CyberArk announced its new Privileged Session Manager for Cloud offering on Oct. 15, providing its customers with capabilities for managing and monitoring privileged cloud access.
Privileged Session Manager for Cloud has its roots in technology that CyberArk gained via the acquisition of cloud security provider Vaultive on March 12. CyberArk has combined its privileged account security capabilities with Vaultive's cloud access insights to create a new product.
"CyberArk Privileged Session Manager for Cloud is a new offering that deepens and extends capabilities of the CyberArk Privileged Session Manager specifically to privileged business users and cloud administrators," Ben Matzkel, Vaultive founder and CTO and currently R&D group manager at CyberArk, told eWEEK. "We’re introducing a brand new way to manage, isolate and control those users’ access to cloud platforms and web applications—a way that allows us to improve security for our customers without changing the way these users work."
Vaultive's core product prior to the acquisition fit into the category known as Cloud Access Security Broker (CASB). CASB is a wide category that includes many different security solutions including discovery and visibility, data protection and access control, according to Matzkel.
"Vaultive’s approach to CASB was unique—we were focusing more on encryption of sensitive data assets and less on traditional CASB discovery and visibility controls," he said. "Our technology was an enterprise-grade multipurpose platform that understood cloud applications and how they work."
Matzkel added that the new CyberArk Privileged Session Manager for Cloud offering has no direct link to a CASB solution. He said CyberArk took the Vaultive CASB platform and leveraged it together with the CyberArk Privileged Access Security Solution to provide a more secure and usable solution for modern web applications.
How It Works
CyberArk Privileged Session Manager for Cloud is part of the core CyberArk Privileged Access Security Solution. Additionally, Privileged Session Manager for Cloud is fully integrated with the CyberArk Digital Vault to ensure secure connections without exposing credentials to users or their endpoints.
"The monitoring and audit trail created by the Privileged Session Manager for Cloud is fed into the unified CyberArk Privileged Access Security Solution Web interface, providing the deepest visibility and holistic view across the customer’s entire environment," Matzkel said. "CyberArk’s risk detection capabilities are extended to flag risks within user sessions monitored by Privileged Session Manager for Cloud."
From an authentication perspective, Matzkel explained that CyberArk Privileged Session Manager for Cloud can both work with existing SAML authentication and provide alternative authentication and authorization mechanisms that make use of CyberArk's Vaulting technology. He added that IaaS/PaaS/SaaS administrative consoles and application credentials can be fully managed by CyberArk, which enforces access control and activity auditing policies for authorized users and groups, in addition to the policies introduced by cloud provider platforms.
Isolated Privileged Sessions
One of the capabilities of CyberArk Privileged Session Manager for Cloud is that it can enable isolated privileged sessions. Matzkel said that when an administrative, privileged user is accessing the target application via CyberArk Privileged Session Manager for Cloud, they never know the actual administrative password.
"The password is securely stored in a CyberArk Vault, and only after the administrator has authenticated using their personal credentials [do] we embed the correct password and provide it to the target application, without the user ever being exposed to it," Matzkel said. "During the session, activity is monitored and alerts may be triggered, and because the real credentials are never exposed, privileged access cannot take place without oversight."
The session monitoring is further enhanced with CyberArk's privileged session risk scoring capability. Matzkel said that the risk scoring relies on integration with CyberArk’s privileged threat analytics technology, which lets organizations identify high-risk privileged sessions in real time.
"This capability is enabled through a combination of powerful statistical, deterministic algorithms, machine learning and behavioral analytics," he said. "Customizable risk scoring can be assigned to privileged sessions based on predefined, high-risk commands and activities."
Looking forward, Matzkel said that the plan is to continue to build out the technology to support customers’ digital transformation strategies.
"This could include support for additional web-based business applications and enhanced access controls for sensitive user activities, and the ability to enforce user privileges and detect risks at a much more granular level beyond what cloud platform and web application providers are able to do today," he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.