CyberArk is proud to announce the next version of Privileged Access Manager (PAM) Self-Hosted, version 12.6. This version is designated as long-term support (LTS). Customers who install this version will continue receiving security updates and critical bug fixes, per our policy.
Version 12.6 introduces a new user interface to simplify safe management, enhancements to the CyberArk Telemetry tool, expanded REST APIs, and new capabilities for session management and threat analytics. CyberArk also announced several patches for Privileged Session Manager (PSM) components in previous versions. See below for more information.
PAM Self-Hosted v12.6 introduces security updates and enhancements within credential management, session management and threat analytics.
New Security Capabilities
For credential management, we’ve updated the CyberArk Digital Vault’s hardening script to reach over 90% alignment with Center for Internet Security (CIS) guidelines for defending IT systems. The Vault’s support has also been expanded for Hardware Security Modules (HSMs), strengthening PAKeyGen capability for integrating with HSMs using a 64-bit PKCS#11 library or a personal identification number (PIN).
Meanwhile, the CyberArk web portal (PVWA) now offers enhanced authentication to validate that certificates are being used by the proper identities, allowing PAM administrators to configure valid issuers for PKI/PKIPN authentication. Finally, our AWS STS connector for enabling temporary, isolated and monitored AWS console sessions has been enhanced to support sessions through Google Chrome.
Session management enhancements include network-based access control to ad hoc PSM for Windows sessions, where customers can now apply subnet-based rules to control end users’ ability to access specific target systems via PSM. Organizations enforcing dual control policies can also now enforce time-bound sessions.
Additionally, PSM for SSH now supports auditing of user put and get activities and file information for secure file transfer protocol session recordings. Finally, SSH tunneling in PSM for SSH can now be configured for specific systems.
Lastly, we’ve enhanced Privileged Threat Analytics with detection of risky commands now extending to accounts in Google Cloud.
Simplification and Usability
PAM Self-Hosted v12.6 simplifies many areas of the PAM user experience. This release includes a new safe management user interface and enhancements to our Telemetry tool for increased visibility and operational efficiency of PAM programs.
Another enhancement is the ability to set the next password value within Central Policy Manager.
When updating an account’s credentials, PAM administrators often want to provide a specific password. They can now do this from the CyberArk Web Portal using the default UI, addressing a common enhancement request from Privileged Access Manager users.
The CyberArk Web Portal now has a cleaner, more modern user interface for managing safes in the CyberArk Vault. This new UI includes a wizard that provides suggestions to simplify end-to-end safe management. This update enables operational efficiencies for PAM administrators by streamlining the experience of creating and managing safes as well as the users who must access those safes. Please watch this video for a detailed walk-through of this update.
The CyberArk Telemetry tool—which provides user-friendly dashboards to help customers track deployment status, including PSM utilization by platform, compliance status of managed credentials, and license utilization for PAM deployments—now reports on new metrics, including the number of IT platforms configured for:
- Periodic verification of credential compliance
- Automatic reconciliation of non-compliant passwords
- Periodic credential changes
CyberArk has enabled improved management of users with updates to the user management APIs. Specifically, customers can enable and/or disable a user in the Vault and retrieve the details of a single user group. Also, we’ve updated the GET Accounts REST APIs to filter the returned list of accounts according to predefined criteria, such as accounts that have been deleted, disabled or scheduled for credential reconciliation. Returned accounts include timestamps showing when they were deleted.
Lastly, we’ve enhanced many Privileged Threat Analytics (PTA) configurations to include a simplified installation and upgrade. Improvements include an upgraded MongoDB database embedded in PTA, the ability to exclude specific users from PTA, and indications of PTA component health displayed on the Web Portal System Health Page.
Find more information on the 12.6 release at CyberArk Docs.