EPM SaaS technical datasheet
This topic provides an overview of CyberArk EPM SaaS security and operations, and of some of the processes that CyberArk uses to deliver the service.
Infrastructure and architecture
EPM SaaS requires no servers or controllers to be installed, freeing you from the cost and hassle of managing, maintaining, and updating on-premise software or equipment. EPM agents periodically communicate with the server and receive policy updates.
The following diagram shows a high-level architecture chart of the service:
CyberArk currently runs SOC 2 Type II certified EPM Services on AWS datacenters in the USA, UK, Germany, Canada, Australia, India, Japan, Singapore, and possibly additional locations in the future. The EPM services can be accessed globally. For information on AWS security and compliance reports, see here.
EPM administration console
EPM administrators can only access the EPM Administration console over an SSL/TLS-encrypted tunnel. The console allows administrators to create application groups, manage policies, receive updates from endpoints into the console's inbox, access the application catalog, and generate reports with usage, auditing and configuration information.
Each EPM administrator is associated with a specific account (“Account”), and each account may contain several manageable sets of endpoints (“Sets”). Each EPM administrator can be allowed to manage specific Sets in the account. The Sets and accounts are stored in a multi-tenant SaaS platform database.
Password compliance can be enforced through SAML integration with an identity provider, and EPM administrators are required to use SAML authentication once the console is configured for it.
EPM SaaS integration with identity providers is implemented using the industry standard SAML 2.0, and works with any identity provider that supports SAML 2.0, including Oracle Access Manager, Okta, OneLogin, Azure AD, Microsoft Active Directory Federation Services and others.
EPM SaaS integration with SAML provides an SP-initiated login when a user clicks a direct link to a special SAML EPM SaaS service (for example, https://vfsso.epm.cyberark.com/SAML).
User action audit logs
Every EPM administrator's activities in the console, including logins, policy creation, policy changes and more, are audited and can be reviewed through a report in the console.
Server – agent authentication
EPM agents connect to the internet using corporate settings and communicate with EPM SaaS over an SSL/TLS-encrypted tunnel for all types of communication (data sending and "keep alive" checks). The HTTPS connection to the service supports TLS 1.2 and later cipher suites. The latest TLS version is the default connection. All data transferred between the agent and the EPM service over HTTPS is encrypted in transit.
EPM agents and the EPM service communicate using several standard signed JSON Web Tokens (JWT). The downloaded agent installer includes a unique "registration token" that pairs the agent with the EPM Set it was downloaded from (in addition to the other Set-specific properties such as the SetId and Dispatcher URL). The "registration token" is encrypted using a proprietary installation key and signed by the EPM service. When the agent is installed, the registration token is saved encrypted and is guarded by EPM for maximum protection.
During the authentication process between the agent and the EPM service, additional tokens are exchanged, together with the SetID, Dispatcher URL and AgentID which the agent generates automatically. After installation, the following additional tokens are kept in memory, which is also guarded by EPM:
"Access Token" – Used for regular communication between the agent and the EPM service. The "Access Token" is valid for 24 hours.
"Refresh Token" – Used to request a new "Access Token" if the current one has expired.
During the registration process (every restart or network reconnection) EPM rotates all tokens to keep them up-to-date and to make sure that communication is secured as much as possible. This method does not require any pre-configuration on the client machine.
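The access/refresh token lifecycle described above, modelled as an added example that is not CyberArk's code: the 24-hour access-token validity comes from the page, while the HS256 signing, the claim names and the seven-day refresh-token lifetime are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

ACCESS_TTL = 24 * 3600          # page states the Access Token is valid for 24 hours
REFRESH_TTL = 7 * 24 * 3600     # assumption: the page gives no refresh-token lifetime


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature (base64url, unpadded)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, now: int) -> dict:
    """Check the signature before trusting any claim, then enforce expiry."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def issue_session(set_id: str, agent_id: str, key: bytes, now: int) -> tuple:
    """Service side: once the registration token is accepted, mint both tokens
    bound to the SetId and the agent-generated AgentID."""
    base = {"set_id": set_id, "agent_id": agent_id, "iat": now}
    access = sign_token({**base, "typ": "access", "exp": now + ACCESS_TTL}, key)
    refresh = sign_token({**base, "typ": "refresh", "exp": now + REFRESH_TTL}, key)
    return access, refresh


def refresh_access(refresh_token: str, key: bytes, now: int) -> str:
    """Exchange a still-valid refresh token for a fresh 24-hour access token."""
    claims = verify_token(refresh_token, key, now)
    if claims["typ"] != "refresh":
        raise ValueError("not a refresh token")  # an access token must not mint tokens
    return sign_token({"set_id": claims["set_id"], "agent_id": claims["agent_id"],
                       "typ": "access", "iat": now, "exp": now + ACCESS_TTL}, key)
```

Calling issue_session again on every agent restart or network reconnection gives the full rotation the page describes, since the previous pair is simply superseded by the new one.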
Policies and end user data remain cached locally on end user computers, preserving security, limiting bandwidth consumption, and enabling management of end users who are not connected to the Internet.
Agent - EPM service communication
Here are a few additional facts regarding the server – agent communication:
The heartbeat from agent to server is 1 byte every 30 seconds
The size of a policy file update is about 1 KB per policy
The average size of a policy file is about 0.5 MB to 1.5 MB
Agent technical details
The CyberArk EPM agent uses the following:
Approximately 100MB disk space
About 15-50 MB RAM (depending on the number of policies)
Less than 1% of the CPU load, on average
Installation and upgrades of the CyberArk EPM agent do not require a reboot, in most cases
CyberArk EPM agents run at both the kernel and user levels of Windows and macOS
Agent deployment can be seamless to endpoint users so that an icon does not appear in the system tray, the product does not appear in Add/Remove programs, and no end user dialog is displayed.
Policy enforcement protection
Agents are protected from deletion or modification by standard users, and they continue to enforce policies when the agent is offline by using cached policy files. The protection uses a special kernel-level driver. CyberArk is not aware of any scenario where the policy file was corrupted. However, in the unlikely event that the policy file gets deleted or corrupted, the policies are immediately re-requested from the server. Until they arrive, no elevation occurs and the endpoint falls back to its default behavior without elevation.
Policies are downloaded and updated when new policies are created or existing policies are updated in the EPM console. The check for new policies occurs by default every 30 seconds or can be adjusted to different intervals.
The EPM service gives customers visibility into real-time and historical endpoint events by gathering the data required to identify, understand and respond to each event in a timely manner. It collects the following information for the purpose of providing the services to its customers and improving the services.
The following list includes data which may not be collected in every case. As we improve our product’s capabilities in response to the evolving privilege management and threat landscape, the specific data collected may vary.
EPM endpoints (agents): Computer name, network connections information (computer MAC address, IP addresses of the endpoint, etc.), local usernames and groups, currently logged in user, installed programs, hardware specifications, general system information, and launched applications.
EPM administrators: EPM username (email address) and the IP address from which the administrator is connected to the EPM console.
The purpose of the data collection is to run the pre-configured EPM policies on specific computers and computer groups, including auditing files and user actions.
EPM administrators can configure the following application information to be collected and stored on the EPM services:
List of application files and the files’ metadata
Details about a specific application's behavior (including access to files/registry and network requests)
Screen capture videos when specific applications are active
Data related to the customers’ access to and use of the EPM services, underlying production data and data derived from it may be used by CyberArk in an aggregated and anonymized manner to conduct performance testing, compile statistical information related to the provision and operation of the EPM services and to improve these services.
Cookies and web beacons
VFUSER - Includes the encrypted user name and role
VFOFFSET - Includes time presentation information
Data related to activities on the endpoint is gathered via the EPM SaaS agent and made available to the customer via the secure EPM SaaS web management console. EPM services are protected using multiple guardrails, controls, policies and procedures including data segregation, encryption at-rest and in-transit, access control policies and procedures.
Operating systems are hardened so that only the ports, protocols, and services required to meet business needs are enabled, with technical controls (antivirus, file integrity monitoring and logging) applied as part of their baseline build.
The EPM service cloud environment is protected by a threat protection service that continuously monitors for malicious activity and unauthorized behavior. The EPM services cloud environment uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
For details about AWS security measures, see here.
Encryption - EPM services currently leverage Windows OS and MS SQL platforms for encryption. Encryption and obfuscation are used as follows:
The policy file on the end-user computer is encrypted with 3DES (168-bit key).
The connection to the EPM Services is a standard SSL/TLS-encrypted tunnel. The handshake is RSA based (2048-bit key), with 128-bit or 256-bit SSL/TLS channels.
Communication between the two EPM agent Windows services is AES-256 encrypted, using standard .NET encryption classes and standard C++ APIs. The two services communicate via pipes. Encryption and communication reside on the computer, and there is no communication outside the endpoint.
Obfuscation methods protect certain internal data in the EPM service application (in-memory). Accordingly, there is no external key outside the application to de-obfuscate the data. The entire logic resides in the code.
The EPM services admin user's credentials are stored in the database, hashed with PBKDF2 using salted SHA-512.
The Offline Policy Authorization Generator (OPAG) technology is based on 256-bit AES for short tokens and on RSA with key sizes from 1024 bits up to 8192 bits for long tokens.
The configuration of database connection parameters from IIS is encrypted with RSA, according to the .NET configuration on the server.
Cache files on end-user computers are encrypted with AES-256.
Authentication cookies passed between a server and a client are encrypted with 3DES-192.
Data at rest is encrypted on AWS. EPM Services currently use AWS KMS (Key Management Service) to encrypt the disks, and AWS KMS uses FIPS 140-2 validated HSMs to protect the keys. AWS KMS uses the Advanced Encryption Standard (AES) algorithm with 256-bit secret keys. For more details about AWS KMS concepts, see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html.
Privileged Identity Management - CyberArk uses a privileged identity management system to manage and audit CyberArk personnel's access to the EPM servers.
Access control - CyberArk performs background checks on all CyberArk employees who have access to operate and support the service, and they are required to attend security awareness training. Access to EPM services networks and systems is managed in accordance with our access policy and is granted only to individuals who are responsible for operating and supporting the EPM Services, based on least privilege principles. CyberArk service administrators perform all functions through a VPN connection. Segregation of duty isolates personnel who approve access from personnel who provide access. Access to the EPM servers and systems is periodically reviewed. Access rights of individuals who leave CyberArk are promptly revoked.
Security logs of access by CyberArk personnel are collected and stored for six months. Additionally, audit reports that include logins and actions performed by CyberArk personnel in the console are generated where required.
Third-party contractors are not allowed to connect to EPM SaaS production servers and systems.
Protection against viruses and malware
All EPM SaaS servers are hardened and have anti-virus software running on them to protect the servers against viruses and malware. All security updates for the operating system and critical applications (like IIS and MS SQL Server) are applied. In addition, EPM agents enforce least privileged access policies.
CyberArk uses both an internal penetration testing team and an external vendor to run automated and manual penetration testing on EPM SaaS, including network and web application vulnerability assessment, at least annually.
Additional vulnerability and penetration tests by a third party can be performed upon written request and reasonable notice.
Distributed denial of service (DDoS) defense
CyberArk utilizes technologies and platforms to detect, mitigate and prevent DDoS attacks, as well as Web Application Firewall (WAF) protection.
Data retention and deletion
Customers can extract data at any time by generating out-of-the-box reports in the EPM console in CSV format, as well as by downloading policy definitions in JSON format (.epmb file). REST APIs can also be used to extract data from the SaaS service in JSON format. If you require assistance to extract the data, contact the CyberArk Customer Support portal.
Data deletion by customer
EPM administrators can configure the time period for which certain data on the EPM services is stored according to the customer’s applicable preferences. The following are the default time periods in place (unless configured differently by the customer):
Deletion of data regarding computers that have not reported into the console in X days – 30 days
Video audit retention – 14 days
Retention periods for certain data are not configurable. For example:
Event Management – 30 days
Policy audit data – 90 days
Admin activities on the web console – 1 year
Customer administrators can trigger a deletion process through the EPM services by navigating to Management Options, right-clicking on the Set name and deleting it. An administrator can also delete a specific person's data from the EPM Console.
Data deletion by CyberArk
Customer data (including backup data) will be deleted automatically 60 days after expiration/termination of the EPM Services or EPM Sets.
Additionally, a customer may submit a specific written request for data deletion at any time through the CyberArk Customer Support portal. Shortly after the customer request, the data will be deleted from the EPM services live systems (databases).
The EPM services SLA is detailed in the EPM SaaS Service Level Agreement (Service Availability) document.
The EPM agent continues to enforce policies, even without available connectivity to EPM services. An Offline Policy Authorization Generator tool is available for EPM administrators to authorize privilege elevation to an endpoint when the service is not available. This tool is a stand-alone executable that enables end users to request one-time use of an application they currently do not have privileges to run if there are issues accessing the service.
Disaster recovery and business continuity
CyberArk maintains disaster recovery and business continuity policies for the EPM Services, under which backup files are stored in a different availability zone in the same region. These policies are updated and tested with every major version release, at least annually.
Recovery Point Objective (RPO)
The RPO for EPM SaaS is up to two hours from the last working point in time.
Recovery Time Objective (RTO)
The RTO for EPM SaaS is between a few seconds and 24 hours, depending on the type of failure, although in most cases it is much lower than 24 hours.
For more information, refer to the EPM status page.