Vault Synchronizer with Privilege Cloud
Privilege Cloud integrates with Conjur to extend Privileged Access Management to the DevOps space and to modern, dynamic environments. Secrets that are stored and managed in Privilege Cloud can be shared with Conjur and consumed through its clients, APIs, and SDKs, which reduces risk in DevOps environments such as CI/CD pipelines, containerized applications, and cloud platforms.
The integration between Privilege Cloud and Conjur provides Security, IT, and DevOps teams with a common platform to enforce privileged access security policies on all platforms - on-premises, cloud, and hybrid - to form a consistent, unified enterprise-wide Privileged Access Management Program.
Solution benefits
Privilege Cloud integration with Conjur provides the following benefits:
- Enables CyberArk customers who store and manage their secrets in Privilege Cloud to benefit from Conjur's capabilities for providing secrets in dynamic and ephemeral environments and containers.
- Enables central policy enforcement for DevOps use cases, such as rotation, monitoring, and auditing.
How does it work?
A Line of Business (LOB) represents a business group that requires access to secrets from Privilege Cloud. Syncing per LOB enforces segregation of duties (SoD): each LOB only ever sees the Safes it owns.
1. The Privilege Cloud admin creates LOB users and grants them ownership of specific Safes. These LOB users are what the Synchronizer acts on behalf of when syncing accounts to Conjur.
2. The CyberArk Vault Synchronizer service (Synchronizer) retrieves the accounts for these LOBs.
3. The Synchronizer generates a policy for these LOBs in which the secrets are defined as variables, and loads it into Conjur.
4. The Synchronizer syncs the account values to Conjur as the values of those Conjur variables.
5. The Conjur admin creates and loads a separate policy that delegates permissions on the variables to users and hosts.
During each sync interval, the Synchronizer repeats step 2 and, if needed, steps 3 and 4. Step 5 is a one-time (and then as-needed) action by the Conjur admin, not part of the sync loop.
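The delegation policy from step 5, as an added example that is not part of the original page and not CyberArk's own sample. The LOB name (DevOpsLOB), Safe name (BillingSafe), and host ID (apps/billing-api) are placeholders, and the group ID vault/DevOpsLOB/BillingSafe/delegation/consumers and the variable IDs are assumed to be what the Synchronizer generated in your Conjur; confirm the actual IDs with the Conjur CLI (conjur list) before loading.

```yaml
# Added example (not from the page or from CyberArk). Assumptions: the
# Synchronizer generated the policy branch vault/DevOpsLOB/BillingSafe with
# a group delegation/consumers that holds read/execute on every variable in
# that Safe; the host and policy IDs below are placeholders.
- !policy
  id: apps
  body:
    # The workload identity that will fetch the secrets.
    - !host billing-api

# Grant at the Safe level, not per variable: membership in the Safe's
# consumers group covers every account the Synchronizer adds to that Safe
# later, so the grant does not need to change on each sync.
- !grant
  role: !group vault/DevOpsLOB/BillingSafe/delegation/consumers
  member: !host apps/billing-api
```

Load this policy as the Conjur admin into the root branch (or a branch you own) with the CLI's policy load command; the exact flags differ between CLI versions. Keep delegation grants in your own policy rather than editing the generated vault/... branch, because the Synchronizer regenerates that branch when a new LOB appears (see Full sync flow). Because the consumers group grants all variables in the Safe, the Safe is the least-privilege boundary: put accounts that different workloads need into different Safes rather than sharing one Safe across them.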
Synchronizer flow
The Synchronizer syncs secrets from accounts in the root folder of Safes that are owned by the LOB user. The Synchronizer uses two types of synchronization intervals: a general sync, which refreshes new and updated accounts, and a full sync, which refreshes all accounts, including accounts that have been deleted or moved. By default, the general sync occurs every minute and the full sync occurs every hour.
The Synchronizer supports most account types. To learn more about single and dual accounts, see Accounts and Safes.
Accounts used on Service Account platforms are not synced.
Full sync flow
1. The Synchronizer user retrieves all LOB user accounts from the Synchronizer Safe, at intervals of half the time defined in the GENERAL_SYNC_INTERVAL_TIME parameter.
If there is a new LOB, the Synchronizer generates its policy and loads it into Conjur.
If multiple LOBs own the same Safe, a separate set of variables representing the accounts is created for each LOB in Conjur.
2. The Synchronizer runs at the interval defined by the FULL_SYNC_INTERVAL_TIME parameter in the VaultConjurSynchronizer.exe.config file. By default, this occurs every 60 minutes. This process syncs the LOB-owned Safes with Conjur.
If the synchronization process does not finish before the next scheduled general sync interval, subsequent sync intervals for this LOB are skipped until the running synchronization is complete.
3. If an account is added to a synced Safe, or if a new Safe is added or assigned to the LOB user, the new accounts are synced to Conjur in the next sync interval. The Synchronizer first refreshes changes in currently synced secrets and then adds the new accounts to Conjur, so that changes to secrets already in use are propagated as soon as possible.
All accounts are synchronized during the full sync, but because the general sync runs far more frequently, new and updated accounts are normally already in Conjur by the time the full sync runs; in practice the full sync's distinctive job is removing variables for accounts that were deleted or moved.
General sync flow
1. The Synchronizer user retrieves new and updated LOB user accounts from the Synchronizer Safe, at intervals of half the length of the GENERAL_SYNC_INTERVAL_TIME parameter.
If multiple LOBs own the same Safe, a separate set of variables representing the accounts is created for each LOB in Conjur.
2. The Synchronizer runs at the interval defined by the GENERAL_SYNC_INTERVAL_TIME parameter in the VaultConjurSynchronizer.exe.config file. By default, this occurs every minute. This process syncs the LOB-owned Safes with Conjur.
If the synchronization process does not finish before the next scheduled sync interval, subsequent sync intervals for this LOB are skipped until the running synchronization is complete.
3. If an account is added to a synced Safe, the new account is synced to Conjur in the next sync interval.
Accounts that are deleted or moved are not handled by the general sync. Their Conjur variables remain readable by anyone with permission until the next full sync (every 60 minutes by default) removes them, so do not rely on deleting an account in Privilege Cloud to immediately revoke access in Conjur.
System requirements
For information about the Vault Synchronizer system requirements, see System requirements for CyberArk Vault Synchronizer.
Setup options
This section describes the options for setting up the synchronization between Privilege Cloud and Conjur.
Option | Description
---|---
Single Privilege Cloud to single Conjur cluster | In this setup, a single Vault Synchronizer syncs between one Privilege Cloud and one Conjur cluster.
Multiple Privilege Clouds to single Conjur cluster | Use this setup if you have multiple Privilege Clouds whose secrets need to be retrievable from the same Conjur cluster. This requires a separate Vault Synchronizer for each Privilege Cloud. For maximum Privilege Cloud and Conjur performance, we recommend synchronizing up to 3 Privilege Clouds.
Audits
Audit records are stored in Privilege Cloud and in Conjur. The Vault Synchronizer does not maintain audit records.