CyberArk
Privileged Account Security Solution
21-Jul-2017
© Atos - For internal use
What is CyberArk?
The Cyber-Ark Enterprise Password Vault provides a ‘Safe Haven’ within an enterprise,
where administrative passwords can be securely managed, encrypted, and kept safe and
unknown to everyone.
CyberArk focuses on privileged account security.
The Enterprise Password Vault protects privileged credentials based on a privileged
account security policy and controls who can access which passwords and when they can
be accessed.
2 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use
CyberArk Privileged Account Security Solution
Why use CyberArk?
Privileged Account
Security Solution
Architecture
Cyber-Ark Architecture
Standard Ports and Protocols
Device type       Protocol       Port number
Unix/Linux        SSH            22
Unix/Linux        Telnet         23
CyberArk          CyberArk       1858
Windows           RDP            3389
Windows           LDAP (plain)   389
iSeries (AS400)   AS400 access   449
HTTP              TCP            80
HTTPS             TCP            443
FTP               TCP            21
CyberArk Components
Component                      Abbreviation
Enterprise Password Vault      EPV
Central Policy Manager         CPM
Password Vault Web Access      PVWA
Privileged Session Manager     PSM
Disaster Recovery Vault        DR Vault
Privileged Threat Analytics    PTA
Enterprise Password Vault
Centralized secure storage and sharing platform
Securing data from end-to-end using multiple security layers
The Digital Vault includes seven layers of security to ensure the highest level of
protection for your most sensitive credentials, files, and audit logs.
Proactive Protection: How does it work?
CyberArk Enterprise Password Vault features
▶ Privileged account discovery finds and inventories privileged
accounts throughout the IT environments
▶ Centralized, secure storage protects privileged account
passwords used in on-premises, cloud and OT environments
behind multiple layers of built-in security
▶ Granular privileged access controls prevent unauthorized users
from accessing privileged account credentials
▶ Automated workflows enable users to request access to
accounts with elevated privileges when needed for business
purposes
CyberArk Enterprise Password Vault features
▶ Detailed audit and reporting provides security and audit teams
with a clear view of which individual users accessed which
privileged or shared accounts.
▶ Technology integrations enable organizations to extend policies
from existing solutions, such as ticketing, strong authentication,
and identity and access management, to their privileged
account security solution, as well as send privileged account
data to SIEM solutions.
CyberArk SSH Key Manager features
▶ Secure storage of private SSH keys in the CyberArk Digital Vault
▶ Proactive rotation of SSH key pairs with automated distribution
of public keys to target systems
▶ Centralized creation and management of all access control
policies for SSH keys across the enterprise
▶ Tamper-proof audit logs enable organizations to report on who
accessed what SSH keys and when
End to End Security
Authentication Types
Central Policy Manager-CPM
Important notes for CPM
▶ Central Policy Manager (CPM)
▶ Acts as middleware between Vault and target systems
▶ Manages password change processes - how and when to change
a password
▶ Constantly communicates with the Vault
▶ Talks to all managed systems
▶ Can be a domain member
CPM-functionality
Architecture-one site
Password Vault Web Access-PVWA
Important notes for PVWA
▶ This scenario describes the first step in managing privileged
accounts with the CPM.
▶ 1. The security administrator creates a policy for all passwords
(length, expiration, complexity and so on) using the PVWA.
▶ 2. The policies are stored in the Vault.
▶ 3. The CPM can access the Vault to view all the policies.
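An added example, not CyberArk's own code or policy schema, of what such a password policy looks like once it is data a program can enforce: the policy fields (minimum length, required character classes, expiration in days) are assumptions modelled on the slide's "length, expiration, complexity". The block checks a candidate password against the policy, generates a compliant password from a CSPRNG, and answers the question a CPM-style scheduler has to answer for every managed account: is rotation due yet?

```python
# Added example (not CyberArk code): a privileged-password policy of the kind the
# slide describes (length, expiration, complexity), a checker that reports which
# rules a candidate password breaks, a generator that only returns compliant
# passwords, and the rotation-due test a CPM-style scheduler would make.
# Field names and default values are assumptions, not CyberArk's own schema.
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 16
    min_upper: int = 1
    min_lower: int = 1
    min_digit: int = 1
    min_special: int = 1
    expiration_days: int = 30   # passwords must be rotated at least this often


def check_complexity(policy: PasswordPolicy, password: str) -> list[str]:
    """Return every rule the password violates; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} < {policy.min_length}")
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(c in string.punctuation for c in password),
    }
    required = {
        "upper": policy.min_upper,
        "lower": policy.min_lower,
        "digit": policy.min_digit,
        "special": policy.min_special,
    }
    for cls, needed in required.items():
        if counts[cls] < needed:
            problems.append(f"{cls} {counts[cls]} < {needed}")
    return problems


def generate_password(policy: PasswordPolicy) -> str:
    """Draw random passwords from a CSPRNG until one satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.min_length))
        if not check_complexity(policy, candidate):
            return candidate


def rotation_due(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """True once the password has reached its expiration age."""
    return last_changed + timedelta(days=policy.expiration_days) <= today


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_complexity(policy, "Tr0ub4dor&3"))
    fresh = generate_password(policy)
    print(fresh, check_complexity(policy, fresh))
    print(rotation_due(policy, date(2017, 6, 21), date(2017, 7, 21)))
```

The checker returns the full list of violations rather than a bare boolean so an operator can see every rule a target system's password fails, and the generator reuses the same checker, which keeps the policy in one place: tightening `PasswordPolicy` automatically tightens both the audit and the generation path.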
PVWA Configuration
Privileged Session Manager-PSM
▶ CyberArk Privileged Session Manager, part of the CyberArk
Privileged Account Security Solution, enables organizations to
isolate, monitor, record and control privileged sessions on
critical systems including Unix and Windows-based systems,
databases and virtual machines.
▶ The solution acts as a jump server and single access control
point, prevents malware from jumping to a target system, and
records keystrokes and commands for continuous monitoring.
Privileged Session Manager-PSM
▶ 1. The user logs into the PVWA, accesses an account, selects a Connection
Component, and presses Connect.
▶ 2. The PVWA initiates a connection to the PSM via RDP, logging in as
PSMConnect. The PSM retrieves the credentials for the selected account
from the Vault.
▶ 3. The PSM opens the application for the selected connection component,
using the credentials retrieved from the Vault. The application is
executed as ‘Run As PSM-<shadow user>’.
PSM-functionality
Transparent connection without PSM
Connecting with PSM
Secure connect using PSM
Privileged Session Manager features
▶ Real-time monitoring enables security teams to track user activity and
detect suspicious events in real-time.
▶ Remote session termination enables security teams to immediately
terminate suspicious privileged sessions directly from the CyberArk
administrative console.
▶ Searchable detailed session audit logs and video recordings enable
security teams to pinpoint the moment an incident started, understand
how the incident began, and quickly assess any damage.
▶ Proxy-based, agentless architecture provides a single access control
point and enforces monitoring and recording of all privileged activity.
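An added example, not CyberArk code, of the kind of detection logic a security team could run over the keystroke and command records a PSM-style proxy produces, to turn "real-time monitoring" and "remote session termination" into a concrete decision. The record format, field names, sample lines and rule patterns below are all constructed for this example; a real deployment would feed the recorder's own export or a SIEM into the same evaluation step.

```python
# Added example (not CyberArk code): detection over PSM-style keystroke records
# to decide which recorded sessions warrant analyst attention or termination.
# The record format, field names, sample lines and rule patterns are constructed.
import re
from datetime import datetime, timezone

# Constructed sample, one record per recorded command (not a real CyberArk log format).
SAMPLE_RECORDS = """\
2017-07-21T09:05:12Z session=1001 user=alice target=unix-web01 cmd=sudo systemctl status nginx
2017-07-21T09:06:40Z session=1001 user=alice target=unix-web01 cmd=tail -n 50 /var/log/nginx/error.log
2017-07-21T09:07:03Z session=1002 user=bob target=unix-db01 cmd=cat /etc/shadow
2017-07-21T09:09:30Z session=1002 user=bob target=unix-db01 cmd=history -c
2017-07-21T23:15:00Z session=1003 user=carol target=win-dc01 cmd=Get-Service
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\d+) user=(?P<user>\S+) "
    r"target=(?P<target>\S+) cmd=(?P<cmd>.*)$"
)

# Assumed rules: reading the local credential store and clearing shell history
# are the kind of recorded commands that should page an analyst mid-session.
COMMAND_RULES = [
    ("credential-file-read", re.compile(r"/etc/shadow\b")),
    ("audit-evasion", re.compile(r"\bhistory\s+-c\b")),
]


def parse_records(text: str) -> list[dict]:
    """Parse the constructed record format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        rec = match.groupdict()
        rec["session"] = int(rec["session"])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def evaluate(records: list[dict], business_hours: tuple[int, int] = (8, 18)) -> list[dict]:
    """Return one alert per matching (record, rule); activity outside the
    assumed business-hours window is reported as its own rule."""
    alerts = []
    start, end = business_hours
    for rec in records:
        hits = [rule for rule, pattern in COMMAND_RULES if pattern.search(rec["cmd"])]
        if not start <= rec["ts"].hour < end:
            hits.append("out-of-hours")
        for rule in hits:
            alerts.append({
                "session": rec["session"],
                "user": rec["user"],
                "target": rec["target"],
                "rule": rule,
                "cmd": rec["cmd"],
            })
    return alerts


def sessions_to_terminate(alerts: list[dict]) -> list[int]:
    """Distinct session ids with at least one alert, for the operator to act on."""
    return sorted({alert["session"] for alert in alerts})


if __name__ == "__main__":
    found = evaluate(parse_records(SAMPLE_RECORDS))
    for alert in found:
        print(alert["session"], alert["user"], alert["rule"], "->", alert["cmd"])
    print("terminate:", sessions_to_terminate(found))
```

Evaluating per record rather than per session is what makes the result usable in real time: an alert is raised as soon as the offending command is recorded, while the session is still open, which is the window in which the remote termination feature above is useful.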
Thanks
For more information please contact:
T+ 7338698221
[email protected]
Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Bull, Canopy, equensWorldline, Unify,
Worldline and Zero Email are registered trademarks of the Atos group. March 2017. © 2017 Atos.
Confidential information owned by Atos, to be used by the recipient only. This document, or any part of
it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written
approval from Atos.