Last updated on Nov 07, 2023
CyberArk has made significant investments in designing and incorporating security features directly into its products. Furthermore, CyberArk has published a Digital Vault Security Standard that defines the policies and configurations that help customers reduce their attack surface. CyberArk customers can greatly improve the security of their Privileged Account Security Solution by using the built-in security features and complying with the CyberArk Digital Vault Security Standard. This brief focuses on the security features and functionality built directly into the CyberArk Privileged Account Security Solution.
Data at Rest Encryption in a Hierarchical Structure:
The CyberArk Digital Vault, which contains a highly secure database that stores privileged account credentials, access control policies, credential management policies, and audit information, is at the heart of the CyberArk Privileged Account Security Solution. CyberArk has engineered a multi-layered encryption hierarchy that uses FIPS 140-2 compliant encryption to protect both the Digital Vault database and the data stored within it. AES-256 keys are used for symmetric encryption, and an RSA-2048 key pair is used for asymmetric encryption.
Each file and safe in the Digital Vault database is encrypted with its own truly random encryption key. At the top of the key hierarchy, CyberArk uses a unique server key and a unique recovery key. The server key is needed to start the Digital Vault, so the CyberArk Digital Vault Security Standard requires that this key be stored inside a hardware security module (HSM). The recovery key is a unique private key that is needed only in the event of a system recovery; it must be kept in a physical safe.
Any PKCS #11-compliant HSM, such as Thales nShield, SafeNet Hardware Security Modules, and Utimaco CryptoServer, can be integrated with CyberArk solutions.
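To make the hierarchy above concrete, here is an added Go model of it (not CyberArk's code, and the names WrappedFile, EncryptFile, DecryptWithServerKey and RecoverWithPrivateKey are hypothetical): each file gets a fresh random AES-256 key, and that key is wrapped twice, once under the server key and once under the RSA-2048 recovery public key, so the normal path needs the server key while the recovery path needs only the offline private key. The server key is held in memory here purely for illustration; in a real deployment it would be generated and used inside the HSM.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)
// WrappedFile is a hypothetical layout (not CyberArk's on-disk format): the body is sealed
// under a per-file AES-256 key, and that key is wrapped under the server key and the recovery key.
type WrappedFile struct{ Ciphertext, ServerWrap, RecoveryWrap []byte }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func gcmSeal(key, pt []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize()) // random 12-byte nonce, prefixed to the output
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}
func gcmOpen(key, sealed []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil || len(sealed) < g.NonceSize() { return nil, io.ErrUnexpectedEOF }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
// EncryptFile draws a fresh per-file AES-256 key, seals the body, and wraps the key both ways.
func EncryptFile(serverKey []byte, recoveryPub *rsa.PublicKey, pt []byte) (*WrappedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil { return nil, err }
	ct, e1 := gcmSeal(fileKey, pt)
	sw, e2 := gcmSeal(serverKey, fileKey)
	rw, e3 := rsa.EncryptOAEP(sha256.New(), rand.Reader, recoveryPub, fileKey, nil)
	for _, e := range []error{e1, e2, e3} { if e != nil { return nil, e } }
	return &WrappedFile{Ciphertext: ct, ServerWrap: sw, RecoveryWrap: rw}, nil
}
// DecryptWithServerKey is the normal path: the server key (HSM-resident in production) unwraps the file key.
func DecryptWithServerKey(serverKey []byte, wf *WrappedFile) ([]byte, error) {
	fileKey, err := gcmOpen(serverKey, wf.ServerWrap)
	if err != nil { return nil, err }
	return gcmOpen(fileKey, wf.Ciphertext)
}
// RecoverWithPrivateKey is the recovery path: the offline RSA private key alone unwraps the file key.
func RecoverWithPrivateKey(priv *rsa.PrivateKey, wf *WrappedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wf.RecoveryWrap, nil)
	if err != nil { return nil, err }
	return gcmOpen(fileKey, wf.Ciphertext)
}
```

Because the file key is wrapped independently under each top-level key, losing the HSM does not lose the data as long as the recovery private key survives, and a wrong server key fails authentication rather than yielding garbage.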
Data in Transit Session Encryption:
When sensitive data is transmitted between systems, it may be exposed to attackers eavesdropping on the network. CyberArk ensures that all data to and from the Digital Vault is encrypted in transit, so that such attackers cannot capture privileged account credentials from intercepted traffic. To protect privileged account information as it is communicated between CyberArk components, the Digital Vault uses a proprietary protocol. This proprietary session encryption mechanism is FIPS 140-2 compliant and uses a unique AES-256 session key. With this level of encryption, an intruder on the network may be able to observe traffic moving between CyberArk components, but that traffic will be unintelligible and therefore useless to the attacker.
Hardening the Digital Vault Server:
To reduce the attack surface of the server on which the Digital Vault software will run, it must be hardened as much as possible. CyberArk has conducted extensive security research and testing on the potential attack vectors of the Digital Vault, as well as the potential functionality implications associated with hardening the Digital Vault server.
Based on this research, CyberArk has created a set of configurations that harden the Digital Vault server so that the attack surface is reduced without jeopardizing the software's functionality. To ensure that all customers apply these configurations correctly and to eliminate the risk of human error, the Digital Vault software is designed to automatically harden its host server. The Digital Vault software installation program includes operating system (OS) hardening procedures based on Microsoft Security Compliance Manager (SCM) server hardening recommendations. The Digital Vault software then applies additional system configurations that further harden the operating system in order to meet the CyberArk Digital Vault Server Security Standard.
These settings disable all unneeded services, restrict server access, and restrict access to the Digital Vault operating system. Together, these OS hardening procedures and system settings help reduce the attack surface of the Digital Vault server, which in turn protects the highly sensitive privileged account information stored on this machine.
In addition to the Digital Vault server hardening settings, CyberArk offers hardening configurations for the other, less critical components of the Privileged Account Security Solution. These configurations help reduce the attack surface of the CyberArk components that have established mutual trust with the Digital Vault. These component hardening procedures further reduce the overall attack surface.
Along with securing the server OS, it is critical to limit traffic to and from the Digital Vault server. Malicious actors frequently look for any possible way to gain access to a target system and exfiltrate information, and unneeded open ports only increase the security risk of the Digital Vault server. To address this problem, the Digital Vault software uses the host machine's built-in security settings and preconfigures its policies automatically.
The Digital Vault software configures the Windows Firewall on its own host to allow only traffic destined for the Digital Vault service, which listens on TCP port 1858 by default, and to block all other traffic. All traffic to and from this service is encrypted using the CyberArk protocol, so all permitted traffic remains protected.
This firewall policy is intentionally restrictive; it reduces the attack surface of the Digital Vault server and has been shown to eliminate numerous attack vectors. In particular, the CyberArk research and development teams continuously monitor Microsoft Security Bulletins to stay informed about newly disclosed threats and vulnerabilities, and they routinely evaluate the Digital Vault server against these new threats. Most of the threats disclosed in the monthly Microsoft Security Bulletins have no effect on the Digital Vault server, due in large part to the strict firewall configuration, since the existing firewall settings already block several of the vulnerabilities.
Mechanisms of Access Control:
For security reasons, some customers prefer to completely separate duties between those responsible for maintaining the Digital Vault server and those responsible for the processes whose credentials are protected inside the Digital Vault. CyberArk advises customers to separate administrative tasks in this way. Customers, however, have the authority to determine whether these stringent policies are appropriate and practical for their specific organizations.
During the implementation of the Privileged Account Security Solution, administrators can implement the user access model that meets the security requirements of their company.
When the solution is deployed to fully separate administrative tasks, the vault administrators who maintain the Digital Vault server have no direct access to the credentials or system logs stored in the vault's safes. Additional configurable access control mechanisms inside the vault itself help vault administrators segregate duties among safe owners and application developers, reducing the possibility of unauthorized access.
One of the most significant advantages of securing and monitoring privileged accounts is the ability to see who accessed these accounts and what was done during privileged sessions. However, this data is only useful if companies can guarantee the integrity of the audit trail.
Privileged account audit logs and session recordings are stored in the built-in database of the Digital Vault, which is designed with strict controls in place to limit both access and actions. Information stored in the Digital Vault's database can only be accessed by specific, authorized users, and it cannot be changed or deleted, even by a CyberArk administrator. Because of these controls, even if an IT administrator deletes or tampers with the audit trail on a target system, the CyberArk solution retains an accurate and complete record of events.
Authentication Technology Support:
When storing the keys to the IT kingdom in a single central repository, access to that repository must be tightly controlled. Each Digital Vault user must be authenticated, and CyberArk strongly advises that all access to the Digital Vault be protected by multi-factor authentication. The CyberArk Privileged Account Security Solution is designed to work with a range of authentication methods out of the box, such as LDAP, RADIUS, PKI, RSA SecurID, Duo Security 2FA, and SecureAuth IdP.
By integrating the CyberArk solution with multi-factor authentication, companies can not only safeguard access to the sensitive information contained inside the Digital Vault, but also efficiently extend strong authentication to all accounts whose credentials are stored inside the Digital Vault, whether on-premises, in the cloud, or in DevOps environments.
Server Monitoring for Digital Vaults:
As with any mission-critical system, companies must monitor the Digital Vault server for overall health as well as suspicious behaviour. In accordance with the Digital Vault Server Security Standard, CyberArk advises customers not to install third-party monitoring software on the Digital Vault server. Installing third-party software frequently requires loosening security policies on the Digital Vault server, and loosening those policies can increase the system's attack surface.
To enable monitoring without weakening the Digital Vault server's security measures, CyberArk offers its own robust monitoring system based on SNMP alerts, and a command-line utility that lets users query the Digital Vault server for the information needed to monitor the system.
The Digital Vault is designed to facilitate security incident tracking by allowing audit logs to be exported via the syslog protocol and by integrating out of the box with leading SIEM solutions such as HPE ArcSight SIEM Platform, RSA Security Analytics, and Splunk.
Furthermore, CyberArk's privileged data analysis and vulnerability management capabilities can be used to monitor access to sensitive accounts on the Digital Vault server, such as organizational OS accounts and vault administrator accounts, in order to identify and alert on potential threats quickly.
As a security company first and foremost, CyberArk designs its products with a "security-first" mentality. The Digital Vault software is specifically engineered with a number of built-in features and configurations that help reduce the attack surface of its host server, thereby enhancing the security of privileged account information.
CyberArk has also produced the Digital Vault Server Security Standard document to help customers maintain a secure configuration; it describes the policies and settings required to keep the attack surface small.
In addition to ongoing internal testing and evaluation, CyberArk submits its products to independent testing and security certification bodies. As a result, the CyberArk Privileged Account Security Solution has received ISO 9001, Common Criteria, and United States Department of Defense UC APL certifications.