The Launch at Impact: Privileged Access Security Solution Version 11

July 17, 2019 Corey O'Connor


The 13th annual and largest ever CyberArk Impact Americas event officially kicked off in Chicago, bringing together customers, partners and a ton of cyber security experts to discuss all things privileged access management. One of the big announcements at Impact is the launch of the CyberArk Privileged Access Security Solution version 11. The latest version provides a geo-distributed architecture to support active/active Enterprise Password Vault topologies and simplifies the development of secure applications.

Let’s walk through some of the best features from this release in a bit more detail.

Geo-distribution and Support for Active/Active Enterprise Password Vaults

CyberArk is extending privileged access management to active/active architectures with multiple Enterprise Password Vaults. Customers have the ability to configure the CyberArk Privileged Access Security Solution to work in active/active topologies, providing transparent automatic failover and maintaining critical functions, such as password retrieval and session management, across geographically distributed vault configurations in the event of an outage. Moreover, this new architecture enables customers to work directly with their local vault, which automatically syncs with the master/primary vault (see Figure 1). This ensures increased performance and resiliency and removes dependencies between different geo-locations that previously relied on a single vault. Along with previously released support for multiple web consoles and active/active vault configurations for CyberArk Application Access Manager, we deliver the industry’s most robust solution for high availability and disaster recovery in the privileged access management category.


Figure 1. The new geo-distributed architecture provides active/active support for credential retrieval and session management services.

Simplified Development of Secure Applications for Kubernetes and Red Hat OpenShift Environments

Hard-coding credentials in applications continues to pose a security risk, one that is too often deprioritized by development teams wanting to rapidly deploy new applications. To increase developer adoption, CyberArk is adding an innovative new capability to Application Access Manager: Secretless Broker. Secretless Broker simplifies how applications in Kubernetes and Red Hat OpenShift environments securely access MySQL and PostgreSQL databases, HTTPS-based services and SSH.

With Secretless Broker, when an application needs to securely access a resource, the app simply makes a local connection request to Secretless Broker. Secretless Broker then automatically authenticates the app, fetches the required credentials from the vault and establishes a connection to the database or other resource. Like the CyberArk Privileged Session Manager, Secretless Broker isolates the application so that it no longer has to store the secret, much like how an admin using Privileged Session Manager doesn’t need to know the password. This approach reduces the attack surface since the application doesn’t have access to credentials, preventing the inadvertent leaking or exposure of privileged credentials.

The approach offers two major simplifications for developers. First, it eliminates the need to write API calls to fetch an access credential or secret and, second, it eliminates the need for the application to directly handle secrets. Only CyberArk offers this type of capability and, going forward, CyberArk plans to support additional databases, web applications and other services with Secretless Broker.
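The connection flow described above, sketched as an added example (not CyberArk's code and not the Secretless Broker implementation). A toy line-based backend stands in for the database and a dict stands in for the vault; the broker's authentication of the app is omitted, and all names, the `AUTH` protocol and the secret value are constructed for illustration.

```python
import socket, socketserver, threading

VAULT = {"db/password": b"s3cr3t-constructed"}  # stand-in for the vault (constructed value)

class Backend(socketserver.StreamRequestHandler):
    """Toy database: the first line must be AUTH <password>; then it answers queries."""
    def handle(self):
        ok = self.rfile.readline().strip() == b"AUTH " + VAULT["db/password"]
        self.wfile.write(b"OK\n" if ok else b"DENIED\n")
        if ok:
            for line in self.rfile:
                self.wfile.write(b"RESULT for " + line)

class Broker(socketserver.StreamRequestHandler):
    """Local broker: fetches the secret, authenticates upstream, relays app traffic."""
    def handle(self):
        secret = VAULT["db/password"]  # fetched per connection, never sent to the app
        with socket.create_connection(self.server.upstream) as up:
            reply = up.makefile("rb")
            up.sendall(b"AUTH " + secret + b"\n")
            if reply.readline() != b"OK\n":
                self.wfile.write(b"ERROR upstream auth failed\n")
                return
            for line in self.rfile:  # relay each request and its one-line response
                up.sendall(line)
                self.wfile.write(reply.readline())

def start(handler, upstream=None):
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    srv.upstream = upstream
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def app_query(addr, query):
    """The application: holds no credential, only an address to connect to."""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(query.encode() + b"\n")
        return s.makefile("rb").readline().decode().strip()

def demo():
    db = start(Backend)
    broker = start(Broker, upstream=db.server_address)
    try:  # same app code: once through the broker, once straight at the backend
        return (app_query(broker.server_address, "SELECT 1"),
                app_query(db.server_address, "SELECT 1"))
    finally:
        broker.shutdown(); db.shutdown()

if __name__ == "__main__":
    print(demo())
```

The application code contains no secret and no vault API call, so a leak of its source, configuration or memory exposes only the local broker address.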

Secretless Broker is offered as a fully supported feature of the Application Access Manager Dynamic Access Provider and is also available for CyberArk’s open source secrets management solution, Conjur. Register for the Application Access Manager Secretless Broker webinar, “Security Win: Giving Developers the Access They Need Without the Hassle via Secretless Broker,” at 1pm EST, 5 September.

Expanded Authentication Options Simplify Securing Applications

The latest release of Application Access Manager adds REST API support for OpenID Connect (OIDC) via the Dynamic Access Provider, along with existing support for AWS, Kubernetes/OpenShift, and LDAP authentication. With OIDC support, applications can natively and securely get secrets from Dynamic Access Provider to access other services and resources without needing to reauthenticate. This, alongside other expanded authentication options, makes it easier for customers to use Application Access Manager to secure their increasingly large application portfolios, which can include hundreds of commercial-off-the-shelf (COTS), cloud native and other applications.

Partner with the Number One Leader in Privileged Access Management

The release of version 11 continues to demonstrate CyberArk’s ability to deliver the most comprehensive privileged access management functionality for both human and non-human users in the market. We continue to innovate with our solution to enable our 4,600+ customers to defend against targeted attacks while delivering a simplified experience to security, operations, and end users.

All of these features will be available to customers who upgrade to the CyberArk Privileged Access Security Solution version 11, which will be available this quarter.
