management system

Architecture of Privileged Identity Management – PIM

The CyberArk Privileged Account Security (PAS) Suite will provide a ‘Safe Haven’ within the enterprise, where all customer privileged credentials can be securely vaulted, automatically managed, and shared. In addition to authorized human users (internal or external), such as IT staff, on-call administrators, DBAs, and local administrators in remote locations, the managed accounts can also be used by unattended services such as business/IT applications, scripts, jobs and more. The PAS Suite basic infrastructure is comprised of the following components and entities:

Components of CyberArk Solution
Master Policy

Module Secure Digital Vault

The solution is based on CyberArk’s patented Digital Vault technology, which includes a FIPS 140-2 validated cryptography module (with AES-256 encryption), and is proven to meet security and industry regulations such as PCI, NERC, FERC, SOX, HIPAA, GLB, etc. The multiple and tightly coupled security layers (including Firewall, VPN, Authentication, Access Control, Encryption, and more) at the core of the PAS/PSM Suites provide customers with a proven, highly secure solution for storing, sharing, controlling and monitoring credentials and access in an enterprise environment.

Module Master Policy (Central Policy Manager – CPM)

  • The CPM Module begins with the Master Policy, which provides the organization a means of defining standards for password and session management at a global level. This offers a centralized overview of the security and compliance policy for privileged accounts in your organization while allowing you to configure granular policy settings for specific departments or platforms.
  • The Master Policy groups together sets of rules and offers better visibility and control over policy configurations and enforcement. Each policy rule has basic settings and, sometimes, advanced settings that are displayed when you select the rule, as well as context-sensitive help that explains each rule and its interdependency on other rules.
  • The CPM is also the component that changes passwords automatically on target machines and stores the new passwords in the Digital Vault, with no human intervention, according to the organizational policy. It also enables organizations to verify passwords on remote machines, and reconcile them when necessary.
  • During the password change process the CPM generates new random passwords and replaces the current password on remote machines. The new passwords are then stored in the Digital Vault, where they benefit from all the accessibility and security features of the PAS Suite. All of this is done remotely, so no agent is needed on the target platform.
  • The PAS Suite supports as many policies as necessary to meet organizational requirements. A policy might apply to individual accounts or to a group of accounts. Furthermore, policies can be managed by the security or risk teams separately from the daily management of privileged accounts, which can be delegated to the teams who own them.
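To make the change / verify / reconcile cycle described above concrete, here is an added illustration (not CyberArk code, and not the CPM's real implementation) of the three operations against a constructed in-memory target and vault. The policy class, the `FakeTarget` with its separate reconcile path, and the vault dictionary are all assumptions made for the example; a real CPM talks to the remote platform over its native protocol and stores the result in the Digital Vault.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Global password-composition rules of the kind a Master Policy would set (constructed values)."""
    length: int = 20
    min_upper: int = 2
    min_lower: int = 2
    min_digits: int = 2
    min_symbols: int = 2
    symbols: str = "!@#$%^&*-_"


def generate_password(policy: PasswordPolicy) -> str:
    """Return a random password that meets every class minimum of the policy."""
    rng = secrets.SystemRandom()  # OS-backed CSPRNG, never random.random()
    chars = (
        [rng.choice(string.ascii_uppercase) for _ in range(policy.min_upper)]
        + [rng.choice(string.ascii_lowercase) for _ in range(policy.min_lower)]
        + [rng.choice(string.digits) for _ in range(policy.min_digits)]
        + [rng.choice(policy.symbols) for _ in range(policy.min_symbols)]
    )
    alphabet = string.ascii_letters + string.digits + policy.symbols
    chars += [rng.choice(alphabet) for _ in range(policy.length - len(chars))]
    rng.shuffle(chars)  # so the class-guaranteed characters are not at fixed positions
    return "".join(chars)


def satisfies_policy(pw: str, policy: PasswordPolicy) -> bool:
    """Check a password against the policy; used after generation and on verify."""
    return (
        len(pw) == policy.length
        and sum(c.isupper() for c in pw) >= policy.min_upper
        and sum(c.islower() for c in pw) >= policy.min_lower
        and sum(c.isdigit() for c in pw) >= policy.min_digits
        and sum(c in policy.symbols for c in pw) >= policy.min_symbols
    )


class FakeTarget:
    """Stand-in for a remote host's account store (constructed; no real host is contacted)."""

    def __init__(self, password: str):
        self._password = password

    def login(self, password: str) -> bool:
        return secrets.compare_digest(password, self._password)

    def change_password(self, old: str, new: str) -> bool:
        # Normal change: requires knowing the current password.
        if not self.login(old):
            return False
        self._password = new
        return True

    def admin_reset(self, new: str) -> None:
        # Reconcile path: a privileged "reconcile account" resets the password
        # without knowing the current one (models an out-of-band change).
        self._password = new


def rotate(vault: dict, name: str, target: FakeTarget, policy: PasswordPolicy) -> str:
    """Change the password on the target, then store the new value in the vault."""
    new = generate_password(policy)
    if not target.change_password(vault[name], new):
        raise RuntimeError(f"change failed for {name}; vault copy is stale, reconcile instead")
    vault[name] = new
    return new


def verify(vault: dict, name: str, target: FakeTarget) -> bool:
    """Confirm the vaulted password still works on the target."""
    return target.login(vault[name])


def reconcile(vault: dict, name: str, target: FakeTarget, policy: PasswordPolicy) -> str:
    """Bring a drifted account back under management via the reconcile path."""
    new = generate_password(policy)
    target.admin_reset(new)
    vault[name] = new
    return new
```

The useful point is the ordering in `rotate`: the target is changed first and the vault updated only on success, so a failed change never leaves the vault holding a password the target does not know. Verification failing afterwards is the signal that someone changed the password outside the system, which is exactly the case `reconcile` exists for.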

Module Management Portal (Password Vault Web Access)

  • The Password Vault Web Access (PVWA) is a fully featured pure Web Portal that provides a single console for requesting, accessing, and managing privileged accounts, as well as transparently connecting to managed devices throughout the enterprise, for end users, administrators, and auditors alike, with almost no training.
PVWA viewing allows integrating with different authentication methods
  • Viewing accounts is very user-friendly: the Accounts Page provides a quick way to display, sort and access accounts. Predefined and dynamic views enable you to display accounts according to predetermined criteria, e.g. account and operation status, as well as to define new views based on common search operations.
  • Just like the CPM, multiple PVWAs can be implemented. Each PVWA can authenticate users via different methods, allowing you to implement multiple authentication methods simultaneously if required. Both of these components (CPM/PVWA) can be implemented on shared infrastructure or scaled out across different systems.

Module Privileged Session Manager (PSM)

PSM Workflow
  • The PSM Suite architecture is proxy based. The PSM Server proxies the connection to target systems and therefore isolates them from the end user desktops. It extends the common shared platform to monitor, record, isolate and control secure sessions to target operating systems, databases, applications, etc. The solution requires no agents on the target systems and therefore has zero footprint on the customer infrastructure.
  • The PSM Module can display live sessions as they occur, in real time. Administrators and auditors receive notifications when events take place, such as the start of a session connection, and they can terminate the session if necessary.
  • The PSM SSH Proxy also provides privileged Single Sign-On capabilities and allows users to connect to target devices without being exposed to the privileged connection password.

Module SSH Key Manager (SSHKM)

  • The legitimate SSH keys that are required can be stored and protected in the Vault under strict policy and access control, similar to passwords.
  • Users can establish sessions with SSH keys that are fully monitored. This is facilitated by the PSMP (PSM for SSH). In addition, all activities are fully monitored and meet strict auditing standards.
  • SSH Key Manager enables organizations to secure, rotate and control access to SSH keys in accordance with organizational policies. The solution also offers strong access controls to ensure that only authorized users are able to access private keys, as well as reporting capabilities to audit the use of keys.

Module Application Identity Manager (AIM)

  • Application Identity Management provides a method of completely removing hard-coded passwords from applications and scripts.
  • Supports many types of programming languages: C, JAVA, CLI, .NET
  • Authenticates applications requesting credentials based on their physical properties, such as path or application signature
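The following added example (not CyberArk's AIM code or API; a minimal illustration written for this page) shows the two ideas in the bullets above: the credential is no longer a literal in the script, and the broker that hands it out first checks the requesting application's path and file hash against a registered identity. `AppIdentity`, `CredentialProvider` and the `demo()` harness, which writes a throwaway script into a temporary directory, are all constructed for the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Before (the pattern AIM is meant to eliminate), shown only as a comment:
#     DB_PASSWORD = "hardcoded-in-the-script"
# After: the application asks a provider, which checks who is asking.


@dataclass(frozen=True)
class AppIdentity:
    """Registered properties of an application allowed to fetch credentials (hypothetical)."""
    app_id: str
    path: str      # expected location of the executable/script
    sha256: str    # expected hash of the file at that path ("application signature")


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class CredentialProvider:
    """Hypothetical broker: releases a secret only when path and hash match the registered identity."""

    def __init__(self, identities, secrets_store):
        self._ids = {i.app_id: i for i in identities}
        self._secrets = secrets_store  # app_id -> {account name: password}

    def get_password(self, app_id: str, account: str, caller_path: str) -> str:
        ident = self._ids.get(app_id)
        if ident is None:
            raise PermissionError("unknown application")
        # Property 1: the request must come from the registered path (resolve symlinks first).
        if os.path.realpath(caller_path) != os.path.realpath(ident.path):
            raise PermissionError("path mismatch")
        # Property 2: the file at that path must still hash to the registered value.
        if file_sha256(caller_path) != ident.sha256:
            raise PermissionError("application signature mismatch")
        return self._secrets[app_id][account]


def demo():
    """Register a script, fetch a secret, then show that tampering and a wrong path are refused."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "report_job.py")
        with open(script, "w") as f:
            f.write("print('nightly report')\n")
        ident = AppIdentity("ReportJob", script, file_sha256(script))
        provider = CredentialProvider(
            [ident], {"ReportJob": {"dbuser": "constructed-secret"}}
        )

        granted = provider.get_password("ReportJob", "dbuser", script)

        # A copy of the script elsewhere fails the path check even with identical content.
        copy = os.path.join(d, "copy_of_job.py")
        with open(copy, "w") as f:
            f.write("print('nightly report')\n")
        try:
            provider.get_password("ReportJob", "dbuser", copy)
            wrong_path_refused = False
        except PermissionError:
            wrong_path_refused = True

        # Modifying the registered script changes its hash, so the signature check fails.
        with open(script, "a") as f:
            f.write("# modified after registration\n")
        try:
            provider.get_password("ReportJob", "dbuser", script)
            tamper_refused = False
        except PermissionError:
            tamper_refused = True

        return granted, wrong_path_refused, tamper_refused


if __name__ == "__main__":
    print(demo())
```

Checking the path and the content hash together is what lets the provider distinguish the registered job from a renamed copy or a modified version of it; a real provider adds further properties (OS user, host) and serves the request from a local, authenticated agent rather than from an in-process dictionary.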

Module On-Demand Privileged Manager (OPM)

  • Platform-based granular access – Access to each privileged command on the UNIX host systems is permitted according to an extremely granular set of permissions that are defined in the highly secured Vault server. This facilitates a least-privilege scenario and limits root account use to very specific tasks.
  • Centralized management – All management tasks for users and accounts are centralized and streamlined in the PVWA, including account definitions and policies. Audits can also be accessed and managed in the PVWA, as well as privileged session recordings.
  • Automatic user provisioning – The OPM can be configured to integrate with Microsoft‘s Active Directory (AD) to provision users transparently on UNIX systems, streamlining user management and reducing administrative overhead (AD Bridge capability).

Song Phuong – FPT IS
