CyberArk

Privileged Account Security Solution

21-Jul-2017

© Atos - For internal use

 What is CyberArk?

 The Cyber-Ark Enterprise Password Vault provides a ‘Safe

Haven’ within an enterprise, where administrative passwords
can be securely Managed , encrypted and kept safe and
unknown for everyone.
 CyberArk focuses on privileged account security.
 Enterprise Password Vault protects privileged credentials based
on privileged account security policy and controls for who can
access which passwords, and when it can be accessed

2 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

CyberArk Privileged Account Security Solution

3 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Why using CyberArk?

4 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

Privileged Account
Security Solution
Architecture
 Cyber-Ark Architecture

6 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Standard Ports and Protocols

Device type protocol port number

Unix/linux SSH 22
Telnet 23
CyberArk Cyberark 1858
windows Rdp 3389
Ldap plain 389
iseries
As400 access 449
HTTP TCP 80
HTTPS TCP 443
FTP TCP 21

7 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 CyberArk Components

8
 CyberArk Components

Component Abbreviation
Enterprise Password Vault EPV
Central Policy Manager CPM
Password Vault Web Access PVWA
Privileged Session Manager PSM
Disaster Recovery Vault DR Vault
Privileged threat analytics PTA

9 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Enterprise Password Vault

 Centralized secure storage and sharing platform

 Securing data from end-to-end using multiple security layers
 The Digital Vault include seven layers of security to ensure the highest levels of
protection of your most sensitive credentials, files, and audit logs.

10 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Proactive Protection: How does it work?

11 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

CyberArk Enterprise Password Vault features

▶ Privileged account discovery finds and inventories privileged

accounts throughout the IT environments
▶ Centralized, secure storage protects privileged account
passwords used in on-premises, cloud and OT environments
behind multiple layers of built-in security
▶ Granular privileged access controls prevent unauthorized users
from accessing privileged account credentials
▶ Automated workflows enable users to request access to
accounts with elevated privileges when needed for business
purposes

12 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

CyberArk Enterprise Password Vault features

▶ Detailed audit and reporting provides security and audit teams

with a clear view of which individual users accessed which
privileged or shared accounts.
▶ Technology integrations enable organizations to extend policies
from existing solutions, such as ticketing, strong authentication,
and identity and access management, to their privileged
account security solution, as well as send privileged account
data to SIEM solutions

13 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 CyberArk SSH Key Manager features

▶ Secure storage of private SSH keys in the CyberArk Digital Vault

▶ Proactive rotation of SSH key pairs with automated distribution
of public keys to target systems
▶ Centralized creation and management of all access control
policies for SSH keys across the enterprise
▶ Tamper-proof audit logs enable organizations to report on who
accessed what SSH keys and when

14 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 End to End Security

15 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Authentication Types

16 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Central policy manager-CPM

17 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Important notes for CPM

▶ Central Policy Manager (CPM)

▶ Acts as middleware between Vault and target systems
▶ Manages password change processes -how and when to change
a password
▶ Constantly communicates with the Vault
▶ Talks to all managed systems
▶ Can be a domain member

18 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 CPM-functionality

19 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Architecture-one site

20 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Password vault web access-PVWA

21 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Important notes for PVWA

▶ This scenario describes the first step in managing privileged

accounts in the CPM.
▶ 1. The Security administrator creates a policy for all the
passwords (length, expiration, complexity and so on) using the
PVWA.
▶ 2. The policies are stored in the Vault.
▶ 3. The CPM can access the Vault to view all the policies.

22 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 PVWA Configaration

23 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Privileged Session Manager-PSM

▶ CyberArk Privileged Session Manager, part of the CyberArk

Privileged Account Security Solution, enables organizations to
isolate, monitor, record and control privileged sessions on
critical systems including Unix and Windows-based systems,
databases and virtual machines.
▶ The solution acts as a jump server and single access control
point, prevents malware from jumping to a target system, and
records keystrokes and commands for continuous monitoring.

24 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Privileged session manager-PSM

▶ 1.User logs into PVWA, accesses an account, selects Connection

Component, and presses Connect.
▶ 2.PVWA initiates a connection to the PSM via RDP, logging in as
PSMConnect. PSM retrieves the credentials for the account
selected above from the Vault.
▶ 3.PSM opens the application based on selected connection
component, using the credentials retrieved from the vault.
Application is executed as ‘Run As PSM-<shadow user>.

25 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 PSM-functionality

26 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Transparent connection without PSM

27 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Connecting using with PSM

28 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Secure connect using PSM

29 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

 Privileged Session Manager features

▶ Real-time monitoring enables security teams to track user activity and

detect suspicious events in real-time.
▶ Remote session termination enables security teams to immediately
terminate suspicious privileged sessions directly from the CyberArk
administrative console.
▶ Searchable detailed session audit logs and video recordingsenable
security teams to pinpoint the moment an incident started, understand
how the incident began, and quickly assess any damage.
▶ Proxy-based, agentless architecture provides a single access control
point and enforces monitoring and recording of all privileged activity.

30 | 21-Jul-2017 | Author: Velpula, Hanumeswara | © Atos - For internal use

Thanks
For more information please contact:
T+ 7338698221

[email protected]

Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Bull, Canopy, equensWorldline, Unify,
Worldline and Zero Email are registered trademarks of the Atos group. March 2017. © 2017 Atos.
Confidential information owned by Atos, to be used by the recipient only. This document, or any part of
it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written
approval from Atos.