
Managing Privileged Account Security

Trusted Privileged Account Security Experts


CyberArk Privileged Account Security Solution

Management Portal/Web Access

• Discovery and Audit™
• Enterprise Password Vault®
• SSH Key Manager
• Privileged Session Manager®
• Application Identity Manager™
• On-Demand Privileges Manager™
• Privileged Threat Analytics

Master Policy

Secure Digital Vault™

Any Device, Any Datacenter – On Premise, Hosted or In The Cloud

Enterprise Password Vault Infrastructure

1. Master/exception policy definition

Diagram components: Security/Risk Management, Policy, Central Policy Manager, Vault, Password Vault Web Access, Enterprise IT Environment

Vault

System    User           Pass
Unix      root           tops3cr3t
Oracle    SYS            tops3cr3t
Windows   Administrator  tops3cr3t
z/OS      DB2ADMIN       tops3cr3t
Cisco     enable         tops3cr3t

Master Policy: “Native” language, simplified management

• In-Line Help: for quick answers
• Basic Policy rules, grouped by topic
• Managing Exceptions and
• Separating Basic and Advanced settings (including dependencies)

Enterprise Password Vault Overview

1. Master/exception policy definition
2. Initial load & reset: Automatic Detection, Bulk upload, Manual

Diagram components: Policy, Central Policy Manager, Vault, Password Vault Web Access, Enterprise IT Environment

Passwords shown in the diagram: gviNa9%, X5$aq+p, lm7yT5w, Tojsd$5fh, y7qeF$1

Vault

System    User           Pass
Unix      root           tops3cr3t
Oracle    SYS            tops3cr3t
Windows   Administrator  tops3cr3t
z/OS      DB2ADMIN       tops3cr3t
Cisco     enable         tops3cr3t

What happens next?

CyberArk Applications Identity Management: A variety of solutions

“Push” solutions for changing passwords in target systems
• Available for any EPV customer

Application Server Credential Provider
• Transparent data-source credentials management for WebSphere, WebLogic, Tomcat, JBoss

Central Credential Provider
• Light, Agentless, Web service based, for non-mission-critical applications and scripts

Credential Provider
• Windows, *nix, zOS, iSeries
• Java, .Net, CLI, C/C++, COM
• Local caching
• Strong authentication

Hard-coded credentials - Wherever they are…

Configuration files, databases, FTP connections, registry
• Web.config files
• INI/Text Files

Hard-coded credentials - Wherever they are…

Configuration files, databases, FTP connections, registry

Service accounts
• Windows Service
• Scheduled Tasks
• IIS application pool
• IIS Directory Security
• COM+
• Registry

Hard-coded credentials - Wherever they are…

Configuration files, databases, FTP connections, registry

Service accounts

Application Servers

Hard-coded application credentials

    // Before: credentials hard-coded in the application source
    String UserName = "app";
    String Password = "y7qeF$1";
    String Host = "10.10.3.56";
    ConnectDatabase(Host, UserName, Password);

    // After: user name and password are retrieved at run time
    // instead of being stored in the source
    String UserName = getUsername();
    String Password = getPassword();
    String Host = "192.168.3.56";
    ConnectDatabase(Host, UserName, Password);

Hard-coded credentials - Wherever they are…

• Configuration files, databases, FTP connections, registry
• Service accounts
• Application Servers
• Hard-coded application credentials
• Third party applications

CyberArk Credential Providers Architecture

Diagram labels:
• Server 1: Application, Credential Provider (agent)
• Server 2 (agentless): Application
• Server 3 (agentless): Application
• Central Credential Provider (agentless)
• Vault
