PAM Administration Vault Security PDF

Summary

This document details CyberArk's PAM Administration Vault Security training material, covering the security controls around the Vault, the encryption key files, and how Vault objects are encrypted. It is presentation or training material on the topic.

Full Transcript

PAM Administration Vault Security
© 2023 CyberArk Software Ltd. All rights reserved

Agenda
In this session, we will look at:
1. Vault security controls
2. Vault Encryption and Key Management

Vault Security Controls

The Vault: An Island of Security
Isolating the Server
- No domain membership or trusts
- No DNS or WINS
  – Uses a manually configured Host file
Hardening the Server
- Remove unnecessary services
- Secure configuration for remaining services
- Only Vault Server and PrivateArk Client are installed
- No additional applications

Documentation Resources
There are several documents that are key to successfully protecting your implementation. They include:
- Security Fundamentals
- Digital Vault Security Standard

Security Fundamentals
Details eight controls to protect your CyberArk deployment and, therefore, your privileged accounts:
1. Isolate and Harden the Digital Vault Server
2. Use Two-Factor Authentication
3. Restrict Access to Component Servers
4. Limit Privileges and Points of Administration
5. Protect Sensitive Accounts and Encryption Keys
6. Use Secure Protocols
7. Monitor Logs for Irregularities
8. Create and Periodically Test a CyberArk Disaster Recovery Plan

CyberArk Digital Vault Security Standards
Securing your CyberArk implementation is CRITICAL! The CyberArk Digital Vault Security Standard describes how to securely configure and maintain the digital vault.
It details:
1. The Vault Security Layers
2. The Digital Vault Secure Platform and Enterprise Management Tools, including:
   - Backup/HA/DR
   - Virtualization of the Vault
   - Monitoring the Vault
   - Vault domain membership
   - Remote Administration
   - Anti-virus
   - External Storage
In almost all cases, installing third-party applications, virtualization, and external storage result in a relaxation of security. All customers and partners should carefully read the Secure Platform document.

The Vault: End-to-End Security
- Vault Firewall: hardened built-in Windows Firewall
- User Authentication: single or two factor (recommended)
- Discretionary Access Control: granular permissions; role based access control
- Mandatory Access Control: subnet based access control; time limits and delays
- Auditing: tamperproof audit trail; event-based alerts
- Session Encryption: proprietary protocol; OpenSSL encryption
- Stored Credential File Encryption: hierarchical encryption model; every object has a unique key

Vault Encryption and Key Management

Encryption Keys
There are three files that form the cornerstone of the CyberArk PAM solution encryption methodology. These encryption key files are required to install and operate CyberArk PAM. They are:
- Server Key
- Recovery Public Key
- Recovery Private Key
Let's have a look at how these keys are used to protect the keys to your kingdom.

Vault Object Encryption – Day-to-Day Operations
[Figure: Vault – Server Key (AES-256); Safe – Safe Key (AES-256); Password – File Key (AES-256)]

Vault Object Encryption – Emergency Measures
[Figure: the same hierarchy, with the Safe Key additionally encrypted by the RecPub Key (RSA 2048) so it can be recovered with the RecPrv Key]

File Encryption Process
Each Credential is stored as an encrypted file on the Vault:
- The File Key is a unique symmetric key (AES-256) generated for each file
- The File Key is then encrypted with the Safe Key, which is a symmetric key (AES-256) unique to the Safe
- The Safe Key is then encrypted with the symmetric Server Key (AES-256), which is unique to the Vault
- The Server Key is loaded into memory when the Vault starts
- A copy of the relevant Safe Key is encrypted with the RecPub Key (RSA 2048) and stored with the Safe

How Encryption Keys are Distributed
Previously, the encryption keys required to install and operate the CyberArk PAM solution were physically delivered in the form of CDs containing the files. As of March 2022, CyberArk delivers these encryption key files via a secure email service. You can go to the link below for more information on key delivery.
https://cyberark-customers.force.com/s/article/Digitized-Encryption-Keys-Delivery-End-User-Guide

Recovery Private Key Storage Strategies
The Recovery Private Key* must be copied to physical media and stored in at least two separate and secure locations: one on the Primary site and one on the Disaster Recovery site.
* AKA the "Master Key"

Server Key Storage Strategies
- Strong: Copy the key to external medium (USB drive, CD-ROM) and store it in a physical safe. Insert the medium whenever starting/restarting the Vault. Key in RAM.
- Convenient: Copy the key to direct attached storage of the Vault server(s) and secure it with NTFS permissions or by encrypting the key with a 3rd-party tool. Always available. Key in RAM.
- Strong & Convenient: Store the Server Key in a Hardware Security Module (HSM). Always available. Key NOT in RAM.
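The three-level hierarchy described under File Encryption Process (File Key wrapped by Safe Key, Safe Key wrapped by Server Key, plus a Safe Key copy under the Recovery Public Key) as an added Go example; this is illustrative code written for this page, not CyberArk's implementation, and it assumes AES-256-GCM and RSA-OAEP as the concrete modes, which the slides do not specify. The day-to-day path and the emergency path both end at the same credential, and a wrong key fails authentication rather than returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k } // fresh AES-256 key
// Seal/Unseal wrap data with AES-256-GCM; GCM is this example's choice, the slides state only AES-256.
func Seal(key, pt []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func Unseal(key, ct []byte) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// WrapSafeKey stores the Safe Key twice: under the Server Key (day-to-day) and under the RecPub Key (emergency).
func WrapSafeKey(serverKey []byte, recPub *rsa.PublicKey, safeKey []byte) (byServer, byRecPub []byte) {
	byRecPub, _ = rsa.EncryptOAEP(sha256.New(), rand.Reader, recPub, safeKey, nil)
	return Seal(serverKey, safeKey), byRecPub
}

// EncryptFile: a unique File Key encrypts the credential, then the Safe Key wraps that File Key.
func EncryptFile(safeKey, secret []byte) (wrappedFileKey, ciphertext []byte) {
	fileKey := NewKey()
	return Seal(safeKey, fileKey), Seal(fileKey, secret)
}

// DecryptFile walks the chain downward (Safe Key -> File Key -> credential); a wrong Safe Key fails GCM authentication.
func DecryptFile(safeKey, wrappedFileKey, ciphertext []byte) ([]byte, error) {
	fileKey, err := Unseal(safeKey, wrappedFileKey)
	if err != nil {
		return nil, err
	}
	return Unseal(fileKey, ciphertext)
}

// RecoverSafeKey is the emergency path: the RecPrv Key ("Master Key") unwraps the Safe Key copy; day-to-day is Unseal(serverKey, byServer).
func RecoverSafeKey(recPrv *rsa.PrivateKey, byRecPub []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recPrv, byRecPub, nil)
}
```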
Summary
In this session we discussed:
- The security controls protecting the Vault and encryption keys
- The encryption mechanisms protecting Vault data
