
CyberArk University

The Vault
Objectives

By the end of this lesson you will be able to:

▪ Describe the different layers of security that protect the Vault data
▪ Describe the Vault server environment

Seven Layers of Security
Layers of Security in the Digital Vault

[Diagram: the Stored Credential sits at the centre of concentric layers (Firewall, Authentication, Session Encryption, Segregation of Duties, Comprehensive Monitoring, Tamper-Proof Auditability, Hierarchical Encryption), giving End to End Security between the Vault and the User.]

Session Encryption
• Proprietary Protocol
• OpenSSL Encryption

Firewall
• Hardened built-in Windows Firewall

Authentication
• Single or Dual Factor Authentication (recommended)

Discretionary Access Control
• Granular Permissions
• Role Based Access Control

Mandatory Access Control
• Subnet Based Access Control
• Time Limits and Delays

Auditing
• Tamperproof Audit Trail
• Event Based Alerts

File Encryption
• Hierarchical Encryption Model
• Every object has a unique key

1. Session Encryption

▪ The CyberArk Proprietary Protocol uses TCP/1858.
▪ Forces users to use the CyberArk interfaces to access the Vault.
▪ Users can be restricted to specific interfaces such as PVWA or PACLI.
▪ Encryption/Decryption on the client side - no bottleneck on the server side.

[Diagram: the Vault communicating over the encrypted proprietary protocol with End Users (IT Staff, Auditor, etc.) and with Vault Administrators.]

2. Firewall

▪ After installation the Vault takes control over the Windows firewall.
▪ By default only the CyberArk Proprietary Protocol port (TCP/1858) and several other ports for administration are open for communication.
▪ The firewall should be managed through CyberArk configuration files and not through the Windows OS tools.
▪ If the firewall is down, no external communication is allowed.

3. Authentication

▪ CyberArk (Vault) Authentication
▪ LDAP Authentication
▪ RADIUS
▪ Windows Authentication
▪ User certificate (PKI)
▪ RSA SecurID
▪ Oracle SSO
▪ SAML

4. Discretionary Access Control

▪ Vault level permissions
▪ Safe level permissions

5. Mandatory Access Control

▪ Geographical Control (Network Area)
▪ Time Limitations

6. Auditing

▪ ALL Vault activity is logged in a tamperproof audit trail.
▪ Event based notification allows alerting on specific Vault actions.
▪ The Audit database is protected and is not accessible.

7. File Encryption

▪ Modular structure – the Encryption, Hashing and Authentication modules can be replaced by the customer.
▪ Supported Encryption and Hash Algorithms – AES-256 / AES-128, RSA-2048 / RSA-1024, 3DES, SHA1.
▪ Every object has a unique encryption key.
▪ When a user is removed from the system, they hold no encryption key.
▪ Secure recovery mechanism for encryption keys.
▪ Backups are always encrypted and always recoverable.

Encryption Keys
Encryption Hierarchy

[Diagram: Vault -> Server Key (AES-256), alongside the recovery key pair RecPub / RecPrv (RSA 2048); Safes -> Safe Key (AES-256); Passwords (*****) -> Object Key.]

How Encryption Keys are Distributed

▪ Every new system is shipped with two CDs:
▪ Operator CD
■ The Operator CD contains:
• Server Key
• Recovery Public Key
■ Operator CD keys are required to install and start the Vault server.
▪ Master CD
■ The Master CD contains:
• Server Key
• Recovery Public Key
• Recovery Private Key (used in emergency situations)
■ Master CD keys are required for emergencies (login as Master, recover the Vault, or re-key the Vault).
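The following is an added worked model of the Encryption Hierarchy slide and of the Operator CD / Master CD split above; it is not CyberArk's code, and the slides do not describe the real key formats. The Server Key wraps a Safe Key, the Safe Key wraps an Object Key, and the Object Key encrypts the password; the model further assumes, from RecPub / RecPrv being drawn beside the Server Key, that the Recovery Public Key escrows the Server Key so the Recovery Private Key on the Master CD can recover it. AES-256-GCM and RSA-2048 OAEP are this model's choices; the slides name only AES-256 and RSA 2048.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Record is one stored password, outermost tier first: Safe Key sealed under the Server Key, Object Key sealed under the Safe Key, password sealed under the Object Key.
type Record struct{ Safe, Object, Password []byte }
func randKey() []byte { k := make([]byte, 32); rand.Read(k); return k } // fresh AES-256 key
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g } // keys here are always 32 bytes
// seal prepends a fresh random nonce; open authenticates, so a wrong key or a tampered tier fails closed.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	n := make([]byte, g.NonceSize())
	rand.Read(n)
	return g.Seal(n, n, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// Store mints a Safe Key (shared by a safe's objects in the real layout) and a unique Object Key per password.
func Store(serverKey, password []byte) Record {
	safeKey, objKey := randKey(), randKey()
	return Record{seal(serverKey, safeKey), seal(safeKey, objKey), seal(objKey, password)}
}
// Retrieve walks down the tiers: each value opened becomes the key for the next ciphertext.
func Retrieve(serverKey []byte, r Record) (out []byte, err error) {
	out = serverKey
	for chain := [][]byte{r.Safe, r.Object, r.Password}; err == nil && len(chain) > 0; chain = chain[1:] {
		out, err = open(out, chain[0]) // on failure open returns nil, so the caller gets (nil, err)
	}
	return
}
// RecPub/RecPrv model the RSA 2048 pair beside the Server Key (this model assumes RecPub escrows the Server Key): RecPub from the Operator CD seals it, RecPrv from the Master CD recovers it.
func NewRecoveryPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func Escrow(recPub *rsa.PublicKey, serverKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recPub, serverKey, nil)
}
func Recover(recPrv *rsa.PrivateKey, escrowed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recPrv, escrowed, nil)
}
```

Retrieve fails closed at whichever tier the key is wrong or the ciphertext was altered, which is what makes a lost Server Key a recovery event rather than a data-exposure event.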

Master Key Storage Strategies

Always store the Master CD in a secure location (physical safe).

Operator Key Storage Strategies

Strong
• Store the Operator CD in a secure location and mount the CD whenever starting/restarting the Vault.

Convenient
• Copy the contents of the Operator CD to the Direct Attached Storage of the Vault server(s) and secure with NTFS permissions.

Strong & Convenient
• Copy only the Recovery Public Key to the server and store the Server Key in a Hardware Security Module.

Vault Hardening
An Island of Security

▪ Isolating the Server
■ No domain membership or trusts.
■ Only TCP/IP v4.
■ No DNS or WINS.
• Uses a manually configured hosts file.

▪ Hardening the Server
■ Remove unnecessary services.
■ Safe configuration for remaining services.
■ Only the Vault Server and PrivateArk Client are installed.
■ No additional applications.

Hardening: Windows Services

[Screenshots: Windows services before Vault installation vs. services post hardening.]

Hardening: Firewall

[Screenshots: the Windows Firewall before Vault installation vs. post hardening.]

Administration Tools
Central Administration Station

▪ Some of the operations the Server Interface allows are:
■ Starting the Server, which then begins operating as a Windows service.
■ Stopping the Server.
■ Displaying the Server log.
▪ The Server interface can only be installed on the Server host.

[Screenshot: the Server interface, with its stop/start controls and the ITALOG.LOG view.]

PrivateArk Client

▪ The PrivateArk Client is the administrative interface to the Vault.
▪ The PrivateArk Client can be installed on any station with access to the Vault.

Remote Control Agent

▪ The Remote Control Agent allows you to perform several Vault admin tasks (without restarting the Vault) and view machine statistics.
▪ Executed from a remote machine (no need to open the RDP port).
▪ Communicates through the CyberArk protocol.
Note: The Remote Control Agent is also required to send out SNMP traps.

[Screenshot: monitoring the Vault status using the Remote Client.]

Configuration and Log Files
Vault Configuration Files

▪ dbparm.ini
■ Main Configuration file of the Vault
■ Any change requires a restart of the Vault service.

▪ Passparm.ini
■ Configure password policy of the Vault

▪ PARagent.ini
■ Configure Remote Control Agent in the Vault
■ SNMP Configuration

dbparm.ini

▪ dbparm.ini: Log Level, Server Key, Syslog, Timeouts, Recovery Key.
▪ dbparm.sample.ini: contains all the possible configuration options.
▪ dbparm.ini.good: contains the last known good configuration of the dbparm.ini file; created automatically when the Vault server comes up.

Vault Log Files

▪ Italog.log
■ Main log file of the Vault server.

▪ Trace.d0
■ Trace file of the Vault.
■ It is detailed according to the debug level configured in the dbparm.ini.

Vault Configuration Files and Logs (File System)

▪ The Vault configuration and log files can be found in the Server folder.

Vault Configuration Files and Logs (PrivateArk)

▪ The Vault’s main configuration files and logs can also be accessed from remote stations using the PrivateArk Client (under the System safe).

Summary

This session covered:

▪ Hardened Vault Server is an Island of Security
▪ Seven Layers of Security Controls