This post is trying to summarize some PAS solution’s design and deployment thoughts and notes.
Small/Medium Environment Design
Vault Design
- Cluster HA / DR
- Appliance / Virtual Machine
- Cloud / On-Prem
PVWA Design
- Multiple PVWA
- HA / Load balance
CPM Design
- Multiple CPM
- Load balance on different types of Safe, such as one for Windows, one for *nux/Cloud.
PSM Design
- Multiple PSM
- Load balance
- PSMP
PTA Design
- Licensing
- Integration
Safe Design
- Safe Name Convention
- Safe Access Mapping from Roles to Access Rights
- Safe Access Model : Share , Personal, Mix
Platform Design
- Name Convention
Account Design
- Account name length restriction
- Account name convention
- Personalized accounts, Shared accounts for different technologies (DB, Windows, *Nix, Networking, Cloud)
Traffic Flow Design
- Firewall Ports
- Traffic direction : one way or two way
- All components including integration with NTP, AD, DC, Target Servers, DBs, Cloud , SIEM, Ticket system, etc
Authentication
- MFA, 2FA
- First Factor
- Second Factor
- Non Web Client Authentication – All kinds of Native Clients
A phased approach for implementing PAS
CyberArk Brief: A phased approach for implementing a Privileged Access Security Program
1. Phase 0 – Identify
1.1 Crown of jewels – Most critical assets
PII
Credit Cards
etc
1.2 Accounts who can access those assets
OS accounts
DB accounts
applications accounts
1.3 Accounts
shared / role based privilege accounts – built-in administrator account and root account
personal privilege accounts : accounts with -adm, or $ at the end
Focus on shared / role based privilege accounts first will get you least push back from admins.
2. Phase 1
Load credentials into actual vaults
Set up automatic verification process to confirm those credentials are accurate
End user should be able to use connect to reach their targets to do their administration work
Choose selective subset accounts to change password. Start with change button to confirm the CPM process is working.
Automated changes to rotate credentials’ passwords.
2.2 Isolate –> Monitor –> Analyze
Remove show/copy buttons to require end users to connect to target.
PSM will provide connectivity and monitor/record the session without exposing credentials.
PTA component will detect / alert threat detected from multiple sources
3. Phase 2
Going wider: – expand the process to other end points we identified (Networking devices, databases, web applications, iol devices)
Going deeper: – non human id ( application accounts, iis app pool, registry keys )
Timeline for basic installation of PAS
This is basic sample implementation schedule to roll out a non-ha basic design PAS solution
Pre-implementation to collect following information;
1. network design diagram including firewall, domain controller, VM ip, dns, smtp, snmp , ntp, etc.
2. hardware / virtual machine information based on size evaluation
3. traffic flow diagram
4. firewall rule sets based on traffic flow diagram
5. Details of SMTP, DC, SNMP, NTP,
6. CA certificate
7. Download software copy and licenses.
8. Make sure hard copy of Master CD, Operator CD in safe hand.
• Onsite Implementation Day 1: Install and perform initial configuration of the Production including advanced Vault integration such as SNMP, SMTP, SYSLOG and any others the were agreed upon.
• Onsite Implementation Day 2: Install and perform initial configuration of the Central Policy Manager, Password Vault Web Access 1 and 2, Privileged Session Manager, Secure Replication Utility and the PrivateArk Client.
•Onsite Implementation Day 3 Perform advanced configuration for the CPM, PVWAs and PSM. Test CPM management on 3 5 types of the out of the box plug ins. Test PSM workflows on 3 5 types of the out of the box connectors.
• Onsite Implementation Day 4 Troubleshoot any issues discovered during the CPM testing and PSM workflows. Perform overview session with administrators. Go over and assist in documenting the Master Policy, Access Control Model data and permission structures. Set up and go over support access and procedures.
References
- Docs > Administration > Components > Privileged Session Manager > Architecture
from Blogger http://blog.51sec.org/2020/04/cyberark-deployment-suggestions.html