
Step-Tech-Gui05 Cyberark Pam User Guide 5

The CyberArk PAM User Guide outlines the use of CyberArk Privileged Access Management to secure and manage privileged identities and activities within Safaricom Ethiopia. It details the requirements for accessing PAM, including user responsibilities and the use of the CyberArk Mobile app for secure authentication. The guide is applicable to all employees, contractors, and suppliers with access to PAM, emphasizing the importance of security practices and regular credential management.

Safaricom Ethiopia

CyberArk PAM User Guide


Doing what’s right

Solution Owner: David Muliro
Champion: Cyber Security
Version/Date: STEP-TECH-GUI05 / November-2022
C2 - Restricted Information

Objective/Risk

CyberArk Privileged Access Management (PAM) is a solution that helps organizations to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment.

PAM strengthens an organization’s security posture through the following measures:
• Eliminate irreversible network takeover attacks. Isolate all privileged access to domain controllers and other Tier0 and Tier1 assets and require multi-factor authentication.
• Control and secure infrastructure accounts. Place all well-known infrastructure accounts in a centrally managed, digital vault. Regularly and automatically rotate passwords after every use.
• Limit lateral movement. Completely remove all end point users from the local admins group on IT Windows workstations to stop credential theft.
• Protect credentials for third-party applications. Vault all privileged accounts used by third party applications and eliminate hardcoded credentials for commercial off-the-shelf applications.
• Manage *NIX SSH keys. Vault all SSH key-pairs on Linux and Unix production servers and rotate them on a routine basis.
• Defend DevOps secrets in the cloud and on premise. Secure all Public Cloud privileged accounts, keys, and API keys. Place all credentials and secrets used by CI/CD tools such as Ansible, Jenkins and Docker in a secure vault, enabling them to be retrieved on the fly, automatically rotated and managed.
• Secure SaaS admins and privileged business users. Isolate all access to shared IDs and require multi-factor authentication.
• Invest in periodic Red Team exercises to test defenses. Validate and improve effectiveness against real world attacks.

The purpose of this document is to guide privileged users on how to use CyberArk PAM to access the target servers/network elements.

Scope and Compliance


In Scope:
This Guide applies to all Safaricom employees, contractors and suppliers who have
access to PAM.

Contents
1 Standard Content
1.1 What is CyberArk PAM and Alero
1.2 What is required of you for PAM?
1.3 What is required of you for CyberArk Alero?
1.4 Sign in with the CyberArk Mobile app
1.5 Frequently Asked Questions
2 User Duties and Responsibilities
3 Document History
4 Document Approval

Definitions

PAM: Privileged Access Management (PAM) refers to a comprehensive cybersecurity strategy – comprising people, processes, and technology – to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment.

Privileged access: Privileged access refers to accounts with elevated capabilities beyond regular users. For example, in a Linux environment, the root user can add, amend, or delete users; install and uninstall software and access restricted parts of operating systems that are off-limits to a standard user.

1 Standard Content

1.1 What is CyberArk PAM and Alero


1.1.1 CyberArk Privileged Access Management (PAM) is a solution that
helps organizations to control, monitor, secure and audit all human
and non-human privileged identities and activities across an
enterprise IT environment.
1.1.2 CyberArk Alero is a new software-as-a-service (SaaS)-based
solution specifically designed to provide fast, easy and
secure privileged access for remote vendors. The solution eliminates
VPN client hassles, combining Zero Trust access with multifactor
biometric authentication for strong security.

1.2 What is required of you for PAM?

1.2.1 Enter the URL https://pam.safaricomet.net/PasswordVault or https://10.3.74.111/passwordvault in your browser address bar.

1.2.2 Enter your SFC domain credentials and then click on the “Sign In”
button

1.2.3 You will then see the list of devices you are entitled to access.
a) Make sure you click the “Accounts” icon on the left side, highlighted in red.

1.2.4 You can enter the FQDN/IP of the server/device to filter for it.
a) Make sure you type the correct FQDN/IP address.
b) Click the “Connect” button on the right side.
c) For file transfer, click “WinSCP” from the drop-down option on the “Connect” button.

1.2.5 After you click the “Connect” or “WinSCP” button, please fill in the login reason. It could be “Maintenance/ Admin/ Test or other”.

a) Click “Open file” from the Downloads. Avoid clicking on the RDP file more than once.
b) By default, it opens in a new tab. If you want to open it in a new window, switch off the “Remote Access” button.

1.2.6 Once you are done, please make sure you close your session.

1.3 What is required of you for CyberArk Alero?


1.3.1 User registration
a) Download the CyberArk Mobile app from Play store or Appstore, then
open it and register. The Register page opens, and you can begin your
registration.

b) The CyberArk Mobile app now prompts you for biometric authentication. This is either Face ID or Touch ID, depending on your mobile phone settings. The CyberArk Mobile app prompts you for this authentication each time you open the app.

c) Select the Tenant's data center where Remote Access will create your
user. If you were invited to join a Remote Access tenant, this information
will be specified in the invitation email (Please select Europe).

d) Enter your phone number, including a + sign and the country code.

e) Press SEND CODE, then enter that code and verify it

f) Enter your first and last name, then click NEXT.

g) (Optional) Add your photo. Either take a new photo or use an existing
one on your phone

h) Set the PIN code that CyberArk Mobile uses to restore your settings, when
relevant.

i) Confirm your PIN code, then click FINISH to register your user.

j) When you receive the invitation mail from Remote Access, open the mail
on your computer.

k) Click the invitation link to display a QR code.

l) Using the CyberArk Mobile app on your mobile phone, scan the QR
code and join the Remote Access tenant.

m) If an administrator is required to activate your account, you will see the following message.

n) When you have successfully joined the tenant, the following message
appears on the Remote Access portal.

1.4 Sign in with the CyberArk Mobile app
a) Open the CyberArk Mobile app and authenticate with the biometric
challenge.
b) In the Remote Access portal (https://portal.alero.eu/), scan the QR code with your mobile phone.

c) Remote Access authenticates your user and displays the Applications page.

1.5 Frequently Asked Questions

a) Is there a command line option to access the target network element?
Ans: Yes
• For VMs (10.3.174.152, ….)

▪ <Ad_Username>@pamrw@<VMs_IP>@10.3.74.114
▪ E.g. yared.kebede@[email protected]@10.3.74.114

• For containerized environments
▪ First log in to the jump-box using PAM
▪ <Ad_Username>@[email protected]@10.3.74.114
▪ E.g., yared.kebede@[email protected]@10.3.74.114

• After you log in to the jump-box you can use your AD credentials.
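
A mistyped field in the four-part string from the FAQ is easiest to catch before connecting. The following is an added example, not part of the original guide: a POSIX shell function that splits such a string on `@` and validates each field. The labels `account` and `pam` for the second and fourth fields, the allowed name characters, and the sample values (documentation-range addresses, hypothetical user `jdoe`) are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight check for the FAQ's four-part string
#   <Ad_Username>@<account>@<target_IP>@<PAM_address>
# "account" and "PAM_address" are assumed labels for fields 2 and 4.

is_ipv4() {
    # Digits and dots only; this also keeps the unquoted split below glob-safe.
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Reject empty octets, more than 3 digits, and leading zeros.
        case $o in ''|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

is_name() {
    # Assumed policy: letters, digits, dot, underscore, hyphen.
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    return 0
}

check_conn() {
    conn=$1
    # Count separators first so a missing or extra field is reported as such.
    seps=$(printf '%s' "$conn" | tr -cd '@')
    [ "${#seps}" -eq 3 ] || { echo "need exactly 4 '@'-separated fields"; return 1; }
    user=${conn%%@*};    rest=${conn#*@}
    account=${rest%%@*}; rest=${rest#*@}
    target=${rest%%@*};  pam=${rest#*@}
    is_name "$user"    || { echo "bad username: '$user'"; return 2; }
    is_name "$account" || { echo "bad account: '$account'"; return 3; }
    is_ipv4 "$target"  || { echo "bad target IP: '$target'"; return 4; }
    is_ipv4 "$pam"     || { echo "bad PAM address: '$pam'"; return 5; }
    echo "ok user=$user account=$account target=$target pam=$pam"
}

# Constructed samples: one valid, one with an out-of-range octet, one missing a field.
for s in 'jdoe@pamrw@192.0.2.10@192.0.2.1' \
         'jdoe@pamrw@192.0.2.300@192.0.2.1' \
         'jdoe@192.0.2.10@192.0.2.1'; do
    check_conn "$s" || true
done
```

The distinct return codes (1 to 5) identify which field failed, so a wrapper script can point the user at the exact part to retype.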

2 User Duties and Responsibilities


The following procedures and requirements shall be followed by all users of Safaricom:
• Protect your AD credentials and change them regularly.
• Never leave an active session unattended. Once you are done, please make sure you close your session.
• Users are responsible for any activity done using their credentials and must immediately report any unusual behavior.

Supporting Documents

3 Document History
The document Owner and Champion are responsible for reviewing this document every 1 year or when there is relevant information to include.

The primary version of this policy document shall be stored within the Safaricom Ethiopia portal. Any other versions outside of that library location will be of an uncontrolled status.

Version   Date         Changes         Author
1.0       14/11/2022   First Version   Yared Hawulte

4 Document Approval
Version   Name                  Position                                 Signature   Date
          Yared Hawulte         Senior Specialist: Network Security
1.0       David Muliro          EHOD: Cyber Security
          Christopher Mwanzia   EHOD: IT Infrastructure and Operations
