04-PAM-ADMIN-Safes.pdf
Document Details
Uploaded by FancySarod
2023
Tags
Full Transcript
PAM Administration Safes © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to: 1. Describe the Vault Model...
PAM Administration Safes © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to: 1. Describe the Vault Model Agenda 2. Describe what a Safe is 3. Describe the key criteria for designing a Safe model 4. Describe basic access control concepts and Safe permissions 5. Create and manage Safes 6. Add Safe Members and assign them permissions © 2023 CyberArk Software Ltd. All rights reserved Overview The Vault Model What is a Safe Viewing Safes © 2023 CyberArk Software Ltd. All rights reserved The Vault Model We use the metaphor of a bank when talking about the CyberArk Vault: Encryption, Firewall, Audit, Vault and Authentication First you authenticate yourself to the bank teller Then you use your key to access your safe deposit box Safes Authorization Then you have access to everything in the box Passwords Policy cyberark.com © 2023 CyberArk Software Ltd. All rights reserved Basic Access Control Concepts Access control determines who can access information and from where CyberArk manages access control by storing privileged identities in Safes, only giving access to authorized users A user's access to a Safe usually applies to all the objects (passwords) inside that safe © 2023 CyberArk Software Ltd. All rights reserved What is a Safe? Container in the Vault for data, primarily privileged accounts Basis for managing Access Control to privileged accounts The Vault and CyberArk components have Safes for storing their data and files Can be created manually or programmatically (e.g., via the REST API) © 2023 CyberArk Software Ltd. All rights reserved Where are the Safes? Safes are stored in the Vault and can be viewed through a number of different means. PVWA Vault file system PrivateArk Client © 2023 CyberArk Software Ltd. All rights reserved Designing a Safe Model In this section we will discuss the main considerations for designing the Safe model © 2023 CyberArk Software Ltd. All rights reserved Defining a Safe Model To develop a system for how to store passwords in Safes through an authorization model that meets the needs of the organization. There is no generic “Safe model” that fits all CyberArk implementations Defining a Safe model is an individual, implementation- specific process best defined during the planning stages Customers typically work with the implementation team to create the Safe model during the implementation © 2023 CyberArk Software Ltd. All rights reserved Questions to Answer When Defining Safe Model Who needs access to data stored in the Who needs Vault? access to data Internal (e.g., Employees) or External Users stored in the Vault? (e.g., Partners, Contractors, etc.) What is the security level of Secret, Informational, Production, Development, Test, etc. data stored in the Vault? Who must not see Is there any type of data that needs to be available a specific type of data? to some users, but not to others? Should additional access limitations apply to Multiple Central Policy Managers, system load, regulations (specific) objects? © 2023 CyberArk Software Ltd. All rights reserved Safe Naming Constraints Safe names are limited to 28 characters Double-byte characters are not supported (Chinese, Korean, etc.) © 2023 CyberArk Software Ltd. All rights reserved Safe Naming Convention For local admin accounts on HR production servers running Windows based in a Boston data center: P-BOS-SRV-WIN-LAD-HR For Financial department test servers in a New York data center running Linux: T-NYC-SRV-LIN-FIN © 2023 CyberArk Software Ltd. All rights reserved Safe Constraints For performance reasons, the number of objects stored in a Safe should be limited to 20,000 This includes versions of passwords The recommended number of accounts or files stored in a Safe is between 3,000 and 5,000 © 2023 CyberArk Software Ltd. All rights reserved Access Control In this section we will discuss how to manage access control to privileged identities in CyberArk © 2023 CyberArk Software Ltd. All rights reserved Least Privilege Objects should be stored in Safes following the principle of “least privilege”. If a user does not NEED access to a password, they should not have access to the Safe containing it. Separate Safes for: ⎼ Windows Desktop Accounts ⎼ Windows Local Administrators ⎼ Windows Domain Accounts The PVWA makes Safe structure largely invisible to end users, so don't oversimplify for their sake. © 2023 CyberArk Software Ltd. All rights reserved The ACME corporation wants to onboard the following accounts to CyberArk: ⎼ 50 Windows server local admin accounts ⎼ 10 Oracle sysadmin accounts 10 Windows servers host Oracle databases (40 Windows servers do not host Oracle databases). The Windows team needs to have access to all Windows Servers local admin accounts Example: The Oracle team needs to have access to all local admin ACME Corporation accounts on Windows Servers hosting Oracle Database and Oracle Database login accounts (sysadmin) How many Safes would you create? Which Safes will be accessed by which team? © 2023 CyberArk Software Ltd. All rights reserved Example: The ACME Corporation 50 Windows servers, of which 10 host Oracle databases WIN-SRV 40 50 Windows Server Accounts Windows Team 10 WIN-SRV-ORA 10 sysadmin 10 DB-ORA accounts Oracle Team © 2023 CyberArk Software Ltd. All rights reserved Granular Safe Permissions © 2023 CyberArk Software Ltd. All rights reserved Safe Permissions In the Safe Members tab, we can see the Users and Groups who have been granted access to this Safe And if we have the appropriate permissions, we can also add new members to the Safe and assign them permissions. Access to accounts and their passwords is managed through the permissions assigned to Members of the individual Safes © 2023 CyberArk Software Ltd. All rights reserved Permissions: Access The permissions are organized into groups for convenience: Access Account management Safe management and monitoring Workflow Advanced © 2023 CyberArk Software Ltd. All rights reserved Permissions: Access Users who have the List Accounts permission can see the accounts in the Safe Users who have the Use Accounts and List Accounts permissions can use the accounts in the Safe to log on to a remote machine through a PSM connection Users who also have the Retrieve Accounts permission can view the account password and copy it © 2023 CyberArk Software Ltd. All rights reserved Permissions: Account Management Account Management permissions enable users to perform such tasks as: Add accounts Edit accounts Initiate account management operations through the CPM Rename accounts Delete accounts Unlock accounts © 2023 CyberArk Software Ltd. All rights reserved Permissions: Safe Management Users who have the Manage Safe permission can modify some of the Safe properties Users who have the Manage Safe Members permission can add or remove users and groups – both Vault users and external LDAP users – to Safes and specify their Safe authorizations © 2023 CyberArk Software Ltd. All rights reserved Creating and Managing Safes In this section we will discuss: ⎼ The purpose of using Safes ⎼ Creating a new Safe ⎼ Assigning Safe permissions ⎼ The connection between Safes and Platforms © 2023 CyberArk Software Ltd. All rights reserved Policies, Platforms, Safes, and Accounts Add exceptions Review/Edit Create Add to Master Policy Create Safes Master Policy Platforms Accounts based on Platforms Business/audit rules Technical settings for Exceptions to Access control Individual objects for managing managing passwords Master Policy rules containing the required passwords information (address, Basis for exceptions username, password, Global policy etc.) to manage settings privileged accounts © 2023 CyberArk Software Ltd. All rights reserved Add Safes Not all users have the right to add Safes Vault Admins and Safe Managers have this permission © 2023 CyberArk Software Ltd. All rights reserved Add Safe Prior to version 12.6, Safe creation was performed through the “classic” interface. This interface is still available, but a new wizard has been added to streamline the process of creating Safes and adding the initial members. Remember: A safe name cannot be more than 28 characters Object-level access control is not recommended © 2023 CyberArk Software Ltd. All rights reserved Access Control: Add Safe Members Using the new wizard, you can search for users or groups in the Vault or in LDAP © 2023 CyberArk Software Ltd. All rights reserved Access Control: Add Safe Members Permission presets © 2023 CyberArk Software Ltd. All rights reserved Access Control: Add Safe Members Adding members and managing permissions © 2023 CyberArk Software Ltd. All rights reserved Predefined Users and Groups © 2023 CyberArk Software Ltd. All rights reserved Platforms and Safes Using the AllowedSafes parameter, you can limit the scope of a particular platform to only those Safes that match the regular expression pattern For example, Accounts associated with the LIN SSH 30 Platform can only be stored in Safes that start with the string - “Lin-” This will help improve the performance of the CPM and simplify administrative tasks © 2023 CyberArk Software Ltd. All rights reserved Summary © 2023 CyberArk Software Ltd. All rights reserved In this session we covered: Summary The Vault model What is a Safe The key criteria for designing a Safe model Basic Access Control concepts and Safe permissions How to create and manage Safes How to add Safe Members and assign them permissions © 2023 CyberArk Software Ltd. All rights reserved You may now complete the following exercise: Securing Windows Domain Accounts Exercises Safe Management ̶ Creating a Safe ̶ Add Safe Members PrivateArk Client/PVWA Safe Permissions There are some differences in the terminology used in the Private Ark Client and the PVWA Private Ark Client ⎼ Owners List ⎼ Files PVWA ⎼ Members List ⎼ Accounts © 2023 CyberArk Software Ltd. All rights reserved
