This post is trying to summarize some PAS solution’s design and deployment thoughts and notes.
- Cluster HA / DR
- Appliance / Virtual Machine
- Cloud / On-Prem
- Multiple PVWA
- HA / Load balance
- Multiple CPM
- Load balance on different types of Safe, such as one for Windows, one for *nux/Cloud.
- Multiple PSM
- Load balance
- Safe Name Convention
- Safe Access Mapping from Roles to Access Rights
- Safe Access Model : Share , Personal, Mix
- Name Convention
- Account name length restriction
- Account name convention
- Personalized accounts, Shared accounts for different technologies (DB, Windows, *Nix, Networking, Cloud)
Traffic Flow Design
- Firewall Ports
- Traffic direction : one way or two way
- All components including integration with NTP, AD, DC, Target Servers, DBs, Cloud , SIEM, Ticket system, etc
- MFA, 2FA
- First Factor
- Second Factor
- Non Web Client Authentication – All kinds of Native Clients
CyberArk Brief: A phased approach for implementing a Privileged Access Security Program
1.1 Crown of jewels – Most critical assets
1.2 Accounts who can access those assets
shared / role based privilege accounts – built-in administrator account and root account
personal privilege accounts : accounts with -adm, or $ at the end
Focus on shared / role based privilege accounts first will get you least push back from admins.
Load credentials into actual vaults
Set up automatic verification process to confirm those credentials are accurate
End user should be able to use connect to reach their targets to do their administration work
Choose selective subset accounts to change password. Start with change button to confirm the CPM process is working.
Automated changes to rotate credentials’ passwords.
2.2 Isolate –> Monitor –> Analyze
Remove show/copy buttons to require end users to connect to target.
PSM will provide connectivity and monitor/record the session without exposing credentials.
PTA component will detect / alert threat detected from multiple sources
Going wider: – expand the process to other end points we identified (Networking devices, databases, web applications, iol devices)
Going deeper: – non human id ( application accounts, iis app pool, registry keys )
This is basic sample implementation schedule to roll out a non-ha basic design PAS solution
Pre-implementation to collect following information;
1. network design diagram including firewall, domain controller, VM ip, dns, smtp, snmp , ntp, etc.
2. hardware / virtual machine information based on size evaluation
3. traffic flow diagram
4. firewall rule sets based on traffic flow diagram
5. Details of SMTP, DC, SNMP, NTP,
6. CA certificate
7. Download software copy and licenses.
8. Make sure hard copy of Master CD, Operator CD in safe hand.
• Onsite Implementation Day 1: Install and perform initial configuration of the Production including advanced Vault integration such as SNMP, SMTP, SYSLOG and any others the were agreed upon.
• Onsite Implementation Day 2: Install and perform initial configuration of the Central Policy Manager, Password Vault Web Access 1 and 2, Privileged Session Manager, Secure Replication Utility and the PrivateArk Client.
•Onsite Implementation Day 3 Perform advanced configuration for the CPM, PVWAs and PSM. Test CPM management on 3 5 types of the out of the box plug ins. Test PSM workflows on 3 5 types of the out of the box connectors.
• Onsite Implementation Day 4 Troubleshoot any issues discovered during the CPM testing and PSM workflows. Perform overview session with administrators. Go over and assist in documenting the Master Policy, Access Control Model data and permission structures. Set up and go over support access and procedures.