Enterprise Password Vault

What's New in 4.5

What's new in EPV 4.5 for all Privileged IDs?

EPV 4.5 Enhancements for Privileged Identity Management (PIM)

Policy Management

  • Password Verification and Reconciliation

    Version 4.5 introduces additional tasks that can be performed by the Central Password Manager (CPM).

    Password Verification is the process of verifying that the credential details stored in the Vault match the credentials on the managed device. If a mismatch is detected, administrators can be notified immediately. Periodic Verification eliminates scenarios where a password mismatch is detected only when someone needs to use the password or when it is time to change it, which could be every 30 days, 60 days or longer. In addition, the administrator can perform immediate password verification by using the "Verify Now" action from the user interface.

    Password Reconciliation is the ability of the CPM to take back control when the password of a target account becomes unsynchronized, and to reset the password to a known value which is then stored in the Vault. Reconciliation is performed using another set of privileged credentials that are entitled to reset the lost account's password. Version 4.5 introduces an automated Reconciliation process which can be invoked by the system upon detection of a mismatch in password value. Alternatively, the system can only alert administrators about the mismatch, leaving the administrator the option to invoke Reconciliation manually on demand ("Reconcile Now" action).
  • CPM Policy Flexibility

    The CPM in version 4.5 offers a wider range of capabilities that provide the flexibility to define the level of automation required for each set of managed systems. For example, when looking for full automation and reduced administrative overhead, a CPM Policy can be defined to automatically change passwords at a fixed interval, verify password content daily, and execute automatic reconciliation if a mismatch is detected. Alternatively, the CPM can be configured to only verify password content according to a predefined schedule, without changing the password. Since these settings are provided on a Password Policy basis, organizations can mix many types of tasks and levels of automation to best suit the business needs of different IT departments.
  • Password and File Level Access Granularity

    In addition to the automatic access control settings defined per Safe, this version extends access control granularity down to the object level by enabling information owners to allow or prevent retrieve rights per object (for both file and password objects). This provides the flexibility to handle scenarios where a single password in a Safe is shared with specific owners, while preventing these owners from accessing other passwords or files. It also makes it possible to let Owners share all passwords by default, while defining specific passwords in the Safes which certain Owners are not allowed to access. Such scenarios are common when a consultant or technician comes on-site and only requires access to a few systems which are managed in the same Safe.
  • Improved Usability Options

    With ease of use in mind, the Password Vault Web-Access introduces several capabilities to enhance user experience and simplify common tasks. These include:
    • The ability to simply view all passwords a user can access without the need for a search filter.
    • A new application window for users to see which passwords are locked by their user account, and to release multiple passwords in a single operation.
    • The ability to perform an operation on multiple objects with a single click such as password change, release from exclusive lock or re-enable.
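
The Verification and Reconciliation flow and the per-policy automation levels described above can be modelled as follows. This is an added example, not Cyber-Ark code: `Policy`, `Account`, `Device` and `run_cycle` are hypothetical names, and the managed device is a constructed in-memory stand-in.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Policy:                       # hypothetical knobs modelled on the text
    auto_reconcile: bool            # False = alert only, admin reconciles manually
    change_interval_days: int = 0   # 0 = verify only, never rotate

@dataclass
class Account:
    name: str
    vault_password: str             # value currently stored in the vault
    policy: Policy
    days_since_change: int = 0

class Device:
    """Constructed stand-in for a managed system and its live credentials."""
    def __init__(self, creds):
        self.creds = dict(creds)
    def login(self, user, password):
        return secrets.compare_digest(self.creds.get(user, ""), password)
    def set_password(self, auth_user, auth_password, target, new_password):
        if not self.login(auth_user, auth_password):
            raise PermissionError(auth_user)
        self.creds[target] = new_password

def _rotate(acct, device, auth_user, auth_password):
    new = secrets.token_urlsafe(24)
    device.set_password(auth_user, auth_password, acct.name, new)
    acct.vault_password = new       # vault is updated only after the device accepted
    acct.days_since_change = 0

def run_cycle(acct, device, recon_user, recon_password):
    """One verification pass; returns event names, never password values."""
    if not device.login(acct.name, acct.vault_password):
        if not acct.policy.auto_reconcile:
            return ["mismatch", "alert-only"]
        try:                        # reconcile with a separate privileged account
            _rotate(acct, device, recon_user, recon_password)
        except PermissionError:
            return ["mismatch", "reconcile-failed"]
        return ["mismatch", "reconciled"]
    due = acct.policy.change_interval_days
    if due and acct.days_since_change >= due:
        _rotate(acct, device, acct.name, acct.vault_password)
        return ["verified", "changed"]
    return ["verified"]
```

A failed reconciliation leaves both the vault copy and the device untouched, so the mismatch stays visible for an administrator instead of being overwritten by a value the device never accepted.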

New Supported Devices

Version 4.5 continues to expand Cyber-Ark's list of supported devices for CPM management, which now includes dozens of systems, devices and network equipment. Cyber-Ark's unique and extensible architecture makes it possible to constantly introduce support for more devices between official EPV version releases. Below is the list of systems and devices that were added to the EPV solution in version 4.5. As the list is constantly expanding, please contact Cyber-Ark for the complete and up-to-date list of supported devices:

  • F5 Big-IP
  • Fortinet FortiGate
  • HP iLO
  • SUN ALOM
  • IBM HMC
  • Alcatel Network Switch

Audit and Monitoring

  • Dashboard Enhancements

    The EPV 4.5 Dashboard provides an improved look and feel which highlights policy violations and shows alerts on Verification or Reconciliation activity. The updated Dashboard also includes information on the auto-detection option and facilitates quicker access to objects requiring administrators' attention, such as 'show all passwords that the CPM failed to change' or 'show all recently accessed passwords'.
  • Entitlement Report

    A very common auditing requirement is a simple report which lists users' entitlement rights. This is often required during PCI-related audits, but it is also a very useful tool for internal monitoring of all users' entitlements.

    To ensure ease of use, the EPV Entitlement Report provides the flexibility to generate output based on various query filters such as the user, Safe, policy, target machine, target account or any other attribute. Information is clearly presented to reflect each user's effective access control and authorization level, such as read, write, delete and approve requests. This report is introduced in the Reports section of the Cyber-Ark Administrative Client.

Ticketing System Support

  • Integrating Workflows with Ticketing Systems

    As many organizations use enterprise ticketing systems to control troubleshooting and emergency access to privileged accounts, EPV 4.5 introduces an open approach to integrating the password retrieval workflow with inputs and verifications from ticketing systems.

    This integration, which is part of the Password Vault Web Access (PVWA), enables users to add custom-built user-exits into the password retrieval process.

    Specific workflows, checks and verifications with ticketing systems can easily be developed by the customer, based on user-exit code samples provided in Cyber-Ark's product documentation, or alternatively, can be developed by Cyber-Ark Professional Services.
  • Transparent Ticket Creation

    In a similar fashion to the previous section, some enterprises follow a workflow in which tickets are automatically created for auditing and monitoring purposes whenever a user needs to access a privileged account. EPV 4.5 and the new user-exits for integration with ticketing systems provide a flexible method that simply and efficiently provides this level of integration. In this scenario, the user-exit would invoke the ticketing system API to create a ticket during the password retrieval process according to customer-specific ticketing system requirements.

    As in the previous section, any specific workflows can easily be developed by the customer, based on user-exit code samples provided in Cyber-Ark's product documentation or, alternatively, can be developed by Cyber-Ark Professional Services.

Enterprise Integration

  • Transparent Connection to Managed Devices

    Version 4.5 targets ease of use and automation. The new transparent connection option, available for connecting to Windows-based target systems, allows a direct "connect" operation from the Password Vault Web Access to the managed system. For example, a user who has found the administrator password of Windows server ABC can press the "Connect" button and a Remote Desktop session will automatically be opened for them on this target device, with the user/password automatically injected to create the session.

    This capability dramatically improves ease of use and saves the user from the need to remember (or copy) the current password, launch a session to the target device, and then manually key in the username and password. Transparent connection saves time, eliminates human error and provides an extremely convenient user experience, all from the same EPV web interface. In addition, the "show" and "copy" buttons can be disabled, allowing users to connect to the target device without the password being exposed, thus preventing its re-use without first re-authenticating to the Enterprise Password Vault.
  • New Authentication Options

    Enhanced PKI authentication support - A major advantage of Cyber-Ark's Enterprise Password Vault has always been its seamless integration with enterprise authentication schemes and its ability to leverage many types and formats of enterprise authentication. EPV 4.5 introduces several additional enterprise authentication options, including Password Vault Web Access (PVWA) support for both PKI authentication and the combination of PKI with username and password.

    Support for Oracle SSO - In addition, the PVWA provides built-in support for Oracle's Enterprise Single-Sign-On environment, and allows out-of-the-box support for Single-Sign-On to customers using this solution in conjunction with Oracle Internet Directory (OID), which is Oracle's LDAP server.
  • Advanced Safe Sharing

    Version 4.5 introduces the concept of the Gateway Group as a convenient way to share multiple gateway accounts with a Safe. This greatly simplifies implementations that have multiple Password Vault Web Access (PVWA) servers, for example in high-availability or load-balancing scenarios, in which Safes need only be shared with a Gateway Group. Additional PVWA servers and their gateway accounts now only need to be added to the Gateway Group to become part of the implementation. Version 4.5 greatly simplifies the administrative effort for moves and changes in high-availability and load-balancing of the PVWA.

For more information or to schedule a demonstration of EPV 4.5, contact sales@cyber-ark.com today.