02-PAS-Fundamentals-The Vault

This document discusses cybersecurity for the CyberArk Vault. It describes the seven layers of security that protect vault data, including session encryption, firewalls, authentication, access controls, auditing, file encryption, and key management. The objectives are to describe these security layers and the vault server environment.

Uploaded by

Oliver Quiambao

CyberArk University

The Vault
Objectives

By the end of this lesson you will be able to:

▪ Describe the different Layers of Security that protect the Vault data
▪ Describe the Vault server environment
Seven Layers of Security
Layers of Security in the Digital Vault

(Figure: the layers surrounding the Vault data, labelled Hierarchical Encryption, Tamper-Proof Auditability, Comprehensive Monitoring, Segregation of Duties, Session Encryption, Firewall and Authentication.)

End to End Security, from the Vault user to the stored credential:

▪ Session Encryption
• Proprietary Protocol
• OpenSSL Encryption
▪ Firewall
• Hardened built-in Windows Firewall
▪ Authentication
• Single or Dual Factor Authentication (recommended)
▪ Discretionary Access Control
• Granular Permissions
• Role Based Access Control
▪ Mandatory Access Control
• Subnet Based Access Control
• Time Limits and Delays
▪ Auditing
• Tamperproof Audit Trail
• Event Based Alerts
▪ File Encryption
• Hierarchical Encryption Model
• Every object has a unique key
1. Session Encryption

▪ The CyberArk Proprietary Protocol uses TCP/1858.
▪ Forces users to use the CyberArk interfaces to access the Vault.
▪ Users can be restricted to specific interfaces such as PVWA or PACLI.
▪ Encryption/Decryption happens on the client side, so there is no bottleneck on the server side.

(Figure: end users such as IT staff and auditors, and Vault administrators, connecting to the Vault.)
2. Firewall

▪ After installation the Vault takes control over the Windows firewall.
▪ By default only the CyberArk Proprietary Protocol port (TCP/1858) and
several other ports for administration are open for communication.
▪ The firewall should be managed through CyberArk configuration files and not through the Windows OS tools.
▪ If the firewall is down, no external communication is allowed.
3. Authentication

▪ CyberArk (Vault) Authentication
▪ LDAP Authentication
▪ RADIUS
▪ Windows Authentication
▪ User certificate (PKI)
▪ RSA SecurID
▪ Oracle SSO
▪ SAML
4. Discretionary Access Control

▪ Vault level permissions
▪ Safe level permissions
5. Mandatory Access Control

▪ Geographical Control (Network Area)
▪ Time Limitations
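The following is an added example (not CyberArk code) that shows how layers 4 and 5 combine into one access decision: the mandatory checks (Network Area subnet allowlist, permitted time window) run first, and only then the discretionary check of safe-level permissions held directly or through group membership. The users, groups, safe, subnets and permission names are constructed for the illustration.

```python
"""Layered access decision: Mandatory controls (Network Area, time window) are
checked before Discretionary ones (safe permissions held directly or via group).

Added illustration for this lesson, not CyberArk code; users, groups, safes,
subnets and permission names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Network Areas: named subnet groups a user may be allowed to connect from.
NETWORK_AREAS = {
    "Corporate-LAN": ("10.1.0.0/16",),
    "Admin-Jump": ("10.2.5.0/24",),
}


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset                                # role-based membership
    network_areas: frozenset                         # mandatory: permitted source networks
    hours: tuple = (time(0, 0), time(23, 59, 59))    # mandatory: permitted window


USERS = {
    "alice": User("alice", frozenset({"IT Staff"}), frozenset({"Corporate-LAN"}), (time(8, 0), time(18, 0))),
    "bob": User("bob", frozenset({"Auditors"}), frozenset({"Corporate-LAN"})),
    "vadmin": User("vadmin", frozenset({"Vault Admins"}), frozenset({"Admin-Jump"})),
}

# Discretionary control: per-safe permission sets, granted to users or to groups.
SAFE_ACL = {
    "HR-Passwords": {
        "IT Staff": {"List", "Retrieve"},
        "Auditors": {"List", "View Audit"},
        "vadmin": {"List", "Retrieve", "Add", "Delete", "Manage Safe"},
    },
}


def in_network_area(user, source_ip):
    ip = ip_address(source_ip)
    return any(ip in ip_network(cidr)
               for area in user.network_areas
               for cidr in NETWORK_AREAS.get(area, ()))


def in_time_window(user, when):
    start, end = user.hours
    return start <= when.time() <= end


def effective_permissions(user, safe):
    # Direct grants plus everything inherited from the user's groups.
    acl = SAFE_ACL.get(safe, {})
    perms = set(acl.get(user.name, ()))
    for group in user.groups:
        perms |= set(acl.get(group, ()))
    return perms


def authorize(username, source_ip, when_iso, safe, permission):
    """Return (allowed, reason). Every layer must pass; the first failing layer decides."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    when = datetime.fromisoformat(when_iso)
    if not in_network_area(user, source_ip):
        return False, f"{source_ip} is outside the Network Areas allowed for {username}"
    if not in_time_window(user, when):
        return False, f"{when.time()} is outside the hours allowed for {username}"
    if permission not in effective_permissions(user, safe):
        return False, f"no '{permission}' permission on safe {safe}"
    return True, "allowed"


if __name__ == "__main__":
    for request in [("alice", "10.1.4.20", "2024-01-09T10:00", "HR-Passwords", "Retrieve"),
                    ("alice", "192.168.1.5", "2024-01-09T10:00", "HR-Passwords", "Retrieve"),
                    ("bob", "10.1.4.20", "2024-01-09T02:00", "HR-Passwords", "Retrieve")]:
        print(request[0], request[4], "->", authorize(*request))
```

The ordering matters for an auditor reading the denial reason: a request from the wrong subnet is refused before any permission lookup, so a mis-granted safe permission never becomes reachable from outside the user's Network Area.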
6. Auditing

▪ ALL Vault activity is logged in a tamperproof audit trail.
▪ Event based notification allows alerting on specific Vault actions.
▪ The Audit database is protected and is not accessible.
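As an added illustration of what "tamperproof audit trail" and "event based notification" mean in practice (this is not CyberArk's audit format or code), the block below keeps an append-only, hash-chained log sealed with an HMAC key, so that editing, reordering or deleting a stored entry breaks the chain at a detectable position, and runs two constructed alert rules over it: named high-risk actions and repeated failed logons. The event names, users, targets, threshold and seal key are all constructed.

```python
"""Hash-chained audit trail with event-based alerting.

Added illustration for this lesson; it is not CyberArk's audit format and the
event names, users and thresholds below are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64                          # hash the first entry chains to
SEAL_KEY = b"constructed-demo-seal-key"     # in practice held only by the logging component


class AuditTrail:
    """Append-only list of entries; each entry's hash covers its record and the previous hash."""

    def __init__(self, seal_key=SEAL_KEY):
        self._seal_key = seal_key
        self.entries = []

    def _digest(self, prev_hash, record):
        # HMAC rather than a bare hash: without the seal key, someone who alters
        # a record cannot recompute a matching chain.
        payload = (prev_hash + json.dumps(record, sort_keys=True)).encode()
        return hmac.new(self._seal_key, payload, hashlib.sha256).hexdigest()

    def append(self, **record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "record": record, "hash": self._digest(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the seq of the first entry that breaks the chain, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["hash"] != self._digest(prev, entry["record"]):
                return i
            prev = entry["hash"]
        return None


# Event-based notification rules (constructed): alert on specific actions, and on
# repeated failed logons by one user.
ACTION_ALERTS = {"Delete Safe": "critical", "Add User": "high", "Change Server Key": "critical"}
FAILED_LOGON_THRESHOLD = 3


def alerts(trail):
    found = []
    failures = {}
    for entry in trail.entries:
        r = entry["record"]
        if r["action"] in ACTION_ALERTS:
            found.append(f"{ACTION_ALERTS[r['action']]}: {r['action']} by {r['user']} on {r.get('target', '-')}")
        if r["action"] == "Logon failed":
            failures[r["user"]] = failures.get(r["user"], 0) + 1
            if failures[r["user"]] == FAILED_LOGON_THRESHOLD:
                found.append(f"high: {FAILED_LOGON_THRESHOLD} failed logons for {r['user']}")
    return found


def build_sample_trail():
    """Constructed sequence of Vault events."""
    t = AuditTrail()
    t.append(action="Logon", user="alice")
    t.append(action="Retrieve password", user="alice", target="HR-Passwords/root")
    for _ in range(3):
        t.append(action="Logon failed", user="mallory")
    t.append(action="Delete Safe", user="vadmin", target="Old-Safe")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() is None)
    for line in alerts(trail):
        print("ALERT", line)
    trail.entries[1]["record"]["user"] = "eve"      # tamper with a stored entry
    print("first bad entry after tampering:", trail.verify())
```

One caveat the chain alone does not cover: removing entries from the tail leaves a valid shorter chain. That is why the latest hash (or the events themselves) should also leave the host, for example through the Syslog forwarding that dbparm.ini configures, so a truncated local trail can be compared against the external copy.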
7. File Encryption

▪ Modular structure: the Encryption, Hashing and Authentication modules can be replaced by the customer.
▪ Supported Encryption and Hash Algorithms: AES-256 / AES-128, RSA-2048 / RSA-1024, 3DES, SHA1.
▪ Every object has a unique encryption key.
▪ When a user is removed from the system, he holds no encryption key.
▪ Secure recovery mechanism for encryption keys.
▪ Backups are always encrypted and always recoverable.
Encryption Keys
Encryption Hierarchy

(Figure: the key hierarchy. The recovery key pair RecPub / RecPrv sits at the top; the Server Key protects the Vault, each Safe has its own Safe Key, and each stored object such as a password has its own Object Key. AES-256 and RSA 2048 are the algorithms shown.)
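The following added example (not CyberArk code) models the hierarchy just shown and the "every object has a unique key" point from the File Encryption slide: the Server Key wraps each Safe Key, a Safe Key wraps each Object Key, and an Object Key encrypts one object. It also shows why the hierarchy makes re-keying cheap: rotating the Server Key only re-wraps the Safe Keys and never touches stored objects. The Vault uses AES-256 and RSA-2048 at these levels; to stay on the Python standard library the cipher below is a stand-in stream cipher built from HMAC-SHA256 in counter mode, and the RSA recovery pair is not modelled. Safe and object names are constructed.

```python
"""Hierarchical (envelope) encryption: Server Key wraps Safe Keys, a Safe Key wraps
each Object Key, and an Object Key encrypts one object.

Added illustration for this lesson, not CyberArk code. The cipher is a stand-in
(HMAC-SHA256 keystream) so the example runs on the standard library; the Vault
uses AES-256 here. The RecPub / RecPrv recovery pair is not modelled.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
KEY_LEN = 32


def new_key():
    return os.urandom(KEY_LEN)


def _keystream_xor(key, nonce, data):
    # Stand-in cipher: XOR data with HMAC-SHA256(key, nonce || block offset) blocks.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)           # fresh nonce per encryption
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key, blob):
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Vault:
    def __init__(self, server_key):
        self.server_key = server_key   # supplied at start-up (Operator CD or HSM in the real product)
        self.safe_keys = {}            # safe name -> Safe Key wrapped under the Server Key
        self.objects = {}              # (safe, name) -> (Object Key wrapped under the Safe Key, ciphertext)

    def add_safe(self, safe):
        self.safe_keys[safe] = encrypt(self.server_key, new_key())

    def _safe_key(self, safe):
        return decrypt(self.server_key, self.safe_keys[safe])

    def store(self, safe, name, secret):
        object_key = new_key()         # every object gets its own key
        self.objects[(safe, name)] = (encrypt(self._safe_key(safe), object_key),
                                      encrypt(object_key, secret))

    def retrieve(self, safe, name):
        wrapped_key, ciphertext = self.objects[(safe, name)]
        return decrypt(decrypt(self._safe_key(safe), wrapped_key), ciphertext)

    def rotate_server_key(self, new_server_key):
        # Re-keying the Vault only re-wraps the Safe Keys; no stored object is touched.
        safe_keys = {safe: self._safe_key(safe) for safe in self.safe_keys}
        self.server_key = new_server_key
        self.safe_keys = {safe: encrypt(new_server_key, k) for safe, k in safe_keys.items()}


if __name__ == "__main__":
    vault = Vault(new_key())
    vault.add_safe("HR-Passwords")
    vault.store("HR-Passwords", "root", b"constructed-secret")
    print(vault.retrieve("HR-Passwords", "root"))
    vault.rotate_server_key(new_key())
    print(vault.retrieve("HR-Passwords", "root"))   # still readable after the Vault is re-keyed
```

Because each object has its own key, two objects holding the same secret produce unrelated ciphertext, and compromise of one Object Key exposes only that object. The stand-in cipher has no integrity check; the slide's modular design includes separate Hashing and Authentication modules for that purpose.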
How Encryption Keys are Distributed

▪ Every new system is shipped with two CDs:
▪ Operator CD
■ Operator CD contains:
• Server Key
• Recovery Public Key
■ Operator CD keys are required to install and start the Vault server.
▪ Master CD
■ The Master CD contains:
• Server Key
• Recovery Public Key
• Recovery Private Key (used in emergency situations)
■ Master CD keys are required for emergencies (login as Master, recover the Vault, or re-key the Vault).
Master Key Storage Strategies

Always store the Master CD in a secure location (physical safe).
Operator Key Storage Strategies

Strong
• Store the Operator CD in a secure location and mount the CD whenever starting/restarting the Vault.

Convenient
• Copy the contents of the Operator CD to the Direct Attached Storage of the Vault server(s) and secure it with NTFS permissions.

Strong & Convenient
• Copy only the Recovery Public Key to the server and store the Server Key in a Hardware Security Module.
Vault Hardening
An Island of Security

▪ Isolating the Server
■ No domain membership or trusts.
■ Only TCP/IP v4.
■ No DNS or WINS.
• Uses a manually configured hosts file.

▪ Hardening the Server
■ Remove unnecessary services.
■ Safe configuration for remaining services.
■ Only the Vault Server and PrivateArk Client are installed.
■ No additional applications.
Hardening: Windows Services

(Figure: Windows services before Vault installation compared with the services post hardening.)

Hardening: Firewall

(Figure: the Windows firewall before Vault installation compared with the firewall post hardening.)
Administration Tools
Central Administration Station

▪ Some of the operations the Server Interface allows are:
■ Starting the Server, which then begins operating as a Windows service.
■ Stopping the Server.
■ Displaying the Server log.
▪ The Server interface can only be installed on the Server host.

(Figure: the Server interface with its stop/start controls and the ITALOG.LOG view.)
PrivateArk Client

▪ The PrivateArk Client is the administrative interface to the Vault.
▪ The PrivateArk Client can be installed on any station with access to the Vault.
Remote Control Agent

▪ The Remote Control Agent allows you to perform several Vault admin tasks (without restarting the Vault) and view machine statistics.
▪ Executed from a remote machine (no need to open the RDP port).
▪ Communicates through the CyberArk protocol.
Note: The Remote Control Agent is also required to send out SNMP traps.

(Figure: monitoring the Vault status using the Remote Client.)
Configuration and Log Files
Vault Configuration Files

▪ dbparm.ini
■ Main Configuration file of the Vault
■ Any change requires a restart of the Vault service.

▪ Passparm.ini
■ Configure password policy of the Vault

▪ PARagent.ini
■ Configure Remote Control Agent in the Vault
■ SNMP Configuration

dbparm.ini

▪ dbparm.ini: Log Level, Server Key, Syslog, Timeouts, Recovery Key.
▪ dbparm.sample.ini: contains all the possible configuration options.
▪ dbparm.ini.good: contains the last known good configuration of the dbparm.ini file. It is created automatically when the Vault server comes up.
Vault Log Files

▪ Italog.log
■ Main log file of the vault server.

▪ Trace.d0
■ Trace file of the Vault.
■ It is detailed according to the debug level
configured in the dbparm.ini.

Vault Configuration Files and Logs (File System)

▪ The Vault configuration and log files can be found in the Server folder.
Vault Configuration Files and Logs (PrivateArk)

▪ The Vault's main configuration files and logs can also be accessed from remote stations using the PrivateArk Client (under the System safe).
Summary

▪ This session covered:
■ Hardened Vault Server is an Island of Security
■ Seven Layers of Security Controls
