I’ve spent some time over the last few weeks testing Cyber-Ark’s Enterprise Password Vault. First of all, let me say that I am in no way associated with them, and that this post reflects only my opinion of the software, and not that of any of my clients. This is not a review of the tool, but a bit of information on it and on why everyone should think about using such a solution to secure credentials and become compliant with various laws, guidelines, best practices and policies.
What’s Cyber-Ark Enterprise Password Vault?
Cyber-Ark’s password management environment is made up of multiple separate, secured pieces. At the core of the solution is the Cyber-Ark Vault itself. It runs on a hardened Windows server OS, with no standard services running and with multiple additional security layers. The machine can be considered an “appliance”, as it is very different from a stock Windows environment. This is what stores the files, which, in the case of the Enterprise Password Vault, represent passwords. The vault can be made highly available as a cluster, and replicated as well.
In order to use those files, an interface is needed. The best way is the Password Vault Web Access, which resides on a web server and communicates with the Vault using proprietary protocols. This lets systems administrators, operators, developers and so on access the vault without needing any particular client software.
The third important block is the CPM (Central Password Manager), which acts as the enforcer of policies and, when necessary, as the bridge between the vault containing the accounts and the machines where those accounts are used.
Why should it be used?
A solution such as this one should be used at least to store “generic” accounts, while providing separation of duties, auditing, and ease of management. A good example is the built-in Administrator account of an Active Directory domain. In many cases, the enterprise will want to keep this password somewhere, in case it is ever needed. However, if anyone knows it, there is no traceability when something is done with it.
Companies often design complex pen-and-paper systems to store these accounts, often split into separate parts, kept in different safes, in different locations. This works until there are simply too many generic accounts to keep track of. With a good password vault product, you can separate duties between password owners and password users: let management approve requests to view passwords, allow sysadmins to reset some passwords but not others, and, most importantly, log every access to those passwords.
Once someone has seen a password, it is important that it be changed. This is where the CPM comes in handy: it is able to change passwords on multiple platforms. Coupled with the ability to delegate only “connect” access (basically, establishing a direct RDP or SSH session with the credentials without ever showing the password), it can manage a set of passwords that nobody needs to know until the moment they are used. This also makes it possible to share accounts on systems that do not support multiple users. By changing the password every time it is used, and logging everything, even an appliance that only has a “root” user now has some traceability.
Another great improvement to security is proper management of service accounts. Many service accounts are set to never expire because they are meant to be managed manually. This means either that a lot of manual labor goes into managing them or, in many cases, that they are simply not managed at all. With a product such as this one, you can discover which service accounts are used for which service on which server, and enable central management of them. Yes, this means that it can connect back to Windows servers (among others) and change the passwords used to start up services so that they match the new account password. In effect, service accounts can be set up with a temporary password during installation and, once managed by the tool, never be seen or known again.
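As an added example (my own PowerShell, not Cyber-Ark’s code and not part of the original post), here is the manual version of the two steps described above: an inventory of which services on which servers run under a real user account rather than a built-in identity, and the Service Control Manager call that updates the stored logon password so it matches the account after a change. The server names are constructed placeholders.

```powershell
# Added example: inventory service accounts in use and update a service's stored logon password.
# Server names are constructed placeholders; run from an account with admin rights on the targets.
$Servers = @('APP01', 'SQL01', 'WEB01')

# Built-in identities whose passwords Windows manages itself; they need no vault entry.
$BuiltIn = @(
    'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
)

function Get-ServiceAccountUsage {
    param([string[]]$ComputerName)
    foreach ($Server in $ComputerName) {
        try {
            $Services = Get-CimInstance -ClassName Win32_Service -ComputerName $Server -ErrorAction Stop
        } catch {
            Write-Warning "Could not query ${Server}: $($_.Exception.Message)"
            continue
        }
        foreach ($Svc in $Services) {
            # Skip built-in identities and virtual accounts (NT SERVICE\...), which have no password to rotate.
            if ([string]::IsNullOrEmpty($Svc.StartName)) { continue }
            if ($BuiltIn -contains $Svc.StartName) { continue }
            if ($Svc.StartName -like 'NT SERVICE\*') { continue }
            [pscustomobject]@{
                Server    = $Server
                Service   = $Svc.Name
                Account   = $Svc.StartName
                StartMode = $Svc.StartMode
                State     = $Svc.State
            }
        }
    }
}

# After the account password has been changed in the directory, the copy held by the
# Service Control Manager must be updated too, or the service fails at its next start.
function Set-ServiceLogonPassword {
    param([string]$ComputerName, [string]$ServiceName, [securestring]$NewPassword)
    $Svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -Filter "Name='$ServiceName'"
    if (-not $Svc) { throw "Service $ServiceName not found on $ComputerName" }
    $Plain  = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $Result = Invoke-CimMethod -InputObject $Svc -MethodName Change -Arguments @{ StartPassword = $Plain }
    if ($Result.ReturnValue -ne 0) { throw "Change failed on $ComputerName/$ServiceName (code $($Result.ReturnValue))" }
}

# Report: one row per (server, service) pair that depends on a managed account.
Get-ServiceAccountUsage -ComputerName $Servers | Sort-Object Account, Server | Format-Table -AutoSize
```

Services that share one account across several servers show up grouped by the Account column, which is exactly the set that must be updated together in one rotation.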
Do yourself a favor and start studying these solutions. Begin by storing “generic” and built-in administrative credentials, then work your way up to shared accounts and service accounts. Once they are all in the vault, you can start experimenting with the automated management features. It is better to start now and have something ready to use than to wait until something bad happens and then do it in a hurry.
