The Cyberark Digital Vault Built For Security


SOLUTION BRIEF

THE CYBERARK DIGITAL VAULT: BUILT FOR SECURITY

Introduction
Privileged account security solutions are tasked with safeguarding an organization’s most sensitive assets: the keys that unlock access to
sensitive data, business-critical applications, mission-critical systems and the operating systems that keep IT infrastructure running. As such,
it’s imperative that privileged account security software be purposefully designed and the infrastructure upon which the software runs
be hardened in order to help maximize the security of the solution itself. Without adequate controls for the privileged account security
infrastructure or effective security features within the software, attackers may be able to gain access to the solution and all sensitive privileged
account information stored inside.

CyberArk has invested heavily in designing and building security measures directly into our products. In addition, CyberArk has published a
Digital Vault Security Standard defining policies and configurations to help customers minimize attack surfaces. By leveraging built-in security
capabilities and adhering to the CyberArk Digital Vault Security Standard, CyberArk customers can significantly strengthen the security of
their Privileged Account Security Solution to mitigate the risk of a system compromise. This solution brief highlights the security measures and
capabilities that are built directly into the CyberArk Privileged Account Security Solution.

Built-in Security Measures


Hierarchical Encryption of Data at Rest
At the core of the CyberArk Privileged Account Security Solution is the CyberArk Digital Vault, which contains a highly secure database that stores
privileged account credentials, access control policies, credential management policies and audit information. To protect both the Digital Vault
database itself and the data stored within the database, CyberArk has designed a multi-layered encryption hierarchy that uses FIPS 140-2 compliant
encryption. Symmetric encryption is completed using an AES-256 key, and asymmetric encryption is completed using an RSA-2048 key pair.

Each individual file and safe within the Digital Vault database is uniquely encrypted using a randomly generated encryption key. At the top of
the key hierarchy, CyberArk utilizes a unique server key and a unique recovery key. The server key is required to start the Digital Vault, and in
accordance with the CyberArk Digital Vault Security Standard, this encryption key should be stored within a hardware security module (HSM).
The recovery key is a unique private key that is required only in the event of a system recovery. This key should be stored in a physical safe.

CyberArk solutions integrate with any PKCS #11-compliant HSM, such as Thales nShield, SafeNet Hardware Security Modules and Utimaco
CryptoServer.

Session Encryption for Data in Transit


As sensitive data is transmitted between systems, it can potentially be exposed to attackers who are eavesdropping inside the network.
To prevent these attackers from capturing privileged account credentials from intercepted traffic, CyberArk ensures all data to and from
the Digital Vault is encrypted in transit.

Digital Vault employs a proprietary protocol to secure sensitive privileged account information as it is transmitted between CyberArk
components. The proprietary session encryption mechanism uses a unique AES-256 session key and is FIPS 140-2 compliant. With this level
of encryption in place, attackers inside the network may be able to see traffic flowing between CyberArk components, but the traffic will be
undecipherable and thus useless to the attacker.

www.cyberark.com Page 1 of 3
CYBER ARK SOLUTION BRIEF

Digital Vault Server Hardening


The server on which the Digital Vault software will run must be hardened as much as possible to reduce its attack surface. CyberArk has
conducted extensive security research and testing on the Digital Vault’s potential attack vectors, as well as on potential functionality implications
associated with hardening the Digital Vault server. Based on this research, CyberArk has developed a series of configurations that harden the
Digital Vault server in a way that reduces the attack surface without compromising the software’s functionality. To ensure that all customers
accurately apply these configurations and eliminate the risk of human error, the Digital Vault software is designed to automatically harden its
host server to CyberArk specifications during the installation process.

The Digital Vault software installation package includes operating system (OS) hardening processes that are based on the Microsoft Security
Compliance Manager (SCM) server hardening recommendations. The Digital Vault software then applies additional system configurations
that further harden the OS to comply with the CyberArk Digital Vault Server Security Standard. These configurations disable all unnecessary
services, restrict access to the server and restrict access to the Digital Vault file system. Combined, these OS hardening processes and system
configurations help to reduce the attack surface of the Digital Vault server to better protect the highly sensitive privileged account information
that is stored on this machine.

In addition to the Digital Vault server hardening configurations, CyberArk also provides hardening configurations for the other less critical
components of the Privileged Account Security Solution. These configurations help to reduce the attack surface of CyberArk components
that have trusted relationships with the Digital Vault. These component-hardening procedures help to further reduce the attack surface of the
Digital Vault itself.

Firewall Configuration
In addition to locking down the server OS, it is also critical to restrict traffic to and from the Digital Vault server. Sophisticated attackers often
look for any possible way to reach a target system and exfiltrate data, and unnecessary open ports only increase the attack surface of the Digital
Vault server. To mitigate this risk, the Digital Vault software takes advantage of the host machine’s built-in Windows Firewall and automatically
configures its policies.

The Digital Vault software configures its host’s Windows Firewall to verify and permit only traffic that is sent to the Digital Vault service, which
listens on TCP port 1858 (by default), and to block all other traffic. All traffic that is transmitted to and from this service is encrypted using a
proprietary CyberArk protocol, thus ensuring that all permitted traffic is also secured.

This firewall policy is intentionally restrictive, dramatically reduces the attack surface of the Digital Vault server, and has been proven to
eliminate many attack vectors. Notably, the CyberArk research and development teams closely track Microsoft Security Bulletins to stay up to
date on new potential vulnerabilities and risks, and they regularly test the Digital Vault server against these newly disclosed risks. Due in large
part to the strict firewall configurations, most risks disclosed in the monthly Microsoft Security Bulletins do not impact the Digital Vault server,
as the existing firewall configurations already block many of the attack vectors.
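
An added example, not CyberArk code: one way to check the posture described in this section from a text export of the host's firewall rules, flagging every enabled inbound allow rule that opens anything other than TCP 1858. It assumes the export uses the layout printed by `netsh advfirewall firewall show rule name=all`; the sample rules and the function names are constructed for illustration.

```python
import re

ALLOWED = {("TCP", "1858")}  # Vault service default port, per the text above
FIELD = re.compile(r"^([^:\n]+):[ \t]*(.*)$", re.M)

# Constructed sample in `netsh advfirewall firewall show rule name=all` layout.
SAMPLE = """\
Rule Name:                            Vault service (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            1858
Action:                               Allow

Rule Name:                            Remote Desktop (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            Old agent, disabled (constructed)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Protocol:                             Any
Action:                               Allow
"""

def parse_rules(text):
    """Split the export into one dict of fields per rule."""
    blocks = re.split(r"\n\s*\n", text.strip())
    rules = [{k.strip(): v.strip() for k, v in FIELD.findall(b)} for b in blocks]
    return [r for r in rules if "Rule Name" in r]

def unexpected_inbound(rules, allowed=ALLOWED):
    """Names of enabled inbound allow rules that open anything but `allowed`."""
    hits = []
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        ports = [p.strip() for p in r.get("LocalPort", "Any").split(",")]
        if any((r.get("Protocol", "Any"), p) not in allowed for p in ports):
            hits.append(r["Rule Name"])
    return hits

print(unexpected_inbound(parse_rules(SAMPLE)))
```

A rule with no `LocalPort` field or with `Protocol: Any` is treated as opening every port, so it is flagged whenever it is enabled.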

Access Control Mechanisms


Segregation of Duties
For security reasons, some organizations prefer to fully segregate duties between the individuals responsible for maintaining the Digital Vault
server and the individuals responsible for the systems whose account information is secured within the Digital Vault. CyberArk recommends
that customers segregate administrative duties. However, customers are empowered to decide if these strict policies will be optimal and
acceptable for their unique organizations.
During deployment of the Privileged Account Security Solution, administrators are able to configure their access control model in accordance
with their organization’s security and/or compliance needs. When the solution is configured to strictly segregate administrative duties, vault
administrators who manage the Digital Vault server are not able to access the credentials or audit data stored within the vault safes. Additional
configurable access controls within the vault itself help vault administrators segregate duties between safe owners and end users to mitigate the
risks associated with unnecessary and unauthorized account access.


Tamper-Resistant Audit
One of the major benefits associated with securing and monitoring privileged accounts is the ability to see exactly which user accessed what account
and what was done during the privileged session. Yet, this information is only valuable if organizations can ensure the integrity of the audit trail.

Privileged account audit logs and session recordings are stored within the Digital Vault’s built-in database, which is designed with strict controls in
place to limit both access and actions. Information stored within the Digital Vault’s database can only be viewed by specific, authorized users, and
the information cannot be modified or deleted, even by a CyberArk administrator. Because of these controls, even if an IT administrator deletes or
tampers with an audit trail on a target system, the CyberArk solution is able to maintain a complete, accurate record of what actions occurred.

Support for Authentication Technologies


When putting the keys to the IT kingdom in one central repository, it’s imperative to tightly control access to that repository. Each user of the Digital
Vault must be authenticated, and CyberArk strongly recommends that all access to the Digital Vault be protected with multi-factor authentication.

The CyberArk Privileged Account Security Solution is designed to integrate out-of-the-box with a wide variety of authentication mechanisms,
including LDAP, RADIUS, PKI, RSA SecurID, Duo Security 2FA and SecureAuth IdP. By protecting the CyberArk solution with multi-factor
authentication, organizations can not only protect access to the sensitive information stored within the Digital Vault but also centrally extend
multi-factor authentication to all accounts – on-premises, in the cloud or in DevOps environments – whose credentials are stored within the Digital Vault.

Digital Vault Server Monitoring


As with any mission critical infrastructure, it’s imperative that organizations monitor the system both for general health and to detect suspicious
activity. In accordance with the Digital Vault Server Security Standard, CyberArk strongly recommends that customers not use third-party
monitoring software on the Digital Vault server. The installation of third-party software often requires that security policies on the Digital Vault
server be loosened, and loosened security policies can increase the attack surface of the system.

To enable system monitoring without altering the Digital Vault server security policies, CyberArk provides its own comprehensive monitoring
solution based on SNMP notifications, as well as a command line utility that enables customers to query the Digital Vault server to obtain data
necessary to monitor the system.

To enable security event monitoring, the Digital Vault is designed to enable the export of audit logs over the syslog protocol and integrate out of
the box with leading SIEM solutions, including but not limited to HPE ArcSight SIEM Platform, RSA Security Analytics and Splunk. In addition,
CyberArk privileged analytics and threat detection capabilities can be used to monitor access to privileged accounts on the Digital Vault server,
including administrative OS accounts and vault administrator accounts, to quickly detect and be alerted to potential threats.

Conclusion
CyberArk is first and foremost a security company, and as such, we design our products with a “security-first” mindset. The Digital Vault
software is intentionally designed with a number of security features and configurations that help to minimize the attack surface of its host
server, thus helping to maximize the security of privileged account information. To help customers maintain a strong security posture following
installation, CyberArk has also created the Digital Vault server Security Standard document, which defines what policies and configurations are
required to maintain a small attack surface.

In addition to internal vetting and testing, CyberArk also submits its products to external organizations for independent testing and security
validation. Through this process, the CyberArk Privileged Account Security Solution has achieved ISO 9001, Common Criteria and United
States Department of Defense UC APL certifications.

To learn more about these certifications or the CyberArk Digital Vault Security Standard, please contact your CyberArk representative or
contact us at [email protected].

©Cyber-Ark Software Ltd. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of CyberArk Software.
CyberArk ®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and other jurisdictions.
Any other trade and service names are the property of their respective owners. U.S., 02.18. Doc. 108. 213603721

CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject
to change without notice.
