CyberArk Vaulting, Rotation, and Native Access Control Demonstration

Captions
Cool, so let's do a quick demonstration. Now, I mentioned that you can use the web portal, the old-school way (not bad school, just old school). So what I'll do here is: someone who authenticated into CyberArk as a user called John. Now, you saw a whole bunch of different authentication methods earlier; I talked about the concept of inherited multi-factor. This comes in really handy with things like mainframes and such that don't lend themselves so well to MFA. But John logs in, then, based on who he is, he has access to a number of those accounts that are vaulting and rotating. If he wants to, say, connect with a domain admin one, he finds it, presses the connect button, maybe goes through an approval process if we want him to. This one's more open: he tells us why he needs it, but then tells us where he wants to go. It's a one-to-many account, so you can either (a) let users select, or (b) lock it down so it can only go to this target or that target or that target. But John clicks go, and we'll then start that session creation process. Right, so we didn't see what the password was; we programmatically connect him through CyberArk, so our jump server reaches up, grabs the secret internally, he's notified he's being recorded. I have this in a window, but most users will prefer it to be maximized; I did this because we were presenting at an organization that only had a 1024 by 768 projector, which still does happen. But he's connected as that admin account, didn't see the password, could be 90 characters long, no big deal. Of course we have isolated him; we're also monitoring what he's doing and can apply analytics, but I'll talk more about the analytics in a future session. What I'll do, though, is I'm gonna do something nice and just turn on the Windows Firewall profile. What you'll see in a bit is I can actually tell you it was John who did this operation: login, click connect, go cat go.

Yes sir?

So John's logged in, and the machine, he's idle for a little bit and the screen locks itself. Sure. He comes back: "Oh, enter your password."

So, a couple of options. The first is we can instantiate a session max time, so if he's idle for a little while we'll go ahead and disconnect him. Second is, if he needed to, say if it was locked or he needed to reallocate, or for whatever reason he just wanted to reconnect, simply close, access again; the reallocation will cancel any screen timeouts or anything like that for him.

Yes sir?

But say I'm on a support call with Microsoft or whatever vendor, and they want to hop onto my computer and also see what I'm doing. Do you somehow block that access, or disallow them to use some sort of remote control? Because I don't see it; would there be any logging from that point?

So, good question. If I have an over-the-shoulder type of use case, I'm not gonna block that from occurring, right? The user is authenticated successfully through CyberArk using whatever process we've set; I trust the user enough to leverage that account. Now, it is within the realm of possibility to be able to allow a user to connect but also be doing endpoint controls to block specific remote connectivity clients, so they couldn't do something like this. But most of our customers will instantiate control here and allow the user to make a decision of leveraging something like Microsoft over-the-shoulder or something like that. But it is definitely possible, even though we do see it on the rare side of things. Remote connections like that work fabulously when they work, but sometimes a user will have to see a password. So for us that means allowing it, if you choose, but also doing things like one-time use, as I mentioned earlier. So John tries to use this admin account; we change it after an hour. I'm on East Coast time here, that's why you're seeing the difference in time zone there, but we'll actually rotate that secret after John uses it, or after he checks it back in, so that exclusive access is also possible here too. We mentioned ServiceNow, so maybe in order to show that password, to use it, John has to actually put a ticket into your ticketing system. As long as that ticketing system has an API, you can do that. We can validate if the ticket exists, if it's set the correct priority, if it's been approved, if the user specified the color blue; whatever logical parameters we choose are possible through this.

From an audit perspective, to enforce that ServiceNow was... you have an enforcement mechanism to enforce that, for something like ServiceNow?

Yep. So you actually tell us: this account, this flow needs to be approved within ServiceNow. We then reach out via API, check and validate, and then you choose: you can either (a) put more approval flows on CyberArk afterwards, or (b) just use ServiceNow as the driver.

Yes. So you have the validation piece, but do you also have, like, a non-validated reason? So say you just want to report back that there was... and why somebody is accessing?

Definitely. And this also includes emergency access as well. There are cases where putting in a ticket is gonna take way too long, so emergency flows, those break-glass, red-button type flows, are also supported through this process.

So the form I saw in there, when it had the reason, was optional. Do you have the ability, from an audit point of view, to make that required?

Oh yeah, or have a specific set of reasons that need to be entered through a drop-down list. It's all possible.

Okay. I'm just trying to think of, like, compliance questions at the moment, because it's important. And I'm just thinking, like, for the password policies and the requirements, is there a way to, like, align with this framework or that framework, or is it something you manually choose, what needs to be the requirement for the passwords?

Great question. So within, in terms of password management, we don't have like a compliance drop-down; we do for reporting capabilities for our endpoint stuff. But the typical flow will be we'll set a baseline compliance policy: passwords must rotate every 180 days. Then for specific platforms, which can be duplicated, we may have a PCI platform that has this rotation requirement, a non-PCI platform that has another, but that is specified when you're actually setting up the platform.

And then the other question I had was, so I guess you kind of answered that. So when you're setting up the platforms, wherever, you can set up, like, the really silly platforms that decide you can't have over this much character length or something like that. So I guess you would customize that when you're setting it up?

Absolutely. Um, character length we can only detect using these clients.

Is there, like, in the dashboard kind of view, however it looks, is there like a way that says, kind of prioritizes, like, these ones are secure and it allows us to obviously follow these standards, but these ones, on the other hand, they're not as secure, but the reason is because of the restrictions of, like... can you kind of mention that in your dashboard? I'm just trying to think of how it's done.

In two areas: there's a comment on the actual secrets themselves, but there's also a report that comes back, the compliance status, showing you, based on the specifics of this platform, ninety days rotation versus your company's, you know, 180, here are the things that are out of compliance for that particular...

Neat, actually. That would be a really good, like, overview, especially for the compliance officers, and especially, I'm thinking like GDPR and the data protection officers and all those people.

And GDPR specifically: there are cases where these recordings, that session you saw, it makes its way back to the vault. Should it leave the country or community where it was recorded and head back to the vault? Some people say no, so we can actually store them locally to the recorded environment versus always having to pipe them back.

Oh yeah, there are requirements where we can't do that, so that makes sense. Interesting. Okay, I like it.

Let's switch gears. Windows we've connected; let's show a different type of account really quick, and we won't spend too long on it. But I have a root account managed. This could be enable, this could be a SYSDBA account on Oracle, it could be a SYS account on a mainframe. But going through the browser, John clicks the connect button, we let him know he's being recorded down there in the bottom, and drop him into a PuTTY session. And it's kind of hard to read there because it's not John's PuTTY session; it's one that we're presenting back to him. Now, as part of the flow we actually performed a su to root and authenticated it automatically. So if you can't get there as root because you block that by corporate policy, we simply handle that for the user. Now, the reason why this is kind of suspect, in my opinion, is even though it allows for things like exporting for your Oracle administrators, it isn't very native UNIX, right? We connected through a browser, opened up an RDP file, and yeah, it was automatic, but then we dropped John into a PuTTY session that isn't his own. For me, I would say no, no, no, no; there are so many areas of sacrilegiousness there that I want to do it. So I mentioned native access earlier; it simply has to exist. Now, while John may have been okay with that flow, maybe Bob wasn't. So if Bob wants to connect right from his terminal, all he needs to do is modify his SSH connection string to say: hi, my name is Bob, I want to connect as the root account for this system, so he's actually pulling it from CyberArk. Now I want to go through this intermediary, sorry, SSH proxy here. Bob is asked to authenticate. Bob is also configured for multi-factor; I'm actually gonna have it sent to Bob's phone, which I have conveniently stolen here. After my authentication, Bob gets connected through almost as if he was going through the browser, without having to leave his console.

In the recording, the input as well as the output is recorded?

Absolutely, and you'll see a quick example of this when we look at the audit side of things. Now, we developed this functionality around five years ago, and UNIX users and network admins were like, yeah, this is fantastic. And then Windows users and everybody else said, what about us? I am happy to say this flow is supported through any remote desktop aggregator. So as long as you can launch a graphical session through a modified start program string, we connect a user through, get them connected, go cat go, right from something like mstsc or RDCM.

Yes sir?

What about PowerShell, Windows PowerShell?

Yep. So the question is, is PowerShell operating in a human capacity or non-human? If it's human, we can authenticate them through the proxy from the same remote desktop aggregators and drop them into a PowerShell session. If it's a non-human process, the user does have the ability to programmatically pull a secret from CyberArk for a more native experience, and I'll show you that pull in our next session.

Okay. Sorry, this looks like it's not only just an authentication proxy but an actual proxy, because you connect from your CyberArk content, so all connections look like they come from the vault, not from the host machine?

Mm-hm, yep. So we'll pass through information about the host IP for connections, but the actual connection itself is made from whatever intermediary we're connecting through, the jump server. We've seen customers use this for adding additional network-level authentication controls into regulated environments, so you can only connect if you're coming from jump server one, two, three, four, five, six, seven, or whatever it may be.

Now I do want to show you, because I know there was a little bit of interest, I want to show you the native approach. So I'll actually just authenticate here to a hosted environment. Looks like it logged me out. I think I got the right one. I did not get the right one; we'll try the other one. But for my user now, what would you prefer in the room? AWS? Twitter is a major portion. Azure? Any preference? So let's say I want to leverage either a vaulted root account or maybe a privileged IAM user. I could go through the browser and do the exact same flow I showed you before, but why? In this case I'm using my own user's browser here; let me maximize that so it looks a little better. All I need to do is modify my username syntax here, so I'm gonna say my name is Anita, I would like to use a vaulted and rotating, in this case, IAM account called PSM cloud. Now Anita has to type in her CyberArk password here, so she's authenticating back to the CyberArk solution itself. Types it in, we actually pull that PSM cloud account from CyberArk, get her logged in with it, without her needing to see or know what that password was. This is our Privileged Session Manager for Cloud proxy to add to the native access of the user.

He had a question? Definitely.

Yes, so multi-factor authentication can and should be placed in front of these authentication flows. If you rely only on, say, Active Directory LDAP trust, and that trust is broken, you've now also broken your trust to the CyberArk platform too. So I cannot recommend highly enough: put MFA in front of CyberArk as the first thing you do after deployment.

So you support Amazon in this instance, but what about Azure or GCP?

GCP is coming here in the next couple weeks to a month. GCP, while it is quickly coming, most of our customers are on AWS or Azure. Sure, but yes, there are plans to support Google Cloud Platform with the same flow, and this is all the native access, but you can go through the browser and get to whatever SaaS-based platform you want without necessarily using the super native flow that I've shown you here.

Yes sir?

So was AWS querying the vault, like in an S3 bucket somewhere, or... where was the vault stored when you did that?

Good question. So we're actually connecting through a proxy here, so the user's browser in this case is using a PAC file to route AWS through CyberArk. So we're intercepting it at the proxy layer; there's nothing with AWS control.

Okay. Now the cool part about that, and I know you've got a question, I'll address it in a moment. Okay, same question? Cool. The cool thing about that is it gives us the ability to also perform access controls or application shaping. So for instance, if I go and use a vaulted Twitter account, I'll go ahead and type in my password correctly, same flow as before, but you can actually track to see what tweets he likes (for instance, who doesn't like happy little puppies?), what folks he follows, but also do things like prevent certain things from being tweeted. For instance, "my password is don't look": you can actually intercept that traffic and stop the tweet containing "password" from actually being sent.

Does it do...? 

Yep. So at the moment this doesn't support the app flow; it's simply for browser-based access. So if you're using an app, that is something we're looking into, but not something that's simple.

It's all just proxy-based?

Yep, so proxy-based, yes.

So does this also work with, like, third-party web apps like TweetDeck, or is it just the native...?

Just the native today, but we are looking into third parties, things like that. Again, we don't want to control all Twitter access, but the privileged stuff, the company Twitter account, that can cause the most reputational damage.

So back to, like, another auditor question for this. When you're talking about being able to track who follows what, who likes what, intercept traffic to prevent passwords, how far does that tracking mechanism go? It always points to GDPR; GDPR talks about being able to track access and the reasoning for access to certain data elements. How does that work with either maybe a different type of SIEM, or a greater integration with something like Splunk, as far as the auditing capabilities go?

Completely user-defined, because we choose how long we'd like to retain the information within CyberArk and whether or not we want to forward this on to, say, a Splunk or another similar syslog solution. So there's no theoretical limit to CyberArk; it's simply based on whatever policies we choose to set upon the implementation, and after the implementation too.

Okay. Do you see a lot of people using CyberArk to address some of those compliance concerns with the new privacy acts coming up?

Absolutely, that's very, very common.

I think it's a random question, but I've seen it so often on Twitter I just can't stop laughing. Basically I've seen a lot of, like, credit card details and bank details of people on Twitter, and driver's licenses. Is there any way to limit that, or is it simply kind of only text?

Okay, so at the moment we're looking at raw text; we're actually scraping the input. But it can also be things like, for instance, in AWS, stopping an EC2 instance: it doesn't say, well, you know, "stop it"; we don't pull that, we actually pull the action itself. So because we're intercepting the traffic there are some neat things we can do. However, it's something that's still, I think, currently being worked on. So the answer is yes, it is within the realm of possibility, and any suggestions from both the room as well as out there, please send them to us; we're always looking for new ways to instantiate this new technology.

And then, I saw on the C3 Alliance you have Splunk. Do you have an app that integrates with Splunk to send the data, or do you have to send it over, like, syslog or something?

It's done primarily by syslog, but there are special dashboards, things like that, that exist in Splunk Enterprise that can actually correlate the... yeah. The other element of integration, and you'll see this in a little bit, I hope we'll be able to: we actually pull information in from Splunk to apply to our analytics. It's multi-directional, and that's true of most of the big SIEM vendors, so your ArcSight, your LogRhythm, and so on.

And so for setting it up for Splunk, I'm just trying to picture that, so is it still quite hands-on? Do you need a Splunk architect to be able to configure it properly?

Once we're piping in the syslog information, if we're using, say, the dashboard that's available, we instantiate it, we're good to go. Now, providing additional correlation, performing any piping to multiple SIEMs, I would recommend having someone at the company who's familiar with Splunk to help you set that up. For integration we just need to know where to send it and what format they'd like.

Alright. And you hopped over to AWS and you hopped back out really quick. I was hoping you're going to get there. Can you talk about ephemeral instances and secret control around those?

Sure. So if we're looking at ephemeral EC2, one of the biggest issues that we have is, well, how do I know when it boots into being and when it pops out of being? So what we've done is, we've actually open-sourced this integration: we integrate with CloudWatch, so we have a Lambda function that, when it detects a new instance that pops up, we programmatically vault and rotate the SSH key initially. If it pops down, we can of course instantiate automation archival flows. The concept of delete does not exist within CyberArk; we will not remove a secret until after the audit retention policy has expired. So when you click delete, it puts it into an archive state until the appropriate amount of time has passed. I learned that the hard way in the very beginning of my CyberArk employment, where I did some silly things and thought I could just erase the audit log. I could not.

The instance and perception of the jump box: is it limited to a single box, or can it be instantiated from multiple different boxes, so many jump boxes?

Very, very few of our customers will deploy with one, unless they have the world's flattest environment. When they start with one, two, but even then we want to make sure with load balancing as well. So that's one versus two versus thousands and stuff like that.

The direction I'd go in is, let's say we're doing the SSH, we're connecting and we're running commands, and then I'm gonna do an SCP, I want to transfer some data using that mechanism. And suddenly Darktrace and other AI machine-learning systems are saying you're doing a lot of exfiltration of data that's going from this jump box out to... really, it doesn't necessarily know, because it doesn't have the insight into that, unless you also have a kind of integration point where you kind of draw the line separately, and it doesn't just see everything going from the jump box going to everywhere else.

Good questions. We want to make sure we're using encrypted protocols whenever possible, at least on the front end; sometimes we have to connect to mainframes using telnet, and it makes me cringe every time. We also want to make sure that the jump boxes themselves, we look at as tier zero security appliances and access appliances too. So both CyberArk analytics as well as additional analytics and security must be placed on these jump servers too. Whenever we concentrate access across a thousand systems down to access potentially coming from ten, we simply have to keep those ten visible. So I definitely agree that, because they're more visible, because they're centralized, we need to perform additional security controls on them.

Yes. The load balancing part, is that something you provide, or do you work with someone like F5 to provide load balancing?

Good question. So many of our customers will leverage external load balancing through F5 or NetScaler, for instance. Some will choose to use things like remote desktop app connection pooling. So CyberArk does provide recommendations, but we actually leave it open enough to where we can use whatever model exists in the company today. But most people will use an external load balancer.

I guess I just have another thing about accessing the authentication. So I know that you can set it up where, as we explained earlier, you can assign access to certain shared credentials based on, like, permissions. Is there any restriction of, like, these credentials are only available to that user, even if somebody has full admin access they still can't see them? Is there any...?

Yeah. And actually, while we were chatting, I logged into CyberArk as a user called Brandon, and in my environment he's me, so of course he has access to a ton of stuff. Yeah, not such a good idea. So we're firm advocates of distributing that administration, where my vault admin should be responsible for maybe the care and feeding of the vault, the initial security policy settings, but shouldn't be able to access every single credential within those safes. I mentioned earlier you can have different users and groups with administrative rights there, versus having one super all-powerful, you know, built-for-compromise user that, should they win the lottery, now we've lost all that admin-level access. Kind of pare it out.

Just thinking of, like, if an organization is going to deploy this. For example, a lot of times one thing that's really attractive right now is an organization that, for example, a password manager can give their employees access to it to use for both personal and corporate, but obviously the personal means that even if you leave the company, I'll delete it, but I never have access to it, right? That would be quite neat; I like those restrictions also. I think, I don't know if that counts as personal information under GDPR, but there are definitely restrictions where you shouldn't have access to certain things.

Sure. So single-user safes are incredibly common, where as an administrator I might know that it exists, but I have access to nothing in there. Very common.

Okay. So just to kind of put, I guess, a cherry on top of the session here: this user Brandon has access to some of the audit information that went through the platform. Remember John connected earlier as a domain admin account and performed some tasks. Here I can see that that occurred, where he went; I can view the recorded session if I'd like, skip identical frames, head to the part that I care about. So that's available, should we have access to performing some of these audit capabilities.

It's just the replay within that window, so anything that's happening outside of it you're discarding?

Good question. We actually record all of the user windows, but it is blanked out, so only the active element is recorded. But should they move the session to their second, third, fourth, fifth monitor, we'll actually keep recording, and users have the ability to zoom in to the action so they don't have this little string of stuff they have to try and piece out. But we want to make sure that if users are moving stuff we're still able to audit that.

So in that context, though, the fourth and fifth screens will also have all the data being collected, but technically blacked out? They just look blank, so it's black, but is it actually blacked out?

It is. So what's happening is we're recording at the jump server layer, so I have no knowledge of what's happening on the end-user system past the application that's being presented to that end user. So we're not tracking, you know, what they're doing in Notepad or Sublime or whatever else; it's just what element is being presented to them through that session.

Okay, removed, not redacted? Not even...

In this case it's not even, yeah.

That was the confusion I was having: not even pulled. So when, let's say, we're recording a session from an admin account and they have something on-screen that would be considered classified as PII of some sort, or maybe even a PCI card, that session's recorded. Is that then sent to the jump box? How is that done, just through HTTP?

It's actually done through CyberArk's proprietary encrypted protocol, so we're transferring the information back using an encrypted challenge-and-response process, storing it in an encrypted state using that hierarchical model that I mentioned earlier. Now the question becomes, if users are actually typing in PII, maybe a database administrator, should we do keystroke logging? Probably not. So in areas where we've got incredibly critical information, we don't have to do the full audit payload; we can pare that back a little bit, even choose to not audit it at all, simply use it for the isolation capability.

You pulled up the SSH session that you were analyzing; I'm curious, is that just a log, or is that actually...?

That's just a log, yeah. So what I can do is, this was the one I went through with a proxy; we can actually recompile the standard in and out to actually make it look, to the end user or the administrator, like a video. So I've got the keystroke log; we can also present it in a more video-ish state if the user prefers that.

So going back to that. If you're saying, you know, we don't have to record the keystrokes, but we're still recording the screen, so if they're typing in sensitive data, and obviously the new CCPA is extending what PII means, so that can be very troubling with admin accounts when you're recording or what have you. So now your screen capture would be considered sensitive and protected underneath a regulation like CCPA. Well, another challenge with that would now be it has to be discoverable, so if you're asked to provide what data you have on that user, now the screen capture comes into play as discoverable and, you know, something you have to report on. What kind of chance do you have with that, or what is CyberArk doing to assist with that challenge?

I mentioned the concept of a platform earlier. These platforms also handle information like what's recorded, potentially what clients people can use. So during the initial implementation we'll say, okay, what sort of regulation are we dealing with here, what considerations should we make? So now we've got it labeled to where, if we do have the reporting requirement, it's less of a needle-in-the-haystack type operation, and I can say show me Brandon's access on all PCI-related systems, for instance, or all compliance-related systems. The other element of that is he mentioned video; we could just have something like keystroke logging without video, but again, if a user is entering in a password, I want to be able to parse that out. So for a number of platforms we actually do have logic that will automatically redact that information if you choose to enable it, like a user entering in a password over SSH: it has the ability to see that that's a password field and pull it out.

Okay, so we're in California, so the California Privacy Act talks to names, full names, being PII on its own. So do you have the ability to do the same thing, so now you can block out that screen recording? So if you go into that tool and say I need to find a screen recording where someone's typing in a name, do you have the ability to report out on that kind of granularity?

That's actually a good thought. No, as it stands, if the user just puts in a plain-text name like Brandon, if I'm not looking at a field or a database table or something like that, we would just be doing a text search. However, if there's any kind of identifying element, a name that exists in a users_names table, then I could potentially pull that, if we're tracking the appropriate information. But one of the things is we do this agentlessly, so we are relying on the information going through the proxy. It is possible to get more granular with the agent-full elements of the solution; as it stands with this, we would need to rely on some other identifying metric.

Okay, so you could identify a database as customer data, and you could go through the process of identifying what those fields may be, to help with that reporting aspect. And you'll catch the database from the connection flow?

Normally when you connect to a database host you have to specify the database, so I'll know that info. So if there's a names database or a PII database, well, now I've completely isolated the area I want to look at; then it's a matter of performing searches, not watching every video.

Unless you absolutely have a mechanism for post-redaction if necessary, if somebody's data was actually identified?

Yep. So while it isn't possible to modify the recordings, because they are immutable, it is possible to perform protection or even archival of the recordings. Redaction, in a lot of cases, if we do have critical information, is handled through permissioning.

Immutable but deletable?

So the delete of, say, an account itself can be done. Recordings themselves, they're not deleted until they're expired. So after a certain amount of time, say you're retaining 480 days, then we're done; the only existence of that recording will be in the backup.

So you can't really provide delete or expire on demand, just based on the clear expiry? How does that work with GDPR and the right to be forgotten? If you've got information on there, you can't delete it.

So, a good question there. In a lot of cases, when we're looking at GDPR-specific requirements, these are not personal accounts; we're accessing corporate data with potentially a shared account too. So while it is possible to look at offlining or offloading the GDPR-stored recordings at the site of record, that still is information about shared accounts we're dealing with. If users are going through the proxy without leveraging a vaulted credential, or it is personal, a lot of folks with GDPR compliance will not store session recordings in that case; they'll simply leverage us as a proxy alone. Now, there are a number of different nuances that I didn't touch on there, but that's the gist. We want to make sure that if we are under something, specifically GDPR compliance, we're making sure to do the appropriate level of consulting before deploying, rather than needing to look at remediation after the fact. This is a situation where you really need to hire an expert to deploy properly, and this is actually something that CyberArk offers, so we perform the consulting as well as the implementation too.

Something similar to Splunk, where it's like you can do the Splunk architecture certification, so then you can go and deploy it in other places, but do it CyberArk?

Yeah, tiers of CyberArk certifications, from just being kind of familiar and friendly with the concept to actually being able to deploy the solution itself. All that's handled through our formal certification process, which they won't let CyberArk internal employees take, or what they just told me, I couldn't take it. In any case, it's definitely something that is held in very high regard for us, for sure.

Are you providing some compression algorithms or mechanisms for the videos? You know, most other solutions require huge storage, and they're kind of there for that cost, only for the compliance.

Oh yeah, yeah. So we do implement compression. Your typical Windows session will tend to run around 250 to 300 kilobytes per minute. The UNIX session you saw, it's negligible, it's 3K. So typically what we'll do in the beginning is we'll look at the amount of sessions, numbers per day, and we'll then generate a formula to determine storage. I can say the largest deployment I've scoped, I recommended to them 5 terabytes of storage, and we were talking about tons of sessions with a very long retention policy. This also means that you will have to have a codec to play them outside of CyberArk if you have download rights, but we provide the codec, and really with VLC, rather, you don't really necessarily need the codec. But yes, we do perform compression; we also drop identical frames, so we account for them in terms of time but not for space.

And you can send it off to, like, an off-site type of repository or shared storage, NFS or some other type of protocol?

Absolutely. So there is the option to store them locally at the vault, or via network-attached storage, or
locally to the jump server if we're dealing with gdpr and that's where you can accidentally delete things I only have so much oversight for the tyranny of formation is inside the video right yep so time information actually part of the metadata stored with the requirements actually see all that information here I'm also these events right there all time-stamped - as they're sent over - whatever is this logging we're doing and how long are these videos stored are they stored indefinitely or is it on a per customer basis it's based on the group of systems but it's whatever the customer decides so we default something like I think it's a hundred eighty days but that can be changed depending on what we're dealing with change it on a per machine basis it can be per machine will typically see it done via groups of machine generally the policy but I like oh these other ones are more important I need ten years on this but I only need 90 days on that he hasn't asked internal liner with a retention schedule absolutely yeah so yes you you keep saying I keep hearing the words out of your mouth proprietary code cyber-ark proprietary protocols yes if you roll your own cryptography or do you are you using standard cryptography to secure connections when you're transmitting these secrets so what is standard crypto so it's not cyber our proprietary crypto it's simply a cyber our proprietary method for leveraging the crypto so for instance most vaults exists a AES 256-bit encrypted when we're dealing with cyber-ark traffic to and from we leverage the same encryption stack or if users want cyber are components to communicate over TLS it can be changed the proprietary part is the challenge response process that goes into authenticating so every cyber art component has a rotating credential it uses to authenticate and leveraging the API for the transfers and things like that so not proprietary encryption we're using industry standards just want to create a method for implementing that 
including the standard TLS handshake when when there's a connection but the responses is the proprietary part exactly in the share of the secret are secretly generated by the software itself or you have a standard so secrets for intermediate intermediate connections or can't regenerate by the software itself the initial vault encryption secrets while they can be generated by cyber-ark before the install most of our customers will perform a recon of encrypting process upon deployment to ensure that there are no copies of that encryption key and stack existing anywhere outside of that deployment okay so you do you do and the first installation the initial initial seed the generation like from four SS engine and while and while we will generate a random seed for them initially most of our customers still want to make the extra level of control to do it upon implementation we don't run into any weird export problems so the weirdest export problem is let's say they've they've lost the the initial recovery key they don't know I'm talking about the encryption algorithm type in export problems problem soon obviously anything was within the scope of being but it's not something we encounter on the day-to-day we do have a number of services that can help with things like malformed data things like forgotten keys stuff like that but it is used very sparingly as cyber-ark is considered a tier zero system so we want a lot of oversight well I meant specifically government types before trying to bring this into Iran bring this into certain countries where now I'll do certain work that that kind of export yes all good answers don't each of the parts leading up to that well I can't speak on the policies of individual countries I can say there are kind of policies in place for places that we are allowed to do business with that may be something along the lines of say for a specific municipality data can't leave a data container a segmented environment just for something that 
environment versus a shared global architecture so yes there are considerations but these are things we encounter with it's not as often but with great confidence behind some of the processes we put in place to handle it before so like in a multi master distributed model where you're doing this internationally and such and you've got jump boxes for these certain Geo's or you want to connect to a certain asset and it's driven in a different Geo what's the replication mechanism between those those master vaults and isolated vaults as necessary or such like that so it's either everything or certain what we call safes so it doesn't have to be all the stuff but it happens over a port one eighty five eight that's our kind of secret sauce port the encryption is based on either a inline right so if I'm connecting to a system that exists another continent because as I've got kind of a network pipe over I can replicate things like secrets and audit information as they Kirk or bigger stuff that just takes a little while but it's all done over that same one port one protocol that's the frequency of that replication 60 minutes if we're looking at the the asynchronous replication everybody can always be changed now I know there's additional questions but what I do want to do is I want to talk a little bit about applications we'll do that in the next session so so we will move on with the time we've had left but in summary vaulting the rotation isolation monitoring native access as well as analytics we talked about that on the top end but being able to take action on these events as they occur be able to notify of weird activities or terminate sessions these are all part of the core cyber-ark platform
Info
Channel: Tech Field Day
Views: 13,253
Rating: 4.6853933 out of 5
Keywords: Tech Field Day, TFD, Security Field Day, XFD, XFD1, CyberArk, Privileged Access Management, PAM, Passwords, Hashes, Reuse
Id: K5ZGzRjFbdc
Length: 38min 35sec (2315 seconds)
Published: Wed Dec 12 2018