Where Cybersecurity Meets Career Success – SecApps Learning

CyberArk Fundamentals: Essential Concepts and Terminology to Get Started

October 07 2024


CyberArk is an established leader in the cybersecurity space across the world, offering solutions that improve the operational efficiency of cybersecurity teams across sectors and industries. The CyberArk Identity Security Platform uses current technology to secure identities end to end. Today, the company provides a wide range of tools and strategies built on the latest security best practices.

CyberArk Core Concepts

In this blog, we will discuss some CyberArk core concepts that include security best practices through Access and Identity Management, Identity Security Platform Shared Services (ISPSS), Privileged Access Management, Endpoint Privilege Security, Secrets Management, and Cloud Security.

Privileged Access Management (PAM)

Privileged Access Management solutions help secure your privileged credentials and secrets just about anywhere, whether on premises, in the cloud, or a combination of the two. CyberArk offers you a choice of four options to enable this, as follows:

  1. PAM - Self-Hosted
  2. CyberArk Privilege Cloud
  3. Remote Access
  4. Dynamic Privileged Access

In today’s business environment, Identity Security is far more critical than it has ever been. However, how does a security team settle on the right solution for its organization? This question matters because each business is different, with different needs and requirements. Cybersecurity decision-makers need to weigh several considerations before they finalize their choice of solution(s). Privileged Access Management (PAM) is a method that ensures that your business and its most valuable assets remain secure at all times by protecting your credentials and accounts against malicious attack. With its Privileged Access Manager, CyberArk guides organizations on how they can mitigate risk and maximize productivity by defending against attacks, satisfying audit and compliance requirements, and securely enabling digital business.

Also read: Difference Between CyberArk Privilege Cloud and CyberArk PAM Self-Host

Privileged Account Security (PAS)

Privileged Account Security (PAS) is a cybersecurity strategy developed to protect privileged accounts and identities from theft and abuse. CyberArk’s Privileged Access Security (PAS) solution is a complete life-cycle solution for managing the most privileged accounts and SSH keys in any business. It enables organizations to secure, provision, manage, control, and monitor the entire range of activities associated with all types of privileged identities. These include:

  1. Administrator on a Windows server
  2. Root on a UNIX server
  3. Cisco Enable on a Cisco device
  4. Embedded passwords found in applications and scripts

Privileged Session Management (PSM)

Privileged Session Management (PSM) is an IT security practice that controls and monitors access to an organization’s critical systems and grants access to privileged users. It helps ensure that only authorized users can gain access to sensitive data and systems, and that such privileged access is used safely and responsibly, in compliance with the company’s established policies. The Privileged Session Manager (PSM) is a CyberArk component that enables you to initiate, monitor, and record privileged sessions and the usage of administrative and privileged accounts. PSM does not require a dedicated machine; it must, however, be installed on a machine that is reachable over the network. To achieve optimal concurrency, CyberArk recommends installing PSM on a dedicated machine (as per a recent note on the company’s official website).

Identity Governance and Administration (IGA)

Identity Governance and Administration, also known as Identity Security, is a set of policies designed to improve manageability and transparency and mitigate cyber risk while allowing firms to comply with government regulations that protect sensitive data. IGA policies help prevent breaches of sensitive data by permitting only the appropriate employees to access data, strictly as required. Identity Governance and Administration is made up of role management, analytics, logging and reporting, segregation of duties, and tools to detect suspicious activity. This strategy developed as technology progressed and organizations grew, with more and more users needing access to organizational resources from multiple locations and devices.

CyberArk’s IGA solutions are designed to help businesses improve oversight, eliminate human error and latency, and bring down risk considerably by automating routine digital identity and access rights management functions. CyberArk offers Identity Security Platform solutions for Identity Governance and Administration (IGA) that help businesses manage digital identities and access rights across systems. The solutions may be broadly classified according to the following functions:

  1. For Security: IGA solutions can help strengthen security by reducing the risk of insider threats and external breaches.
  2. For Compliance: IGA solutions can help businesses comply with government rules and regulations, industry standards, and corporate policies.
  3. For Onboarding: IGA solutions can help streamline the onboarding process for new users.
  4. For Access management: IGA solutions can help businesses manage employees’ access to applications and systems, and determine which roles require which level of access.

Related article: The Career Scope of Learning CyberArk in 2024

CyberArk Architecture

This topic deals with how you may connect to target systems using CyberArk Privileged Manager. Users can connect through the PVWA portal, or alternatively through PSM for Windows, that is, directly from their desktops using any standard RDP client application, such as MSTSC, various connection managers, or an RDP file.

By default, the user connects to the PSM machine through port 3389, using the RDP protocol. This is required to facilitate remote access, although this port is not usually opened in the corporate firewall, and in some cases it is not permitted at all.

You can configure PSM to provide secure remote access to a target machine through an HTML5 gateway when connecting with the PVWA portal. The HTML5 gateway tunnels the session between the end user and the PSM machine using a secure WebSocket protocol (port 443). This eliminates the requirement to open an RDP connection from the end user’s machine. Instead, the end user only needs a web browser to establish a connection to a remote machine through PSM.

Alternatively, PSM can be configured to work with the Microsoft Remote Desktop Gateway (RD Gateway) which tunnels the RDP session between the user and the PSM machine using the HTTPS protocol (port 443). This provides a secure connection without needing to open the firewall. All information transferred between the user and the PSM machine is encrypted and protected by the HTTPS protocol, enabling secure cross-network and remote access.

For additional information on Microsoft Remote Desktop Gateway, you may refer to Microsoft’s official documentation on the subject. For details, you may also refer to the following:

  1. Secure RDP Connections with SSL
  2. Secure Access with an HTML5 Gateway
  3. Secure Remote Access using a Remote Desktop Gateway
  4. SSH Commands Access Control

As mentioned before, you may connect through the Web Portal (PVWA) or connect through PSM for Windows.

Access Control

Access Control is what essentially determines which employee(s) get permission to access which information or resource, and from which location. This is further subdivided into the following methods of controlling access to resources:

Role-based Access Control (RBAC)

RBAC, often used by small to mid-sized organizations, assigns access based on a user's role. This can be defined by an administrator based on factors like seniority, department, and geographical location.

Attribute-based access control (ABAC)

ABAC grants access based on attributes such as user characteristics, the environment, and the type of resource being accessed. ABAC offers more granularity and is more dynamic than RBAC.

Context-based access control (CBAC)

CBAC is focused on the user’s actions and when they take them. CBAC uses information about the user and the resource to gauge what the user is doing and what they have done previously.

Safe Design Principles

An important part of the process is the design and implementation of CyberArk Safes. Broadly, it should follow these steps:

Naming Convention

A good naming convention should be clear, concise, and consistent. It should be manageable, while leaving room to incorporate new technologies, targets, and organizational structures. Naming convention best practices include:

  1. Start broad, then get granular: Start with broad categories, and then add more specific categories.
  2. Use of abbreviations: Use abbreviations to represent organizational factors, like geographical region, asset type, platform, or environment.
  3. Limit the characters of the name: The name should be limited to 28 characters.
  4. Document the convention: Document the naming convention process internally.
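As an added example (not code from this page, from CyberArk, or from any organization's real convention), a small Python helper that composes Safe names from broad-to-granular abbreviations and checks them against the 28-character limit above; the abbreviation tables and the set of forbidden characters are assumptions chosen for illustration.

```python
import re

# Ordered abbreviation tables, broad category first, then more specific
# (the "start broad, then get granular" rule). All values are constructed
# for this example, not CyberArk's or any organization's real convention.
REGION = {"emea": "EU", "apac": "AP", "americas": "AM"}
ASSET_TYPE = {"server": "SRV", "database": "DB", "network": "NET", "application": "APP"}
PLATFORM = {"windows": "WIN", "linux": "LNX", "oracle": "ORA", "cisco": "CSC"}
ENVIRONMENT = {"production": "PRD", "test": "TST", "development": "DEV"}

MAX_SAFE_NAME_LEN = 28  # limit stated in the naming-convention guidance
# Assumed set of characters a Safe name must not contain (illustrative only).
FORBIDDEN_CHARS = re.compile(r'[\\/:*?"<>|\t]')


def build_safe_name(region, asset_type, platform, environment, project=""):
    """Compose a Safe name from broad to granular: region, asset type,
    platform, environment, then an optional free-text project tag.
    Raises ValueError if the result violates the convention."""
    parts = [REGION[region.lower()], ASSET_TYPE[asset_type.lower()],
             PLATFORM[platform.lower()], ENVIRONMENT[environment.lower()]]
    if project:
        parts.append(project.upper())
    name = "-".join(parts)
    problems = validate_safe_name(name)
    if problems:
        raise ValueError(f"{name!r}: " + "; ".join(problems))
    return name


def validate_safe_name(name):
    """Return a list of convention violations (an empty list means compliant)."""
    problems = []
    if len(name) > MAX_SAFE_NAME_LEN:
        problems.append(f"{len(name)} characters exceeds limit of {MAX_SAFE_NAME_LEN}")
    if FORBIDDEN_CHARS.search(name):
        problems.append("contains a forbidden character")
    # Convention: four fixed abbreviation fields, then an optional project tag.
    fields = name.split("-")
    if len(fields) < 4:
        problems.append("fewer than the four required fields (region, asset, platform, env)")
    else:
        tables = (REGION, ASSET_TYPE, PLATFORM, ENVIRONMENT)
        for pos, (field, table) in enumerate(zip(fields, tables)):
            if field not in table.values():
                problems.append(f"field {pos + 1} {field!r} is not a known abbreviation")
    return problems
```

Run validate_safe_name over an export of existing Safe names to find the ones that drifted from the documented convention before they multiply.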

Least Privilege

The convention should enforce least privilege and ensure that users only have access to the accounts they need.

  1. Separation of duties: Separation of duties (SOD) in a CyberArk Safe is a security control that ensures users only have the authorizations they need and nothing beyond that. This is a best practice that helps prevent security and privacy breach incidents.
  2. Principle of Least Astonishment: In user interface design and software design, the Principle of Least Astonishment (POLA) is also known as the Principle of Least Surprise. It proposes that a component of a system should behave in the manner that most users would expect it to behave, and therefore should not noticeably astonish or surprise users.
  3. Defence in depth: Defense in depth (DiD) is a cybersecurity strategy that uses multiple security measures to protect an organization’s systems, networks, and resources. The aim of DiD is to stop cyber threats before they materialize and to limit further damage if an attack has already taken place and is ongoing.
  4. Single-project Safe: When possible, aim for a single-project Safe.
  5. CPM assignments: CPM assignments should be implied, not explicit.

CyberArk Blueprint

The CyberArk Blueprint is a tool that guides organizations through their identity security journey, helping them understand and protect themselves against cyberattacks through recommended steps. The CyberArk Blueprint helps in recognizing the identity attack chain, assessing the organization’s security posture, building a customized roadmap, and staying current with the latest best practices.
