A large number of applications on SailPointIdentityIQ rely on using service accounts to communicate with the application targets. These accounts have the authorizations to perform identity management tasks and should be treated as privileged accounts. When a privileged account management solution like CyberArk or BeyondTrust is used in the organisation, the credentials of the privileged account would be stored on the PAM solution and retrieved by IdentityIQ whenever required. The feature of credential cycling introduced in IdentityIQ 7.3 allows this to be configured with ease.
The following presentation discusses the need for credential cycling and how it works:
The following demonstration illustrates a use case where credential cycling is configured with the CyberArk PAM solution:
The next video demonstrates credential cycling when configured with the Thycotic Secret Server PAM solution:
CyberArk is the global leader in PAM solutions with a holistic approach towards privileged account management. It covers not only traditional PAM problems but also extends its capabilities with various features like managing hard-coded application credentials, analytics, on-demand privileges escalation and managing end-user devices like desktops.
Privileged accounts on a system possess higher authorizations and control. These accounts pose a higher risk if they are compromised. Privileged Identity Management solutions aim to address this by providing security and control over these accounts. CyberArk is a major provider that offers privileged account security and is backed by a patented vaulting technology. CyberArk enables organizations to secure, provision, manage, control and monitor activities associated with privileged accounts.
The following presentation describes privileged account security and the architecture of a CyberArk implementation. The various components of the CyberArk architecture and their functionalities are also discussed.
CyberArk’s PAS solution uses the Password Vault Web Access System which provides the method by which users request passwords and high-level administrators approve the requests. Access to this system should be as secure as possible. Integrating with a multi-factor authentication system like Duo would make the login process more secure by authenticating the user based on LDAP password as well as the response received by the Duo Authentication Proxy using Duo Push setup on the user’s mobile device.
In the current demo, an LDAP user with the name “testuser” is created on the Active Directory Domain Controller as well as the DUO instance.
Once the accounts have been created, the DUO Authentication Proxy is setup and is configured as the primary LDAP host for authentication.
The Duo Authentication Proxy is a service that runs either on Windows or Linux. It is configured by using the file authproxy.cfg
The details of the Duo instance and the details of the LDAP server which is being used for primary authentication are configured in authproxy.cfg
The firewall must allow outbound traffic to the Duo instance using HTTPS.
Only on successful primary and secondary authentication, access to the PVWA is granted.
In high availability clustering, split-brain is a problem scenario that can occur when one of the nodes fails. Within a CyberArk implementation with disaster recovery enabled, a split-brain condition might arise if high availability is not configured as per the recommendations.
The following presentation discusses split-brain scenario in a CyberArk implementation and how it can be resolved:
In an enterprise, a large number of privileged accounts are spread over various applications and systems. These accounts have higher authorizations and hence need to be handled with higher security. CyberArk‘s Privileged Account Management solution is targeted at achieving this.
In SailPointIdentityIQ, accounts can have the highest privilege in form of the ‘System Administrator’ capability. The ‘spadmin’ account that comes out-of-the-box is configured to have this privileged access. This account, if managed by the CyberArk PAM solution, improves safety of the IdentityIQ environment.
The following presentation discusses this use case and how it can be implemented using CyberArk PAM:
The following video demonstrates the use-case in action for verifying and changing spadmin password from CyberArk and initiating privileged sessions: