Securing privileged access is more important than ever in today's rapidly evolving digital landscape. CyberArk, a leader in Privileged Access Management (PAM), has been at the forefront of this effort, providing innovative solutions with the CyberArk Identity Security Platform (ISP) to help organizations protect their most sensitive assets. CyberArk's session management offering enables footprint reduction, TCO saving, and enhanced security.
Lessons Learned: Deploying Privileged Session Management at Scale
Privileged session management is a foundational part of identity security and privileged access management. CyberArk Privileged Session Manager (PSM) has been providing session management capabilities for many years, and it has a proven track record with thousands of customers. PSM is designed to secure, manage, and monitor privileged sessions. It acts as a secure proxy between privileged users and target systems, allowing users to access systems without directly exposing sensitive credentials and leveraging their native clients. It ensures that privileged sessions are isolated and monitored, reducing the risk of unauthorized access, credential theft, and other security threats. It is a trusted tool with vast capabilities, including session recording and auditing, session isolation and flexible customization to support a wide range of asset types, from proprietary systems and mainframe to all aspects of the IT stack to Cloud environments.
Here are a few examples of lessons learned from deploying privileged session management at scale:
- To secure the PSM component deployed on the organization’s premises, dedicated Group Policies and hardening are required for the host machine, which may conflict with existing organizational controls. While the security measures in PSM have been selected after extensive work by security experts, organizations sometimes feel more comfortable with their hardening. Conflicts also mean that the PAM deployment involves other teams beyond the PAM\IAM in the organization, such as Infrastructure teams. Moving the sensitive and vulnerable areas of the PSM component to the CyberArk cloud-based service, where it can be hosted securely by CyberArk and protected by the most advanced security measures, is a solution to this challenge.
- In a large-scale environment that runs many concurrent user sessions, PSM consumes resources extensively from its host machine. Large organizations sometimes must deploy many PSM servers to ensure service availability and reliability. Disassembling the resource-consuming parts of PSM and moving them to the CyberArk cloud-based service can extensively reduce the compute strength required from the PSM servers or the number of servers needed.
- PSM architecture is built upon Microsoft Terminal Server technology, which requires Remote Desktop Services (RDS) licenses that inflict costs on customers and add another step for deployment. Re-architecting the solution without using Terminal Server technology eliminates these needs.
- As the ‘brain’ of PSM is on the customer premises, enhancement and bug fixes require an upgrade of this component. Moving more capabilities to be hosted by CyberArk will mean we can deliver capabilities without forcing customers to upgrade their components frequently, and with near zero downtime.
- PSM provides access to different target types, including Virtual Machines, websites, databases, management tools and more. It does that by using a “universal connector” capability, which requires hosting the relevant connection client (e.g., SQL Server Management Studio) on the PSM server and visualizing it as a remote application for users who connect to PSM through Remote Desktop Protocol (RDP). Regarding databases, admins and developers usually use multiple database clients. We have learned that it can be challenging for PAM administrators to deploy and maintain the various database software on the PSM servers, and the fact that those clients are not on the users’ desktops may lead to poor user experience. Native and secure database access, in which users can ‘bring their own tool’ and connect with a proxied connection to the database can reduce the PAM admin overhead and significantly improve user experience.
In addition to how you deploy the privileged session management capabilities, we have learned how it is best to use it, about the different account types, and how to secure them. Currently, there are three categories for classifying privileged accounts:
System accounts
The operating system or cloud provider often establishes administrative accounts. These accounts possess inherent high-risk characteristics, featuring persistent privileges and predefined passwords, necessitating secure vaulting, deployment in emergency access situations and ongoing monitoring for authorized user access.
Operational accounts
Operational accounts with privileged access roles are created for SaaS applications and CSPs and should be used for day-to-day tasks with varying permission levels. Following a Zero Standing Privilege (ZSP) north star, these accounts do not need standing privileges and should be provisioned just-in-time (JIT) or provided with JIT access.
Application accounts
Application or machine accounts are used for things like scripts, infrastructure automation, RPA bots, container services, and IoT/OT devices. These accounts also bring out additional threats to the organization.
Providing secure access to system accounts and operational accounts requires a unified privileged session management solution to ease deployment, day-to-day operation, and audit activity.
Deploying Privileged Session Management - the CyberArk Way
Throughout 2023, we made significant efforts that culminated with the release of major improvements to our session management capabilities. We took the lessons learned through the years and applied them to new capabilities that help PAM customers improve the security of session management and operational efficiency by enabling access to a broader range of targets, improving user experience, and reducing total cost of ownership (TCO). Here’s how we did it.
Session Management with DPA Technology Using Vaulted Credentials from Privilege Cloud
DPA (Dynamic Privileged Access) began as a born-in-the-cloud- SaaS solution to provide just-in-time (JIT) access with ZSP to Windows and Linux VMs in cloud and hybrid environments. We chose to expand the technology and architecture to enrich our session management capabilities to include access to infrastructure (Windows, Linux, Databases, and Kubernetes) using vaulted credentials from Privilege Cloud or with ZSP with an isolated and monitored session from within the network or from remote.
It provides the following benefits:
Significantly improve the efficiency of managing privileged sessions and TCO savings:
- 16-32X reduced footprint cost with more concurrent sessions per connector and lower specs needed.
- No RDS licensing is needed.
Easy deployment:
- Utilize the existing access control policies defined by users' permissions in Safes. The only step that is required to start working is to deploy a lightweight connector.
- Near zero downtime upgrades.
- Built-in high availability and load balancing.
- Non-intrusive deployment (No Applocker, GPO).
Usability and Security:
- VPN-less native access with vaulted credentials and ZSP.
- Native access with IDP-based authentication.
- The sessions are isolated, monitored, and audited including secure shell (SSH) commands, SQL queries, kubectl commands, and RDP video recording.
- Unified audit and SOC view.
Wider support of native tools:
- Native access to Kubernetes.
- Reduced PAM admin overhead and increased user adoption with native database access.
- ZSP access to databases.
How it works
Let’s dive into the details and start with a brief review of the architecture.
The flow begins when a user tries to access a target machine using their preferred SSH, RDP, database, or Kubernetes client. The request is directed to the CyberArk Cloud service, specifically to the relevant component gateway (RDP, SSH, Kubernetes, Databases). The user is authenticated via the organization's directory service or identity provider, be it CyberArk Identity or a 3rd party IDP. Then, authorization to allow the user access to the target takes place and varies between the different flows. Access with vaulted credentials utilizes the user permissions on safes (like PSM). Access with zero standing privileges utilizes attribute-based access (ABAC) policies defined in the ISP portal. Once authenticated and authorized, the DPA connector establishes a session between the component gateway and the relevant target. This lightweight connector is deployed in the organization’s data centers. It creates an encrypted, secure, reverse tunnel between the SaaS service in the cloud and the target machine. The connection to the service is an outbound connection over transport layer security (TLS). The session to the target is redirected by the connector client on the relevant port. Inbound connectivity into the customer’s environment is not allowed. The session to the target is established with either vaulted credentials from Privilege Cloud or with JIT ephemeral access (ephemeral user or ephemeral certificate, depending on the target system).
Advantages of Session Management Cloud Service and the DPA Connector
This architecture allowed us to move most of the ‘brains’ of privileged session management to the Cloud, hosted by CyberArk, so we reduced the resource-consuming parts from the organization’s premises. What’s left on the organization’s premises is a lightweight connector that acts as a reverse proxy to allow secure access from the CyberArk Cloud service to the organization’s assets. How lightweight? See the following example for specs required for the organization-side connector to run RDP sessions:
| Architecture | # of CPU | Equivalent VM type | hourly rate | # of concurrent sessions |
| With PSM | 32 vCPUs | AWS: m5.8xlarge Azure: Standard_F32s_v2 | ~$1.5-3 | Up to 100 |
| With the DPA connector | 4 vCPUs | AWS: t2.xlarge Azure: D4as_v5 | ~$0.18-0.22 | Up to 200 |
We can see that with one-eighth of the hourly rate, we can run twice the number of concurrent sessions, saving 16-32 times the costs for the on-premises footprint. Also, the connector can be deployed on either Windows or Linux while brokering sessions to all asset types (Windows, Linux, Databases, and Kubernetes).
Moving the ‘brains’ to the Cloud helped solve other challenges and reduce prerequisites:
- No need to deploy a load balancer: Providing high availability and load balancing to the DPA connectors is done from the CyberArk Cloud service.
- No need for dedicated GPOs or AppLocker rules for the DPA connector host. Organizations can use their hardening according to their standards.
- No need for Microsoft RDS licenses for the connector.
- No need for frequent connector upgrades to gain new capabilities or security fixes.
- The deployment of the DPA connector takes minutes. The upgrade is with a click of a button in a central connector management view.
Secure Access to Databases and Kubernetes with Minimal Friction
CyberArk’s session management capabilities have included native access capabilities for a long time for RDP and SSH based access. The notion in mind was always that users prefer using their access clients and connection managers, and we should provide them security solutions that do not cause ’friction’ in their day-to-day work, so they should integrate with any access clients they use. Databases and Kubernetes users are not different as they also need session management capabilities to be as native as possible.
So, we extended our native access capabilities beyond Linux and Windows to Databases and Kubernetes, allowing Database admins and developers to ’bring their own tool’ and connect with a proxied connection to the Database and Kubernetes cluster. We started with SQL Server, MySQL, PostgreSQL, MariaDB, Oracle and DB2, and we are adding more. Access to databases can be done with vaulted credentials or with ZSP, using ephemeral users with elevated privileges. Sessions are isolated and with a full audit trail of SQL queries and kubectl commands that were run.
Beyond the frictionless security layer that helps increase user adoption, native access helps reduce the PAM administrator’s overhead. They no longer need to deploy and maintain the various database software on PSM servers since the software runs on the users’ desktops. This also means less compute resources needed from the customer since database software can often become ’resources hungry’.
Protect Access to all Asset Types
A common question is – ‘I need access to all kinds of infrastructure and services. What component should I use?’ Good news - these updates are additive. While leveraging PSM for RDP, SSH, and Database connectivity with vaulted credentials is still possible, the DPA connector offers lower TCO and a streamlined experience in these very common platforms.
- Leverage the DPA connector for RDP, SSH, Database, and Kubernetes sessions.
- Use PSM for thick clients, highly custom applications, and complete customizability.
- For Cloud console and services with ZSP, use the Secure Cloud Access solution.
- For privileged web applications, use PSM. We will soon introduce an enhanced experience using Workforce Password Manager, which will connect users to the website with vaulted credentials and the additional protection layer of Secure Web Sessions.
How it all combines:
In the diagram, we see how organizations can take an environment that previously required six large (32 cores) PSM servers, two PSM for SSH Linux servers, and load balancers and reduce it to two lightweight (four cores) DPA connectors that cover all infrastructure access and two small PSM servers for other assets.
Improved Security
We kept the basic principles of session management: strong authentication, granular authorization, and access control; a proxied session that provides isolation between users’ workstations and targets and makes sure that users and their workstations are never exposed to privileged secrets and session audits. But there are added security benefits with the new architecture and capabilities:
- It is now easier to protect more user communities beyond IT. DB admins, developers, DevOps and others benefit from better user experience, which increases adoption.
- It is easier to promote the ZSP approach with a single solution that provides both access with vaulted credentials, and with ZSP.
- We added IDP-based authentication for native access which removed a blocker from organizations that mandate that all authentication is with their IDP.
- Getting Security fixes is much easier since most are provided by CyberArk directly to the Cloud service. The simple upgrade of the customer-hosted connector also improves the ability to consume security fixes.
- Reduced dependency on VPN solution for remote access since the solution provides VPN-less access.
A Glimpse into the Future
In addition to the capabilities provided, we have great plans:
Providing these capabilities to our PAM Self-Hosted customers: ZSP access to Windows, Linux and databases can already be utilized by our PAM Self-Hosted customers or even customers with no PAM. We plan to also provide access with vaulted credentials fetched from the PAM Self-Hosted Vault so that customers can gain from the new session management architecture and capabilities.
Unified user portal: While we invest a lot in native and frictionless user experience, some users feel more comfortable accessing their assets from a portal. Access via the new session management architecture is currently available only when using native clients. We plan to provide a user portal that will unify all the user’s access needs, no matter what the underlying service providing the access, including Windows, Linux, databases, Kubernetes, Cloud services, web applications, and more.
Unified administration with the CyberArk Identity Security Platform shared services: We are unifying administrative controls to streamline the ISP administrator experience. The existing Connector Management service, which today deploys components like the Privilege Cloud connector is also planned to deploy the DPA connector, a cloud onboarding service that will create all the needed trust with the cloud workspaces for all services, unified access control policies for all asset types and access types and more.
Threat analytics and mitigation: We plan on using our Identity Security Intelligence (ISI) to analyze user activity in sessions. Whether they use the new architecture or the PSM connector, we will assign risk to them and provide risk mitigation to those sessions.
To learn more about these features, please visit:
Demo videos of database access
Note: CyberArk believes the information in this publication is accurate as of its publication date. The information is provided for informational purposes only and represents CyberArk's current view of its product and product direction. It is not a commitment or an obligation to deliver any feature or functionality. The development, release, and timing of any future features or functionality for our products remains at CyberArk's sole discretion.
The information is provided without any express, statutory, or implied warranties.
