Privileged Session Management Suite
Top Retail Company Enables Business Efficiencies with Remote Access for 3rd Party Vendors
Top Retail company chooses Cyber-Ark's Privileged Identity Management suite with Privileged Session Manager for managing, controlling, securing and monitoring all activities associated with Privileged Identities.
The Situation
With billions in annual revenues, one Retail company had two major challenges it was focused on addressing: enabling secure remote access for 3rd party vendors, and increasing IT productivity and compliance in the corporate network. The company has an outsourced IT center in India that requires secure remote access to the production servers. In addition, 3rd party technicians (such as technicians who manage the corporate Cisco router remotely) need secure remote access to the network. Due to the sensitivity of network resources and the different levels of trust between corporate employees and 3rd party vendors, the solution needs to meet the following challenges:
- Enforce strong authentication before access to sensitive network resources
- Provide access control on network resource that 3rd party vendors
- Record and audit activities of all operations performed by 3rd parties
- Never expose privileged credentials to 3rd parties
Moreover, the company was seeking a significant increase in IT productivity and compliancy across the corporate network. Payment Card Institute regulations require the company to provide a complete audit report on all the activities performed in sensitive networks (like the banking application network and PCI zone network). Generally speaking, audits should contain information on 'who' accessed the system (personalize the audit when accessing with shared accounts) as well as 'what' was done during the session.
Furthermore, when IT needed access to segmented sensitive networks, the security department had to open the enterprise firewall for native protocols (RDP and SSH) in order to enable access. The production workflow significantly delayed problem-handling on sensitive networks and reduced network isolation (exposing the company to compliance risks). In order to provide simple and secure access to the sensitive network, the following challenges need to be met:
- End-to-end auditing on network access
- Personalize shared account access (who accessed?) and provide complete session recording (what was done?)
- Enable users to connect to the segmented network from a centralized portal without the need to manage privileged connection credentials or change the network topology
The Solution
The company evaluated various options, and ultimately chose to deploy Cyber-Ark's Privileged Session Manager (PSM). With features including a secure PVWA portal and strong end user authentication, integrated with the corporate SSO product and accessible through the corporate VPN network, PSM was the answer to this organization's challenges.
Once logged into the PVWA, the 3rd party vendor will see only the systems that he is entitled to access. When required, the 3rd party vendor will simply click the connect button of the relevant system and be transparently connected to the target system in a privileged session without divulging the privileged credentials (Privileged SSO). Furthermore, all the operations of the sessions are recorded in a DVR-like movie.
Moreover, PSM provides the following:
- Privileged credentials managed and stored with the Enterprise Password Vault
- When pressing "Connect":
  - The user is redirected to the PSM server
  - PSM server fetches the relevant privileged credentials on behalf of the user
  - PSM server proxies the privileged connection to the target device
  - PSM server records all the activities that are performed during the privileged session
Additionally, Cyber-Ark Software will help improve efficiencies in IT productivity and compliancy across their corporate network due to the following assets:
- Privileged credentials are managed by the EPV
- The only way to connect and initiate a session to the sensitive network resources is through the PIM Suite portal (as it holds the keys of the kingdom). This is the power of PSM as part of the PIM Suite.
- PSM servers can be located on the segmented sensitive network. Access to PSM servers is done over the HTTPS protocol, which ensures cross-network access without the need to open the firewall to native protocols (RDP, SSH).
- When an IT employee logs into the PVWA, he gets access only to the systems he's entitled to.
- Privileged SSO enables IT to increase productivity and transparently connect to managed systems (with no need to write down / copy paste / know the privileged credentials).
- If security policy requires session recording, the user is transparently proxied through the PSM server to the target device to enforce the session recording.
Auditor Snapshot
The Privileged Session Manager (PSM) will also address complying with regulations highlighted by the auditor. These include:
- PVWA portal to provide a centralized audit of all privileged activities
- A detailed audit log report of who, when and what activities were performed for each accessed system (via online web access)
- A free-text search enables auditors to reach session recording files and observe a DVR-like playback of the privileged session
- Digital Vaulting™ Technology serves as a tamper-proof secure repository that keeps the auditing information and session recordings according to regulation requirements
Today, the company uses PSM as a tool which provides multiple security layers of authentication to enable remote access for 3rd party vendors, as well as increase IT productivity and efficiencies in operational cost.






