Cyber-

Cyber-Ark lesson

Security Layers in the Vault

Objectives

• Review the Vault security concept

• Understand each security layer

2
Tightly Coupled Layers of Security

• US Patent #6,356,941
• Unparalleled centralized secure storage and sharing platform
• Securing data from end-to-end using multiple security layers

Cyber-Ark
LAN, WAN,
Vault Server INTERNET

3
End-to-end Security

1. VPN
2. Firewall
3. Data Access Control
4. Authentication (including PKI and Token
Based).

5. Encryption

6. Content Inspection

7. Secured Backup and Version Control

8-10. Visual, Manual and Geographical Security

4
Vault Competition -
A Handful of Partial Technologies

VPN Firewall

Vs.
Access Encryption
Control

Vault
Compression Access Control

Choosing many product will cause:

Low Security, Low Performance, Complex Admin., Limited Accessibility
and Very Expensive.

5
Hardened Machine

• Dedicated server
• Remove potentially vulnerable services
• Use “safe configuration” for remaining
services

6
Firewall

• Dedicated firewall
• Cannot be configured
• Code isolation

Cyber-Ark Protocol
Only

7
VPN

• End to end security using session key

• Files are encrypted at rest
• Encryption/Decryption on client side - no
bottle neck on server side

8
Encryption Highlights

• Modular structure – Encryption, Hashing and

Authentication modules can be replaced by the
customer.
• Supported Encryption and Hash Algorithms – AES-
256 / AES-128, RSA-2048 / RSA-1024, 3DES, SHA1
• Every object has a unique encryption key
• When a user is removed from the system he holds no
encryption key
• Secure recovery mechanism for encryption keys.
• Backups are always encrypted and always
recoverable.
9
Encryption
• Default Encryption Algorithm –AES 256
bit + RSA 2048
• Key Hierarchy

10
Data Access Control

• Safe - Basic Access Control Unit in the Vault

• Granular access permissions
– Monitor
– Retrieve
– Store
– Delete
– Backup
– More…
• Object Access Level control – retrieve for
files/passwords
• Users are totally unaware of information that is not
intended for their use
11
Authentication Supported:

• Password (using the SRP protocol)

• User certificate (PKI) – including SmartCard / USB
token support
• Radius (Vasco, Aladdin, RSA,etc..)
• RSA SecurID tokens as secondary authentication
• NT Domain (windows integration)
• LDAP Authentication

Always using strong Two-Way authentication protocols.

12
Visual Security

Back
13
Administrators –
No access to data

Back
14
Build-in Users & Groups

• Administrator
• Auditor (Auditors)
• Backup (Backup Users)
• Batch
• DR (DR Users)
• Master
• NotificationEngine (Notifition Engines)
• Operator (Operators)

15
Manual Security
• Confirmation
• Delay
• Time Limitations

16
Geographical Security

• Network Area

17
Additional Security layers

• PADiskMon –protects server’s keys and

sensitive data
• Content Validated safes
• Text Only Safes
• Vault’s Password policy
• Version control
• Data retention policy

18
Cyber-Ark Vault Secured
Environment

• Enterprise requirements vs. Secured

Environment of the Vault
– Monitoring
– Anti Virus
– Backup
– RDP
– NTP
• Vault Server - Dedicated Hardware vs. Virtual
Machines
– Security Vulnerabilities
– Vault Operator and Master Keys
19
Summary

• Vault – Island of security

• “All-In-One” Multi layers security
• More detailed information can be found in the
Technical white papers.

20
Q&A