Manage application policies

This topic describes how administrators can view and manage application security policies.

Overview

The Secure Web Sessions portal displays all the SSO applications that you can apply policies to. For each application, you can apply specific protections and security layers. For CyberArk Identity applications, you can also apply security layers either by group membership, or to individual users.

You can apply 4 types of security layers:

Security layer

Description

Step Recording

Monitors and records all user actions and events and use of the application.

The recording is not a video, but a step-by-step log with screenshots, and is fully searchable.

User events are captured locally in the browser via the Secure Web Sessions browser extension.

For more information, see What is Step Recording?

Session Protection

Protect the users web session in the browser, and the specific tab. This protects high-risk web sessions from malicious processes originating on the endpoint.

The following protections can be applied:

  • Block file downloads, context menu and clipboard actions

  • Enforce EPM protection

For more information, see What is Session Protection?

Continuous Authentication

Validates and verifies the user throughout their web session, based on certain conditions.

For more information, see What is Continuous Authentication?

Session Control

Implement controls and/or sends notifications based on rules that define specific user actions.

For more information, see What is Session Control?

Set security layers for application members

Use this procedure to set the security layers for members of an application.

Applies to CyberArk Identity SSO applications only.

  1. From the Secure Web Sessions portal, go the Application policies page, and select a CyberArk Identity application.

  2. To change the security layers for all members of the application:

    1. In the table heading, select the security layer/s you want applied to all members.

    2. In the pop-up message, click Add.

  3. To change the security layers for individual users or groups:

    1. Click the Edit button in the row of the group or user.

    2. Select the security layers you want to apply, and click Save.

Edit security layers per application

  1. From the Secure Web Sessions portal, go the Application policies page and select an application.

  2. Click the Edit button. In the pop-up message, select the security layers you want to apply for this application, and click Save.

Define security layer configurations per application policy

From the Secure Web Sessions portal, go the Application policies page, select an application, and click the Configuration tab.

Details

Description

Identity app key

The application key received from CyberArk Identity.

Step recording

  • Dynamic URLs - When the toggle is set to ON, recordings are triggered based on the root URLs of the configured app. For example, for AWS dynamic URLs, some of the URLs that would be included are aws.com/users and aws.com/services.

  • Manual mode - When enabled, Secure Web Sessions starts monitoring from the domains or specific application pages (URL's) you enter. (Wildcards * are supported).

  • Automatic/Manual excluded domains - Add application domains or specific application pages (URLs) that you want to exclude from being recorded. This list is applicable whether you select Automatic or Manual mode.

    login.cyberark.com

    https://eu123.cyberark.com/WildCardUsageHere?*

    https://eu123.cyberark.com/ThisPage

    If an exclude list is added in Settings > Security layers, this list applies to all application policies in this tenant. The tenant level exclude list overrides the app specific exclude list.

Session protection

Set the level of session protection you want applied to application sessions:

  • Block file downloads, context menu and clipboard actions - Blocks the following actions in an application session:

    • Cut/copy text from a protected session

    • Paste text to a protected session

    • Drag and drop action on text in a protected session

    • File downloads, including drag and drop of files from a protected session to a local repository

    • Open the context menu in a protected session

    This option is enabled by default.

  • Enforce EPM protection - Enforces EPM protections in an application session.

    To enforce EPM protection for a specific application, you need to first configure and enable integration from Settings > Security layers. For more information, see Configure Session Protection and EPM integration .

Continuous authentication

Apply the Enforce pedometer lock to lock a sensitive web session when the end user has taken the maximum configured number of footsteps. This is to monitor if a session might have been left unattended.

When the maximum number of steps is reached, the end user is required to re-authenticate to their session with a QR code using the CyberArk Mobile app.

This feature is enabled in Settings > Security layers.

Set default security layers for new application members

Use this procedure to set the default security layers that will be applied to new members of an application.

Applies to CyberArk Identity SSO applications only.

 

New applications enabled for SWS have step recording enabled by default.

  1. From the Secure Web Sessions portal, go the Application policies page, and select an application.

  2. From the Members table, go to the Default security layers for new members row, and click Edit from the quick menu.

  3. In the pop-up message, select the security layers you want to apply, and click Save default.

    The saved default security layers will be applied to all new members added for this application.

Change member security layers

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click on the row of a member to view its details.

  3. From the Security layers tab, enable or disable the security layers for this member.

Assign Session Control rules to a member

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click the row of a member to view its details.

  3. Select the Session Control rules tab.

    The list shows the currently assigned rules.

  4. To assign rules to this member, do one of the following:

    • Click Select all

    • Select specific rules and click Assign rules

  5. Click Save.

Manage Session Control rules

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click the row of a member to view its details.

  3. Select the Session Control rules tab.

  4. Hover over the row of a rule to delete, edit, or view the session recordings where this rule appears.

    You can click View steps to view the specific steps in the timeline where the rule was triggered.

    When you click on a specific rule, you can also view the recent user actions that triggered the rule, and the list of members assigned to the rule.

Deactivate application policies

When new applications are configured with SWS, by default they are in active mode. This means that SWS security layers are applied when users access the application.

You can deactivate application policies so that users are no longer routed through SWS security layers. Deactivating application policies does not delete any configurations, and can be activated again at any time.

  1. From the Secure Web Sessions portal, go the Application policies page, and select an application.

  2. Change the toggle from Active to Inactive.

Delete application policies

To remove CyberArk Identity applications from the SWS portal:

  1. In CyberArk Identity Admin Portal > Web Apps, select the application where you want to remove SWS.

  2. Click the Secure Web Sessions page, deselect Enable Secure Web Sessions, and then click OK at the confirmation message.

  3. Click Save.

To delete applications with external IdP (e.g. Okta, Microsoft Azure) from the SWS portal:

  1. In the SWS portal, go to the Application policies page.

  2. On the tile of an application, open the additional options menu, and click Delete application.

    Deleting an application with a external IdP will break the custom links that were configured for rerouting users through the SWS security layers. Make sure you update your IdP and target app configurations,

    Alternatively, you can deactivate the app. Deactivating the app will still allow end users to access the app, without changing app configurations, while removing the SWS security layers only.

Step recording limitations

  • Keyboard shortcut user action doesn't trigger a recorded step.

  • Drag-and-drop isn't recorded as a user action.

  • Web applications based on WebGL might not capture all user actions when using step recording. Some of Microsoft Office applications use this technology. Therefore, while recordings of Office 365 web apps include the name and type of files, users actions done inside the file won't be captured.