The Vault
Objectives
Seven Layers of Security
Layers of Security in the Digital Vault
Diagram: end-to-end security between the Vault user and the stored credential, built from session encryption, a firewall, authentication, segregation of duties (discretionary and mandatory access control), comprehensive monitoring with tamper-proof auditability, and hierarchical encryption.

1. Session Encryption
• Proprietary Protocol
• OpenSSL Encryption
2. Firewall
• Hardened built-in Windows Firewall
3. Authentication
• Single or Dual Factor Authentication (dual factor recommended)
4. Discretionary Access Control
• Granular Permissions
• Role Based Access Control
5. Mandatory Access Control
• Subnet Based Access Control
• Time Limits and Delays
6. Auditing
• Tamperproof Audit Trail
• Event Based Alerts
7. File Encryption
• Hierarchical Encryption Model
• Every object has a unique key
1. Session Encryption
Diagram: end users (IT staff, auditors, etc.) and Vault administrators connect to the Vault over encrypted sessions.
2. Firewall
▪ After installation the Vault takes control of the Windows firewall.
▪ By default only the CyberArk proprietary protocol port (TCP/1858) and several other ports for administration are open for communication.
▪ The firewall should be managed through the CyberArk configuration files, not through the Windows OS tools.
▪ If the firewall is down, no external communication is allowed.
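As an added example (not part of the original slides and not CyberArk tooling), the following read-only PowerShell check confirms the state the slide describes: the Windows firewall enabled on every profile with inbound traffic blocked by default, and only the approved ports listening or allowed inbound. It changes no rules, so it does not conflict with the guidance to manage the firewall through the CyberArk configuration files. The approved-port list is an assumption: TCP/1858 comes from the slide, and the administration ports must be filled in from your own hardening baseline.

```powershell
# Added example, not CyberArk's code: read-only verification of the Vault
# host firewall. Run in an elevated PowerShell session on the Vault server.
param(
    # Assumption: 1858 is the CyberArk protocol port named on the slide; add
    # the administration ports from your own baseline before relying on this.
    [int[]]$ApprovedPorts = @(1858)
)

# 1. The firewall must be on for every profile, with inbound blocked by default.
Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled) {
        Write-Warning "Firewall profile '$($_.Name)' is DISABLED"
    } elseif ($_.DefaultInboundAction -ne 'Block') {
        Write-Warning "Profile '$($_.Name)' default inbound action is '$($_.DefaultInboundAction)', expected 'Block'"
    }
}

# 2. TCP ports listening on something other than loopback.
$listening = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Select-Object -ExpandProperty LocalPort -Unique |
    Sort-Object

# 3. TCP ports opened by enabled inbound allow rules (port ranges such as
#    '135-139' appear as a single string and are flagged unless listed verbatim).
$allowedByRule = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -ne 'Any' } |
    Select-Object -ExpandProperty LocalPort |
    Sort-Object -Unique

# 4. Report anything reachable that is not on the approved list.
$approvedAsStrings = $ApprovedPorts | ForEach-Object { "$_" }

foreach ($port in $listening) {
    $status = if ($port -in $ApprovedPorts) { 'approved' } else { 'UNEXPECTED' }
    '{0,-6} listening   {1}' -f $port, $status
}

$unexpectedRules = $allowedByRule | Where-Object { $_ -notin $approvedAsStrings }
if ($unexpectedRules) {
    Write-Warning "Enabled inbound allow rules open ports outside the approved list: $($unexpectedRules -join ', ')"
} else {
    'Inbound allow rules open only approved ports.'
}
```

Treat any UNEXPECTED line or warning as a finding to reconcile against the CyberArk configuration, not as something to fix with the Windows firewall tools.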
3. Authentication
4. Discretionary Access Control
5. Mandatory Access Control
6. Auditing
7. File Encryption
Encryption Keys
Encryption Hierarchy
Diagram: recovery key pair (RecPub / RecPrv) at the top, then the Server Key, then the Vault's per-object Object Keys (AES-256) protecting the stored passwords.
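To make the hierarchy concrete, here is an added example (not CyberArk's implementation, and not from the original slides) of a hierarchical encryption model in PowerShell using the .NET AES classes: every stored password gets its own random 256-bit Object Key, and the Server Key encrypts (wraps) each Object Key. The payoff of the layering is shown at the end: rotating the Server Key only re-wraps the small Object Keys, while the password ciphertexts stay byte-for-byte unchanged. Assumptions: AES-256-CBC with PKCS7 padding and a fresh IV per encryption (the slide names AES-256 but not the mode); keys are held in memory only; the recovery key pair from the diagram is not modelled; the sample names and passwords are constructed.

```powershell
# Added example, not CyberArk's code: a two-level key hierarchy
# (Server Key wraps Object Keys; Object Keys encrypt the stored passwords).
# Assumption: AES-256-CBC/PKCS7 via .NET; the real Vault construction is not
# described on this page.

function New-AesKey {
    # 32 random bytes = one 256-bit AES key
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    return $key
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plaintext) {
    # Fresh random IV for every call; the IV is prepended to the ciphertext.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Key = $Key
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    return [byte[]]($aes.IV + $ct)
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    # First 16 bytes are the IV, the rest is the ciphertext.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    return $aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

# Root of this hierarchy. In the real Vault the Server Key lives outside the
# Vault data (see the key storage strategies that follow).
$script:serverKey = New-AesKey
$script:vault = @{}   # object name -> @{ WrappedKey; Data }

function Add-StoredPassword([string]$Name, [string]$Password) {
    # One unique Object Key per stored object, wrapped by the Server Key.
    $objectKey = New-AesKey
    $script:vault[$Name] = @{
        WrappedKey = Protect-Bytes -Key $script:serverKey -Plaintext $objectKey
        Data       = Protect-Bytes -Key $objectKey -Plaintext ([Text.Encoding]::UTF8.GetBytes($Password))
    }
}

function Get-StoredPassword([string]$Name) {
    $entry     = $script:vault[$Name]
    $objectKey = Unprotect-Bytes -Key $script:serverKey -Blob $entry.WrappedKey
    return [Text.Encoding]::UTF8.GetString((Unprotect-Bytes -Key $objectKey -Blob $entry.Data))
}

function Update-ServerKey {
    # Server Key rotation: re-wrap every Object Key; password ciphertexts untouched.
    $newKey = New-AesKey
    foreach ($name in @($script:vault.Keys)) {
        $objectKey = Unprotect-Bytes -Key $script:serverKey -Blob $script:vault[$name].WrappedKey
        $script:vault[$name].WrappedKey = Protect-Bytes -Key $newKey -Plaintext $objectKey
    }
    $script:serverKey = $newKey
}

# Constructed sample data (not real credentials).
Add-StoredPassword -Name 'svc-backup' -Password 'constructed-sample-1'
Add-StoredPassword -Name 'db-admin'   -Password 'constructed-sample-2'

$dataBefore = [Convert]::ToBase64String([byte[]]$script:vault['svc-backup'].Data)
Update-ServerKey
$dataAfter  = [Convert]::ToBase64String([byte[]]$script:vault['svc-backup'].Data)

"Recovered after rotation : $(Get-StoredPassword -Name 'svc-backup')"
"Password blob unchanged  : $($dataBefore -eq $dataAfter)"
```

The same structure is what makes the Server Key worth protecting separately from the Vault data: whoever holds it can unwrap every Object Key, which is why the next slides treat where that key is stored as a design decision rather than a detail.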
How Encryption Keys are Distributed
Master Key Storage Strategies
Operator Key Storage Strategies
Strong
• Store the Operator CD in a secure location and mount the CD whenever starting or restarting the Vault.
Convenient
• Copy the contents of the Operator CD to the direct attached storage of the Vault server(s) and secure it with NTFS permissions.
Vault Hardening
An Island of Security
Hardening: Windows Services
Hardening: Firewall
Firewall before Vault installation
Administration Tools
Central Administration Station
Diagram: Central Administration Station (stop/start the Vault, ITALOG.LOG).
PrivateArk Client
Remote Control Agent
▪ The Remote Control Agent allows you to perform several Vault admin tasks (without restarting the Vault) and view machine statistics.
▪ Executed from a remote machine (no need to open the RDP port).
▪ Communicates through the CyberArk protocol.
Note: The Remote Control Agent is also required to send out SNMP traps.
Configuration and Log Files
Vault Configuration Files
▪ dbparm.ini
  ■ Main configuration file of the Vault.
  ■ Any change requires a restart of the Vault service.
▪ Passparm.ini
  ■ Configures the password policy of the Vault.
▪ PARagent.ini
  ■ Configures the Remote Control Agent in the Vault.
  ■ SNMP configuration.
dbparm.ini
Vault Log Files
▪ Italog.log
  ■ Main log file of the Vault server.
▪ Trace.d0
  ■ Trace file of the Vault.
  ■ Its level of detail follows the debug level configured in dbparm.ini.
Vault Configuration Files and Logs (File System)
▪ The Vault configuration and log files can be found in the Server folder.
Vault Configuration Files and Logs (PrivateArk)
▪ The Vault's main configuration files and logs can also be accessed from remote stations using the PrivateArk Client (under the System safe).
Summary