Security layers settings
This topic describes how to configure the general settings for the Step Recording, Session Protection and Continuous Authentication security layers applied to applications.
Configure step recording settings
For more information about the step recording solution, see What is Step Recording?
- In the SWS Admin portal, go to Settings > Security layers.
- In the Step recording section, set the following:

  Setting: Exclude domains and URLs
  Description: Add application domains or specific application pages (URLs) that you want to exclude from being recorded. (Wildcard characters are supported.) For example:
    login.cyberark.com
    https://eu123.cyberark.com/WildCardUsageHere?*
    https://eu123.cyberark.com/ThisPage
  Certain domains, such as my.idaptive.app, are added to the list by default, and can be removed if necessary.
  This exclude list applies to all your application policies in this tenant.
  For details on how to add an exclude list of domains and URLs at the app level, see Define security layer configurations per application policy.
  If you are using custom domains in CyberArk Identity, we recommend adding these domains to the exclude list.
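As an added illustration (not SWS's own code), the Python matcher below shows how an exclude list built from the entries above could be evaluated against page URLs; it assumes that only `*` is a wildcard, that a bare domain entry covers every page on that host, and that matching is case-insensitive.

```python
import re
from urllib.parse import urlparse

# Constructed exclude list, modelled on the page's three example entries.
EXCLUDE_LIST = [
    "login.cyberark.com",                               # bare domain entry
    "https://eu123.cyberark.com/WildCardUsageHere?*",   # wildcard over the query string
    "https://eu123.cyberark.com/ThisPage",              # one exact page
]


def _entry_regex(entry: str) -> re.Pattern:
    """Compile an exclude entry in which only '*' is a wildcard (assumption).

    re.escape() keeps '.', '?' and '/' literal, so the '?' in the page's
    '...WildCardUsageHere?*' example is the real query-string separator, not a
    single-character wildcard as it would be with fnmatch-style globbing.
    """
    return re.compile(re.escape(entry).replace(r"\*", ".*"), re.IGNORECASE)


def _is_domain_entry(entry: str) -> bool:
    # No scheme and no path: treat as a host-level exclusion ("login.cyberark.com").
    return "://" not in entry and "/" not in entry


def is_excluded(url: str, exclude_list=EXCLUDE_LIST) -> bool:
    """True if step recording should skip this URL (assumed exclusion semantics)."""
    host = (urlparse(url).hostname or "").lower()
    for entry in exclude_list:
        if _is_domain_entry(entry):
            # A domain entry excludes every page served from that host.
            if _entry_regex(entry).fullmatch(host):
                return True
        elif _entry_regex(entry).fullmatch(url):
            # A full-URL entry must match the whole URL, with '*' spanning any text.
            return True
    return False


if __name__ == "__main__":
    for u in ("https://login.cyberark.com/saml?x=1",
              "https://eu123.cyberark.com/WildCardUsageHere?id=42",
              "https://eu123.cyberark.com/WildCardUsageHere",
              "https://eu123.cyberark.com/ThisPage",
              "https://eu123.cyberark.com/OtherPage"):
        print(f"{'excluded' if is_excluded(u) else 'recorded'}: {u}")
```

Note that the wildcard entry only covers the page when a query string is present; a visit to the same path without `?` is still recorded.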
Configure Session Protection and EPM integration
You can apply additional endpoint protections by integrating with Endpoint Privilege Manager (EPM).
To integrate Session Protection with EPM, you need to download and import the SWS - EPM policy template into the EPM management console, and apply it to computers where sessions are initiated. For more information about the objects included in this policy, see Session protection with CyberArk EPM integration.
Before you begin
The SWS - EPM policy includes a script that runs in the background on each end user's machine via Microsoft PowerShell. The script is signed by CyberArk with a certificate issued under a GlobalSign root CA.
- Users running Windows 8.1 or earlier must make sure that PowerShell 5.1 or later is installed.
- Make sure GlobalSign Root CA-R3 is in your organization's Trusted Publishers/Trusted Root CAs certificate store.
- In the SWS Admin portal, go to Settings > Security layers.
- In the Session Protection section, download the SWS - EPM policy:
  - VFP file - If your EPM tenant is using the previous policies user interface, download the VFP file.
  - EPMP file - If your EPM tenant is using the new policies user interface, download the EPMP file.
- In the EPM management console, import the policy. For more information, see Import policies in the Endpoint Privilege Manager docs.
- Activate the imported policy and target it to computers. For more information, see Additional policy management in the Endpoint Privilege Manager docs.
- In the SWS Admin portal, turn the Enable the EPM integration with SWS toggle to ON.
You can now enforce EPM protection per application policy. For more information, see Define security layer configurations per application policy.
To ensure Chrome is further protected, additional configurations must be made in the EPM management console. For more information, see SWS - EPM policy additional configurations.
Configure Continuous Authentication with MFA
SWS integrates with CyberArk Identity multi-factor authentication (MFA) to define triggers for re-authenticating users. When the SWS - MFA integration is activated, a SAML-based CyberArk Identity application is created for managing the authentication settings.
For more information about this solution, see Continuous authentication with MFA integration.
- In the SWS Admin portal, go to Settings > Security layers.
- In the Continuous authentication section, turn the Enable Continuous Authentication toggle to ON.
- Set the Idle session timeout in minutes to determine the amount of idle time after which a user is prompted for re-authentication.
- Select Authenticate via CyberArk Identity MFA.
- Click Save.
  An application named SWS Continuous Authentication is created in the CyberArk Identity Admin portal.
- In the CyberArk Identity Admin portal, go to Settings > Authentication > Authentication Profile and click New Profile.
- Enter a unique name for this profile.
- Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism. For more information, see Create an authentication profile.
- Make sure Challenge Pass-Through Duration is set to No Pass-through.
- Click OK.
- Go to Apps > WebApps and click the SWS Continuous Authentication app.
- Select Policy. In Default Policy, select the Authentication Policy you previously created.
- Click Save.
You can now apply Continuous Authentication per application policy. For more information, see Manage application policies.
Configure Continuous Authentication with the CyberArk Mobile app
As an admin, you can determine the amount of idle time after which an application session is locked and end users are required to re-authenticate to their web session via the CyberArk Mobile app.
You can also activate the mobile device pedometer lock option, which counts the number of footsteps an end user takes from the start of a web session. When the end user reaches the configured number of footsteps, they are required to re-authenticate via the CyberArk Mobile app.
For more information about this solution, see Continuous authentication with the CyberArk Mobile app.
- In the SWS portal, go to Settings > Security layers.
- In the Continuous authentication section, turn the Enable Continuous Authentication toggle to ON.
- Set the Idle session timeout in minutes to determine the amount of idle time after which a user is prompted to re-authenticate to their web session.
- Select Authenticate via CyberArk Mobile app.
- (Optional) Determine a pedometer threshold. Set the number of footsteps a user takes after which an open application session is locked and the user is prompted to re-authenticate.
  The default is 5 steps; the threshold can be set between 1 and 20 steps.
- (Optional) Turn the toggle to ON if you want the configured pedometer threshold applied by default to all new application policies.
  If you choose to apply the pedometer threshold to future policies, you can also select the check box to apply it to all your existing application policies as well.
  The option to apply the pedometer threshold to all your existing policies in bulk is only available the first time you choose to apply the pedometer threshold to future policies. After you click Save, you will not be able to select this option.
  To apply the pedometer threshold to individual application policies, select a specific application policy and go to the Configuration settings.
- Click Save.
Configure Session Control rule notification limit
You can limit the number of email notifications sent during a specified time period when a rule that requires email notification is triggered multiple times by the same user.
- In the SWS portal, go to Settings > Security layers.
- In the Session Control section, enter a rate limit.
Example
User A triggers Rule B in application C 10 times within 30 minutes. The notification limit is set to no more than 1 every 30 minutes.
This means you receive one notification that includes the details of all 10 Rule B events that User A triggered in application C.
When User A triggers Rule D, a separate notification is sent.
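The example above, worked through in Python as an added illustration (not SWS code): rule hits are coalesced into one notification per user, rule and application for each window. The 30-minute window and the sample events are constructed here, and the window is assumed to start at the first hit rather than on fixed clock boundaries.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class RuleEvent:
    ts: datetime
    user: str
    rule: str
    app: str

@dataclass
class Notification:
    user: str
    rule: str
    app: str
    events: list = field(default_factory=list)

def coalesce_notifications(events, window: timedelta):
    """One Notification per (user, rule, app) per window.

    The first hit opens a window and creates the notification; further hits for the
    same key inside the window are attached to it instead of sending another email.
    Assumed: a window starts at its first hit, not on fixed clock boundaries.
    """
    notifications = []
    open_windows = {}  # (user, rule, app) -> (window_start, Notification)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.rule, ev.app)
        current = open_windows.get(key)
        if current is not None and ev.ts - current[0] < window:
            current[1].events.append(ev)   # same user/rule/app inside the open window
            continue
        note = Notification(ev.user, ev.rule, ev.app, [ev])
        open_windows[key] = (ev.ts, note)  # first hit (or window elapsed): new window
        notifications.append(note)
    return notifications

def sample_events():
    """Constructed input reproducing the page's example, plus a hit after the window."""
    t0 = datetime(2024, 1, 1, 9, 0)
    evs = [RuleEvent(t0 + timedelta(minutes=2 * i), "User A", "Rule B", "application C")
           for i in range(10)]                                   # 10 hits within 18 minutes
    evs.append(RuleEvent(t0 + timedelta(minutes=5), "User A", "Rule D", "application C"))
    evs.append(RuleEvent(t0 + timedelta(minutes=45), "User A", "Rule B", "application C"))
    return evs

def summarize(window_minutes: int = 30):
    # (rule, number of events) for each notification that would be sent, in send order
    notes = coalesce_notifications(sample_events(), timedelta(minutes=window_minutes))
    return [(n.rule, len(n.events)) for n in notes]
```

With the page's 30-minute limit, `summarize()` yields one Rule B notification carrying all 10 events, a separate Rule D notification, and a new Rule B notification for the hit at 45 minutes.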