Operational efficiency and strong security. Finding the balance between the two is something security teams wrestle with every day. This was our vision for version 11.2 of the CyberArk Privileged Access Security Solution – to provide new privileged access management (PAM) features that make it easier for organizations to manage risk while enabling the business as digital transformation continues to evolve. In this version, customers benefit from new ways to achieve least privilege to manage risk and improve productivity.
New Just-in-Time Access and SSH Certificate Authentication for SSH Session Management
Leading companies like Netflix, Facebook and Uber are using SSH certificate authentication for SSH session management, citing scalability, ease of use and strong security. This approach provides a centralized point of trust via a certification authority (CA): servers (hosts) trust the CA's public key, and accept any client (user) who presents a certificate signed by it, with no per-user key distribution to the host.
An SSH certificate bundles a few important elements: the user's public key, identity information (a key ID and the principals, i.e. the account names the certificate may log in as), operational restrictions (a validity window plus critical options and extensions such as force-command or permit-pty) and the CA's signature over all of it. With SSH certificate authentication, instead of maintaining authorized_keys files on every host or controlling access to long-lived private keys, the host just needs to be configured to trust the SSH certification authority.
Weak or absent SSH key management leads to a large volume of privileged accounts and standing access on the target, increasing the attack surface. SSH certificate authentication at scale aligns with the principle of least privilege and balances ease of use and security.
To help customers unlock these benefits, CyberArk now supports SSH certificate-based authentication within its isolated privileged sessions. Linux and Unix admins get instant, just-in-time access, and security teams no longer need to manage a public-private key pair for each account on each remote machine.
End users connect via SSH to a remote machine through CyberArk. After the user authenticates, CyberArk issues a short-lived SSH certificate and uses it to authenticate to the remote machine inside an isolated and controlled session.
Here’s how it works:
- A user opens a native SSH session (e.g. PuTTY) to the CyberArk Privileged Session Manager server.
- CyberArk then signs a session public key with a certification authority key held in the CyberArk Vault, producing an SSH certificate.
- The SSH session to the target system or Linux VM, whether on-premises or in the cloud, is then brokered with the necessary privileged account.
SSH certificates never travel to the end user's workstation, and every certificate carries a short, fixed time-to-live (TTL) of five minutes. Once a certificate has been used to establish the connection it is deleted immediately, and even if one were somehow exposed to an attacker it would be rejected by the host once the five-minute window has passed.
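To make the certificate elements described above concrete, here is an added example (not CyberArk code) that encodes and parses an OpenSSH ed25519 user certificate in its wire format, then applies the checks a host performs for a CA-trusted certificate together with a five-minute lifetime ceiling like the TTL above. The key ID, principals, timestamps and public-key bytes are constructed for illustration; the CA signature field is left empty because signing and signature verification are assumed to happen in the CA and in sshd respectively.

```python
"""OpenSSH user certificate (ssh-ed25519-cert-v01@openssh.com) encoder, parser
and validity check. Added example, not CyberArk's own code."""
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1   # certificate type field: 1 = user, 2 = host


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _options(opts: dict) -> bytes:
    """Critical options / extensions: a string packing (name, data) pairs.
    Flag entries (permit-pty) carry an empty data string; valued entries
    (force-command, source-address) carry the value as a nested string."""
    out = b""
    for name in sorted(opts):            # OpenSSH requires lexically sorted names
        val = opts[name]
        data = b"" if val is None else _string(val.encode())
        out += _string(name.encode()) + _string(data)
    return _string(out)


def encode_user_cert(pubkey, key_id, principals, valid_after, valid_before,
                     serial=1, critical=None, extensions=None,
                     nonce=b"\x00" * 32, ca_pubkey_blob=b"", signature=b""):
    """Build the certificate blob. A real CA signs everything up to and
    including 'signature key' and fills the last two fields (left empty here)."""
    critical = critical or {}
    extensions = {"permit-pty": None} if extensions is None else extensions
    return (_string(CERT_TYPE) + _string(nonce) + _string(pubkey)
            + struct.pack(">Q", serial) + struct.pack(">I", USER_CERT)
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _options(critical) + _options(extensions)
            + _string(b"")                       # reserved
            + _string(ca_pubkey_blob) + _string(signature))


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def string(self):
        (n,) = struct.unpack_from(">I", self.buf, self.pos)
        s = self.buf[self.pos + 4:self.pos + 4 + n]
        if len(s) != n:
            raise ValueError("truncated string")
        self.pos += 4 + n
        return s

    def u32(self):
        (v,) = struct.unpack_from(">I", self.buf, self.pos); self.pos += 4; return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.buf, self.pos); self.pos += 8; return v


def _parse_options(blob):
    r, out = _Reader(blob), {}
    while r.pos < len(blob):
        name, data = r.string().decode(), r.string()
        out[name] = None if not data else _Reader(data).string().decode()
    return out


def parse_cert(blob):
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    cert = {"nonce": r.string(), "pubkey": r.string(), "serial": r.u64(),
            "type": r.u32(), "key_id": r.string().decode()}
    pr = _Reader(r.string())
    cert["principals"] = []
    while pr.pos < len(pr.buf):
        cert["principals"].append(pr.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical"] = _parse_options(r.string())
    cert["extensions"] = _parse_options(r.string())
    r.string()                                   # reserved
    cert["ca_pubkey"], cert["signature"] = r.string(), r.string()
    if r.pos != len(blob):
        raise ValueError("trailing bytes after certificate")
    return cert


def check_cert(cert, login_user, now=None, max_lifetime=300):
    """Decisions a host makes for a CA-trusted certificate (type, principal,
    validity window), plus a lifetime ceiling (five minutes by default).
    Signature verification against the trusted CA key is assumed done first."""
    now = int(time.time()) if now is None else now
    if cert["type"] != USER_CERT:
        return False, "not a user certificate"
    if login_user not in cert["principals"]:
        return False, f"principal {login_user!r} not in {cert['principals']}"
    if now < cert["valid_after"]:
        return False, "certificate not yet valid"
    if now >= cert["valid_before"]:
        return False, "certificate expired"
    if cert["valid_before"] - cert["valid_after"] > max_lifetime:
        return False, "lifetime exceeds policy maximum"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a brokered session allowed to log in as root for 5 minutes.
    issued = 1_700_000_000
    blob = encode_user_cert(b"\x11" * 32, "psm-session-42", ["root"], issued, issued + 300)
    print(parse_cert(blob)["key_id"], check_cert(parse_cert(blob), "root", now=issued + 10))
```

On the host side, the equivalent of "trust the CA" is the sshd_config directive `TrustedUserCAKeys /etc/ssh/ca.pub` (optionally with `AuthorizedPrincipalsFile` to map principals to local accounts); with that in place, `ssh-keygen -L -f cert.pub` prints the same fields the parser above extracts.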
This new capability expands CyberArk’s just-in-time offerings across cloud and hybrid environments and on the endpoint.
Create Native, Secure Access with Privileged Session Manager for Web
Along with Privileged Session Manager for SSH, we’ve also added a new tool to make native session management for web applications even easier. The Universal Connector Generator allows CyberArk customers to develop custom connectors that extend native, secure access capabilities to a wide range of SaaS or homegrown web applications.
In the era of digital transformation, web apps are ubiquitous for employees. Whether they are AWS cloud consoles, corporate social media accounts or proprietary payroll portals, privileged access to apps that store sensitive data introduces new security risks.
With the Universal Connector Generator, CyberArk users can develop custom connectors that let employees launch fully isolated privileged sessions in web apps without credentials or session identifiers ever reaching their workstations, significantly reducing the risk of credential theft and session hijacking, two common attack vectors in web and cloud app breaches.
The best part? Creating a connector is straightforward and can be done in less than 15 minutes.
The Universal Connector Generator records the end user's application login process once, then generates a connector that isolates subsequent sessions to that application. After testing confirms the connector provides native, isolated application access, the Universal Connector Generator automatically hardens the connector to ensure it meets security requirements. Teams can then export the connector for use by other Privileged Session Manager for Web users.
Custom Privileged Session Manager for Web connectors afford security teams the ability to provide secure, native access to their employees’ favorite applications.
This latest version of the CyberArk Privileged Access Security solution marks CyberArk’s ongoing commitment to helping our 5,000+ customers defend against targeted attacks with privileged access management while delivering a simple, efficient experience for their employees.
Expanded just-in-time capabilities and the Universal Connector Generator are just two key features of v11.2. The release includes many other PAM features across the CyberArk Privileged Access Security solution, including improved Kubernetes support for Application Access Manager, and new DevOps functionality in Privileged Session Manager for Web via out-of-the-box support for Jenkins and Ansible Tower.