CyberArk Privilege Cloud Break-glass Procedures

The document discusses offline access and physical safe storage of credentials when the CyberArk Privilege Cloud service is unavailable. It provides an overview of offline access via the CyberArk mobile app, best practices for usage, and current limitations. Physical safe storage involves limiting credential scope, onboarding in CyberArk, rotating passwords manually, and updating when the service restores.


1 Privilege Cloud Environment definitions

cyberark.com
2 Customer Environment

PSM
• Single PSM failure
  • Recommendation – automatically handled by load-balancer
  • Alternative – DNS round robin
  • Alternative – manual failover by editing Platform settings
• All PSM failure
  • Temporarily allow ‘retrieve’ via Web Portal (PVWA)

CPM
• Always a manual failover to avoid risk of ‘split brain’
• If not urgently required – no action necessary
  • Pending rotations will happen when the CPM is started
• If needed urgently – e.g. if using OTP + Exclusive Access
  • Passive CPM can assume the identity of the normally active CPM by performing CPM failover

Secure Tunnel
• Single tunnel failure
  • Supports high availability. Automatic failover to next available tunnel
• All tunnel failure
  • Root cause needs to be investigated based on the affected integration, e.g. LDAP, SAML, HTML5 Gateway, RADIUS
3 Privilege Cloud Service

• The CyberArk service is committed to an availability and security SLA of 99.95%

• Deployed on AWS Tier IV datacenters on different Availability Zones

• A monitoring system is responsible for a service health check and interacts with an on-call automatic management system

• The Privilege Cloud portal and vault instances are both immutable

• Data is stored on AWS RDS and EBS

• Each customer has isolated tenant and dedicated service components (e.g. instances, network, security groups etc.)

• DDoS protection, WAF and additional AWS Security services are applied to protect and secure the service

• The service has the following certifications and compliance:
  • SOC 2 Type II
  • CSA CAIQ
  • SIG LITE
  • ISO 27001 (Corporate)

3.1 Offline Access

Solution Overview
• Utilizes the CyberArk Mobile app (available on iOS and Android), which allows offline syncing of credentials
• Data is stored securely
  • iOS – Secure Enclave
  • Android – Trusted Execution Environment (TEE)
• Control when credentials become available on the CyberArk Mobile app
  • Only available during a Privilege Cloud service outage
  • Available when the CyberArk Mobile Application has no network connection
  • Unrestricted mode – always available
  • Can be restricted at account level
• Syncing of credentials is a manual process
  • A notification interval (days) can be configured to prompt the user to sync credentials
• Supports biometric and SAML authentication



Best Practices
• Restrict access to offline credentials to times when the CyberArk Privilege Cloud Service is unavailable
• Limit the scope to a small number of emergency break-glass accounts
  • Domain Admin, Unix root, network equipment admin, other mission-critical accounts
• Password rotation frequency should not be too high
  • Password syncing is a manual process, and frequent rotation may cause the offline copies to fall out of sync
• Limit the scope to a small number of users who have access to these accounts
• Rotate and sync credentials once the service is restored
• Monitor use of the accounts via SIEM alerts or similar
• Consider using ‘split password’ functionality (like a physical safe requiring two people to access)



Current Limitations
• Accounts under the following policies cannot be saved offline
  • Enforced check-in/check-out exclusive access
  • Requires dual control password access approval
  • Enforced one-time password access
  • Ticketing systems integration



3.2 Physical Safe/Offline storage

• The scope of credentials should be limited to a small number of users and accounts, as with offline access
• Accounts should still be onboarded in CyberArk
• Consider implementing dual control
• Stored in a secure location (physical safe)
  • Ideally requiring at least two people for access
• Passwords should be rotated manually
  • Configure notifications to ensure that they are being rotated
  • Monitor the accounts to ensure that passwords are being rotated
• Rotate and update the credentials in the safe once the service is restored
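The two monitoring points above (use of break-glass accounts via SIEM alerts, and checking that manually rotated passwords are actually being rotated) can be implemented as a small check run against authentication logs and the custodian's rotation record. This is an added illustration, not CyberArk code; the log format, account names, dates and outage window are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: emergency accounts held offline (mobile-app sync or physical safe).
BREAK_GLASS_ACCOUNTS = {"bg-domadmin", "bg-root", "bg-netadmin"}

# Constructed sample: last manual rotation per account, as recorded by the safe custodian.
LAST_ROTATION = {"bg-domadmin": "2024-03-01T00:00:00Z",
                 "bg-root": "2024-01-10T00:00:00Z",
                 "bg-netadmin": "2024-03-15T00:00:00Z"}

# Constructed syslog-style authentication events (not real product output):
# "<ISO-8601 time> <host> auth user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-20T09:12:04Z dc01 auth user=alice result=ok
2024-03-20T22:41:17Z dc01 auth user=bg-domadmin result=ok
2024-03-21T03:05:30Z fw01 auth user=bg-netadmin result=fail
2024-03-21T08:00:00Z srv02 auth user=bob result=ok
"""

def utc(iso_z):
    """Parse an ISO-8601 timestamp ending in Z into an aware UTC datetime."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_auth_events(text):
    """Parse the sample format; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 5 or not p[3].startswith("user=") or not p[4].startswith("result="):
            continue
        events.append({"time": utc(p[0]), "host": p[1], "user": p[3][5:], "result": p[4][7:]})
    return events

def break_glass_usage(events, outage_windows):
    """Report every use of a break-glass account, success or failure. Use inside a declared
    outage window ((start, end) ISO strings) is expected ('info'); use outside one is 'high'."""
    windows = [(utc(s), utc(e)) for s, e in outage_windows]
    alerts = []
    for ev in events:
        if ev["user"] not in BREAK_GLASS_ACCOUNTS:
            continue
        in_outage = any(start <= ev["time"] <= end for start, end in windows)
        alerts.append(("info" if in_outage else "high", ev["user"], ev["host"], ev["result"]))
    return alerts

def stale_rotations(last_rotation, now_iso, max_age_days):
    """Accounts whose recorded manual rotation is older than policy allows (due for rotation)."""
    now, limit = utc(now_iso), timedelta(days=max_age_days)
    return sorted(a for a, ts in last_rotation.items() if now - utc(ts) > limit)
```

Failed attempts are reported as well as successes, since a failed logon with a safe-held credential is just as much a sign that the safe was opened.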

More Information
Configure Offline Access to target machines

Connect when Privilege Cloud is unavailable

SLA for Privilege Cloud
