CyberArk is an established leader in the cybersecurity space across the world, offering solutions that drive operational efficiencies for cybersecurity teams across sectors and industries. The CyberArk Identity Security Platform uses the latest technology to secure identities end to end. Today, the company provides a wide range of tools and strategies built on current security best practices.
In this blog, we will discuss some CyberArk core concepts that include security best practices through Access and Identity Management, Identity Security Platform Shared Services (ISPSS), Privileged Access Management, Endpoint Privilege Security, Secrets Management, and Cloud Security.
Privileged Access Management solutions help secure your privileged credentials and secrets just about anywhere, whether on premises, on the cloud, or a combination of the two. CyberArk offers you a choice of four options to enable this, as under –
In today’s business environment, Identity Security is far more critical than it has ever been before. However, how does a security team settle on the right solution for its organization? This question matters because each business is different, with different needs and requirements. Cybersecurity decision-makers need to weigh several considerations before they finalize their choice of solution(s). Privileged Access Management (PAM) is a method that ensures that your business and its most valuable assets remain secure at all times. It protects your credentials and accounts against malicious attack. CyberArk, with its Privileged Access Manager, guides organizations on how they can mitigate risks and maximize productivity by defending against attacks, satisfying audit and compliance requirements, and securely enabling digital business.
Privileged Account Security (PAS) is a cybersecurity strategy developed to protect privileged accounts and identities from theft and abuse. CyberArk has developed its CyberArk Privileged Access Security (PAS) solution that is a complete life-cycle solution for managing the most-privileged accounts and SSH Keys in any business. It enables organizations to secure, provision, manage, control and monitor the entire range of activities associated with all types of privileged identities. These include:
Privileged Session Management (PSM) is an IT security practice that controls and monitors access to an organization’s critical systems and grants access to privileged users. Quite obviously, Privileged Session Management helps ensure that only authorized users can gain access to sensitive data and systems, and that such privileged access is used safely and responsibly, in compliance with the established policies of the company. The Privileged Session Manager (PSM) is a solution created by CyberArk that enables you to initiate, monitor, and record privileged sessions and the usage of administrative and privileged accounts. This CyberArk component does not require a dedicated machine; it only needs to be installed on a machine that is reachable over the network. However, to achieve optimal concurrency, CyberArk recommends installing PSM on a dedicated machine (as per a recent note posted on the company’s official website).
Identity Governance and Administration (IGA), also known as Identity Security, is a set of policies designed to improve manageability and transparency and to mitigate cyber risk, while allowing firms to comply with government regulations that protect sensitive data. IGA policies are designed to help prevent breaches of sensitive data by permitting only the right employees to access data, strictly as their work requires. Identity Governance and Administration is made up of role management, analytics, logging and reporting, segregation of duties, and tools to detect suspicious activity. This strategy developed as technology progressed and organizations grew, with more and more users needing access to organizational resources from multiple locations and devices. CyberArk’s IGA solutions are designed to help businesses improve oversight, eliminate human error and latency, and bring down risk considerably by automating routine digital identity and access rights management functions. CyberArk offers Identity Security Platform solutions for Identity Governance and Administration that help businesses manage digital identities and access rights across systems. The solutions may be broadly classified according to the following functions -
This topic deals with how you may connect to target systems using CyberArk Privileged Manager. Users can connect through the PVWA portal, or alternatively through PSM for Windows, that is, directly from their desktops using any standard RDP client application, such as MSTSC, different Connection Managers or an RDP file.
By default, the user connects to the PSM machine through port 3389, using the RDP protocol. This is required to facilitate remote access, although this port is not usually opened in the corporate firewall, and in some cases, it is not permitted.
You can configure PSM to provide secure remote access to a target machine through an HTML5 gateway when connecting with the PVWA portal. The HTML5 gateway tunnels the session between the end user and the PSM machine using a secure WebSocket protocol (port 443). This eliminates the requirement to open an RDP connection from the end user's machine. Instead, the end user only requires a web browser to establish a connection to a remote machine through PSM.
Alternatively, PSM can be configured to work with the Microsoft Remote Desktop Gateway (RD Gateway) which tunnels the RDP session between the user and the PSM machine using the HTTPS protocol (port 443). This provides a secure connection without needing to open the firewall. All information transferred between the user and the PSM machine is encrypted and protected by the HTTPS protocol, enabling secure cross-network and remote access.
For additional information on Microsoft Remote Desktop Gateway, you may refer to Microsoft’s official document on the subject. For details, you may also refer to the links hereunder -
As mentioned before, you may connect through the Web Portal (PVWA) or connect through PSM for Windows.
Access Control is what essentially determines which employee(s) get permission to access which information or resource and from which location. This has been further subdivided into various methods of controlling access to resources as –
Role-based access control (RBAC)
RBAC, often used by small to mid-sized organizations, assigns access based on a user's role. This can be defined by an administrator based on factors like seniority, department, and geographical location.
Attribute-based access control (ABAC)
ABAC enables access based on attributes like the user characteristics, environment, and the type of resource being accessed. ABAC offers more granularity and is more dynamic than RBAC.
Context-based access control (CBAC)
CBAC is focused on the user's actions and when they take them. CBAC uses information about the user and the resource to gauge what the user is doing and what they have done previously.
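As an added illustration (not code from the original post or from CyberArk’s products) of how the three models decide the same request differently, the policy rules, attributes and sample requests below are constructed for the example:

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    user: str
    roles: set            # RBAC input: roles assigned by an administrator
    attrs: dict           # ABAC input: user characteristics, e.g. clearance
    resource_type: str    # ABAC input: type of resource being accessed
    env: dict             # ABAC input: environment, e.g. network, hour of day
    history: list = field(default_factory=list)  # CBAC input: prior actions

# RBAC: a role maps directly to the resource types it may touch (constructed policy).
RBAC_POLICY = {"db-admin": {"prod-db"}, "helpdesk": {"workstation"}}

def rbac_allows(req: Request) -> bool:
    # Decision depends only on role membership, nothing about context.
    return any(req.resource_type in RBAC_POLICY.get(r, set()) for r in req.roles)

def abac_allows(req: Request) -> bool:
    # Decision combines user attributes, environment and resource type.
    on_corp_net = req.env.get("network") == "corporate"
    business_hours = 8 <= req.env.get("hour", -1) < 18
    if req.resource_type == "prod-db":
        # Sensitive resource: require clearance level 3+, corporate network, business hours.
        return req.attrs.get("clearance", 0) >= 3 and on_corp_net and business_hours
    return on_corp_net

def cbac_allows(req: Request, action: str) -> bool:
    # Decision looks at what the user is doing now and what they did before.
    recent_failures = sum(1 for a in req.history if a == "auth-failure")
    if recent_failures >= 3:          # repeated failed logins: block further actions
        return False
    if action == "delete" and "checkout" not in req.history:
        return False                  # destructive action without a prior checkout step
    return True

def evaluate(req: Request, action: str) -> dict:
    """Return each model's verdict so the differences are visible side by side."""
    return {"rbac": rbac_allows(req), "abac": abac_allows(req),
            "cbac": cbac_allows(req, action)}

if __name__ == "__main__":
    # Constructed sample: a database admin working late from the corporate network.
    alice = Request("alice", {"db-admin"}, {"clearance": 3}, "prod-db",
                    {"network": "corporate", "hour": 22}, ["checkout"])
    print(evaluate(alice, "delete"))  # RBAC allows, ABAC denies (off hours), CBAC allows
```

Running the same request through all three evaluators shows why the post calls ABAC more dynamic than RBAC: only the attribute and context models react to the hour, network and prior actions.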
An important part of the process is the designing and implementation of CyberArk Safes. Broadly, it should make use of the following steps -
A good naming convention should be clear, concise, and consistent. It should be manageable, while leaving room to incorporate new technologies, targets, and organizational structures. Naming convention best practices include:
Least Privilege
The convention should enforce least privilege and ensure that users only have access to accounts they need.
The CyberArk Blueprint is a tool to guide organizations through their identity security journey by providing assistance in understanding and protecting themselves from cyberattacks through recommended steps. The CyberArk Blueprint helps in recognizing the identity attack chain, assessing the organization’s security posture, building a customized roadmap and updating on the latest best practices.