Introduction
This topic introduces you to CyberArk Remote Access, a SaaS-based service that combines Zero Trust access, biometric authentication and seamless just-in-time provisioning for remote vendors connecting to the Privileged Access Manager - Self-Hosted solution and CyberArk Identity web apps.
What is Remote Access?
CyberArk Remote Access is a SaaS-based service that integrates with PAM - Self-Hosted and CyberArk Identity web apps for complete visibility and control of remote privileged activities without the need for VPNs, agents or passwords.
Remote Access is specifically designed to provide fast, easy and secure privileged access for remote vendors that need to access critical internal systems that are managed by CyberArk. The cloud-based, multi-factor authentication provided with Remote Access leverages the biometric capabilities from smartphones, which in turn allows authorized remote vendors just-in-time secure privileged access with a simple glance or tap of a finger.
Remote Access eliminates the need for VPN clients, security agents or passwords that can frustrate users, add risk, and create administrative headaches. Instead, remote vendors authenticate using native smartphone facial or fingerprint recognition functionality and are provisioned and authenticated for secure access to PAM - Self-Hosted or CyberArk Identity web apps via Remote Access. Remote Access combines zero trust access, biometric multi-factor authentication, just-in-time provisioning and full integration with PAM - Self-Hosted and CyberArk Identity web apps, giving administrators full visibility and audit, in a single SaaS solution.
How does it work?
When a remote user attempts to log in to the CyberArk web portal, Remote Access displays a one-time, short-lived QR code on the user's workstation. Using the CyberArk Mobile app, the user scans the QR code and simultaneously authenticates their identity by means of facial or fingerprint recognition. If both the QR code and the biometric data are approved, the remote user is granted secure access to the CyberArk web portal and authorized to access privileged accounts from their workstation. The web browser session is isolated, and credentials are never shared with the end user's workstation when they access critical IT systems for regular work, maintenance, or otherwise. The session is encrypted end-to-end.
Integration with Privileged Access Manager - Self-Hosted
The Privileged Access Manager - Self-Hosted solution mitigates risks by helping enterprises to efficiently manage privileged account access rights, proactively monitor and control privileged account activity, intelligently identify suspicious activity, and quickly and automatically respond to threats. Remote Access integrates seamlessly with the PAM - Self-Hosted solution, providing just-in-time user provisioning and access for remote vendors to ensure that critical assets are only accessed when necessary. The integration also provides enterprise operations and security teams full visibility and control over remote vendors’ privileged access activities.
Depending on organizational requirements, customers can either provision access to remote vendors directly, or delegate responsibility to a Vendor Manager or external vendor manager. Once the remote vendor authenticates via Remote Access, they can connect to PAM - Self-Hosted using the hosted cloud service, Remote Access connector and HTML5 Gateway.
Integration with CyberArk Identity web apps
Remote Access integrates with CyberArk Identity, providing vendors with just-in-time access to web applications protected by CyberArk Identity.
Depending on your organizational requirements, vendor users can be created and managed by Remote Access, or they can be created and managed by the administrator in CyberArk Identity.
Vendors are assigned in Remote Access with their respective Role in CyberArk Identity, which determines the relevant access to specific applications in your organization.
Benefits
Implement zero trust access for remote vendors connecting to PAM - Self-Hosted. Improve security posture with just-in-time provisioning to privileged accounts while avoiding passwords, tokens and network-based access controls, which can introduce vulnerabilities and expand attack surfaces.
The SaaS solution streamlines operations by eliminating VPNs, agents, and required credentials for remote vendor access. Temporarily authorize remote users in real time without administrator intervention and delete users by policy when access is no longer required.
Let authorized vendors securely authenticate to access privileged enterprise accounts with a simple glance or the tap of a finger. Maintain biometric data on the mobile device separate from internal systems, for ultimate privacy and security.
Full integration with PAM - Self-Hosted lets you monitor privileged access activity in real time via isolated browser sessions. Detect in-progress and potential attacks before perpetrators gain access to critical systems and do irreversible harm. Produce historical reports to support compliance audits.
Onboarding
The CyberArk Mobile app runs on iOS and Android phones. Once the app is downloaded, the user receives an email sent from the organization to access the Remote Access portal. Users confirm their identity by verifying the email address and registered phone by entering a passcode received through SMS.
Biometric authorization is also used to verify and authenticate the user's identity and can be mandated during the onboarding process to ensure a successful first-time logon. Biometric data is securely stored natively on the user's mobile device. The client uses the hosted Remote Access portal to manage external user accounts and audit activity.