In CyberArk Privileged Access Management (PAM), the term Vault refers to the Digital Vault, a hardened repository designed to store and manage sensitive information such as privileged credentials, passwords, SSH keys, and certificates. It is the core component of the CyberArk PAM architecture, ensuring that privileged data is encrypted, protected, and accessible only to authorized users or applications.
What is a Vault?
The Digital Vault in CyberArk is a specialized, secure storage solution that uses a proprietary encryption mechanism to safeguard privileged information. It operates in an isolated environment and protects the information through:
• Encryption: All stored data is encrypted at rest using strong encryption.
• Access Control: Only authorized users, applications, or systems can access the vault based on defined permissions.
• Auditing and Monitoring: Tracks who accesses the vault, changes made, and other activities for compliance and security audits.
• Tamper-Resistant: The vault is designed to resist tampering, so that unauthorized access attempts are blocked and recorded.
Types of Vaults in CyberArk
In CyberArk there is only one primary vault (the Digital Vault), but within it are logical compartments called “safes” in which credentials and data are organized. These safes are set up according to organizational requirements. Here is how the pieces fit together:
1. Digital Vault (Central Vault):
• This is the core vault where all privileged credentials, keys, and secrets are stored.
• All data inside the vault is encrypted, and access to the vault is highly restricted.
2. Safes (Logical Vaults):
• Safes are logical compartments within the Digital Vault. Each safe can store specific data and be assigned permissions based on users or groups.
• Safes help in organizing and segregating sensitive data, ensuring only specific teams or applications can access certain safes.
• Each safe can have its own access control, policies, and retention rules.
3. Disaster Recovery Vault (DR Vault):
• A backup vault that is synchronized with the primary Digital Vault and is used in case of a disaster or failure in the primary vault.
• This ensures business continuity by keeping privileged credentials available even if the primary vault goes offline.
• The DR Vault runs on separate infrastructure, normally in a separate location from the primary vault.
How to Configure the CyberArk Vault
Configuring the CyberArk Vault involves several key steps, including installing the Digital Vault, setting up safes, and configuring access permissions. Here’s a basic overview:
Step 1: Install the Digital Vault Server
• Prerequisites: Ensure that the system meets the necessary requirements (e.g., operating system, hardware).
• Install the Vault:
1. Download the CyberArk Vault installation package.
2. Install the vault on a dedicated and secure server.
3. During installation, you will be asked to configure encryption keys and set up secure communication.
4. Once installed, configure the Vault administrator account, the built-in super-user responsible for managing the vault.
Step 2: Create Safes (Logical Vaults)
• Access the PVWA (Password Vault Web Access) interface.
• Navigate to the “Safes” section and click “Create Safe.”
1. Provide a name for the safe (e.g., “Network Admin Passwords”).
2. Define the Retention Period (how long credentials should be retained).
3. Assign Access Permissions to specific users or groups. Permissions can include:
• List accounts
• Retrieve accounts
• Store accounts
• Manage safe settings
4. Configure Usage Policies for the safe, such as password rotation, expiration, and check-out/check-in rules.
Step 3: Assign User and Group Permissions
• Access PVWA and go to the “Users” or “Groups” section.
• Assign relevant permissions to users or groups:
1. Read: Ability to view credentials in the safe.
2. Write: Ability to update credentials or add new entries.
3. Manage: Full control over the safe and its settings.
• Apply permissions based on roles or responsibilities (e.g., admins, developers).
Step 4: Configure Disaster Recovery (DR) Vault
• Install and configure the DR Vault on a separate server.
1. Synchronize the DR Vault with the primary Digital Vault.
2. Regularly back up data to the DR Vault.
3. Test DR Vault operations to ensure it can take over seamlessly in case of a disaster.
Step 5: Set Up Monitoring and Auditing
• Configure logging and auditing policies to track all activities in the vault, including who accessed credentials, what changes were made, and when.
• Set up alerts and reporting for unusual activities, such as unauthorized access attempts or failed login attempts.
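The safe and member definitions from Steps 2 and 3 can also be prepared outside the PVWA UI. The following is an added example, not CyberArk’s own code: it builds the request bodies in the shape used by the PVWA REST API of recent releases (POST /PasswordVault/API/Safes and POST /PasswordVault/API/Safes/{SafeUrlId}/Members; older releases use a different Permissions shape, so verify field names against your version’s REST API reference) and then runs a least-privilege check so that only agreed administrator groups receive safe-management rights. The Read/Write/Manage role mapping is this example’s own assumption.

```python
"""Build PVWA safe and safe-member request bodies and check them for least privilege.

Added example, not CyberArk's code. Field names assume the recent PVWA REST API;
the role-to-permission mapping below is an assumption that models the page's
Read / Write / Manage roles.
"""

# Permission flags accepted by the safe-member API (a subset of the full list).
READ = ("listAccounts", "retrieveAccounts", "useAccounts", "viewAuditLog")
WRITE = READ + ("addAccounts", "updateAccountContent", "updateAccountProperties")
MANAGE = WRITE + ("deleteAccounts", "manageSafe", "manageSafeMembers")
ROLE_PERMS = {"Read": READ, "Write": WRITE, "Manage": MANAGE}


def safe_definition(name, retention_days, description=""):
    """Body for creating a safe with day-based retention (Step 2, items 1-2)."""
    # CyberArk limits safe names to 28 characters; reject anything longer up front.
    if not 1 <= len(name) <= 28:
        raise ValueError("safe name must be 1-28 characters: %r" % name)
    if retention_days < 1:
        raise ValueError("retention must be at least one day")
    return {"safeName": name, "description": description,
            "numberOfDaysRetention": retention_days, "OLACEnabled": False}


def member_definition(member, role, search_in="Vault"):
    """Body for adding a member to a safe (Step 3). Every flag is emitted
    explicitly so a role never silently inherits a permission it was not given."""
    perms = {flag: flag in ROLE_PERMS[role] for flag in MANAGE}
    return {"memberName": member, "searchIn": search_in, "permissions": perms}


def least_privilege_violations(members, admin_groups):
    """Return member names holding safe-management rights without being one of
    the agreed administrator groups. Run it before applying definitions, and
    periodically against the members a GET on the safe returns (Step 5)."""
    violations = []
    for m in members:
        p = m["permissions"]
        if (p.get("manageSafe") or p.get("manageSafeMembers")) \
                and m["memberName"] not in admin_groups:
            violations.append(m["memberName"])
    return violations
```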
Conclusion
The CyberArk Vault plays a central role in protecting privileged information. The main vault types are the Digital Vault (primary secure storage), Safes (logical containers for segregating data), and the Disaster Recovery (DR) Vault for backup. Properly configuring the vault and its safes, together with permissions and auditing, is essential to the secure management of privileged credentials.