Security Q&A

This topic answers common security questions about Cloud Entitlements Manager.

Authentication and Authorization

How can I change or reset my password in Cloud Entitlements Manager?

  1. Go to the CEM sign-in page.
  2. Click Forgot password? on the bottom left-hand side of the page.

Can I access Cloud Entitlements Manager outside of my company perimeter? If so, can access to Cloud Entitlements Manager be restricted by NATed IPs?

As a SaaS offering, Cloud Entitlements Manager is accessible from any browser. You can't restrict access to NATed IPs or specific organizational IPs.

How does Cloud Entitlements Manager handle authentication to the cloud platforms?

Cloud Entitlements Manager uses an application identity and/or a role to authenticate to the cloud platform using a shared client secret. CEM stores the credentials securely and connects to the cloud environment.

How does Cloud Entitlements Manager ensure passwords are securely stored?

For each tenant, we generate a public and a private key. Only the tenant can access this key using Task Based Access Control (TBAC) in AWS.

When a user sends sensitive data, such as connection details to an account, Cloud Entitlements Manager encrypts the data with the public key, then Cloud Entitlements Manager hashes the data so only the tenant, using their private key, can decrypt the data.

Does Cloud Entitlements Manager support MFA that sends a one time code via text message or via phone call, or both?

Cloud Entitlements Manager supports a second factor via SMS (text message) or Time-based One Time Password (TOTP), using any supported authenticator application.

How is access managed for the API? Who controls it and how is it requested?

API calls are authenticated by using access keys generated by the CEM Admin.

Access keys are protected and cannot be accessed by Admins or users once created.

You can revoke API keys at any time.


What logs does Cloud Entitlements Manager provide?

Cloud Entitlements Manager saves generated logs in our hosted AWS environment.

Cloud Entitlements Manager generates logs of internal Cloud Entitlements Manager activity. Each log contains a tenant ID and a user ID to associate it with a specific tenant.

The audit types and messages stored in these logs are exposed in the app.

The User Audit contains a record of admin and user activities.

Input Validation

How does Cloud Entitlements Manager validate input and protect against malicious input?

Cloud Entitlements Manager performs input validation at different layers, including API GW, WAF services and internal APIs. Cloud Entitlements Manager uses Syntactic and Semantic rules.

Session Management

How does Cloud Entitlements Manager manage user sessions between their web browser and the Cloud Entitlements Manager back end?

Cloud Entitlements Manager does not save session data from our client / server. The client and server connect using API calls with cookies and JWT.

To authorize a request, Cloud Entitlements Manager uses an API gateway. Each user authenticates and is authorized to their tenant only.


How does Cloud Entitlements Manager avoid reading sensitive data on your cloud platform?

Cloud Entitlements Manager has access only to the services and data that are required to provide the service and that the customer has given Cloud Entitlements Manager permission to access. In addition, when relevant, Cloud Entitlements Manager uses a filter to retrieve only the required fields.

What information does Cloud Entitlements Manager store?

Cloud Entitlements Manager stores the IAM entities and the audit logs (after filtering unnecessary fields).

What is Cloud Entitlements Manager's data retention policy?

In keeping with CyberArk's data retention policy and procedures, if you have a CEM tenant with an expired license, CyberArk is required to delete all data relating to that tenant within 60 days of expiry. If you hold more than one Cloud Entitlements Manager tenant, note that data relating to non-expired Cloud Entitlements Manager tenants is not deleted. Based on CyberArk's records, if your Cloud Entitlements Manager tenant license expired over 30 days ago, data relating to that Cloud Entitlements Manager tenant is deleted unless you contact CyberArk within 14 days of the date of the notification. Once your data has been deleted, it cannot be recovered.

How can I remove all my data from Cloud Entitlements Manager?

To remove data from Cloud Entitlements Manager, contact Support.

Is data encrypted at rest in the Cloud Entitlements Manager SaaS instance?


What algorithm does Cloud Entitlements Manager use to encrypt data at rest? How does Cloud Entitlements Manager manage keys?

Cloud Entitlements Manager encrypts data at rest using the services' built-in option.

AWS manages the encryption.

Does Cloud Entitlements Manager encrypt data in transit on API calls? Does Cloud Entitlements Manager also encrypt data entered into the app? What version of TLS does Cloud Entitlements Manager use?

Yes, all data in transit is encrypted. The connection to the Cloud Entitlements Manager app is handled by REST API calls over HTTPS (TLS 1.2).

What input validation techniques does Cloud Entitlements Manager use?

Cloud Entitlements Manager uses Syntactic and Semantic rules.

How is your data segregated from other customers?

Each Cloud Entitlements Manager tenant's data is stored in a separate AWS bucket.

In addition, Cloud Entitlements Manager segregates the tenant data using 2 dedicated roles for each tenant (currently user and admin roles) and combining RBAC with TBAC.

Both of these roles have permissions to access tenant data but with different permissions. The admin role has write permissions while the user role has read-only permissions.

Cloud Entitlements Manager's services rely on these roles to access Cloud Entitlements Manager's internal storage services.

When a service accesses data from a specific resource, the service uses the role's permissions to do so.

This ensures that a role for Tenant 1 cannot get data from Tenant 2.

How often is data collected from the API?

Each time you connect an account, Cloud Entitlements Manager collects the last 90 days of activity. On an ongoing basis, Cloud Entitlements Manager scans for activity for that specific day.

What are some examples of activities collected in the logs?

User activities in the console, including log-in, are audited with time, username, the specific action description and status.

Connection to Cloud infrastructure

Secure Development Life Cycle

The Cloud Entitlements Manager development life cycle includes security controls according to industry best practices and CyberArk SDLC methodologies, including:

  • Restrictions on accessing production environment based on location, authorized personnel, and strong authentication.

  • Continuous static and dynamic code analysis

  • Vulnerability assessment of third-party code and components

  • Secure code reviews

  • Repository restrictions

  • Regular penetration tests (internal and external)

  • Compliance with AWS CIS Benchmark

  • Compliance with OWASP Serverless Top 10

Who has access to my data?

Selected CyberArk engineers have secured access to customer data where required to access the data for advanced troubleshooting purposes. A policy and technical controls are in place to ensure that other CyberArk employees do not have such access.

Which security benchmarks does Cloud Entitlements Manager follow?

Cloud Entitlements Manager uses the following benchmarks: AWS CIS benchmark, OWASP Serverless Top 10.

What tools do you use to prevent exploits on your back-end, code and customer front-end?

  • Static and dynamic code analysis tools.

  • Vulnerability assessment tools for third-party code and components.

  • Input validation techniques

The specific tools in use may change based on need and capabilities.

Is Cloud Entitlements Manager certified as SOC II compliant?