Introduction
CyberArk's Privileged Access Manager - Self-Hosted is a full life-cycle solution for managing the most privileged accounts and SSH Keys in the enterprise. It enables organizations to secure, provision, manage, control and monitor all activities associated with all types of privileged identities, such as:
- Administrator on a Windows server
- Root on a UNIX server
- Cisco Enable on a Cisco device
- Embedded passwords found in applications and scripts
Products
PAM - Self-Hosted includes the following products:
| Product name | Description |
|---|---|
| Enterprise Password Vault (EPV) | Enables organizations to secure, manage, automatically change and log all activities associated with all types of privileged passwords and SSH Keys. |
| Privileged Session Manager (PSM) | Enables organizations to control and monitor privileged access to sensitive systems and devices. PSM provides privileged session recording with DVR-like playback and text recording, as well as secure remote access to sensitive systems using privileged single sign-on, without divulging the credentials used to the end users. All users can connect securely via PSM to all types of systems and applications through the unified PVWA web portal user interface, in addition to the native methods described below. Privileged Session Manager for Windows (PSM for Windows) enables users to securely connect through PSM to any remote target with a standard remote desktop client application such as mstsc or a connection manager. Privileged Session Manager for SSH (PSM for SSH) preserves the benefits of PSM, such as isolation, control and monitoring, while enabling users to connect transparently to target UNIX systems from their own workstation without interrupting their native workflow. PSM for SSH records all activities that occur during privileged sessions in a compact format in the Vault server, where they can be accessed by authorized auditors. PSM for SSH also provides privileged single sign-on and allows users to connect to target devices without being exposed to the privileged connection password. |
| Secrets Manager Credential Providers | Provides a solution that fully addresses the challenges of hard-coded App2App credentials and encryption keys. The solution eliminates the need to store App2App credentials in applications, scripts or configuration files, and allows these highly sensitive passwords to be centrally stored, audited and managed within CyberArk's patented Digital Vault. |
| On-Demand Privileges Manager (OPM) | Provides a comprehensive solution that empowers IT and enables complete visibility and control of super users and privileged accounts across the enterprise. Using the OPM, the complete PAM - Self-Hosted solution enables centralized management and auditing of all aspects of privileged account management from a unified product. |
| Privileged Threat Analytics (PTA) | Since privileged accounts are most often compromised as part of an attack, CyberArk Privileged Threat Analytics (PTA) continuously monitors the use of privileged accounts that are managed in the PAM - Self-Hosted platform, as well as accounts that are not yet managed by CyberArk, and looks for indications of abuse or misuse of the CyberArk platform. PTA also looks for attackers who compromise privileged accounts by running sophisticated attacks, such as Golden Ticket. |
| SSH Key Manager | Addresses the challenges that arise during authentication to target machines with SSH Keys, and helps organizations meet audit requirements by simplifying and automating SSH Key management. SSH Keys are stored and protected in the Vault under strict policy and access control, similar to that of passwords, and you can determine how users access and use them by defining access workflows. The SSH Key Manager can periodically rotate the SSH Keys that are stored in the Vault, and make sure the private key protected in the Vault is always synchronized with the public keys spread over target systems. |
Solution Benefits
With CyberArk’s PAM - Self-Hosted solution, you can:
- Set the main policy rules that define how you manage accounts in your organization using the Master Policy.
  The Master Policy offers a centralized overview of the security and compliance policy of privileged accounts and SSH Keys in your organization while allowing you to configure compliance-driven rules that you define as the baseline for your enterprise.
- Utilize a secure Digital Vault to store, protect, manage and control access to privileged accounts and SSH Keys at a centralized point using a robust policy management engine. CyberArk's patented Vaulting Technology® software utilizes a fully integrated model of critical security layers, interwoven to meet the highest security needs.
- The PAM - Self-Hosted solution offers a simple access control interface that easily pinpoints who is entitled to use privileged accounts and SSH Keys and initiate a privileged session, when and why.
- As a central control point, the PAM - Self-Hosted solution also provides privileged single sign-on for initiating privileged sessions, as well as recording any activities that occurred during these sessions. The PAM - Self-Hosted solution utilizes the Digital Vault as tamper-proof secure storage for these session recordings.
- The PAM - Self-Hosted solution provides sophisticated and transparent solutions for securing and managing critical applications as well as application server accounts, and eliminating the use of hard-coded and embedded passwords, making them invisible to developers and support staff.
- The PAM - Self-Hosted solution provides an easy way to create audit reports required by Sarbanes-Oxley, PCI and more. It allows enterprises to enforce corporate security policies to ensure compliance with regulatory needs and security best practices related to access and usage of privileged accounts and SSH Keys for both human and application (unattended) access.
- The PAM - Self-Hosted solution eliminates manual administration and overhead by providing instant and automatic changing of passwords for thousands of network devices and applications, including scripts and parameter files. Its high level of automation ensures highly reliable and uninterrupted service with minimal administrator overhead and increased productivity.
- With industry-leading performance, scalability and robustness, the PAM - Self-Hosted solution can protect and manage up to hundreds of thousands of passwords and SSH Keys across a highly heterogeneous IT environment with complex and distributed network architectures. The PAM - Self-Hosted solution can leverage existing enterprise infrastructure and integrate with corporate core systems.
- The PAM - Self-Hosted solution ensures quick deployment and implementation proven in over 400 enterprise customers, providing immediate ROI by improving IT productivity.
Vaulting Technology®
The PAM - Self-Hosted solution architecture is based on CyberArk’s Vaulting Technology® software. CyberArk discovered that by splitting the server interfaces from the storage engine, it can remove many of today’s technology barriers associated with network security. The Vaulting Technology® software creates a Single Data Access Channel, which significantly improves security and makes it possible to build 10 layers of security in a unified solution.
Security Layers
The PAM - Self-Hosted solution ensures the security of your organization's sensitive data using multiple security concepts, some of which are detailed briefly below:
- The Vault must run on a dedicated server, eliminating security holes in third-party products. This is enforced by the CyberArk firewall, which doesn't let any communication into the server or out of it other than its own authenticated protocol, the Vault protocol. No other component is able to communicate with the outside world, except for the Storage Engine. The fact that the Vault's code is the only code that runs on the dedicated server assures a sterile environment and total control over the server by the security system.
- The VPN encrypts every transmission (i.e. transactions and data) over the network. About 95% of the encryption processing occurs on the client side, thus offloading the Vault and allowing higher throughput.
- Every access to the Vault must be authenticated. The PAM - Self-Hosted solution uses a strong two-way authentication protocol. Authentication is based on passwords, PKI digital certificates, RSA SecurID tokens, the RADIUS protocol, USB tokens, or Windows authentication. With Windows authentication, the end user needs no additional authentication step. The PAM - Self-Hosted solution also supports third-party authentication that can be integrated with the organization's existing authentication server.
- The PAM - Self-Hosted solution provides a built-in access control mechanism. Users are totally unaware of passwords or information that is not intended for their use. Users can be permitted to read, write, delete, or administer data according to the access control rules.
- Every password and file stored in the Vault is encrypted, using an encryption infrastructure that is totally hidden from the end user. This means that neither users nor administrators need to concern themselves with any key management issues.
  The Vault assigns a unique symmetric encryption key to every version of every password or file stored in it. These encryption keys are securely delivered only to authenticated users that have the appropriate access control rights. This enables the administrator to grant and deny access to passwords and files without the need to re-encrypt them. Users are never exposed to extraneous encryption keys and cannot decrypt passwords or files once their permissions are removed.
  This unique key management also provides the means for the client-side VPN and the encrypted backups.
- The Vault's Visual Security is the first and only technology that lets Users see activities carried out in their Safes by other Users. Real-time monitoring of who is logged on to the Safe and the information they have retrieved enables Users to track passwords and files in the Vault. Other Visual Security features inform Users whenever activity occurs in the Vault, and mark passwords and files so that those that have been accessed by other Users are noticeable immediately.
- Manual security enables Users to define access to Safes that contain highly sensitive information so that users require manual confirmation from one or more Safe Supervisors before they can access privileged accounts. In this way, authorized users can permit or deny a request for access to a Safe or accounts by other users, and retain complete control over their information. Authorized users can confirm requests from mobile devices regardless of their physical location, enabling continuous workflows and preventing loss of productivity.
- The Vault uses Geographical security to restrict Users' logon areas. That means that Users can be permitted to log on only from certain areas of the network, or from a specific terminal.
- The Vault is a plug-and-play, ready-to-use product that implements its security mechanisms immediately after installation. It works with any network, and with an unlimited number of Users.
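As an added illustration of the per-version key scheme described above (a constructed model, not CyberArk's implementation), the following Python shows why access can be granted and revoked without re-encrypting anything: each stored version gets its own random key, the vault releases a key only to a user who passes the access check, and revocation simply stops key delivery while the ciphertext stays untouched. The stream cipher is a SHA-256 counter-keystream stand-in for a real cipher, used only to keep the example dependency-free.

```python
"""Model of per-version key delivery: authorization gates key release."""
import hashlib
import os
from typing import Dict, List, Optional, Set, Tuple


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (constructed stand-in, NOT a production cipher):
    # XOR data with SHA-256(key || block counter). Symmetric, so the same
    # call both encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Vault:
    """Hypothetical vault: one key per version, ACL decides key release."""

    def __init__(self) -> None:
        self._ciphertext: Dict[Tuple[str, int], bytes] = {}
        self._keys: Dict[Tuple[str, int], bytes] = {}   # never leave the vault except via retrieve()
        self._acl: Dict[str, Set[str]] = {}
        self.audit: List[Tuple[str, str, int, str]] = []  # (user, name, version, outcome)

    def store(self, name: str, secret: bytes) -> int:
        version = 1 + sum(1 for n, _ in self._ciphertext if n == name)
        key = os.urandom(32)                      # unique key for this version only
        self._keys[(name, version)] = key
        self._ciphertext[(name, version)] = _keystream_xor(key, secret)
        return version

    def grant(self, name: str, user: str) -> None:
        self._acl.setdefault(name, set()).add(user)

    def revoke(self, name: str, user: str) -> None:
        # Revocation touches only the ACL; no ciphertext is rewritten.
        self._acl.get(name, set()).discard(user)

    def retrieve(self, user: str, name: str, version: int) -> Optional[bytes]:
        allowed = user in self._acl.get(name, set())
        self.audit.append((user, name, version, "ok" if allowed else "denied"))
        if not allowed:
            return None                           # key is never released
        key = self._keys[(name, version)]
        return _keystream_xor(key, self._ciphertext[(name, version)])

    def ciphertext(self, name: str, version: int) -> bytes:
        return self._ciphertext[(name, version)]
```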
How the Vault Protects your Passwords
Passwords that are stored in the Safe are protected in a variety of ways:
| Method | Description |
|---|---|
| Password | The Vault cannot be entered without a password and/or key. |
| Timing restrictions | You can limit the times during which the Vaults/Safes can be opened (e.g., 8 a.m. to 5 p.m.). |
| Protected network area | You can determine the locations on the network from which your Vault is accessed. This process is called defining a Private Network Area. For instance, an employee at an international company can set a Private Network Area so that the User account is only available from the Boston branch where the user resides. |
| Access control | You can define the level of access to a Safe for other Users. For instance, you can authorize Users to work with files but not to delete them. |
| Auditing | Each time files are accessed for any purpose, the activity is written in the Vault activity log. This enables you to track all file activity and benefit from detailed auditing facilities. |
| Version control | The CyberArk Vault tracks versions of the passwords and files it stores. Every time a password or file is updated, a new version is created. This means that if the most recent version is corrupted, previous versions are still available. In addition, you can undelete passwords and files that have been previously deleted. |
| Dual control | Users may need to receive permission from other Users in order to open a Safe. For example, before another User can access a Safe, they may need to request your permission and wait for your confirmation. |
| Activity Logs | The CyberArk Vault keeps records of all activities that take place inside it. An alert appears each time there is illegal activity in the Vault. For instance, an alert is issued when an attempt is made to log on to the Vault without the correct password. |