What’s New

The following features were introduced or enhanced in Privileged Access Security solution 11.7.

Featured in this release - Deepening security controls for Cloud environments

Version 11.7 expands CyberArk's capabilities for securing privileges in cloud environments. This release contains several new capabilities for detecting unmanaged privileged accounts and shadow administrators (stealthy and undercover cloud administrators) and automatically adding them to pending accounts to contain the risk.

Additionally, CyberArk's out-of-the-box credential management plugins for Amazon Web Services, Microsoft Azure, and Google Cloud Platform now fully support IAM users authenticating to cloud consoles with multi-factor authentication (MFA).

Read about the new features below:

Microsoft Azure continuous discovery, detection, and response

Cloud environments give attackers a new surface on which to use privileged accounts, credentials, and secrets to impersonate authorized users and stay under the radar.

Privileged accounts must be identified and managed in the cloud, but in most cases, it takes additional time and effort to cover an entire organization's network, due to the dynamic nature of cloud infrastructure.

To accelerate onboarding to CyberArk and proactively reduce risk, starting with this version Privileged Threat Analytics (PTA) continuously monitors privileged Azure users and detects unmanaged privileged Microsoft Azure users from Azure Active Directory and Azure Subscription Admins.

To ensure that Privileged Account Security (PAS) controls are not bypassed, when an unmanaged privileged user accesses the Azure portal, PTA automatically responds to contain the risk and adds the detected accounts to pending accounts.

The solution includes:

  • Detecting the most privileged accounts in Microsoft Azure

  • Taking Shadow Admins (users with limited permissions that in reality can escalate their privileges and become full cloud admins) into consideration

  • Adding the detected accounts to pending accounts as part of automatic remediation

To learn more, see Configure Azure.

Azure Discovered Accounts

Discovered Accounts APIs now support Microsoft Azure Active Directory (Azure AD) users.

The enhanced REST APIs are:

Add discovered accounts

An API that enables you to add newly discovered accounts including Azure Active Directory (Azure AD) users to the Pending Accounts list in PVWA, where the Vault user can decide how to manage them.

Get discovered accounts

An API that returns a list of all discovered accounts from the Pending Accounts list, including Azure Active Directory (Azure AD).

Credential rotation for IAM Users with MFA

MFA mitigates risks associated with password-only authentication methods by requiring additional factors of authentication.

More and more organizations are turning to MFA to secure their cloud environments and protect against unauthorized access, data breaches, and password-based cyber-attacks.

Credential management for the following cloud IAM users and keys authenticating to cloud consoles with MFA is now supported for all of CyberArk's out-of-the-box cloud plugins:

  • Amazon Web Services (AWS) IAM passwords and access keys

  • Microsoft Azure Active Directory user passwords and application keys

  • Google Cloud Platform (GCP) service accounts

To enhance the credential rotation of Azure Active Directory accounts, we have added keys support for logon and account reconciliation to Azure plugins.

To learn more, see Microsoft Azure Application Keys and Microsoft Azure Password Management.

Shared Technology Platform

Security Standards

CyberArk has updated its Digital Vault Security Standard with respect to applying Microsoft’s monthly security updates on CyberArk’s Vault servers. Customers are required to apply the updates on a regular basis, according to each customer's internal IT policies and procedures.

Security Third Party Updates

Internal software used by all Core PAS products was updated to support enhanced security.

Vault

Increase availability for SYSLOG and Radius integration by supporting domain name service (DNS) integration with the Vault

Until now, customers who wanted to establish SYSLOG and Radius integrations with the Vault could only set direct IP addresses to represent the relevant servers. This prevented them from setting up redundancy for the SIEM and Radius servers on their side, because the integration was bound to a specific IP. Starting with this version, customers can configure the Vault to work with DNS names for SYSLOG and Radius integrations. By doing so, customers can increase availability and create redundancy for their SIEM and Radius integrations, as the DNS name can represent multiple servers.

Password Vault Web Access

OpenID Connect authentication

We are happy to announce the addition of a new authentication method for PVWA, OpenID Connect (OIDC).

By enabling customers to leverage any identity provider that supports OpenID Connect (OIDC), we are expanding our flexibility and support of modern authentication.

Integrating OpenID Connect with PVWA is designed to support multiple OpenID Connect Identity Providers, using a centralized and simplified configuration, and is supported via REST APIs.

To learn more, see OpenID Connect (OIDC) authentication.

Just-In-Time for Windows Access Improvements

This release introduces several major improvements in our PVWA Just-In-Time (JIT) access solution. We simplified how you enable this capability by consolidating its configuration into a centralized location in order to avoid human errors. From now on, the JIT solution is configured only on the Platform level.

In addition, we improved the error messages that guide our customers in troubleshooting, and we increased the default timeout to avoid network latency errors.

To learn more, see Configure Just in Time access.

Central Policy Manager 

Management of Windows Domain accounts with Kerberos

We are happy to introduce a new Windows CPM plugin for managing Windows domain accounts over LDAP.

The new plugin enables you to manage members of protected user groups over Kerberos and TLS/SSL.

Protected Users is a global security group and its primary function is to prevent users' credentials from being abused on the devices where they log in.

To learn more, see Windows Domain Accounts via LDAP.

Code Analyzer for terminal-based plugins

To simplify the development of a terminal-based plugin, and to recognize potential issues before running the plugin, we are providing developers with the Code Analyzer tool.

This new tool scans Terminal Plugin Controller (TPC) plugins and their platforms and provides a detailed report of issues that developers need to take into consideration such as file validations, process and prompts logic, syntax issues, parameters and linked accounts usage, and platform validations.

The Code Analyzer tool can be found in the CyberArk Marketplace.

To learn more, see Analyze the plugin code.

Privileged Session Manager

Additional keyboard layout support in HTML5 browser-based privileged sessions

This release provides additional keyboard layout support for end users who connect through HTML5 browser-based privileged sessions. In addition to en-us-qwerty (default), fr-fr-azerty, and de-de-qwertz, end-users can now use other keyboard layouts on their targets when working with privileged sessions.

To learn more, see Keyboard layouts.

Run custom code prior to connection when accessing Web applications through PSM

PSM can connect to Web applications using custom-built connectors. In some cases, there is a need to invoke custom operations before the actual connection to the target occurs, such as creating a temporary user just-in-time and using it for access. PSM connectors for Web applications can now be configured to run custom code prior to logging in to the target and can even provide on-the-fly data for the login process.

PSM HTML5 Gateway security improvements

Internal software used by the PSM HTML5 Gateway (Guacamole and Free-RDP) was upgraded for enhanced security.

Privileged Session Manager for SSH

PSM for SSH Just-In-Time with short-lived SSH certificates enhancement

With this release, users utilizing the Just-In-Time capability can use a logon account and an automatic logon sequence to initiate sessions to machines that do not permit direct logon, enabling the users to elevate themselves to a privileged user role.

To learn more, see Just in Time Access with short-lived SSH certificates.

Privileged Threat Analytics

PTA security improvements    

Internal components were upgraded to enhance security and make technological improvements to the operating system and third-party components for the PTA Server.

Application Access Manager - Dynamic Access Provider (DAP)

Secrets Provider for Kubernetes enhancements

To simplify and better support large deployments, the Secrets Provider for Kubernetes can now run as a separate pod and serve multiple applications. For more information, see Secrets Provider for Kubernetes.

A new Helm chart is offered for easy deployment of the Secrets Provider for Kubernetes pod.

IP restrictions across load balancers (trusted proxies)

DAP now supports IP restrictions for clients connecting through load balancers or other proxies that correctly forward the originating client IP. Such proxies can be configured in DAP as trusted proxies. For more information, see Client IP Address Sourcing.

New REST API endpoint: /WhoAmI

This endpoint returns the caller's effective IP address as seen by DAP. It is particularly useful for validating the trusted proxy configuration. For details, see WhoAmI.
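The trusted-proxy rule described under IP restrictions above, as an added example (not CyberArk's code and not DAP's implementation): it shows why the effective IP depends on the trusted-proxy list, and why a forwarded address is only believed when it arrives through a configured proxy. It assumes the proxy forwards the client address in an X-Forwarded-For header, which this page does not name; the function names, addresses and ranges are constructed for illustration.

```python
import ipaddress

def effective_client_ip(peer_ip, forwarded_for, trusted_proxies):
    """Pick the address an IP restriction should be checked against.
    peer_ip: source address of the TCP connection.
    forwarded_for: X-Forwarded-For value (assumed header), or None.
    trusted_proxies: CIDR strings for proxies allowed to assert a client IP.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_ip)
    # A peer that is not a trusted proxy can put anything in the header,
    # so the header is ignored and the socket address is used.
    if not forwarded_for or not is_trusted(current):
        return str(current)
    # Walk from the hop nearest to us back toward the client and stop at
    # the first address not vouched for by a trusted proxy.
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        current = candidate
        if not is_trusted(candidate):
            break
    return str(current)

def is_allowed(peer_ip, forwarded_for, trusted_proxies, allowed_cidrs):
    """Apply an IP restriction to the effective client address."""
    client = ipaddress.ip_address(
        effective_client_ip(peer_ip, forwarded_for, trusted_proxies))
    return any(client in ipaddress.ip_network(c) for c in allowed_cidrs)

# Constructed sample values (documentation address ranges).
PROXIES = ["10.0.0.0/24"]
ALLOWED = ["203.0.113.0/24"]

if __name__ == "__main__":
    # Real client behind the load balancer.
    print(is_allowed("10.0.0.5", "203.0.113.7", PROXIES, ALLOWED))
    # Direct caller supplying the header itself: the value is ignored.
    print(is_allowed("198.51.100.9", "203.0.113.7", PROXIES, ALLOWED))
    # Client-supplied hop on the left; the proxy-appended hop wins.
    print(effective_client_ip("10.0.0.5", "203.0.113.7, 192.0.2.44", PROXIES))
```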

Puppet integration

The Conjur Puppet module has been enhanced and Puppet version 6 is now supported for both Windows and Linux.

  • Puppet 6 introduced Deferred Functions, a feature that was designed specifically to enable the Puppet agent to fetch secrets at runtime. By leveraging this feature, the Conjur Puppet module now enjoys a simplified and more effective flow.

  • The Conjur Puppet module now seamlessly works with multiple Compile Masters, enabling organizations to support high-scale Puppet deployments.

Tanzu (Pivotal Cloud Foundry) integration - updated tile

A new Conjur - Tanzu tile is available with fixed bugs as well as support for Tanzu 2.9.

Application Access Manager - Credential Providers

Credentials Provider for z/OS

The Credentials Provider for z/OS now supports z/OS version 2.4.

Tools

CyberArk Icons for Visio Stencils

In response to ongoing demand, and as one of the top-voted Enhancement Requests, we are happy to share that CyberArk has created a pack of official 2D and 3D icons, released both in Visio stencil form and in raw form within PowerPoint presentations.

The icons support CyberArk users who write documentation or create schema, diagrams, and any other material to communicate key information about CyberArk deployments. The new icons will collectively save time, and enable our company, our partners, and our customers to create more professional and similar-looking diagrams and slides.

The icons are easily accessible and useful for both Visio diagram creators and content creators in other mediums.

You can find all of this content here.

Docs

The following enhancements are available at docs.cyberark.com.

SearchUnify custom search engine

The SearchUnify custom search engine included in this release enables you to:

  • Search for content across all products
  • Filter search results by product and category
  • Perform advanced searches

Like Google, SearchUnify provides:

  • ‘Did you mean’ functionality
  • Auto suggestions

Idaptive Docs joins CyberArk Docs

As of September 21, Idaptive joined CyberArk product documentation. You can find a link to the Idaptive documentation at docs.cyberark.com, or by selecting Idaptive from the Products dropdown.