With release 22.5, CyberArk Workforce Identity supports the following new features.
Multi-Factor Authentication – Granular Controls for RADIUS Server Authentication
Administrators can now select specific RADIUS servers used for multi-factor authentication. Previously, all available servers were shown to end users who selected the RADIUS authentication method. Now, administrators can configure the RADIUS server options users may select within authentication profiles. For example, global organizations can now ensure that only local RADIUS servers are used for authentication at each of their locations to reduce latency and session delays. This provides admins with granular, policy-based control over the RADIUS authentication method and improves the user experience.
Workforce Password Management – Non-AD User Credential Storage in CyberArk Self-Hosted Vault
CyberArk Workforce Password Management is an enterprise-focused password manager that provides a user-friendly solution for storing and sharing business application credentials and secure notes in a centralized vault. With this release, all enterprise users can securely store credentials and data in the CyberArk PAM Self-Hosted Vault. Previously, only Active Directory (AD) users could store credentials in the Self-Hosted Vault, while non-AD users could store credentials in the CyberArk Identity Cloud. Now all users, regardless of where their identity is stored, can leverage the Self-Hosted Vault. This provides organizations with CyberArk PAM solutions additional flexibility for deploying Workforce Password Management and ensures that all business credentials can be protected and securely shared. Refer to Store Secured Items and Business Application credentials in the PAM Self-Hosted Vault for more information.
Lifecycle Management – Enhancements to Outbound Provisioning
The outbound provisioning process is an integral part of the CyberArk Identity Lifecycle Management solution, enabling companies to provision access from CyberArk Identity to external applications. With this release, you can now use two additional outbound provisioning capabilities:
- Obtain a list of all Active Directory (AD) groups for a specific user. Using this new capability, you can now use scripting to discover all AD groups to which a particular user belongs.
- Deprovision users based on specific group membership. Using this capability, you can remove users from one or more apps based on their AD group membership.
The combination of these new capabilities provides companies with additional flexibility to control application access. For example, you can now provision users to groups or roles in an application only if the user is part of a specific AD group. You can also deprovision access when the user ceases to be a specific group member. Please refer to Script Capabilities in Provisioning for more information.
Mobile Authenticator – UI Enhancements to the Passcodes Menu
The passcode menu of the CyberArk Identity Mobile App contains time-based one-time passwords (TOTP) used for secondary authentication. With this release, the mobile authenticator TOTP has moved from the App Menu section to the Passcodes section, where all TOTPs can be viewed in a single location. In addition, each code now displays the logo of the app they are associated with for easy identification.
Secure Web Sessions – Bookmark Sessions and Events
With the 2022.4.17 release of Secure Web Sessions, customers can now flag both sessions and events. These flags can identify suspicious sessions or events that need additional review. They can also act as bookmarks, allowing customers to filter their views and see all flagged items in one place.
Secure Web Sessions – Continuous Authentication
CyberArk Identity Secure Web Sessions now supports the continuous user authentication security layer to ensure that no session is left unattended and that the user who started the session is the one using it. With the Continuous Authentication security layer, you can now set an idle timeout for specific high-risk applications and require users to reauthenticate using CyberArk Identity Adaptive Multi-factor Authentication (MFA). For example, you can configure the idle timeout for your financial apps to five minutes, after which the app session locks up. Users who walk away from the active session for more than five minutes will need to reauthenticate to continue using the app. CyberArk Identity MFA supports a wide range of authentication mechanisms, including passwordless factors such as QR codes and biometrics, making reauthentication seamless.
Secure Web Sessions – Vendor Access Now Protected
This release offers an integration between CyberArk Vendor Privileged Access Manager and Secure Web Sessions, extending protection to vendor user sessions. When vendor users log in via the Vendor Access Portal, they will now have access to CyberArk Identity applications, according to their role. Remote Access provides vendors with just-in-time (JIT), biometric authentication-protected, VPN-less access to company resources. Vendors can be invited through Remote Access to CyberArk Identity web applications, including both Remote Access, Identity Single Sign-On and Secure Web Sessions capabilities: JIT provisioning, strong authentication, single sign-on, recording, continuous authentication and session protection. During the invitation, vendors will be assigned identity roles to control the apps allowed for access, and will be deprovisioned on Remote Access timeframe expiration. See Vendors’ Access to Identity Web Apps for more information.
Secure Web Sessions – HIPAA Compliance
Secure Web Sessions is now compliant with the United States Health Insurance Portability and Accountability Act (HIPAA), and can be leveraged to protect web sessions for healthcare applications. Since Secure Web Sessions records and stores data about web sessions that could contain patient information, it’s important that data handling complies with all necessary regulations. To learn more, please visit Health Insurance Portability and Accountability Act (HIPAA) – CyberArk.
With release 22.5, CyberArk Customer Identity supports the following new features.
Customization of Text in Authentication Widgets
Customers can now edit and customize the text in the authentication widget. Previously, editing was limited to only three fields. Now, admins can edit the script directly to modify all text instructions and labels included in the widget. With the option to customize these labels and the style of text, customers are able to create a better end-user experience to fit their organizational needs, and to tailor the wording to their brand and style. To learn more, please see Customize the Login Form.
For more information on the 22.5 release, please see CyberArk Identity Release Notes.
