CyberArk Cloud Automation Capabilities Support Hybrid & Native Cloud Environments
October 3, 2017 | Security and Risk | Chris Smith
CyberArk’s AMI and CloudFormation Templates enable a complete CyberArk environment (including primary and Disaster Recovery (DR) vaults, all of the components, and session monitoring) to be built and deployed in an AWS environment in as little as 15 minutes. This is very powerful for customers with “all in,” or native cloud, environments. However, unless an organization has fully adopted the cloud, it will most likely have some form of hybrid environment. The CyberArk AMI and CloudFormation Templates can now be configured to support hybrid environments too.
Securing the operations of both the cloud and the on-premises environment is one of the unique challenges of a hybrid environment. Typically, customers run the CyberArk Privileged Account Security Solution, including the vault, on-premises and extend it into the cloud environment. Customers can, however, also run the vault in the cloud to support both on-premises and cloud workloads.
By using CyberArk’s reference architecture for AWS, the CyberArk CloudFormation Templates can be configured to support hybrid environments. There are, of course, many different hybrid environments and many potential deployment configurations.
The key decisions to make are where to deploy the primary and DR vaults, and how to deploy the components (Password Vault Web Access, Central Password Manager, CyberArk Privileged Session Manager and CyberArk Privileged Session Manager SSH Proxy) so that privilege requests in both the on-premises and AWS environments are served efficiently. In organizations with hybrid environments that already use a privileged account security solution, the deployed solution already helps to secure the on-premises environment. In this case, the primary and DR vaults will continue to run in the on-premises data center, but instances of the components will need to run in both the on-premises and AWS environments.
Here, the CyberArk CloudFormation Templates for AWS (CFT) can be used to build the components in the AWS environment. These components are then linked back to the vaults over a secure connection; the components never need to expose the vault itself to the cloud network, only a restricted path from the components to the vault.
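The following CloudFormation fragment is an added example illustrating the network boundary for the “components in AWS, vaults on-premises” case. It is not CyberArk’s own template and does not reproduce the reference architecture; the parameter names (`VpcId`, `PrimaryVaultCidr`, `DrVaultCidr`, `CorporateUserCidr`) are hypothetical, and it assumes private connectivity (VPN or Direct Connect) and routing between the VPC and the data center already exist. TCP 1858 is the standard listener port of the CyberArk Vault; 443, 3389 and 22 are the user-facing ports for PVWA, PSM and PSMP respectively.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Illustrative security group for CyberArk components (PVWA, CPM, PSM, PSMP)
  running in AWS while the Primary and DR Vaults stay on-premises.
  Added example, not CyberArk's own CloudFormation template.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC that hosts the component instances (assumed to be reachable from on-premises)
  PrimaryVaultCidr:
    Type: String
    Description: On-premises address or subnet of the Primary Vault (hypothetical, e.g. 10.10.1.5/32)
  DrVaultCidr:
    Type: String
    Description: On-premises address or subnet of the DR Vault (hypothetical, e.g. 10.20.1.5/32)
  CorporateUserCidr:
    Type: String
    Description: Address range from which users reach PVWA, PSM and PSMP

Resources:
  ComponentSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: CyberArk components - vault reachable only on the vault port over private connectivity
      VpcId: !Ref VpcId
      # Declaring any egress rule removes the default allow-all egress that
      # CloudFormation would otherwise attach, so the components can reach the
      # two vaults only on TCP 1858. Egress to the target systems that CPM and
      # PSM manage must be added per environment; it is deliberately not "0.0.0.0/0".
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 1858
          ToPort: 1858
          CidrIp: !Ref PrimaryVaultCidr
          Description: Components to Primary Vault
        - IpProtocol: tcp
          FromPort: 1858
          ToPort: 1858
          CidrIp: !Ref DrVaultCidr
          Description: Components to DR Vault (used after failover)
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref CorporateUserCidr
          Description: Users to PVWA over HTTPS
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref CorporateUserCidr
          Description: Users to PSM over RDP
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref CorporateUserCidr
          Description: Users to PSMP SSH proxy

Outputs:
  ComponentSecurityGroupId:
    Description: Attach to the PVWA, CPM, PSM and PSMP instances built by the component templates
    Value: !Ref ComponentSecurityGroup
```

The complementary control sits on the data-center side: the vault’s own firewall should accept TCP 1858 only from the component instances’ addresses (or the VPN/Direct Connect range that carries them), so that the link is restricted at both ends rather than trusting the cloud network as a whole.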
Two typical configurations are shown in the following diagrams. The first diagram, of an extended configuration, shows the vault (Primary and DR) running on-premises, managing the infrastructure and workloads in the on-premises environment and extended out to manage the infrastructure and workloads running on the AWS cloud. Here, the CyberArk components running on AWS have been built using CyberArk’s CFT and AMI automation capabilities.
The second diagram shows the vault (Primary and DR) running on the AWS cloud and managing privileges for both the on-premises and cloud infrastructure and workloads. In this example, the vaults running on AWS extend back into the on-premises environment. Note that here the complete AWS environment (vaults and components) has been built using CyberArk’s CFT and AMI automation capabilities.
Note: To simplify the diagrams, the additional layers of redundancy and security used in a typical deployment are not shown.
The CyberArk architecture has been designed to be flexible enough to support complex and demanding environments. For example, configurations become more challenging when organizations use multiple cloud vendors and operate multiple on-premises environments. However, for CISOs who want to enforce security and access policies consistently across hybrid environments, it is important to establish a single control point for the on-premises and cloud environments, and this is achieved by using the same privileged account security solution to manage all of them.
All CyberArk solutions, including CyberArk Conjur, are designed to scale to meet the needs of large enterprises with globally distributed operations. In these hybrid examples, the architecture optimizes performance by deploying the CyberArk components close to the devices they manage. The architecture also allows multiple instances of the components to be deployed, so components can be located in multiple on-premises and cloud environments while all of them report to the same vaults.
The CyberArk CFT and AMIs for AWS are available now and can be configured to support a range of native/“all in cloud” and hybrid environments. Contact sales or customer support for additional information, or learn more about how CyberArk can support your cloud environment.