Security Architecture
• CyberArk Workforce Password Management integrates with CyberArk Identity Cloud Directory or an external
corporate directory service such as Active Directory. This simplifies the end user experience, as users leverage
the same credentials for accessing standards-based enterprise apps, business apps and endpoints.
• Customers can also federate user identities with a third-party identity provider (IdP) if one is already in place.
• When using CyberArk Identity Cloud Directory as the identity repository, login credentials are one-way hashed with
HMAC-SHA256 and an additional 64-bit random salt. For authentication to succeed, the encrypted salted hash and the
unique salt value must first be decrypted; only then can the submitted credential be checked for a match.
• When using corporate directories such as Active Directory or LDAP, CyberArk Workforce Password
Management delegates authentication to the integrated directory without syncing user identities and passwords
to CyberArk.
• When using third-party federated directories or identity providers, CyberArk Workforce Password Management
leverages standards-based SAML and OIDC protocols to establish federation trust between CyberArk Workforce
Password Management and the identity provider.
www.cyberark.com
• CyberArk supports various authentication mechanisms — including modern passwordless factors such as
FIDO, biometrics or QR codes — to validate the user identity and provide a more secure and frictionless user
experience.
• Users can access stored credentials and secured items only after entering their respective login credentials and
satisfying pre-configured secondary authentication factors.
• The risk of brute force and anomalous login attempts can be reduced with granular password policies, account
lockout settings, security image requirements, CAPTCHA, multi-factor authentication (MFA) fatigue prevention
features, device trust verifications and adaptive authentication policies.
• Adaptive access controls use contextual factors — including geo-velocity, geo-location, device fingerprint and
time of access — to validate user identities.
• With the cloud vault deployment option, all business app passwords and related data are secured using a
multi-layered hierarchical security architecture. The data is encrypted with the AES-256 standard at the disk level
using unique customer tenant keys.
• Tenant keys are stored in a secured Global Pod database encrypted using a Pod Master Key. The Pod Master Key
is encrypted using Amazon Web Services Key Management Service (AWS KMS) and stored in a CyberArk PAM
vault with limited DevOps access, as mandated by our well-defined SOC 2-compliant processes.
• Access to the business app credentials stored in the cloud vault is restricted to logged-in users only. CyberArk
and customers’ cloud administrators have no direct access to the credentials stored in the cloud vault.
• With the self-hosted vault deployment option, all business app passwords and related data are stored in the
self-hosted CyberArk PAM vault. The on-premises vault uses a FIPS 140-2 validated cryptographic module to encrypt
and store all business credentials using AES-256 encryption.
• CyberArk Workforce Password Management automatically creates and manages unique safes within the
self-hosted CyberArk PAM vault to segregate privileged and workforce credentials.
• Access to business app credentials stored in the self-hosted CyberArk PAM vault is restricted to a
passwordless OAuth client configured between CyberArk Workforce Password Management and the self-hosted
CyberArk PAM vault. Access controls ensure that the self-hosted PAM vault can only obtain tokens from
CyberArk Workforce Password Management. Access tokens cannot be generated by any other means,
including API clients such as Postman.
• CyberArk does not store business credentials on the client’s local machines, including in the browser cache,
browser password store or mobile app.
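As an added illustration (not CyberArk's code) of the Cloud Directory scheme described above: a credential is HMAC-SHA256 hashed with a 64-bit random salt, the salted hash is stored only in encrypted form under a per-tenant key, and verification has to decrypt the record before it can recompute and compare. The tenant key value, the use of AES-256-GCM for the at-rest layer and keying the HMAC with the salt are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// tenantAEAD wraps a 32-byte tenant key (a constructed stand-in) in AES-256-GCM.
func tenantAEAD(tenantKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(tenantKey) // rejects any non-AES key length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// digest is HMAC-SHA256 over the password, keyed with the salt. The keying is an
// assumption; the datasheet names only HMAC-SHA256 and a 64-bit random salt.
func digest(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// enroll returns nonce || AES-GCM(salt || digest): the salted hash is stored only encrypted.
func enroll(aead cipher.AEAD, password string) []byte {
	ns := aead.NonceSize()
	buf := make([]byte, ns+8) // fresh random nonce plus a 64-bit salt, per record
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no safe fallback when the CSPRNG fails
	}
	nonce, salt := buf[:ns:ns], buf[ns:] // cap nonce so Seal appends into a new array
	return aead.Seal(nonce, nonce, append(salt, digest(salt, password)...), nil)
}

// verify decrypts the record (any failure rejects), recomputes the digest from the recovered salt and compares in constant time.
func verify(aead cipher.AEAD, record []byte, candidate string) bool {
	if len(record) < aead.NonceSize() {
		return false
	}
	plain, err := aead.Open(nil, record[:aead.NonceSize()], record[aead.NonceSize():], nil)
	if err != nil || len(plain) != 8+sha256.Size { // 8-byte salt + 32-byte digest
		return false
	}
	salt, stored := plain[:8], plain[8:]
	return hmac.Equal(stored, digest(salt, candidate))
}
```

Without the tenant key neither the salt nor the hash is recoverable, so an offline guess against a leaked record is impossible, and two enrollments of the same password produce different records.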
Securing Data in Transit
• All communications with the CyberArk Workforce Password Management tenant use Transport Layer Security
(TLS) 1.2 with strong encryption algorithms and keys (2048-bit RSA and AES-256).
• Traffic between microservices within CyberArk Workforce Password Management is also encrypted using TLS
1.2, and each microservice uses mutual TLS authentication.
• In transit, data between the user’s web browser, CyberArk Identity Browser Extension and CyberArk Workforce
Password Manager is protected with TLS 1.2 encryption.
• Connections via the CyberArk Identity Browser Extension use HTTP Strict Transport Security (HSTS) to force
all connections over TLS, avoiding the risks of misconfiguration. Injection attacks such as cross-site scripting are
prevented using Content Security Policy headers in the TLS communication.
• When customers configure the self-hosted CyberArk PAM vault for credential storage, the CyberArk Identity
Connector hosted in the customer’s on-premises environment brokers all communication using a VPN-less tunnel.
• The CyberArk Identity Connector establishes the secure tunnel using an outbound TCP/443 port. The subsequent
communication between CyberArk Workforce Password Management and the self-hosted CyberArk PAM vault
happens via this TLS-encrypted secure tunnel. This results in a secure data flow from the browser to CyberArk
Identity Cloud to CyberArk Identity Connector and terminating at the self-hosted CyberArk PAM vault.
• Pretty Good Privacy (PGP) end-to-end encryption is applied from the end user’s web browser to the customer’s
self-hosted CyberArk PAM vault, addressing data exfiltration concerns.
• Trust between the vault and the on-premises CyberArk Identity Connector service must be established to use
the self-hosted CyberArk PAM vault for credential storage. Once trust is established, a service user account,
inaccessible to any user, is used to store the data in the self-hosted CyberArk PAM vault.
• The self-hosted CyberArk PAM vault generates a time-based OAuth JSON Web Token (JWT) to authenticate the
CyberArk Workforce Password Management service user for every request.
Authorization Controls
• CyberArk Workforce Password Manager supports multiple admin roles to scope and delegate authorization to
different users.
• The Admin Portal allows customers to set up company-wide security policies and configure how they want to
store and manage their users’ business credentials.
• Administrators can block specific applications from being added to user portals. For example, administrators
can only allow business-related apps in CyberArk Workforce Password Management, preventing the addition of
personal apps such as social media and shopping apps.
• Customers can prevent specific usernames from being stored in CyberArk Workforce Password Management.
For example, customers can create a policy to prevent highly privileged accounts, such as those containing
*root*, *admin*, or *dba*, from being added to the solution.
• Comprehensive shared credential controls can be implemented organization-wide or applied to specific end
users or accounts. For example, administrators can allow end users to manage and share business app
credentials with other users or limit credential sharing to a subset of users.
• Credential owners can prevent users from seeing or editing shared passwords. For example, end users can allow
other users to launch applications without being able to view shared credentials.
• Credentials can be configured to be automatically shared with a designated user when the credential owner
leaves the organization, ensuring business continuity.
• Administrators can restrict or block access to business apps for any user at any time using manual controls or by
setting up automated policies that restrict access for users who don’t meet specific criteria.
• Administrators can set up workflows for end users to request access to specific apps. Access to apps is granted
once approval is received from a designated application owner or a user’s manager based on the access policy.
Access can be granted indefinitely or for a predetermined period.
Infrastructure Security
• CyberArk Workforce Password Management is engineered for enhanced data durability, integrity and security
and is SOC 2 Type 2 compliant.
• The service is hosted in premier Tier 4 AWS data center facilities that are highly secure, fully redundant and
certified for additional SOC 2 and ISO 27001 compliance.
• AWS data centers are housed in nondescript facilities where physical access is strictly controlled at the perimeter
and building ingress points are secured by professional security staff utilizing video surveillance, state-of-the-art
intrusion detection systems and other electronic means.
• CyberArk employs strict policy-based access controls to protect the CyberArk Workforce Password Management
cloud infrastructure. CyberArk employees, by default, do not have administrative access to customer tenants. In
addition, since tenant databases are encrypted, by default, CyberArk employees performing authorized support
activities cannot read customer data.
• CyberArk engineering ensures that protections are considered for a wide range of potential attacks, such as
malformed input, SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF).
• All CyberArk Workforce Password Management instances are scanned by an enterprise vulnerability
management solution and handled according to CyberArk’s security vulnerability policy. In addition, all security
updates for the operating system and critical applications are applied on a regular basis.
About CyberArk
CyberArk is the global leader in Identity Security. Centered on privileged access management, CyberArk provides the most comprehensive
security offering for any identity — human or machine — across business applications, distributed workforces, hybrid cloud workloads and
throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets.
©Copyright 2023 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of CyberArk
Software. CyberArk®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and other jurisdictions.
Any other trade and service names are the property of their respective owners. U.S., 05.23. Doc. TSK-3854
CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject to
change without notice.