The following features were introduced or enhanced in Privileged Access Manager - Self-Hosted version 13.2.
Featured in this release
This release offers great improvements in terms of ease of deployment in PAM on Cloud with Bring Your Own Image delivery, and automation-supporting improvements such as bulk operations and new REST APIs.
In addition, we've included many improvements in the end user experience by simplifying the daily processes, such as streamlining PSM upgrades, adding user management operations in PVWA, and consolidating PTA administration into PVWA as a single web portal for all PAM Self-Hosted operations.
From a compliance and security perspective, we've expanded PSM audits to include multiple layers of data and enhanced privileged session integrations with ticketing systems for greater control and accountability, and have improved our web portal's accessibility compliance.
This version includes some significant performance enhancements and faster processing time for the following use cases:
Search activities that contain up to two keywords on the account view page in PVWA.
Generate account activities reports through PVWA.
Generate the following ExportVaultData utility reports:
Activity (logs) report
Group members report
Object properties report
Faster upgrade process in a Distributed Vaults environment
Starting from this version, if you perform an upgrade in a Distributed Vaults environment, you will no longer need to apply full replication at the end of each satellite upgrade.
The removal of this step reduces the satellite downtime during an upgrade and shortens the overall upgrade process of the environment.
This is one step toward our goal of simplifying administration in a Distributed Vaults environment.
Privileged Access Manager - Self-Hosted on cloud
Share AWS images through CyberArk Marketplace
Until now, if you wanted to use our PAM on Cloud solution for AWS, you needed to submit a request through the account portal and wait for account representative action. Starting from this version, you can obtain AWS images on your own, in a streamlined fashion, through the CyberArk Marketplace.
PAM On Cloud images can be found in the PAM Self Hosted product page per version. At this point, the CyberArk Marketplace includes only AWS images, both regular and GovCloud.
Bring your own AWS images
Organizations require that cloud deployments follow their own internal policies and use their own images, and not necessarily an image provided by their vendor.
Starting from this version, you can use your own images for deploying Privileged Access Manager - Self-Hosted on cloud.
You must prepare your images in advance, following the prerequisites set by CyberArk. Once your images are ready, you can easily download the PAM on cloud deployment from the CyberArk Marketplace and run it on your images.
For more information, see Images.
Password Vault Web Access
User Management module in the modern interface
User management capabilities are key for streamlining administration of authorized users in Privileged Access Manager - Self-Hosted.
We are excited to introduce our User Management module in the web portal administration view. This new view introduces simplification and better visibility, which will help improve the process of managing your users and groups.
The new view enables you to:
Create and edit CyberArk users (including setting the user type, authorized interfaces, and user expiration date)
Create groups and assign users to these groups
View all users (both LDAP and CyberArk users) and groups
Disable a user or activate a suspended user
Reset a user’s password
Create a new user based on the permissions of an existing user
Request access to multiple accounts
You can work more efficiently by performing management operations on multiple accounts at once.
As a first step to address this challenge, this version introduces the ability to request access to multiple accounts at once via the Accounts View.
Before a user can retrieve an account in an environment where the Master Policy enforces access confirmation, a request must be sent to authorized users to be confirmed. Starting from this version, you can create multiple requests in a single action to streamline the access workflow.
The ability to request access to multiple accounts includes:
Requesting access to multiple accounts asynchronously, which enables you to continue working on PVWA while the access request runs in the background.
Supporting requests for access to multiple accounts even when both access confirmation and ticketing system validation are enforced, to ensure that users are authorized to access passwords.
To learn more, see Request access to multiple accounts.
You can also request access to multiple accounts via REST APIs. For more information, see Create access request for multiple accounts.
Allow non-Vault Admin users access to Accounts Feed capabilities
The Accounts Feed View enables you to simplify and accelerate the deployment and management of privileged account security.
It scans your machines to discover privileged accounts and their dependencies. It provides a clear and comprehensive picture of existing accounts in your organization. You can view the discovered accounts and onboard them, either manually or automatically via the onboarding rules, based on various criteria that you can define.
Starting from this version, we extend access to this view to users who are members of the PVWAAccountsFeedAdmins group. These users, just like the Vault Admin, can access the Accounts Feed, launch scans, analyze the discovered accounts and onboard them.
To learn more, see Predefined groups.
This release includes several accessibility improvements in our web portal. We are now fully WCAG 2.1 compliant for contrast and screen reader on the Logon, Accounts, CreateRequest, MyRequest and Incoming Requests pages.
PVWA session timeout notification
Session timeout and expiration are security mechanisms to end a session after a certain period of inactivity or of session duration. These mechanisms help prevent unauthorized access, session hijacking, and resource consumption.
Starting from this version, the PVWA interface notifies users when their session is about to expire.
For more information, see Session timeout.
New and improved REST APIs for user and account management
User management and account management are the key elements in the organization's onboarding automated processes.
This version includes several improvements in our REST API Web services specifically around these areas for easier automation and usage.
Two new APIs were added to enable asynchronously requesting access for multiple privileged accounts:
Create access request for multiple accounts - Enables the user to request access (copy, show and connect) to multiple accounts simultaneously.
Get bulk account upload result - Returns the status of the Request Bulk Access API that was sent (whether it was completed or not). When the status returns as Completed, it also returns the result for each request access that was sent.
As part of our ongoing improvements to existing APIs, we also enhanced the filtering options of the Get users API according to the following:
User Type - the type of the users, according to the license, defined in the system
User Source - whether the source of the user is from LDAP or from the Vault
User Status - whether the users are active, disabled, or suspended
Central Policy Manager
Automatically manage accounts for platforms
In environments where multiple CPMs manage accounts in the same Safe, you can manage accounts using different CPMs according to platform. You can define the platforms managed by each CPM using the PlatformsToManage parameter in the CPM configuration file.
In this version, we added more flexibility when determining which platforms will be managed by each CPM and when excluding platforms from being managed by specific CPMs.
This flexibility helps prevent access control overload by enabling you to store multiple reconciliation accounts in a single safe while using PlatformsToManage to define which CPM manages which reconciliation account.
For more information, see Enable Automatic Account Management for Platforms.
Deploy plugins on multiple CPMs
You may need to upload a CPM plugin to multiple CPM servers to update the plugin when it is used by one or more platforms.
Starting from this version, CyberArk supports a centralized repository that simplifies management of CPM plugins in the environment and ensures that all CPM servers are aligned with the identical plugins in the same version.
For more information, see Deploy a CPM plugin to all CPM servers.
Web application framework improvements
The Web applications for PSM and Create CPM plugins for Web applications provide a simple way to create new PSM connection components for web and password management plugins (CPM plug-in) for web-based applications without needing any developer expertise or experience.
CyberArk enhanced the web framework to enable you to build custom conditional logic for the plugin or connection component, based on your web application conditional behavior.
To enjoy this new capability, download the latest frameworks from the CyberArk Marketplace:
Web Application Connection Components
CPM Plugin Frameworks
Manage EPM privileged accounts
The CyberArk Endpoint Privilege Manager (EPM) for SaaS plugin enables you to manage CyberArk Endpoint Privilege Manager (EPM) privileged accounts for SaaS users. This plugin is now officially supported by CyberArk.
Manage SAP NetWeaver privileged accounts
The SAP NetWeaver plugin manages SAP NetWeaver ABAP, Java, and Dialog privileged accounts.
The plugin now supports managing SAP application server accounts through SAProuter and SAP Message Servers (MS).
The SAP NetWeaver plugin is available in the CyberArk Marketplace.
For more information, see SAP applications.
Conjur Enterprise plugin
We are happy to introduce the Conjur Enterprise Password plugin, for managing passwords for Conjur users, and the Conjur Enterprise Keys plugin, for managing API keys for both Conjur users and hosts.
Automatic Chrome and Edge drivers update
The CyberArk plugins and connection components use web drivers in connection with web-based targets. The driver version needs to be the same as the browser version for the connection to work.
If you have automatic updates set on your browsers on the CPM and PSM servers, the WebDriverUpdater application facilitates Chrome and Edge driver updates to ensure the continued integrity of the web-based plugins and connection components.
The WebDriverUpdater application is available for download from the CyberArk Marketplace. It is compatible with PSM version 13.2 and later and any supported CPM version.
Privileged Session Manager
Automatic merge of AppLocker configuration files
You can now enjoy an automatic merge of your XML file with a new version of the PSMConfigureAppLocker.xml file during upgrade of PSM. All your additions or changes will be merged with the latest version of the XML file, enabling you to keep your own configurations and approved applications in a simpler way.
Simultaneous multi-audit support
You can now monitor sessions with all audit capabilities (keystrokes, windows titles, and SQL commands where applicable) simultaneously. This provides a more holistic view of the session activity, increasing compliance and audit coverage of sessions. In addition, PTA detection of suspicious activities in PSM sessions is extended to support the simultaneous audit capabilities.
PSM for Windows integration with ticketing systems
If you use the direct PSM for Windows connection, you can enforce ticketing system validation for a higher level of control and accountability on privileged sessions.
Privileged Session Manager for SSH
Using Commands Access Control is an integral part of the work within a PSM for SSH session. The new feature enables you to copy and paste multiple lines simultaneously into scripts and config files for a much smoother workflow.
New API for session termination
You can simplify the enforcement over live PSM for SSH sessions using automation and non-interactive actions. This version includes a new API for terminating a PSM for SSH session. Along with the ability to use both the SessionID and SessionGuid identifiers, the new API enhances our PSM for SSH and PTA integration for automatic termination based on a set of rules such as risky commands.
PSM for SSH can now automatically stop logging to a file if it exceeds a set size or duration limit and start logging to a new file. This simplifies the management of logs and ensures that all logs can be restored properly. Additionally, the folder containing the log files can be cleaned automatically based on the date of the files or the total size of the folder. All limits and the frequency of the clean-up can be customized.
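The two mechanisms described above, rotation by size or duration and folder clean-up by file age or total size, are illustrated by the following added example. It is not PSM for SSH's own code: the file naming (session.N.log), the thresholds and the fake clock in demo() are assumptions chosen to make the behaviour visible in a temporary folder.

```python
"""Size/duration rotation and age/size retention for session log files.

Added example, not PSM for SSH code: file naming, thresholds and the
clean-up policy are assumptions that illustrate the mechanism.
"""
import os
import tempfile
import time


class RotatingSessionLog:
    """Append lines to session.N.log; open a new file when a size or age limit would be exceeded."""

    def __init__(self, folder, max_bytes=1_000_000, max_seconds=3600, clock=time.time):
        self.folder, self.max_bytes, self.max_seconds, self.clock = folder, max_bytes, max_seconds, clock
        self.index, self.path, self.opened_at = 0, None, None
        self._open_new()

    def _open_new(self):
        self.index += 1
        self.path = os.path.join(self.folder, f"session.{self.index}.log")
        open(self.path, "w").close()          # create the new, empty log file
        self.opened_at = self.clock()

    def write(self, line):
        data = line.rstrip("\n") + "\n"
        too_big = os.path.getsize(self.path) + len(data) > self.max_bytes
        too_old = self.clock() - self.opened_at >= self.max_seconds
        if too_big or too_old:
            self._open_new()
        with open(self.path, "a") as fh:
            fh.write(data)
        return os.path.basename(self.path)


def cleanup_log_folder(folder, max_age_seconds, max_total_bytes, now=None):
    """Delete files older than max_age_seconds, then oldest-first until the folder fits max_total_bytes.

    Returns the names of the deleted files, oldest first.
    """
    now = time.time() if now is None else now
    files = sorted(
        (os.path.getmtime(p), os.path.getsize(p), p)
        for p in (os.path.join(folder, n) for n in os.listdir(folder))
        if os.path.isfile(p)
    )
    removed, kept = [], []
    for mtime, size, path in files:
        if now - mtime > max_age_seconds:       # age limit: delete regardless of size
            os.remove(path)
            removed.append(os.path.basename(path))
        else:
            kept.append((mtime, size, path))
    total = sum(size for _, size, _ in kept)
    for _, size, path in kept:                  # total-size limit: drop oldest first
        if total <= max_total_bytes:
            break
        os.remove(path)
        removed.append(os.path.basename(path))
        total -= size
    return removed


def demo():
    """Run both mechanisms in a temporary folder with a fake clock and report what happened."""
    folder = tempfile.mkdtemp(prefix="psmlogs-")
    now = [1_700_000_000.0]                     # fake clock, advanced by hand
    log = RotatingSessionLog(folder, max_bytes=50, max_seconds=60, clock=lambda: now[0])
    written = [log.write(f"cmd {i}: ls -la /var/log") for i in range(5)]   # 23 bytes per line
    now[0] += 61                                # exceed the duration limit before the next write
    written.append(log.write("cmd 5: exit"))
    day = 86400
    # Constructed file ages: two files are past a 7-day retention limit.
    ages = {"session.1.log": 10 * day, "session.2.log": 8 * day, "session.3.log": 2 * day, "session.4.log": 0}
    for name, age in ages.items():
        os.utime(os.path.join(folder, name), (now[0] - age, now[0] - age))
    removed = cleanup_log_folder(folder, max_age_seconds=7 * day, max_total_bytes=30, now=now[0])
    return {"created": sorted(set(written)), "removed": removed, "remaining": sorted(os.listdir(folder))}


if __name__ == "__main__":
    print(demo())
```

In demo(), the first five lines rotate on size (two 23-byte lines fit a 50-byte file, the third does not) and the sixth rotates on age; the clean-up then removes the two files past the age limit and one more to bring the folder under the size limit, leaving only the newest file.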
Custom directory to store recordings
With the increasing need to adapt to compliance requirements in a global deployment environment, it is now possible to configure a customized folder path to store PSM for SSH recordings as defined by each different organization.
Privileged Threat Analytics
Detect suspicious logon attempts
This new detection reveals an attacker at an early stage, based on failed logon attempts to the Vault that occur within a short duration, and may indicate a potential brute-force attack attempt on the Vault users.
The system also identifies if the originating IP is not associated with the user profile, and includes an indication in the security event and raises the event score accordingly.
The default logic for recognizing a suspicious logon attempt is five failed logon attempts within two minutes. You can customize this to meet your organization's needs. For more information, see Algorithms - sub-section: Suspicious multiple authentication failures to the Vault.
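The rule described above (a burst of failed Vault logons within a short window, with a higher score when the source IP is not part of the user's profile) is shown in the following added example. It is not PTA's code: the audit events, the per-user IP profile, the base score of 50 and the 30-point increase for an unknown IP are constructed assumptions; the default threshold of five failures in two minutes is the one stated on this page.

```python
"""Sliding-window detection of repeated failed Vault logons.

Added example (not PTA code). Flags a user after `threshold` failed logons
inside `window` and raises the score when the burst comes from an IP that
is not in the user's known-IP profile.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, source IP, result).
SAMPLE_EVENTS = [
    ("2024-01-15 08:00:01", "alice", "10.1.1.5", "FAIL"),
    ("2024-01-15 08:00:14", "alice", "10.1.1.5", "FAIL"),
    ("2024-01-15 08:00:30", "alice", "10.1.1.5", "FAIL"),
    ("2024-01-15 08:00:45", "alice", "10.1.1.5", "FAIL"),
    ("2024-01-15 08:01:02", "alice", "10.1.1.5", "FAIL"),
    ("2024-01-15 08:01:10", "alice", "10.1.1.5", "SUCCESS"),
    ("2024-01-15 08:05:00", "bob", "203.0.113.9", "FAIL"),
    ("2024-01-15 08:05:20", "bob", "203.0.113.9", "FAIL"),
    ("2024-01-15 08:05:40", "bob", "203.0.113.9", "FAIL"),
    ("2024-01-15 08:06:00", "bob", "203.0.113.9", "FAIL"),
    ("2024-01-15 08:06:20", "bob", "203.0.113.9", "FAIL"),
    ("2024-01-15 08:10:00", "carol", "10.3.3.3", "FAIL"),   # four failures spread over
    ("2024-01-15 08:11:30", "carol", "10.3.3.3", "FAIL"),   # 4.5 minutes: never five in
    ("2024-01-15 08:13:00", "carol", "10.3.3.3", "FAIL"),   # any two-minute window
    ("2024-01-15 08:14:30", "carol", "10.3.3.3", "FAIL"),
    ("2024-01-15 08:20:00", "dave", "10.4.4.4", "FAIL"),    # five failures, but the
    ("2024-01-15 08:20:30", "dave", "10.4.4.4", "FAIL"),    # first one falls out of
    ("2024-01-15 08:21:00", "dave", "10.4.4.4", "FAIL"),    # the window before the fifth
    ("2024-01-15 08:21:30", "dave", "10.4.4.4", "FAIL"),
    ("2024-01-15 08:22:30", "dave", "10.4.4.4", "FAIL"),
]

# Constructed stand-in for the per-user profile of known source IPs (dave has no profile).
USER_PROFILE_IPS = {"alice": {"10.1.1.5"}, "bob": {"10.2.2.7"}, "carol": {"10.3.3.3"}}

BASE_SCORE = 50          # assumed score for a burst from a known IP
UNKNOWN_IP_BONUS = 30    # assumed increase when the burst comes from an unknown IP


def detect_suspicious_logons(events, threshold=5, window=timedelta(minutes=2), known_ips=None):
    """Return one alert dict per burst of `threshold` failures within `window`, in time order."""
    known_ips = known_ips or {}
    recent = defaultdict(deque)      # user -> (timestamp, ip) of failures still inside the window
    alerts = []
    for ts_text, user, ip, result in sorted(events, key=lambda e: e[0]):
        if result != "FAIL":
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:  # drop failures that have fallen out of the window
            q.popleft()
        if len(q) < threshold:
            continue
        profile = known_ips.get(user)
        burst_ips = {addr for _, addr in q}
        # Unknown IP only counts when a profile exists and the burst uses an IP outside it.
        unknown = profile is not None and not burst_ips <= profile
        alerts.append({
            "user": user,
            "source_ips": sorted(burst_ips),
            "failures": len(q),
            "first": q[0][0].isoformat(),
            "last": ts.isoformat(),
            "unknown_ip": unknown,
            "score": BASE_SCORE + (UNKNOWN_IP_BONUS if unknown else 0),
        })
        q.clear()                    # one alert per burst; a new one needs `threshold` fresh failures
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logons(SAMPLE_EVENTS, known_ips=USER_PROFILE_IPS):
        print(alert)
```

With the default rule, alice and bob are flagged (bob's burst from an IP outside his profile scores higher), carol is not because her failures never fit in one window, and dave is not because his first failure has aged out by the time the fifth arrives. Lowering the threshold to four, as the page says you may customise it, also flags dave.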
Expose PTA security risks in PVWA and REST API
We continue the consolidation of the PTA Classic UI into PVWA. In this version, security risks that are detected by PTA have been moved to PVWA, and are available on the Security Risks page, located under the Security tab in the PVWA navigation bar.
Another means for getting the PTA security risks is via a REST API, which enables you to combine this information with other security-related information that is gathered automatically.
One of our most important goals for PTA is to improve its scale and performance, enabling it to process more audits and expedite the analysis process.
The first step towards this goal includes improved storage utilization and purge capabilities, by removing irrelevant data types as well as adding retention configuration to determine how long closed security and risk events are stored in the PTA database.
Amazon Web Services (AWS) console with STS
The AWS STS connection component enables an end user to log in to the AWS platform using a secured connection from an internet browser via a PSM monitored session.
We have updated the AWS SDK third-party component that is used by the AWS STS connection component to enhance security and make technological improvements.
Download the latest AWS STS connection component from the CyberArk Marketplace.
Extended PKI/PKIPN certificate verification in PVWA
PKI enables the use of certificates for servers and users to identify each other and establish a secure connection. Certificates contain encryption values, or keys, that are used for encrypting and ensuring the integrity of messages sent between the two parties.
When a user logs on to PVWA using the PKI/PKIPN authentication method, the user and the server establish an SSL (Secure Sockets Layer) connection. During the SSL handshake, the parties exchange certificates and check their validity. They also check that the other party’s certificate was issued by a trusted CA (Certification Authority).
In this version, we extended the PKI/PKIPN certificate validation to perform validations such as discarding all the client-side certificates that contain elliptic curves and use SHA1 for either hashing or signing.
You can enable the extended PKI/PKIPN certificate validation by setting the ValidatePKICertificate parameter in Configuration Options to Yes. This validation is disabled by default. For more information, see PKI authentication (Personal Certificate).
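The following added example shows the kind of policy check the extended validation describes, rejecting a client certificate whose public key is an elliptic-curve key or whose signature algorithm uses SHA-1. It is not PVWA's code and does not replace chain, expiry or revocation checks: a minimal DER reader extracts the AlgorithmIdentifier OIDs from an X.509 certificate, and build_toy_cert() constructs unsigned toy certificates so the check runs offline. The OIDs are the standard X.509 algorithm identifiers; everything else (function names, the reason strings) is an assumption of the example.

```python
"""Policy check that rejects client certificates with elliptic-curve keys or SHA-1 signatures.

Added example, not PVWA code. Standard OIDs; the toy certificates are
constructed locally and are not signed.
"""
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
OID_ECDSA_WITH_SHA1 = "1.2.840.10045.4.1"
OID_ECDSA_WITH_SHA256 = "1.2.840.10045.4.3"
OID_DSA_WITH_SHA1 = "1.2.840.10040.4.3"
EC_OIDS = {OID_EC_PUBLIC_KEY, OID_ECDSA_WITH_SHA1, OID_ECDSA_WITH_SHA256}
SHA1_SIGNATURE_OIDS = {OID_SHA1_WITH_RSA, OID_ECDSA_WITH_SHA1, OID_DSA_WITH_SHA1}


def _der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed value into (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_identifier(oid):
    return der(0x30, der_oid(oid) + der(0x05, b""))     # AlgorithmIdentifier with NULL parameters


def build_toy_cert(key_oid, sig_oid, with_version=True):
    """Constructed, unsigned toy Certificate carrying the given key and signature OIDs."""
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, algorithm_identifier(key_oid) + der(0x03, b"\x00" * 9))
    tbs = der(0xA0, der(0x02, b"\x02")) if with_version else b""   # [0] EXPLICIT version v3
    tbs += der(0x02, b"\x01") + algorithm_identifier(sig_oid) + empty_name + validity + empty_name + spki
    return der(0x30, der(0x30, tbs) + algorithm_identifier(sig_oid) + der(0x03, b"\x00" * 9))


def extract_algorithms(cert_der):
    """Return (public key OID, TBS signature OID, outer signatureAlgorithm OID)."""
    tbs, outer_alg, _signature = der_children(der_read(cert_der)[1])[:3]
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:              # the version field is optional (absent in v1 certs)
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...

    def first_oid(alg_content):
        return decode_oid(der_children(alg_content)[0][1])

    spki_alg = der_children(fields[5][1])[0]
    return first_oid(spki_alg[1]), first_oid(fields[1][1]), first_oid(outer_alg[1])


def validate_client_cert(cert_der):
    """Return (accepted, reason) for the extended key/signature policy."""
    key_oid, tbs_sig_oid, outer_sig_oid = extract_algorithms(cert_der)
    if tbs_sig_oid != outer_sig_oid:      # RFC 5280 requires the two signature fields to agree
        return False, "signature algorithm mismatch between TBS and certificate"
    if key_oid in EC_OIDS or outer_sig_oid in EC_OIDS:
        return False, "elliptic-curve key or signature"
    if outer_sig_oid in SHA1_SIGNATURE_OIDS:
        return False, "SHA-1 signature"
    return True, "ok"
```

The policy looks at both places a certificate names its signature algorithm (the TBS `signature` field and the outer `signatureAlgorithm`) and treats a disagreement between them as a reason to reject, since a hash-agility mismatch there is a malformed certificate rather than a policy choice. For a real deployment the DER reader would be replaced by a full X.509 library; the policy function is the part that corresponds to the ValidatePKICertificate setting described above.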
PTA security improvements
Internal components, core dependencies, and third-party libraries were upgraded to enhance security and make technological improvements to the components of PTA.
Upgrade of PVWA internal components
Internal components were upgraded to enhance security and make technological improvements to the operating system and third-party components for the PVWA server.
We improved input sanitization of REST APIs to ensure better protection from injection attacks.