Password Management for Okta Administrators using CyberArk PVWA 

  • Introduction
  • Pre-Requisites
  • Use case Overview
  • Technical Demonstration
  • Conclusion
  • Reference Links

Introduction: 

As Organizations continue to adopt cloud-based identity and access management solutions like Okta, securing administrative access to these platforms has become a top priority. Okta administrators possess elevated privilege allowing them to manage user identities, configure security policies, and access sensitive data. However, this also makes them a prime target for attackers seeking to exploit these privileges. 

To mitigate this risk, it is essential to implement a robust password management solution that can securely store, manage, and rotate administrative credentials. Okta manages password in cloud and the organization desires to manage passwords on-premises using CyberArk Password Vault

To address the integration challenge, we will implement a comprehensive solution that integrates Okta with CyberArk PVWA using SAML 2.0. This integration will enable secure and automated management of Okta admin account passwords, reducing the risk of password-related security incidents and ensuring compliance with regulatory requirements. As part of this solution, two admin accounts will be created in Okta: one non-privileged account to access Okta user dashboard, and a second one Privileged account which will be linked to CyberArk PVWA. The Privileged account will receive a password generated by CyberArk, which will be used for authentication. Using SAML 2.0, the admin will log in to Okta using the privileged account credentials, with the password provided by CyberArk. This will ensure secure and compliant access management and password management processes, streamlining administrative tasks and reducing the risk of security breaches.

Pre-requisites: 

  • Okta tenant, CyberArk PVWA tenant and Active Directory with a Domain. 
  •  Active Directory must be integrated with CyberArk and Okta. 

Use case Overview:

Please refer to the below video to have an understanding about Okta & the use case around integrating CyberArk Password Vault with Okta.

Technical Demonstration:

Here’s the technical walkthrough on the integration between CyberArk Password Vault & Okta.

Conclusion: 

The integration of Okta with CyberArk PVWA provides a comprehensive solution for managing Okta administrator passwords, enhancing security, and improving compliance. By automating password rotation, expiration, and compliance, organizations can reduce administrative burdens and minimize the risk of password-related security incidents. With real-time visibility and control over password management, organizations can respond swiftly on security incidents and ensure the integrity of their identity and access management systems. Overall, this integration provides a robust and scalable solution for securing Okta administrator passwords and protecting sensitive resources and applications. 

Reference Links:

Setup SSO | Okta 

SAML authentication | CyberArk Docs 

CyberArk PAM Master Policy

Managing and securing privileged access across diverse IT environments is complex and prone to vulnerabilities. Without a centralized approach, inconsistencies in policy enforcement can lead to security breaches and compliance issues.

Using CyberArk’s PAM Master Policy helps standardize and enforce security and compliance policies consistently across all platforms, reducing the risk of unauthorized access and enhancing overall security.

CyberArk’s PAM Master Policy offers a simple and intuitive way to manage an organization’s security policy.

The Master Policy enables us to configure the security and compliance policy of privileged accounts in an organization from a single pane of glass. It allows us to configure compliance-driven rules, which will be defined as the baseline for the organization.

The Master policy is divided into four higher-level and compliance-driven policy sections, such as:

  1. Privileged Access Workflows
  2. Password Management
  3. Session Management
  4. Audit

Each of the above sections has a set of rules and offers better visibility and control over policy configurations and enforcement.

Master policy rules
Image: Rules of the Master Policy

Master policy settings, when configured, can be applied to most privileged accounts in the organization. However, a few privileged accounts may need to deviate from these global settings for various reasons. We can create exceptions for the accounts that need to deviate from the configured global settings.

The following video will explain CyberArk PAM’s Master Policy and it’s rules in detail. Below are the topics covered as part of this video:

  • The Master Policy
  • Master Policy: Main Concepts
  • Master Policy: Rules
  • Master Policy: Configuring a Rule
  • Privileged Access Workflows
  • Password Management
  • Session Management
  • Audit
  • Exceptions
  • Combining Privileged Access Workflows
CyberArk PAM Master Policy: Technical Presentation

The following video will provide a detailed technical demonstration on configuring the Master Policy:

CyberArk PAM Master Policy: Technical Demonstration

In conclusion, managing privileged access across diverse IT environments is complex and prone to vulnerabilities. The CyberArk’s PAM Master Policy standardizes and enforces security and compliance policies, reducing the risk of unauthorized access. 

ENH iSecure plays a crucial role in this ecosystem by providing comprehensive support and expertise in implementing and managing CyberArk’s PAM Master Policy. With ENH iSecure, organizations can ensure that their privileged access management is not only effective but also aligned with industry best practices and compliance requirements.

Integrating CyberArk with SailPoint using SCIM

Privileged accounts are considered to be “keys to the kingdom” in any IT Infrastructure. Almost every cyber attack that has ever happened involved compromises at the privileged account level. PAM Solutions usually help in managing such accounts, keys or files that would lead to escalated access.

CyberArk is the global leader in PAM solutions with a holistic approach towards privileged account management. It covers not only traditional PAM problems but also extends its capabilities with various features like managing hard-coded application credentials, analytics, on-demand privileges escalation and managing end-user devices like desktops.

Securing and streamlining identity and privileges data present with such solutions is of very high importance.

In the following presentation, we provide a detailed overview of CyberArk integration with SailPoint by integrating Cyberark as a SailPoint’s application.

In the following video, we provide a detailed demo of this integration.

CyberArk Privileged Account Security Architecture

Privileged accounts on a system possess higher authorizations and control. These accounts pose a higher risk if they are compromised. Privileged Identity Management solutions aim to address this by providing security and control over these accounts. CyberArk is a major provider that offers privileged account security and is backed by a patented vaulting technology. CyberArk enables organizations to secure, provision, manage, control and monitor activities associated with privileged accounts.

The following presentation describes privileged account security and the architecture of a CyberArk implementation. The various components of the CyberArk architecture and their functionalities are also discussed.

 

Integrating CyberArk’s PAS Solution With DUO’s 2FA

CyberArk’s PAS solution uses the Password Vault Web Access System which provides the method by which users request passwords and high-level administrators approve the requests. Access to this system should be as secure as possible. Integrating with a multi-factor authentication system like Duo would make the login process more secure by authenticating the user based on LDAP password as well as the response received by the Duo Authentication Proxy using Duo Push setup on the user’s mobile device.

In the current demo, an LDAP user with the name “testuser” is created on the Active Directory Domain Controller as well as the DUO instance.

Once the accounts have been created, the DUO Authentication Proxy is setup and is configured as the primary LDAP host for authentication.

The Duo Authentication Proxy is a service that runs either on Windows or Linux. It is configured by using the file authproxy.cfg 

The details of the Duo instance and the details of the LDAP server which is being used for primary authentication are configured in authproxy.cfg

The firewall must allow outbound traffic to the Duo instance using HTTPS.

Only on successful primary and secondary authentication, access to the PVWA is granted.

Split Brain Scenario in CyberArk

In high availability clustering, split-brain is a problem scenario that can occur when one of the nodes fails. Within a CyberArk implementation with disaster recovery enabled, a split-brain condition might arise if high availability is not configured as per the recommendations.

The following presentation discusses split-brain scenario in a CyberArk implementation and how it can be resolved:

Securing IIQ SPAdmin Account Using CyberArk PAM

In an enterprise, a large number of privileged accounts are spread over various applications and systems. These accounts have higher authorizations and hence need to be handled with higher security. CyberArk‘s Privileged Account Management solution is targeted at achieving this.

In SailPoint IdentityIQ, accounts can have the highest privilege in form of the ‘System Administrator’ capability. The ‘spadmin’ account that comes out-of-the-box is configured to have this privileged access. This account, if managed by the CyberArk PAM solution, improves safety of the IdentityIQ environment.

 

The following presentation discusses this use case and how it can be implemented using CyberArk PAM:

The following video demonstrates the use-case in action for verifying and changing spadmin password from CyberArk and initiating privileged sessions:

https://www.youtube.com/watch?v=4qRujyxiUBM