Remote Access Technical Whitepaper
www.cyberark.com
CYBERARK WHITE PAPER
Table of Contents
The Problem, p. 3
Introducing CyberArk Remote Access, p. 3
Features, p. 4
CyberArk Mobile Application, p. 4
Remote Access Cloud Service, p. 4
HTML5 Gateway, p. 5
Remote Access Connector, p. 5
Onboarding Process, p. 5
Create a Tenant Account in Remote Access service, p. 6
Activate the Tenant, p. 6
Set up the Tenant, p. 6
Set up PAM for Remote Access, p. 6
End-user workflow, p. 7
Invite a user, p. 7
Install the CyberArk Mobile app, p. 7
Registration and access, p. 8
About CyberArk, p. 8
The Problem
Organizations today rely on contractors, managed service vendors and SaaS providers more than ever for critical IT operations
such as managing infrastructure. These external vendors provide valuable services by handling tasks that the organizations are
either unable to do themselves or have chosen to hand off to third parties because of the vendors' specialized expertise.
Further, as the workforce becomes more distributed, employees also require privileged access to critical internal resources
without being tied to the internal network, and they need that access wherever they are, whenever they are working. While these
arrangements improve operational effectiveness by leveraging the power of external vendors and remote employees, they bring
with them significant security considerations and risk, largely stemming from the fact that these people work remotely.
For starters, ensuring that external vendors uphold your own organization's security standards is often overlooked, and vendors
are frequently not held to the same standards as the host organization. This in turn creates a series of risks that only serve to
broaden the attack surface. For years, organizations have looked to Virtual Private Networks (VPNs) to extend private networks to
the remote workforce and enable them to receive and send data as if they were connected to the internal network. VPNs were
introduced in the mid-1990s and provide authenticated remote users with unfettered access throughout the network. The problems
with VPNs have been well documented, especially in recent years. However, according to a 2020 CyberArk survey, 84% of
organizations still rely on VPNs as their primary method of providing remote vendors with privileged access. In reality,
organizations need solutions that provide application-specific or user-role-specific access, something that VPNs simply are not
designed to do.
The use of agents has also long been part of corporate strategy, but like VPNs, agents come with their own set of problems.
Mainly, agents can be cumbersome to manage operationally, and shipping corporate laptops simply is not feasible or affordable.
External vendors and remote employees alike personify the dissolved perimeter facing organizations today: they bring their own
devices, are located somewhere other than company headquarters, require advanced access to sensitive assets, and often are either
sporadically part of, or not part of, the Active Directory (AD). User management done via AD can be onerous for administrators
and also requires the manual provisioning (and de-provisioning) of access rights, which can take weeks, if not longer. In the
same CyberArk study, respondents indicated that leveraging directory services to onboard and de-provision third-party vendors is
the most popular method, showing clear room for improvement for administrators and operations. Additionally, user accounts and
passwords have to be set up and assigned, and the organization must ensure that these remote vendors, who are not part of the
AD, take precautions on password complexity, rotation and overall security.
All these aspects create problems for the security of the organization, additional headaches for security administrators, and
even problems for the remote vendors themselves.
Features
Remote Access combines Zero Trust access, biometric multi-factor authentication, just-in-time provisioning for external vendors,
and full integration with CyberArk Privileged Access Manager for full visibility and audit for administrators, into one single
SaaS solution. By requiring remote users to authenticate their identities using the modern biometric capabilities of smartphones,
organizations are able to introduce a Zero Trust framework for remote users seeking access to critical assets being managed
by CyberArk. While onboarding users, security administrators can provision access to external vendors for a specific amount of
time and/or a specific number of sessions. This provides external vendors with the minimum amount of access they need, and
automatically de-provisions access when it is no longer required, a staple of the just-in-time concept. The direct integration
with CyberArk Privileged Access Manager ensures that all remote users, whether vendors or employees, automatically use the
secure control point, which isolates and records their sessions whenever they need access.
CyberArk Mobile Application
When the application authenticates a user, it asks the mobile device kernel to ask the Mobile Device Secure Area if the authorized
person is indeed the one holding the phone. The device subsequently checks against internally stored validation data using
fingerprint or facial recognition technology. A pass or fail response is then sent back to the mobile application. This pass or fail
response is the only information that the CyberArk Mobile application receives for the authentication question, not how it was
calculated, nor the biometric data used.
If the user gets a pass response and successfully authenticates, the app passes the information contained in the QR code and the
identity of the confirmed user to the relevant Remote Access Cloud Service (for registration, authentication, and/or verification
purposes).
If for any reason the signature of the biometric data on the phone is changed, even by a legitimate user adding an additional
fingerprint, for example, the connection between the CyberArk Mobile app and the service is immediately severed to prevent
tampering. The user will then need to reverify their onboarding process before being able to log in via Remote Access again.
Remote Access Cloud Service
The Remote Access Cloud Service uses AWS managed micro-services inside of Kubernetes Pods configured for auto scaling. The
result is an agile and fully scalable service where additional resources are spun up and deployed seamlessly to meet additional need.
The design of the full solution ensures that no user credentials or biometric data are stored in the Remote Access Cloud Service. All
traffic which passes through the SaaS is encrypted end-to-end, and CyberArk does not have access to the unencrypted traffic at
any time via the SaaS service.
HTML5 Gateway
The Remote Access full integration with CyberArk Privileged Access Manager ensures that the external vendors and remote
employees that access critical systems do so via CyberArk’s session management capabilities. CyberArk’s HTML5 Gateway is part
of Privileged Access Manager and is responsible for tunneling the session between the Remote Access Connector and CyberArk’s
session management capabilities by “translating” incoming web protocol to outgoing RDP over TLS.
The HTML5 Gateway is a hardened and secured component which is placed inside the internal network. It is implemented as a
Docker container that can be installed on the same host as the Remote Access connector. It uses Apache Guacamole and requires a
web server to be installed, preferably (but not necessarily) Tomcat.
After logging on to the CyberArk web-based portal (Password Vault Web Access or ‘PVWA’) and connecting to an internal system
via a privileged account, a session is redirected to go through the Remote Access connector and the HTML5 Gateway. The session
itself is performed in the web browser window, agnostic of the vendor’s workstation OS or browser.
Within Privileged Access Manager, each Privileged Session Manager (PSM) server can be configured to work with the HTML5 Gateway.
Multiple PSM servers can work with the same gateway or with different gateways. Organizations can also deploy multiple HTML5
Gateway servers behind a load balancer. When an end user connects with an account, the web-based portal redirects the connection
through the gateway or load balancer that is configured for that PSM server.
Remote Access Connector
The Remote Access connector is configured as a SAML identity provider (IDP) and also as an OpenLDAP server to facilitate Remote
Access configured user provisioning to the web-based portal and CyberArk Vault. The connector also holds the secure data keys and
unique private certificates that validate the Remote Access end-to-end encryption chain, thus helping to ensure that all customer
secrets remain in the customer's control and ownership.
The Remote Access Connector's first initialization and any subsequent login for Connector management are performed using the
CyberArk Mobile app, thereby leveraging the biometric authentication and QR code authorization method also used by the Remote
Access Cloud Service.
Onboarding Process
User onboarding is an important task, as external vendors are typically not part of the Active Directory and require granular,
role-based access. Onboarding users with Remote Access is easy for administrators and secure for end-users.
To start using Remote Access, an organization goes through the following stages: Create a Tenant Account in the Remote Access
Service -> Activate the Tenant -> Set up the Tenant.
The Administrator downloads the CyberArk Mobile app to their mobile phone and registers (see “end-user workflow” for details).
Next, the Administrator installs a Remote Access connector on a dedicated machine inside the site (see “Remote Access Connector”
section for details on the connector). Each site will use a dedicated connector.
Lastly, the Remote Access Administrator adds CyberArk PAM as an application that can be accessed via Remote Access.
The next step is to set up Remote Access as a SAML identity provider (IDP) for the web-based portal, so that user authentication
from Remote Access is accepted by the web-based portal.
Lastly, the Vault Administrator configures Privileged Access Manager to integrate with Remote Access as an LDAP directory so that
Remote Access can provision and de-provision external vendors as users. When Remote Access provisions a vendor as a user, it adds
that user to the groups that are defined in the invitation process (see "end-user workflow"). It is recommended to create dedicated
Vault groups with permissions for the relevant accounts that the organization wishes the vendors to access.
End-user workflow
Invite a user
From the Remote Access portal, an Administrator can invite external vendors and remote employees to access Privileged Access
Manager. The invitation includes, among others, the following details and configurations:
• User details: Name, Email address, the phone number that the user set when they registered (or will register) to
Remote Access.
• Allow or deny this vendor to invite other vendors (useful when the organization wishes to delegate the responsibility to a
specific person from the vendor to invite their employees).
Once completed, the user will receive an invitation email. Vendors who were granted permission to invite other vendors can do
so from the Remote Access portal as well.
Registration and access
Using the CyberArk mobile app on their mobile phone, they scan the QR code and join the Remote Access tenant for the first time.
Biometric authorization is also used to verify and authenticate the user identity.
Afterwards, they sign in to Remote Access by scanning the QR code with their mobile phone and using their phone's biometric
authentication to authenticate and display the Applications page. Now, the user can log in to the web-based portal, either by
selecting the CyberArk PAM icon in the Remote Access portal, or by copying the PVWA URL from the Remote Access portal and
connecting directly to it. The user can also bookmark it in the browser. Users can also initiate privileged sessions directly from
their desktop or mobile device with connection manager and RDP clients when the Administrator sets the "allow secure native
access" toggle to on. Once they reach the web-based portal, they will see and use accounts according to their groups' permissions.
The user can access the web-based portal (through the direct URL or through the Remote Access portal) during the allowed
timeframe and only if they have not exceeded the number of allowed sessions. Upon each access, they will authenticate with the
Remote Access authentication method.
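The time-boxed, session-counted grant described here and in the Features section, together with the just-in-time provisioning into Vault groups from the onboarding section, modelled as an added Python example (this is not CyberArk's code; the Invitation fields, the in-memory group directory and the sample values are constructed assumptions):

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

Directory = Dict[str, Set[str]]  # Vault group name -> member emails (constructed stand-in)
@dataclass  # constructed model of an invitation's limits; not CyberArk's data model or code
class Invitation:
    email: str
    vault_groups: List[str]   # Vault groups the vendor joins when provisioned
    valid_from: datetime
    valid_until: datetime     # end of the administrator-granted access window
    max_sessions: int         # sessions allowed inside that window
    sessions_used: int = 0
    provisioned: bool = False

def provision(inv: Invitation, directory: Directory) -> None:
    """Just-in-time: the user exists in the directory only once access is actually used."""
    for group in inv.vault_groups:
        directory.setdefault(group, set()).add(inv.email)
    inv.provisioned = True

def deprovision(inv: Invitation, directory: Directory) -> None:
    """Remove the user from every group so nothing lingers after the grant ends."""
    for group in inv.vault_groups:
        directory.get(group, set()).discard(inv.email)
    inv.provisioned = False

def authorize_session(inv: Invitation, directory: Directory, now: datetime) -> Tuple[bool, str]:
    """Decide one portal access after the QR + biometric step has already passed."""
    if now < inv.valid_from:
        return False, "access window not open yet"
    if now >= inv.valid_until:
        deprovision(inv, directory)
        return False, "access window closed; user de-provisioned"
    if inv.sessions_used >= inv.max_sessions:
        deprovision(inv, directory)
        return False, "session quota exhausted; user de-provisioned"
    if not inv.provisioned:
        provision(inv, directory)
    inv.sessions_used += 1
    return True, "session %d of %d" % (inv.sessions_used, inv.max_sessions)

def sweep_expired(invites: List[Invitation], directory: Directory, now: datetime) -> List[str]:
    """Scheduled clean-up: de-provision grants that ended without another login attempt."""
    removed = []
    for inv in invites:
        if inv.provisioned and (now >= inv.valid_until or inv.sessions_used >= inv.max_sessions):
            deprovision(inv, directory)
            removed.append(inv.email)
    return removed
```

The sweep matters because a vendor who never logs in again would otherwise stay provisioned until the next denied attempt.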
About CyberArk
CyberArk (NASDAQ: CYBR) is the global leader in Identity Security. Centered on privileged access management, CyberArk provides
the most comprehensive security solutions for any identity, human or machine, across business applications, distributed
workforces, hybrid cloud workloads, and throughout DevOps pipelines. The world's leading organizations trust CyberArk to help
secure their most critical assets. To learn more about CyberArk, visit www.cyberark.com.
©Copyright 2021 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express
written consent of CyberArk Software. CyberArk®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks)
of CyberArk Software in the U.S. and other jurisdictions. Any other trade and service names are the property of their respective owners.
CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied
warranties and is subject to change without notice. U.S., 06.21 Doc. 398421227
THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED "AS IS" WITH NO WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED,
INCLUDING WARRANTY OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE. IN NO EVENT SHALL CYBERARK
BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND IN PARTICULAR CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR
INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR LOSS OF USE, COST OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA
ARISING FROM USE OF OR IN RELIANCE ON THIS PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.