New Secrets Management Capabilities: CyberArk Secrets Hub, CyberArk Conjur Cloud, CyberArk Conjur Enterprise, CyberArk Credential Providers

Chris Smith

We’re excited about the new Secrets Management capabilities released over the past few weeks. This summary includes new capabilities for CyberArk’s SaaS-based Secrets Management Solutions (CyberArk Secrets Hub and CyberArk Conjur Cloud) and recent releases for CyberArk Conjur Enterprise (v13.2) and CyberArk Credential Providers (v14 and patch v13.0.3), and several new integrations. 

As always, the latest information and details are in the respective What’s New sections of the appropriate product documentation.

CyberArk Secrets Hub

Now Discover and View Secrets in Azure Secrets Stores 

CyberArk Secrets Hub can now discover and centrally view secrets across multiple instances of Azure Key Vault (AKV). Now, security teams can scan Azure secrets stores and gain insights into the security posture of the cloud platform (for example, identifying secrets in Azure secrets stores that are not managed by CyberArk). Results can also be filtered. 

For more information visit Secrets Hub What’s New

Note, these new capabilities are in addition to existing capabilities for managing secrets in AKV and discovering and centrally managing secrets in AWS Secrets Manager (ASM).

CyberArk Secrets Hub

Note, subscription and resource group information need to be added to Azure secret stores so that the CyberArk Secrets Hub dashboard shows the secret stores. This information can be useful for finding Azure Key Vaults that belong to the same subscription or resource group and are available in both API and UI. 

To learn more, see Add secret store details

AWS Dashboard Enhancements

The AWS dashboard has been enhanced to View and filter secrets.  

AWS Dashboard

Default Tags Added to AWS Secrets

The sync process now tags the secret in ASM with the CyberArk Privileged Access Manager Safe and account names. 

Note, if the CyberArk PAM Safe or account name includes a special character that is not supported by AWS, then the invalid character is replaced with a hyphen '-' in the tag value (e.g., 'My Account (21)' will be replaced with 'My Account -21-' for the tag 'CyberArk Account'.) 

To learn more, see the CyberArk Technical Community article.

Note, new capabilities are frequently added to CyberArk Secrets Hub, please check the Secrets Hub What’s New for the latest updates.

CyberArk Conjur Cloud

New UI Enhancements for Group Membership

A new UI enhancement gives users the option to manage group membership from the UI.

For more information, see the new CyberArk Conjur Cloud UI enhancements in action:

Conjur Cloud

CyberArk Conjur Cloud Edge and CyberArk Conjur Cloud CLI Proxy Support 

Customers now can route Edge and CLI traffic through an explicit HTTP/HTTPS forward-proxy server. 

For more information, see here and here.
 

Now SOC2 Certified

CyberArk Conjur Cloud obtained SOC2 certification with no exceptions.  SOC2 (Service Organization Control Type 2) is a widely used global cybersecurity compliance framework that many CyberArk customers have requested.

Note, new capabilities are frequently added to CyberArk Conjur Cloud, please check the CyberArk Conjur Cloud What’s New for the latest updates.

CyberArk Conjur Enterprise Release v13.2

CyberArk Conjur Enterprise and Vault Synchronizer v 13.2 now supports the Container Storage Interface (CSI) driver for Kubernetes, adds cluster commands to evoke and the vault synchronizer adds high availability support.  

Release highlights include:

CyberArk Vault Synchronizer High Availability Support

Customers can now install multiple Synchronizer instances in a cluster with one primary Synchronizer instance and one or more standby instances. Customers with existing Vault Synchronizers deployed can switch to the high availability configuration after upgrading both Conjur Enterprise and Synchronizer to this release, this is recommended for production systems.

Container Storage Interface (CSI) Driver for Kubernetes

CyberArk has enhanced the integration with Kubernetes to support CSI drivers. The new Conjur provider allows for secrets stored in Conjur Enterprise to be consumed in Kubernetes with a seamless and secure method, leveraging the secrets store CSI driver interface.

New Evoke Cluster Administration Commands

CyberArk has expanded the supported commands for the Conjur evoke configuration utility, simplifying Conjur cluster administration with auto failover management operations. The new clear command provides an easy way to recover a corrupted auto failover cluster. In addition, we have introduced pause and resume commands for the Conjur cluster, supporting organization maintenance periods. 

Configurable Audit Log Format 

Customers can now configure the required audit log format. Customers can enable and disable each log format according to the organization requirements. 

For more details, please refer to the Conjur Enterprise 13.2 release notes.

CyberArk Credential Providers v14.0 and Previously Release Patch 13.0.3

Highlights in the CyberArk Credential Providers v14.0 Release include: 

CP Cache and Refresh Cache Improvements

CyberArk Credential Providers (CP) version 14.0 introduces a modern implementation for managing CP cache. The new caching mechanism is more efficient and consumes less memory and CPU from the server. The local cache management also reduces load on the vault. 

The release also improves the mechanism for refreshing the cache, with less overhead and much more efficient querying from the Vault. In addition, as a security measurement, a configurable time-to-live (TTL) mechanism for the cache has been introduced, which ensures that unused accounts are not kept locally. By default, unused accounts are deleted after seven days. 

For more information about mechanisms for CP caching and refreshing the cache, see Caching
 

IPv6 Application Authentication

IPv6 addresses are now supported when using the allowed machines application authentication method. 
For more information, see Allowed machines authentication. 

CCP Trusted Proxy Subnet

More options are now available for CCP trusted proxy configuration. Customers can now configure single IPs, an IP range and CIDR notation in IPv4 as trusted proxy IPs. 

For more details, see Load balance the Central Credential Provider

For more details about this release, see the Credential Providers v14.0 release notes


Highlights in the CyberArk Credential Providers v13.0.3 Patch Release include:  

Application Server Credential Provider (ASCP) JDBC Driver Proxy for WebSphere Classic

The Application Server Credential Provider JDBC driver proxy now supports WebSphere Classic.  

For installation details, see Install WebSphere Application Server Classic JDBC Driver

For information about migrating from Credential Mapper to the JDBC driver proxy for WebSphere Classic, see Migrate Credential Mapper for WebSphere Classic to JDBC driver proxy

For more details about this patch release, see the Credential Providers v13.0.3 release notes

Other: Recently Released Guidelines and Benchmarks

Central Credential Provider (CCP) Hardening Guidelines

CCP is now compatible with CIS benchmark security and hardening guidelines. Center for Internet Security (CIS) benchmarks from the CIS are a set of globally recognized and consensus-driven best practices to help security practitioners implement and manage their cybersecurity defenses. They are a set of industry standard security and hardening guidelines and best practices. 

Central Credential Provider v12.6 and v13.0 have been verified as compatible with the CIS benchmark v1.1.1 guidelines and best practices. 

CIS benchmark recommendations can be found on the CIS website

For more information about hardening CCP based on the CIS benchmark, see CIS benchmark compatibility for Central Credential Provider

Central Credential Provider Performance Benchmark Report

Updated CCP recommendations for best performance and performance benchmarks have been recently published, see Central Credential Provider Benchmark report.

For high availability and better performance, CyberArk recommends using at least two CCPs behind a load balancer. 

CyberArk Conjur Integrations

Recent integrations with CyberArk Conjur Cloud and CyberArk Conjur Enterprise include:

MuleSoft Connector for CyberArk Conjur Cloud, Enterprise and OSS

The CyberArk Conjur Connector for MuleSoft enables seamless and secure access to secrets stored in Conjur.  This connector provides customers with a secure solution for accessing sensitive credentials within their integration flows between various systems, applications and data sources.  This connector is certified and supported by CyberArk. 

For more information visit our official documentation for Conjur Enterprise, and Conjur OSS


Conjur Terraform Provider for CyberArk Conjur Cloud, Enterprise and OSS

This provider enables Terraform to securely retrieve credentials, such as API keys and passwords stored in Conjur, during the provisioning process, such as when automatically building, changing and versioning infrastructure.  This provider is certified and supported by CyberArk. 

This provider is Certified and supported by CyberArk. For more information visit our official documentation for Conjur Cloud, Conjur Enterprise, and Conjur OSS.  


Conjur AWS IAM Client for Python (Cloud, Enterprise and OSS)

The Conjur AWS IAM client for Python equips developers with the ability to securely authenticate and retrieve secrets from Conjur using AWS IAM roles.  This is particularly useful for developers with Python applications running on AWS EC2 instances.  This client is certified and supported by CyberArk. 

For more information visit our official documentation for  CyberArk Conjur Cloud,  CyberArk Conjur Enterprise, and CyberArk Conjur OSS


 

Previous Video
Software Development Environments in the Real-World: Striking the Right Balance between Security and Innovation
Software Development Environments in the Real-World: Striking the Right Balance between Security and Innovation

In part 4 of our continuing webinar series supporting the upcoming O’Reilly book “Identity Security for Sof...

Next Video
Core Principles of Identity Security for Software Developers
Core Principles of Identity Security for Software Developers

In this webinar, the authors of the upcoming O’Reilly book, "Identity Security for Software Development," w...