Core PAM Review and Security
CyberArk University
2024
Summary
This document is a CyberArk University presentation on Core PAM Review and Security. It covers the architecture of the Privileged Access Manager solution, describes the components that make up the solution, and lists CyberArk's eight Security Fundamentals recommendations for protecting the CyberArk PAM environment.
Full Transcript
Core PAM Review and Security
CyberArk University
© 2024 CyberArk Software Ltd. All rights reserved

Objectives
By the end of this lesson, you will be able to:
1. Describe the architecture of the Privileged Access Manager solution
2. Describe the CyberArk components that comprise the Privileged Access Security solution
3. Describe the key recommendations for protecting the CyberArk PAM environment

Review

Privilege is at the Center of the Cyber Attack Lifecycle
Typical lifecycle of a cyber attack, as shown on the slide:
- Entry point: either perimeter compromise (external threats penetrating the network perimeter) or existing access (internal threats)
- Penetration, credential theft, reconnaissance, lateral movement, privilege escalation
- Repeat: move laterally, perform reconnaissance, escalate privileges
- Outcome: disrupt business, exfiltrate data

CyberArk PAM Delivers a New Critical Security Layer
Privileged Access Manager is positioned as a control layer alongside perimeter security, the security controls inside the network, and monitoring.

Comprehensive Controls on Privileged Activity
- Lock down credentials: protect privileged passwords and SSH keys
- Isolate and control sessions: prevent malware attacks and control privileged access
- Continuously monitor: implement continuous monitoring across all privileged accounts

On-premises Components
- Digital Vault: enables organizations to secure, manage, and automatically change passwords and SSH keys, logging all activities
- Password Vault Web Access (PVWA): the web interface for users to gain access to privileged account information; used by Vault administrators to configure policies
- Central Policy Manager (CPM): performs the password changes on devices; scans the network for privileged accounts
- Privileged Session Manager (PSM): enables organizations to control and monitor privileged access to sensitive systems and devices
- Privileged Threat Analytics (PTA): provides an additional security layer that detects malicious activity caused by privileged accounts and can proactively contain in-progress attacks
- On-Demand Privileges Manager: provides a comprehensive solution that empowers IT and enables complete visibility and control of super users and privileged accounts across the enterprise

Digital Vault
A hardened and secured digital vault used to store privileged account information. Implemented in compliance with the CyberArk Digital Vault Server security standard, it results in a highly secure repository for privileged account passwords.

CPM – Central Policy Manager
The CPM performs password changes and SSH key rotations on devices based on the policies set by Vault Administrators. The CPM is also responsible for Accounts Feed operations:
- Discover: automates privileged account discovery
- Analyze: provides an easy view of all discovered accounts
- Provision: the scope of the accounts to manage can be provisioned in the Vault in a simple and intuitive way
(Diagram: the CPM applies policy to accounts across the IT environment such as Unix root, Oracle SYS, Windows Administrator, z/OS DB2ADMIN and Cisco enable, all shown with the same static password "tops3cr3t" before management, and pushes randomized replacements.)

PVWA – Password Vault Web Access
The web interface used by administrators to perform administrative tasks and by end users to gain access to privileged account information.

PSM – Privileged Session Manager
- Isolate: prevent cyber attacks by isolating desktops from sensitive target machines
- Control: create accountability and control over privileged session access with policies, workflows and privileged single sign-on
- Monitor: deliver continuous monitoring and compliance with session recording, with zero footprint on target machines

Enterprise Password Vault Solution Overview
1. Master/exception policy definition: Security/Risk Management defines the Master Policy and exception policies
2. Initial load and reset: accounts are onboarded via Accounts Discovery, the REST API or manually, and the CPM resets their credentials
3. Request workflow: dual control, integration with ticketing systems, one-time passwords, exclusivity and more (the example shows IT requesting access to the Windows Administrator account on prod.dom.us through the PVWA)
4. PSM connection to the device
5. Auditor access: auditors request to view reports

High Level Systems Design

Vault and Components
The Vault is surrounded by the components that talk to it: Privileged Session Manager, Password Vault Web Access, Central Policy Manager, PACli and SDKs, the PrivateArk Client, Unix/Windows Application Providers, and Privileged Threat Analytics.

Basic Deployment, Multiple Sites
(Diagram.) Two sites are shown. Site 1 holds the Vault (192.168.23.19), a Central Policy Manager (192.168.23.20) and a Password Vault Web Access server (192.168.23.31); site 2 holds its own Central Policy Manager and Password Vault Web Access on 10.0.1.0/24 (the addresses 10.0.1.30, 10.0.1.31 and 10.0.1.60 appear in the diagram). Each CPM and PVWA connects to the Vault on TCP 1858 (the Vault port is labelled "1858 or 443"); each CPM reaches its local target systems; end users (IT staff, auditors, etc.) connect to their site's PVWA over TCP 443. TCP 443 must also be open between the PVWA and the CPM to enable Accounts Discovery operations.
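The flows in the deployment diagram are the only ones the design needs, and the Security Fundamentals later in this document require that traffic to the Vault be restricted to CyberArk protocols only. As an added example (not CyberArk code and not part of the original presentation), the Python below encodes those flows as an allow-list and checks a list of observed connections against it. The host-to-role mapping is read off the site 1 addresses in the diagram (which address is the CPM and which the PVWA is an assumption), the sample flows are constructed, and hosts such as PrivateArk Client workstations that legitimately reach the Vault are deliberately not modelled, so they would need their own entries.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Host roles as read from the site 1 addresses in the diagram above.
# Assumption: 192.168.23.20 is the CPM and 192.168.23.31 the PVWA.
ROLES = {
    "192.168.23.19": "vault",
    "192.168.23.20": "cpm",
    "192.168.23.31": "pvwa",
}

# The Vault port is labelled "1858 or 443" in the diagram; 1858 is the
# default, so only that is allowed here (add 443 if the Vault uses it).
VAULT_PORTS: Set[int] = {1858}

# (source role, destination role) -> permitted TCP destination ports.
# "user" is any address not in ROLES; targets are never a CyberArk host.
ALLOWED: dict = {
    ("cpm", "vault"): VAULT_PORTS,
    ("pvwa", "vault"): VAULT_PORTS,
    ("user", "pvwa"): {443},   # end users reach the PVWA over HTTPS
    ("pvwa", "cpm"): {443},    # required for Accounts Discovery
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def check_flow(flow: Flow) -> Optional[str]:
    """Return None if the flow matches the design, else why it does not."""
    dst_role = ROLES.get(flow.dst)
    if dst_role is None:
        # Destination is a target system or something outside the PAM
        # infrastructure; this allow-list only guards CyberArk hosts.
        return None
    src_role = ROLES.get(flow.src, "user")
    if flow.proto.lower() != "tcp":
        return (f"{flow.proto} from {flow.src} to {dst_role} {flow.dst}: "
                "only TCP CyberArk protocols are permitted")
    if flow.port in ALLOWED.get((src_role, dst_role), set()):
        return None
    return f"{src_role} {flow.src} -> {dst_role} {flow.dst}:{flow.port}/tcp is not a CyberArk flow"


def check_flows(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that violates the allow-list, with its reason."""
    violations = []
    for flow in flows:
        reason = check_flow(flow)
        if reason is not None:
            violations.append((flow, reason))
    return violations


# Constructed sample: what a firewall log or a flow capture might show.
SAMPLE_FLOWS = [
    Flow("192.168.23.20", "192.168.23.19", 1858),   # CPM -> Vault
    Flow("192.168.23.31", "192.168.23.19", 1858),   # PVWA -> Vault
    Flow("192.168.23.77", "192.168.23.31", 443),    # user -> PVWA
    Flow("192.168.23.31", "192.168.23.20", 443),    # PVWA -> CPM (discovery)
    Flow("192.168.23.20", "10.0.1.200", 22),        # CPM -> target over SSH
    Flow("192.168.23.77", "192.168.23.19", 3389),   # workstation RDP to the Vault
    Flow("192.168.23.77", "192.168.23.19", 1858),   # workstation straight to the Vault port (not in the diagram)
    Flow("192.168.23.20", "192.168.23.19", 445),    # SMB from the CPM to the Vault
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION: {reason}")
```

Running it prints three violations: the RDP session and the direct 1858 connection from the workstation, and SMB from the CPM to the Vault. The first two are the "restrict access to the Digital Vault" principle in action; the third is the kind of non-CyberArk protocol that the Vault's own network hardening is meant to refuse.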
CyberArk Privileged Access Manager Security Fundamentals

CyberArk Security Fundamentals
It is essential to deploy CyberArk in a secure manner and to ensure that the security controls you have implemented are not circumvented by an attacker. For more information, refer to the Security Fundamentals documentation at https://docs.cyberark.com.

1. Isolate and Harden the Digital Vault Server
Critical principles of this control are:
- Restrict access to the Digital Vault
- The Vault server must not be, and must never have been, a member of an Active Directory domain
- No third-party software, e.g. anti-virus and monitoring agents
- Network traffic should be restricted to CyberArk protocols only
- Physical servers (recommended)
Recent attacks have shown that it is common for threat actors to leverage vulnerabilities in the Kerberos protocol to move throughout the environment undetected. It is therefore required that the Digital Vault server run on an isolated and trusted platform.

2. Use Two-Factor Authentication
Multi-factor authentication (MFA) is an authentication method that uses two or more distinct mechanisms to validate a user's identity, rather than relying on just a simple username and password combination. Using two-factor authentication enables you to mitigate common credential theft techniques such as basic keyloggers or tools that are capable of harvesting plaintext passwords. CyberArk recommends that customers deploy multi-factor authentication to the CyberArk Digital Vault.

3. Restrict Access to Component Servers
Critical principles of this control are:
- Consider installing each component on a dedicated server
- Consider installing on workgroup rather than domain-joined servers
- Restrict non-essential applications on the component servers
- Limit the accounts that can access component servers and use only accounts with local administrative permissions
- Use network-based firewalls and IPsec to restrict, encrypt and authenticate inbound administrative traffic
- Use Privileged Session Manager with the local administrator account to access component servers
- Deploy application whitelisting and limit execution to authorized applications
Additional recommendations can be found at https://docs.cyberark.com. CyberArk components (PVWA, CPM and PSM) are sensitive assets. The core principle of this control is to treat CyberArk infrastructure with the highest level of sensitivity.

4. Limit Privileges and Points of Administration
Critical principles of this control are:
- Reduce privileges of CyberArk administrative accounts
- Eliminate unnecessary CyberArk administrative accounts
- CyberArk administrators should not have access to all credentials
- Require privilege elevation (with Dual Control or Ticketing Integration)
- Use the PSM to isolate and monitor CyberArk administration
- Require two-factor authentication for all avenues of administrative access
Reducing the number of privileged accounts and/or the extent of their privileges reduces the overall privileged account attack surface. The core principle of this control is that there should only be a few CyberArk administrators, and they should only possess limited privileges, unless elevated through a strong approval process.

5. Protect Sensitive Accounts and Encryption Keys
Critical principles of this control are:
- Store the Master Password separately from the Master Key
- Assign each to different entities within the organization
- Store the Master Key and Master Password in a physical safe
- Do not store the Operator Key on the same media as the data
- If possible, use a Hardware Security Module (HSM) to secure the Operator Key

6. Use Secure Protocols
Critical principles of this control are:
- HTTPS for the PVWA
- LDAPS for Vault-LDAP integration and CPM Windows scans
- RDP/TLS for connections to the PSM and from the PSM to target machines
- SSH (instead of Telnet) for password management
The use of insecure protocols can easily render other controls void. To reduce the risk of eavesdropping and other network-based attacks, use encrypted and authenticated protocols for all communications.

7. Monitor Logs for Irregularities
Critical principles of this control are:
- Aggregate CyberArk logs within your SIEM
- Monitor and alert upon excessive authentication failures, logins to the Vault server OS, and logins as Administrator or Master
- Consider implementing CyberArk Privileged Threat Analytics (PTA) for continuous monitoring of the use of privileged accounts, whether or not they are yet managed in PAM
In order to detect problems early, it is essential to monitor the logs generated by both CyberArk and the infrastructure on which it runs. Early detection is one of the key elements in reducing the impact of any issue, whether security or operational.
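The three alert conditions named under this control are easy to state as detection logic, and the Python below does so. It is an added example, not part of the original presentation and not CyberArk's real log schema: the sample lines are constructed in an assumed "timestamp host source key=value" layout, where "vault-audit" stands in for the Vault audit log forwarded to the SIEM and "windows-security" for the Windows Security log of the Vault host (event ID 4624 is Windows' successful-logon event). The failure threshold, window and host names are assumptions; in a real SIEM the same rules would be written in its query language, but the logic is what matters here.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Rule parameters (assumptions, tune to the environment).
FAILURE_THRESHOLD = 5                    # failed logons per user ...
FAILURE_WINDOW = timedelta(minutes=5)    # ... within this sliding window
PRIVILEGED_VAULT_USERS = {"administrator", "master"}
VAULT_HOSTS = {"vault01"}                # hostnames of Digital Vault servers

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample in an assumed "<ISO time> <host> <source> key=value ..."
# layout. "vault-audit" stands in for the Vault audit log forwarded to the
# SIEM; "windows-security" for the Vault host's Windows Security log.
SAMPLE_LOG = """\
2024-03-10T08:00:01Z vault01 vault-audit user=jdoe action=Logon result=Failure src=192.168.23.77
2024-03-10T08:00:03Z vault01 vault-audit user=jdoe action=Logon result=Failure src=192.168.23.77
2024-03-10T08:00:05Z vault01 vault-audit user=jdoe action=Logon result=Failure src=192.168.23.77
2024-03-10T08:00:07Z vault01 vault-audit user=jdoe action=Logon result=Failure src=192.168.23.77
2024-03-10T08:00:09Z vault01 vault-audit user=jdoe action=Logon result=Failure src=192.168.23.77
2024-03-10T08:01:00Z vault01 vault-audit user=asmith action=Logon result=Success src=192.168.23.31
2024-03-10T08:05:12Z vault01 vault-audit user=Administrator action=Logon result=Success src=192.168.23.31
2024-03-10T08:06:40Z vault01 windows-security event_id=4624 user=svc-backup logon_type=10 src=10.0.1.200
2024-03-10T09:30:00Z vault01 vault-audit user=jdoe action=Logon result=Failure src=192.168.23.77
"""


@dataclass
class Event:
    when: datetime
    host: str
    source: str
    fields: Dict[str, str]


@dataclass
class Alert:
    rule: str
    when: datetime
    detail: str


def parse_line(line: str) -> Event:
    """Split one log line into timestamp, host, source and key=value fields."""
    ts, host, source, rest = line.split(" ", 3)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(when, host, source, dict(KV_RE.findall(rest)))


def detect(log_text: str) -> List[Alert]:
    """Run the three log rules from this control over the given log text."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        f = ev.fields
        user = f.get("user", "")
        if ev.source == "vault-audit" and f.get("action") == "Logon":
            if f.get("result") == "Failure":
                # Rule 1: excessive authentication failures for one user.
                q = failures[user.lower()]
                q.append(ev.when)
                while q and ev.when - q[0] > FAILURE_WINDOW:
                    q.popleft()          # drop failures outside the window
                if len(q) >= FAILURE_THRESHOLD:
                    alerts.append(Alert("auth_failure_burst", ev.when,
                        f"{len(q)} failed Vault logons for {user} within "
                        f"{FAILURE_WINDOW} from {f.get('src')}"))
                    q.clear()            # alert once per burst, not per extra failure
            elif f.get("result") == "Success" and user.lower() in PRIVILEGED_VAULT_USERS:
                # Rule 2: the built-in Administrator and Master users should
                # be used only for break-glass work, so every logon is notable.
                alerts.append(Alert("privileged_vault_logon", ev.when,
                    f"successful Vault logon as {user} from {f.get('src')}"))
        elif (ev.source == "windows-security" and ev.host in VAULT_HOSTS
              and f.get("event_id") == "4624"):
            # Rule 3: any OS logon (Windows event 4624) to the Vault server itself.
            alerts.append(Alert("vault_os_logon", ev.when,
                f"OS logon on Vault host {ev.host} by {user} "
                f"(logon type {f.get('logon_type')}) from {f.get('src')}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.when.isoformat()} [{a.rule}] {a.detail}")
```

On the sample it raises exactly three alerts: the burst of five failures for jdoe, the successful Administrator logon, and the OS logon to vault01. The lone failure at 09:30 and asmith's ordinary logon are ignored, which is the point of keeping the failure rule windowed and the privileged-user rule limited to the built-in accounts.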
8. Create and Periodically Test a DR Plan
Having a documented disaster recovery plan, and periodically validating it, will ensure that you can quickly recover your data and restore operations. A good disaster recovery plan begins with an assessment of the various risks, their likelihood of occurrence and their impact. The disaster recovery plan should provide information about the physical infrastructure, key contacts, processes to access out-of-band credentials, and procedures to recover from likely and/or high-impact problems.

Summary
In this session we covered:
- The CyberArk components that comprise the Core Privileged Access Manager solution
- The architecture of the CyberArk PAM solution
- The CyberArk Security Fundamentals, providing key recommendations for protecting the CyberArk environment