
WHITE PAPER

PRIVILEGED REMOTE ACCESS


A Growing Attack Vector

www.cyberark.com
CYBERARK WHITE PAPER

Table of Contents
The Problem  3
Introducing CyberArk Remote Access  3
  Features  4
  CyberArk Mobile Application  4
  Remote Access Cloud Service  4
  HTML5 Gateway  5
  Remote Access Connector  5
Onboarding Process  5
  Create a Tenant Account in Remote Access service  6
  Activate the Tenant  6
  Set up the Tenant  6
  Set up PAM for Remote Access  6
End-user workflow  7
  Invite a user  7
  Install the CyberArk Mobile app  7
  Registration and access  8
About CyberArk  8


The Problem
Organizations today rely on contractors, managed service vendors and SaaS providers more than ever for critical IT operations
such as managing infrastructure. These external vendors provide valuable services by handling tasks that the organizations are
either unable to do themselves or have chosen to hand off to 3rd parties because of their specialist expertise. Further, with an
increasingly distributed workforce, employees also require privileged access to critical internal resources without being tied to
the internal network, wherever they are and whenever they are working. While these arrangements aim to improve operational
effectiveness by leveraging the power of external vendors and remote employees, they bring with them significant security
considerations and risk, largely stemming from the fact that the work is done remotely.

For starters, external vendors are often not held to the same security standards as the host organization, and checking that they
uphold those standards is frequently overlooked. This in turn creates a series of risks that only serve to broaden the attack
surface. For years, organizations have looked to Virtual Private Networks (VPNs) to extend private networks to the remote
workforce and enable them to receive and send data as if they were connected to the internal network. VPNs were introduced in
the mid-1990s and provide authenticated remote users with unfettered access throughout the network. The problems with VPNs
have been well documented, especially in recent years. However, according to a 2020 CyberArk survey, 84% of organizations still
rely on VPNs as their primary method of providing remote vendors with privileged access. In reality, organizations need solutions
that provide application-specific or user-role-specific access; something that VPNs simply aren’t designed to do.

The use of agents has also long been part of corporate strategy, but like VPNs, agents come with their own set of problems.
Mainly, agents can be cumbersome to manage operationally, and shipping corporate laptops simply is not feasible or affordable.
External vendors and remote employees alike also personify the dissolved perimeter facing organizations today in that they:
bring their own devices, are located somewhere other than company headquarters, require advanced access to sensitive assets
and often are either sporadically part of, or not a part of, the Active Directory (AD). User management done via AD can
be onerous for administrators and also requires the manual provisioning (and de-provisioning) of access rights, which can take
weeks, if not longer. In the same CyberArk study, respondents indicated that leveraging directory services to onboard and deprovision
3rd party vendors is the most popular method, showing clear room for improvement to help administrators and operations.
Additionally, user accounts and passwords have to be created and assigned, and the organization must also ensure that these remote
vendors, who are not part of the AD, are taking precautions on password complexity, rotation and overall security.

All these aspects create risk for the security of the organization, additional headaches for security administrators and even
problems for the remote vendors themselves.

Introducing CyberArk Remote Access


CyberArk® Remote Access is specifically designed to provide fast, easy and secure privileged access for external vendors and
remote privileged employees that need to access critical internal systems managed by CyberArk. The cloud-based,
multifactor authentication provided with Remote Access leverages the biometric capabilities of smartphones, which in turn
grants authorized remote workers Zero Trust privileged access with a simple glance or tap of a finger. Remote Access
eliminates the need for VPNs, agents or passwords that can frustrate users, add risk and create administrative headaches. Instead,
users authenticate with the smartphone’s native facial or fingerprint recognition to gain secure access to
CyberArk Privileged Access Manager. Once authenticated, all privileged sessions are automatically recorded for full audit and
monitored in real time. External vendors, who are not permanent employees of the company, are provisioned just-in-time
access to Privileged Access Manager via Remote Access, without needing to add the user to the directory service, which can be
cumbersome, time-consuming and error-prone.


Features
Remote Access combines Zero Trust access, biometric multi-factor authentication, just-in-time provisioning for external vendors,
and full integration with CyberArk Privileged Access Manager (giving administrators full visibility and audit) into one single
SaaS solution. By requiring remote users to authenticate their identities using the modern biometric capabilities of smartphones,
organizations are able to introduce a Zero Trust framework for remote users seeking access to critical assets managed
by CyberArk. While onboarding users, security administrators can provision access to external vendors for a specific amount of
time and/or a specific number of sessions. This provides external vendors with the minimum amount of access they need, and
automatically de-provisions access when it is no longer required; a staple of the just-in-time access concept. The direct integration
with CyberArk Privileged Access Manager ensures that all remote users, whether vendors or employees, automatically go through the
secure control point that isolates and records their sessions whenever they need access.

CyberArk Mobile Application


The CyberArk Mobile application can be downloaded from either the iOS App Store or Google Play Store. It performs the
biometric authentication of the user together with a scan of a unique QR code generated by the Remote Access web page.
The mobile application is used to read the unique, one-time and time-limited QR code and to confirm the biometric identity on
the user’s smartphone via facial recognition or fingerprint scan. User biometric data is never stored in the Remote Access Cloud
Service; it remains on the user’s smartphone at all times.

When the application authenticates a user, it asks the mobile device kernel to query the Mobile Device Secure Area as to whether
the authorized person is indeed the one holding the phone. The device then checks against internally stored validation data using
fingerprint or facial recognition technology, and a pass or fail response is sent back to the mobile application. This pass or fail
response is the only information the CyberArk Mobile application receives in answer to the authentication question: not how it was
calculated, nor the biometric data used.

If the user gets a pass response and successfully authenticates, the app passes the information contained in the QR code and the
identity of the confirmed user to the relevant Remote Access Cloud Service (for registration, authentication, and/or verification
purposes).

If for any reason the signature of the biometric data on the phone changes, even when a legitimate user adds an additional
fingerprint, for example, the connection between the CyberArk Mobile app and the service is immediately severed to prevent
tampering. The user will then need to re-verify their onboarding before being able to log in via Remote Access again.

Remote Access Cloud Service


Remote Access is a Software-as-a-Service deployed on an AWS platform and distributed across three different Availability Zones
(AZs), so that it remains available in case of an outage in one of the AZ data centers. The Remote Access Cloud Service is the platform
through which users can access applications, and administrators can configure sites, tenants, vendors, and more. It is also where the
communication chain between the CyberArk Mobile application and the on-site Remote Access Connector is orchestrated.

The Remote Access Cloud Service uses AWS managed micro-services inside Kubernetes Pods configured for auto-scaling. The
result is an agile and fully scalable service where additional resources are spun up and deployed seamlessly to meet additional demand.

The design of the full solution ensures that no user credentials or biometric data are stored in the Remote Access Cloud Service. All
traffic that passes through the SaaS is encrypted end-to-end, and CyberArk does not have access to the unencrypted traffic at
any time via the SaaS service.


HTML5 Gateway
The full integration of Remote Access with CyberArk Privileged Access Manager ensures that the external vendors and remote
employees that access critical systems do so via CyberArk’s session management capabilities. CyberArk’s HTML5 Gateway is part
of Privileged Access Manager and is responsible for tunneling the session between the Remote Access Connector and CyberArk’s
session management capabilities by “translating” the incoming web protocol to outgoing RDP over TLS.

The HTML5 Gateway is a hardened and secured component placed inside the internal network. It is implemented as a
Docker container that can be installed on the same host as the Remote Access Connector. It uses the Apache Guacamole software
and requires a web service to be installed, preferably, though not necessarily, Tomcat.

After logging on to the CyberArk web-based portal (Password Vault Web Access or ‘PVWA’) and connecting to an internal system
via a privileged account, a session is redirected to go through the Remote Access connector and the HTML5 Gateway. The session
itself is performed in the web browser window, agnostic of the vendor’s workstation OS or browser.

Within Privileged Access Manager, each Privileged Session Manager (PSM) server can be configured to work with the HTML5 Gateway.
Multiple PSM servers can work with the same gateway or with different gateways. Organizations can also deploy multiple HTML5 Gateway
servers behind a load balancer. When an end user connects with an account, the web-based portal redirects the connection through
the gateway or load balancer that is configured for the Privileged Session Manager server.

Remote Access Connector


The Remote Access Connector is the component that brokers connections between the Remote Access Cloud Service and the
customer’s Privileged Access Manager environment. It is installed internally, behind the customer firewall, and packaged as a Docker
container for ease of management and deployment. Once a remote user attempts to authenticate, the initial encryption tunnel
from the browser ends and a new encrypted channel is opened directly to the web-based portal. This authentication is done by the
Remote Access service, which leverages the biometric technology available on smartphones as well as standard authentication federation
protocols (OpenID Connect and SAML). Between these encrypted sessions, the connector validates the session and user cookies as
well as the web-based portal and HTML5 Gateway certificates to ensure their authenticity.

The Remote Access Connector is configured as a SAML identity provider (IDP) and also as an OpenLDAP server, to support the
Remote Access user provisioning to the web-based portal and CyberArk Vault. The connector also holds the secure data keys and
unique private certificates that validate the Remote Access end-to-end encryption chain, thus helping to ensure that all customer
secrets remain in the customer’s control and ownership.

The Remote Access Connector’s first initialization and any subsequent login for Connector management are performed using the
CyberArk Mobile app, thereby leveraging the same biometric authentication and QR code authorization method used by the Remote
Access Cloud Service.

Onboarding Process
User onboarding is an important task, as external vendors are typically not part of the Active Directory and require granular,
role-based access. Onboarding users with Remote Access is easy for administrators and secure for end users.

To start using Remote Access, an organization goes through the following stages: Create a Tenant Account in the Remote Access
Service -> Activate the Tenant -> Set up the Tenant.


Create a Tenant Account in Remote Access service


After receiving a link to the sign-up page, the administrator in the organization fills in the company details and their personal details
on the sign-up page. Once completed, a tenant for the organization is created and an activation email is sent to the Administrator.

The Administrator downloads the CyberArk Mobile app to their mobile phone and registers (see “end-user workflow” for details).

Activate the Tenant


The Administrator opens the activation email and clicks on the activation link. The Remote Access portal launches in the browser
and displays a QR code. Using the CyberArk Mobile app on their mobile phone, the Administrator scans the QR code and activates
their tenant. Biometric authorization is also used to verify and authenticate the user’s identity.

Set up the Tenant


After the activation, the Administrator can sign in to the Remote Access portal and set up their tenant. The first step is to define a
site that represents a location where the organization’s assets and applications reside (for example, an internal network or a cloud
environment).

Next, the Administrator installs a Remote Access Connector on a dedicated machine inside the site (see the “Remote Access Connector”
section for details on the connector). Each site uses a dedicated connector.

Lastly, the Remote Access Administrator adds CyberArk PAM as an application that can be accessed via Remote Access.

Set up PAM for Remote Access


A Remote Access Administrator or Vault Administrator installs CyberArk’s HTML5 Gateway inside the site (see “HTML5
Gateway” above) and configures Privileged Access Manager to work with it.

The next step is to set up Remote Access as a SAML identity provider (IDP) for the web-based portal, so that user authentication
from Remote Access is accepted by the web-based portal.


Lastly, the Vault Administrator configures Privileged Access Manager to integrate with Remote Access as an LDAP directory, so that Remote
Access can provision and de-provision external vendors as users. When Remote Access provisions a vendor as a user, it adds that
user to the groups defined in the invitation process (see “End-user workflow”). It is recommended to create dedicated
Vault groups with permissions for the relevant accounts that the organization wishes the vendors to access.

End-user workflow
Invite a user
From the Remote Access portal, an Administrator can invite external vendors and remote employees to access Privileged Access
Manager. The invitation includes, among other things, the following details and configurations:

• User details: name, email address, and the phone number that the user set when they registered (or will register) with
Remote Access.

• Access restrictions: number of allowed sessions and timeframe for access.

• Allow or deny this vendor to invite other vendors (useful when the organization wishes to delegate the responsibility to a
specific person from the vendor to invite their employees).

Once completed, the user receives an invitation email. Vendors who were granted permission to invite other vendors can do
so from the Remote Access portal as well.

Install the CyberArk Mobile app


The CyberArk Mobile app can be downloaded to an iOS or Android device via the respective official app store. Following install,
the user is prompted to perform initial registration in the app by providing their name, phone number, and an optional profile
photo. The device prompts the user to grant the app permission to use the existing device biometric security, and a PIN code
is also created for use in restoring the app account if required. Finally, a one-time SMS is sent for verification to the
device number provided on the previous screen. The CyberArk Mobile app is now ready to be joined to a tenant.


Registration and access


After a user receives an invitation email, they click on the invitation link to display a QR code.

Using the CyberArk Mobile app on their mobile phone, they scan the QR code and join the Remote Access tenant for the first time.
Biometric authorization is also used to verify and authenticate the user’s identity.

Afterwards, they sign in to Remote Access by scanning the QR code with their mobile phone and using the phone’s biometric
authentication to authenticate and display the Applications page. Now the user can log in to the web-based portal, either by
selecting the CyberArk PAM icon in the Remote Access portal, or by copying the PVWA URL from the Remote Access portal and
connecting directly to it. The user can also bookmark it in the browser. Users can also initiate privileged sessions directly from
their desktop or mobile device with connection manager and RDP clients when the Administrator sets the “allow secure native
access” toggle to on. Once they reach the web-based portal, they see and use accounts according to their groups’ permissions.

The user can access the web-based portal (through the direct URL or through the Remote Access portal) during the allowed timeframe,
provided they have not exceeded the number of allowed sessions. Upon each access, they authenticate with the Remote Access
authentication method.
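The access rules described above (an invitation that bounds access to a timeframe and a number of sessions, a one-time, time-limited QR challenge, and a device-side pass/fail biometric result) can be modelled as a small broker. This is an added illustration, not CyberArk's code; the 60-second QR lifetime, the class names and the reason strings are assumptions, as the paper gives none of them.

```python
import secrets
from dataclasses import dataclass

# Assumed QR challenge lifetime in seconds; the paper only says "time limited".
QR_TTL_SECONDS = 60

@dataclass
class VendorGrant:
    email: str
    not_before: float      # start of the allowed timeframe, epoch seconds
    not_after: float       # end of the allowed timeframe, epoch seconds
    max_sessions: int      # number of allowed sessions
    sessions_used: int = 0
    deprovisioned: bool = False

@dataclass
class QrChallenge:
    issued_at: float
    consumed: bool = False

class AccessBroker:
    """Constructed model of the invitation / sign-in policy, not a real API."""
    def __init__(self):
        self.grants = {}        # email -> VendorGrant
        self.challenges = {}    # token -> QrChallenge

    def invite(self, email, not_before, not_after, max_sessions):
        grant = VendorGrant(email, not_before, not_after, max_sessions)
        self.grants[email] = grant
        return grant

    def issue_qr(self, now):
        """Web page side: mint an unpredictable, single-use, expiring token."""
        token = secrets.token_urlsafe(32)
        self.challenges[token] = QrChallenge(issued_at=now)
        return token

    def _consume_qr(self, token, now):
        ch = self.challenges.get(token)
        if ch is None or ch.consumed or now - ch.issued_at > QR_TTL_SECONDS:
            return False
        ch.consumed = True      # burn it even if later checks fail
        return True

    def deprovision_expired(self, now):
        """Automatic de-provisioning once a grant's timeframe has ended."""
        for g in self.grants.values():
            if now > g.not_after:
                g.deprovisioned = True

    def request_session(self, email, token, biometric_passed, now):
        """Return (allowed, reason); a denial never consumes a session."""
        if not biometric_passed:            # only pass/fail reaches the app
            return False, "biometric check failed on device"
        if not self._consume_qr(token, now):
            return False, "QR challenge invalid, expired or already used"
        grant = self.grants.get(email)
        if grant is None or grant.deprovisioned:
            return False, "no active grant"
        if now < grant.not_before:
            return False, "allowed timeframe has not started"
        if now > grant.not_after:
            grant.deprovisioned = True
            return False, "allowed timeframe has ended"
        if grant.sessions_used >= grant.max_sessions:
            return False, "session quota exhausted"
        grant.sessions_used += 1
        return True, "session granted"
```

Because the QR token is consumed before the grant is evaluated, a replayed or stale QR is rejected regardless of the grant's state, and a failed biometric check never reaches the service at all.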

About CyberArk
CyberArk (NASDAQ: CYBR) is the global leader in Identity Security. Centered on privileged access management, CyberArk provides
the most comprehensive security solutions for any identity – human or machine – across business applications, distributed
workforces, hybrid cloud workloads, and throughout DevOps pipelines. The world’s leading organizations trust CyberArk to help
secure their most critical assets. To learn more about CyberArk, visit www.cyberark.com.

©Copyright 2021 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express
written consent of CyberArk Software. CyberArk ®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks)
of CyberArk Software in the U.S. and other jurisdictions. Any other trade and service names are the property of their respective owners.

CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied
warranties and is subject to change without notice. U.S., 06.21 Doc. 398421227

THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED,
INCLUDING WARRANTY OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE. IN NO EVENT SHALL CYBERARK
BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND IN PARTICULAR CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR
INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR LOSS OF USE, COST OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA
ARISING FROM USE OF OR IN RELIANCE ON THIS PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
