Phase 3 – Launch and execution
Step 1: Project kick-off
Once the team, scope, project goals, product breakdown structure, use cases, high-level schedule, and budget are prepared, a kick-off meeting should be scheduled to ensure all the stakeholders are informed and prepared to engage. This will set the expectations for all parties involved and define accountabilities for driving progress.
Step 2: Architecture design
The CyberArk Digital Vault will house the organization’s most sensitive credentials which provide access to the most sensitive data and business critical systems. Privilege Cloud is the broker between your privileged users and your highly sensitive systems, and it will enable users to securely carry out extremely important tasks. As such, the security of Privilege Cloud and the stability of the platform are paramount.
Considerations before deploying the CPM:
| Consideration | Details |
|---|---|
| Load-balancing | CyberArk recommends that organizations use a hardware-based load balancer of their choice. |
| Firewall traffic | Organizations should determine in advance what ports will need to be open and engage firewall teams to work through the necessary rules. The CPM may require additional ports to be open depending on where and how it is deployed. Organizations should review the documentation to understand what ports may need to be open on component servers. Notable firewall considerations include: |
Organizations should identify the secure zones, DMZs, data centers and assets in all geographical locations that will need to be considered, including on-premise, cloud, and hybrid infrastructure:
- Identify locations of the users and how they will access Privilege Cloud
- Identify locations of the devices and accounts to be managed
- Identify locations of the CyberArk servers
Step 3: Solution design
It is recommended that CyberArk Digital Vault user groups be defined and managed based on user role.
| Role | Definition |
|---|---|
| Vault Administrators | Vault Administrators should be native CyberArk users, meaning they should have individual accounts that are managed within Privilege Cloud directly. |
| End Users, Auditors and Safe Owners | End Users, Auditors and Safe Owners should be managed using an external directory (AD, LDAP, etc.). This division allows for large-scale user management via external directories while maintaining additional security for high-privileged users such as Vault Administrators. Vault Administrator credentials can be stored within the CyberArk Enterprise Password Vault so that organizations can audit Vault Admin account usage as well as secure administrative access to the Privilege Cloud Portal and PrivateArk client sessions via PSM. |
| Transparent User and Group Mapping | Users and groups from an attached directory service will be used to grant safe access. Each group will be configured as a “safe member” with the appropriate access rights. As users are added to defined groups in the directory, they will automatically gain access to the configured safes. Similarly, users who are removed from defined groups will automatically be removed from the CyberArk Digital Vault. |
| Local User Management | Privilege Cloud offers comprehensive management of internal users. If there is no directory service available or an organization prefers not to rely on it, they can create local users and groups in the CyberArk Digital Vault. This can be done either manually or automatically using one of the many APIs CyberArk offers (e.g., REST API, Command Line Interface, etc.). When managing users locally, CyberArk can support local authentication as well as any external authentication service that is configurable (LDAP, RADIUS, SAML, etc.). |
| External directory users | When integrating CyberArk solutions with an external directory, it is important to consider which directory administrators can add users to user groups that have access to the CyberArk Digital Vault. If an unauthorized user were added to a CyberArk user group, that user could gain access to privileged accounts secured within the CyberArk Digital Vault. Organizations should work with directory administrators to establish a trusted approval process before a new user may be added to a CyberArk user group. An SSL connection from the CyberArk Digital Vault to the directory is highly recommended, and it will require the Root Certificate of the CA that issued the certificate on the directory server(s). |
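The "trusted approval process" for additions to Vault-mapped directory groups can be enforced after the fact by reconciling directory group-membership events against the approval record. The script below is an added example, not part of this guide or CyberArk's own tooling; the `CyberArk-*` group prefix, the event shape (modelled on Windows Security event IDs 4728/4732/4756) and all sample data are constructed assumptions.

```python
"""Reconcile directory group additions against an approval record (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupAddition:
    """One 'member added to security group' event (Windows 4728/4732/4756 fields)."""
    event_id: int
    group: str        # TargetUserName: the group that gained a member
    member: str       # MemberName: the account that was added
    added_by: str     # SubjectUserName: the directory admin who made the change


# Constructed sample events; CyberArk-* is a hypothetical naming convention for
# the directory groups that are mapped to Vault safes.
SAMPLE_EVENTS = [
    GroupAddition(4728, "CyberArk-Windows-Admins", "CORP\\alice", "CORP\\dirops1"),
    GroupAddition(4728, "CyberArk-Unix-Admins", "CORP\\mallory", "CORP\\dirops2"),
    GroupAddition(4728, "Marketing-Shared", "CORP\\bob", "CORP\\dirops1"),
    GroupAddition(4732, "CyberArk-Auditors", "CORP\\carol", "CORP\\dirops1"),
]
# Constructed approval record: (group, member) pairs signed off by the approval process.
SAMPLE_APPROVALS = {
    ("CyberArk-Windows-Admins", "CORP\\alice"),
    ("CyberArk-Auditors", "CORP\\carol"),
}
# Member-added events for global, local and universal security groups respectively.
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def is_vault_mapped(group: str, prefix: str = "CyberArk-") -> bool:
    """A group is Vault-mapped when it follows the agreed naming prefix."""
    return group.startswith(prefix)


def unapproved_additions(events, approvals, prefix: str = "CyberArk-") -> list[GroupAddition]:
    """Return additions to Vault-mapped groups that have no matching approval."""
    return [e for e in events
            if e.event_id in GROUP_ADD_EVENTS
            and is_vault_mapped(e.group, prefix)
            and (e.group, e.member) not in approvals]


if __name__ == "__main__":
    for e in unapproved_additions(SAMPLE_EVENTS, SAMPLE_APPROVALS):
        print(f"ALERT: {e.member} added to {e.group} by {e.added_by} without approval")
```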
Safes are the logical structures through which organizations control access to the sensitive data (credentials, audit logs, recordings) stored within the CyberArk Digital Vault. Poor safe design can lead to either too many people having access to sensitive data (increasing the risk of malicious or accidental errors) or too few (resulting in significant management overhead due to constant one-off access requests and approvals).
- Two basic approaches to safe design and naming conventions are 1) by platform (Windows, Unix, etc.) or 2) by region (AMER, EMEA, etc.). There is no single best approach, but CyberArk Security Services can provide guidelines.
- More information on safe naming convention design can be found in the document Safe Naming Convention Creation Procedure. Safe permissions should be designed based on roles, LDAP groups, etc. while incorporating technical and business requirements.
Once the safe structure is designed and agreed upon, the next step is to design the Master Policy. The Master Policy should usually reflect an organization’s IT Security and/or Password Policy. The names of policy settings are built to match what is typically found in an IT security policy, helping to more easily craft requirements. Common policies include:
- Password age set between 30 and 60 days
- Check-Out/Check-In of privileged credentials
- Dual Control for manual access to the credentials
For consistency and ease of management, organizations should consider designing additional control sets such as data and application classification, platform settings, and platform naming convention for managed privileged credentials. Workshops may be scheduled with application and/or platform owners and users to map out their use cases and address any questions that may arise with regard to impacts and changes.
Workflows may include:
| Workflow | Description |
|---|---|
| Dual control | Require users to submit a request to management whenever an account is needed |
| Exclusive accounts | Force accounts to be checked in and out; only one user can be in possession at a time |
| One-time passwords | Credentials automatically change after every use |
| Email alerts | Any time an account is used, an alert email will be sent to subscribers |
There are several ways to provision accounts, but the most common are through the Accounts Feed:
| Provisioning process | Description |
|---|---|
| Accounts Feed | The Accounts Feed scans the Active Directory for machines and then reaches out to all machines to scan for accounts. The Accounts Feed can also scan a defined list of UNIX systems to discover accounts and credentials. Following the scan and discovery, privileged accounts and credentials are placed into a “Pending Accounts” page, from which one can select specific accounts to add to specific safes. The Accounts Feed continually scans OUs and machines to automatically provision privileged accounts from newly created servers. The Accounts Feed allows for a more flexible discovery of the following accounts and retains the ability to analyze and provision them with service account dependencies: |
| Automate account creation, provisioning, etc. | |
As mentioned above, account provisioning is typically prioritized by risk and ease of provisioning. As such, common scenarios include securing the credentials and SSH keys used to access databases, network devices and applications, but these are not set in stone. Each organization will have different priorities, and there are no “wrong” approaches. It is recommended that organizations select an approach that best suits their needs.
Organizations should consider compliance and audit requirements and identify out-of-the-box reports that can be generated in meeting those requirements. Workflows and roles of the auditors who will be generating the reports should be mapped. If customized reports are required, organizations can engage CyberArk certified experts to assist with the customization.
The PSM requires additional considerations prior to implementation. Prior to an implementation, organizations should check the following:
| Task | Details |
|---|---|
| Verify licenses | Verify and/or acquire Terminal Server Licenses and RDP Services CAL licenses. CyberArk Privileged Session Manager is based on Microsoft Terminal Server technology and thus requires the appropriate Microsoft licenses. It is important to ensure there are sufficient CAL licenses and a licensing server available. |
| Ensure sufficient storage capacity | Organizations should ensure sufficient storage capacity for session recordings on the CPM servers. |
| Group policy settings | Group policy settings should be configured to allow the CyberArk Privileged Session Manager to work securely. Since these servers are usually domain members, an organization’s GPOs will apply to them. Be aware of common GPO settings that can stop the CyberArk Privileged Session Manager from functioning. For example, “AllowLogonLocally” should include the local CyberArk Privileged Session Manager group. CyberArk can supply GPO files to set all necessary policies so that CyberArk Privileged Session Manager is able to work properly. Additional information can be obtained from CyberArk Security Services engineers. |
| Load balancing | Load balancing should be configured to handle peaks in access and support the number of required concurrent connections. |
| Review the PSM hardening procedure | Review the PSM hardening procedure included in the install pack to understand the hardening configurations. |
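The "AllowLogonLocally" check in the Group policy settings row can be verified on a PSM server by exporting the effective local security policy with `secedit` and confirming that the local PSM group holds `SeInteractiveLogonRight` and is not listed under the matching deny right. The script below is an added example, not CyberArk's tooling; the group name `PSM-Users-Local` and the export text are constructed, and `export_local_policy()` assumes it runs elevated on a Windows host.

```python
"""Check a secedit security-policy export for the PSM logon right (added example)."""
from __future__ import annotations
import subprocess
import tempfile
from pathlib import Path

# Constructed sample of what `secedit /export` writes. Raw SIDs are prefixed with '*'
# (S-1-5-32-544 is BUILTIN\Administrators); resolvable names appear without it.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,PSM-Users-Local
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(export_text: str) -> dict[str, list[str]]:
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights: dict[str, list[str]] = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Drop the '*' SID marker so SIDs and names compare the same way.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def psm_can_logon_locally(export_text: str, psm_group: str) -> bool:
    """True if the PSM group (name or SID) is allowed, and not denied, local logon."""
    rights = parse_privilege_rights(export_text)
    allowed = rights.get("SeInteractiveLogonRight", [])
    denied = rights.get("SeDenyInteractiveLogonRight", [])
    return psm_group in allowed and psm_group not in denied


def export_local_policy() -> str:
    """Export the effective user-rights policy on a Windows host (requires admin)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "policy.inf"
        subprocess.run(["secedit", "/export", "/cfg", str(cfg), "/areas", "USER_RIGHTS"],
                       check=True, capture_output=True)
        return cfg.read_text(encoding="utf-16")  # secedit writes UTF-16 with a BOM


if __name__ == "__main__":
    print(psm_can_logon_locally(SAMPLE_EXPORT, "PSM-Users-Local"))
```

On a real PSM server replace `SAMPLE_EXPORT` with `export_local_policy()` and pass the actual local PSM group name or SID.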
Step 4: Solution implementation
CyberArk Security Services will provide organizations with a prerequisites checklist so that they can be prepared for the deployment. With the guidance of certified CyberArk experts/SMEs, the Technical Leads will be ready to proceed with the installation and configuration.