Security Fundamentals

Compromising privileged accounts is a central objective for any attacker, and CyberArk Privilege Cloud is designed to help improve your organization’s ability to control and monitor privileged activity. As with any security solution, it is essential to secure Privilege Cloud to ensure the controls you have implemented are not circumvented by an attacker.

The controls described in this document are the minimal requirements for protecting our services and products, and therefore your privileged accounts. Consolidated by our team, these controls reflect our experience in implementing industry best practices when supporting our customers. The requirements are also based upon analysis of various reports made by companies that experienced a security incident and other research data generally available in the industry.

It is imperative that you follow as many of these steps as possible in your environment, recognizing there may be other methods that you might want to use based on your organization’s expertise. Review your CyberArk services and deployments on a regular basis to ensure it complies with industry best practices, including those outlined in this topic. For questions or assistance with designing and implementing these controls or support in reviewing your deployment, contact your CyberArk or partner representative.

For more information see the CyberArk Privilege Cloud security datasheet.

Requirements for protecting your CyberArk deployment

The System requirements section describes the ports required for the various components and integrations. Make sure to open the ports only for the components that you are implementing in your deployment.

The CyberArk Privilege Cloud service hosts customer credentials and secrets. Treat this service with the highest level of security.

Network traffic to the Privilege Cloud Vault must be restricted to required protocols. For details, see System requirements.

Enable access to the CyberArk Connectors:

  • CPM
  • PSM
  • PSM for SSH
  • CyberArk Credential Providers or Central Credential Provider

Using multi-factor authentication to Privilege Cloud for all users and product administrators, enables you to mitigate common credential theft techniques, for example:

  • Key loggers
  • Tools capable of harvesting plaintext passwords

If you cannot implement multi-factor authentication for one of these avenues of access, then you need to apply the following protection measures:

  • Manage the user as a Privilege Cloud user

  • Configure the connection to the privileged account via privileged session monitoring (PSM)

For details, see Configure SAML authentication

The PSM, CPM, PSM for SSH, and the Credential Providers/Central Credential Provider are sensitive assets. The core principle of this control is to treat CyberArk components with the highest level of security.

Minimal requirements for restricting access:

  • Follow Microsoft’s best-practices for mitigating credential theft and securing Active Directory CyberArk component servers are of the same security level as domain controllers (tier 0). For details , see Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques

  • Do not install non-CyberArk applications on the component servers, as this prevents hardening the component server

  • Limit the accounts that can access component servers. Ensure that any domain accounts used to access CyberArk servers are unable to access domain controllers and other member servers and workstations

  • Limit the number of domain credentials that are able to access the component servers

  • Use network-based firewalls and IPsec to restrict, encrypt and authenticate inbound administrative traffic; use the PSM and the local administrator account to access component servers

  • Deploy application allowlisting and limit execution to authorized applications

  • Apply Microsoft security updates regularly

Reducing the number of privileged accounts and/or the extent of their privileges reduces the overall privileged account attack surface. This is true both for the enterprise as a whole and for each solution implemented, including CyberArk. The core principle of this control is that there should only be a few CyberArk administrators, and they should only possess limited privileges, unless elevated through a strong approval process.

Minimal requirements:

  • Eliminate unnecessary CyberArk administrative accounts

  • Reduce privileges of CyberArk administrative accounts

  • Restrict personal accounts to business-as-usual permissions justified for their role. CyberArk administrators do not have justification to access all credentials

  • Use PSM to isolate and monitor CyberArk administration

  • For all other avenues of administrative access (the OS, VMware, and so on):

    • Require multi-factor authentication

If you cannot implement multi-factor authentication for one of these avenues of access, then you need to apply the following protection measures:

  • Manage the user as a Privilege Cloud user

  • Configure the connection to the privileged account via privileged session monitoring (PSM)

The use of insecure protocols can easily render other controls invalid. To reduce the risk of eavesdropping and other network-based attacks, use encrypted and authenticated protocols for all communications.

For example:

  • Use HTTPS for the Privilege Cloud Portal and for REST APIs
  • RDP/TLS for connections to the PSM, SSH (instead of telnet) for password management, and TLS for syslog messages
  • TLS is required for the following:
    • RDP
    • SMTP
    • Syslog

Any custom changes or additions you make to configuration files provided out of the box by CyberArk may affect the security of your environment and are outside of CyberArk's control. You are responsible for verifying these changes align with your organization's security policies.

For example, edit the Applocker.xml file to define a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities.

To detect problems early, it is essential to monitor the logs generated by both Privilege Cloud and the infrastructure on which it runs. Early detection is one of the key elements in reducing the impact of any issue, whether security or operational.

Best practices:

  • Aggregate CyberArk application and infrastructure logging within your SIEM

  • Monitor and alert upon excessive authentication failures and important infrastructure events

Session expiration timeout must reflect the purpose and nature of the application and keep the right balance between security and usability. Users should be able to comfortably complete operations without being frequently disrupted. On the other hand, the longer the timeout, the higher the chances of session compromise. Therefore, we recommend keeping the timeout as short as possible. In any case, sessions expiration should not exceed 12 hours.