TalkingTrust with Thales and CyberArk - PAM
In this discussion, join experts from CyberArk and Thales to discuss why Identity Security and Privileged Access Management have converged to be a top priority for any organization looking to tangibly reduce risk. You’ll learn how CyberArk and Thales work together to secure the keys to the kingdom using the integrated solution to secure privileged access for all types of users and identities.
Join experts from CyberArk and Thales as they discuss the importance of securing privileged access accounts, and how they work together to secure the “keys to the kingdom” for all types of users and identities.
Blair Canavan, Director of Business Development at Thales
Andrew Silberman, Sr Product Marketing Manager at CyberArk
Review all integrations and supporting documents for Thales with CyberArk.
Thales Technology Partner: cpl.thalesgroup.com/partners/cyberark
Partner website: www.cyberark.com
Talking Trust Series - CyberArk - PAM
00:10 Welcome everybody.
00:11 My name is Blair Canavan and I'm with Thales group, based out of
00:15 freezing cold Ottawa, Canada. Today with me on the
00:20 Talking Trust Video Series is my partner in crime
00:23 Andrew Silberman. Hi Andrew. Hey Blair, how are you?
00:27 Great, thank you. I know we're both
00:29 suffering through a little bit of the
00:30 cold weather, so hopefully this will
00:31 brighten our day just a little bit.
00:33 I just want to thank you again for joining our 2021
00:37 Talking Trust Video Series to chat about
00:41 how our two companies are partnering to
00:43 deliver a very comprehensive and highly trusted
00:47 Privileged Access Management or PAM
00:49 solution to the market.
00:50 So, just between you and I, this is just a
00:52 friendly chat. We'll try and keep this light
00:55 as everybody seems to prefer that type of
00:58 format these days. I'm really looking
01:00 forward to just hearing what your
01:02 thoughts are on this. So
01:03 with that, I'd be more than happy to give you the
01:06 the baton and you can advance the slides
01:08 as you see fit and then we'll try and
01:10 answer a couple of each other's
01:12 questions throughout. Sound good?
01:14 Sounds good Blair. Thanks so much for
01:15 having me, looking forward to the discussion today.
01:18 As you can see, I think what
01:22 we wanted to do first is really set the stage and talk
01:24 first about the expansion of privileged identities.
01:28 Up until several years ago we mostly thought of IT
01:31 Admins as your sort of typical privileged user.
01:35 In today's environment really almost any
01:37 identity can be privileged under certain conditions.
01:40 This can be a Developer or DevOps Engineer who has
01:43 access to source code or DevOps pipeline and tools.
01:46 These are all things that can easily
01:48 impact the organization
01:50 environment and therefore they represent
01:52 high risk. As you know with any sort of typical
01:55 IT system, it can also be in the form of an application
01:59 or robotic process automation bot that
02:02 needs high privileges in order to access
02:04 corporate resources to perform various business tasks.
02:07 These privileged identities can also be
02:09 third-party or external vendors
02:11 that need to access corporate resources
02:13 from really anywhere in the world.
02:16 And it can also be a workforce team
02:19 member that you know needs to access
02:21 a financial system
02:22 with high privileges based on their role or responsibility.
02:25 The common layer here is that all
02:27 these types of privileged access
02:30 represents high risk to the organization, therefore
02:33 it requires a high level of security controls.
02:36 Privilege is really now everywhere and
02:38 so are the risks associated with it.
02:40 Privilege exists across the entire IT
02:42 stack including the data.
02:44 The applications endpoint the network
02:46 across hybrid infrastructure
02:48 all the way to hybrid cloud. So a privileged user,
02:51 or within that sort of identity
02:53 space; a privileged user is any user that
02:56 has the ability to change,
02:57 alter, or impact the operational service of
03:00 a business process.
03:02 This includes not only system admins,
03:05 but also users that you may not
03:08 typically be considered as privileged.
03:09 Like me and you Blair, you know marketing
03:11 people or business developers.
03:14 You know privileged access
03:16 extends to non-human or machine users as
03:18 well, such as apps or service accounts.
03:20 And things like the move to the cloud
03:23 and digital transformation and this
03:25 increased use of automation,
03:26 they all dramatically expand this attack
03:28 surface and each step forward
03:30 it creates new doors that need to be locked.
03:34 That's a theme we're going to talk a lot
03:35 about today is keys and locks and doors.
03:37 So try to bear with us. When we
03:39 take a step back it seems like an
03:41 insurmountable challenge.
03:42 How do we do this without boiling
03:44 the ocean and more importantly
03:46 how do we do this without slowing things
03:48 down? We can't slow the speed of our
03:50 digital transformation in the sake of security
03:52 and vice versa. We can't sacrifice
03:54 security for the sake of digital transformation.
03:57 So you know Blair, obviously we're
03:59 both doing this from home today. I have
04:00 to imagine you're seeing a
04:01 a mass proliferation of the
04:03 workforce right across all different places.
04:06 Absolutely, and we take it for granted
04:09 you know. We're just users. But it's not
04:10 just the users that you just mentioned
04:12 you mentioned. It's
04:14 users, it's machines, it's apps, it's everything.
04:17 That all was under the same cloud per se.
04:21 Definitely. That's again sort of under this theme of
04:24 privileges everywhere, and so with that
04:26 introducing the CyberArc Identity
04:28 Security Platform which focuses on three main pillars.
04:32 One of which, I'll dive into a little
04:33 bit further detail than the other. The
04:35 first one being privilege.
04:37 But the other being just as important with access,
04:40 as well as DevSecOps, which you
04:42 know is continuing to emerge.
04:44 A quick background…
04:48 I know we're on the Thales side
04:49 but a quick scoop on how the
04:51 solution access works.
04:52 To access the privileged account, a
04:54 user first enters the CyberArk web portal,
04:57 and checks out an account
04:59 which they have access to
05:01 and the Cyborg Digital Vault, which is
05:03 protected by multiple layers of security,
05:05 then provides the user with that credential.
05:08 The vault retrieves the credential for
05:10 the user and the user can then go on and
05:12 access their target system whether it
05:14 exists, as you said, in a hybrid
05:15 or a cloud environment. CyberArk provides
05:19 powerful capabilities to automatically
05:21 discover and onboard privileged accounts
05:23 and credentials into the vault, and once
05:26 these accounts have been centrally secured
05:28 they're rotated automatically either at
05:30 a regular cadence determined by organizational policy,
05:33 or through regulatory requirements after each use
05:36 or on demand as necessary. The automated
05:39 password rotation helps to strengthen security
05:42 and address audit requirements, all while
05:44 eliminating time-intensity
05:46 and manual processes for the IT teams.
05:49 We talked earlier on the slide prior
05:51 about not sacrificing
05:52 operational efficiency for the sake of
05:54 security and vice versa,
05:56 but to further ensure that authorized users
06:01 are always able to access privileged
06:02 accounts when needed,
06:04 the CyberArk vault proactively checks
06:06 that account passwords are synchronized
06:07 between target systems and the vault
06:09 and any conflicts are automatically
06:11 resolved, or the administrator can go in
06:13 and do it themselves.
06:14 The vault also offers centralized
06:16 policy management which allows admins to
06:18 set policies for password length
06:21 and strength, and the frequency of password rotations
06:24 which users may access which
06:27 safes. For instance, Blair might have
06:28 access to a different set of
06:30 accounts and systems than I would, and
06:33 which account credentials
06:34 exist in each safe. Finally I
06:37 want to break this up a bit, but you know
06:38 we also there's an Active Directory integration
06:41 which helps to simplify the policy
06:43 creation process. That enables you as
06:46 a Cyborg customer to set policies based on
06:48 80 user groups. Based on your security
06:51 needs you can opt to
06:53 show the user the password or copy that password
06:56 and hiding the characters of the
06:58 password but enabling it to be copied
07:00 into a needed application or a direct connect.
07:03 This sets off a workflow to seamlessly
07:05 establish a session
07:07 on a target system without allowing the
07:08 user to see or copy the password.
07:11 To put this into context, Blair have you ever
07:14 maybe shamefully or not ever reused a password across
07:17 different applications or accounts of your own just in your own
07:20 sort of personal space?
07:23 I'm going to say in quotes
07:26 no question mark, but I think we all
07:29 agree that that is fundamentally one of the biggest
07:32 challenges is that we do what we got to
07:34 do to get through the day and oftentimes
07:36 we repeat what we're used to and what we're
07:38 comfortable with remembering or
07:39 or following the password
07:44 specifics in terms of format and so
07:46 on. I think we're all guilty
07:48 definitely and we've done a study
07:51 recently that showed sort of the
07:52 percentage of people that are reusing
07:54 passwords across different applications
07:55 and it's something to certainly
07:58 think about. It's human nature as you said
08:00 and there's not much that we can do to avoid that.
08:03 There's only so much room in everyone's
08:05 brains to figure that out.
08:06 But the next component that's really
08:09 critical within the Cyborg solution is
08:10 this concept of session isolation monitoring and recording.
08:16 The Cyborg solution acts as a secure
08:18 IP server which isolates privileged user sessions
08:22 and it establishes a single point of
08:23 control from which security
08:25 and audit teams can then monitor, record,
08:27 suspend, and terminate sessions.
08:30 Here's how it works and
08:31 I'll do a little click through here.
08:33 A user would log in to
08:35 CyberArk to the Cyborg web portal like
08:37 they were on the prior slide and then
08:38 select their needed account
08:40 to access their AWS cloud management console.
08:43 Their privileged session to this
08:45 console is isolated via proxy server
08:47 and their behavior is recorded. To
08:50 accommodate SysAdmin’s preferred tools
08:52 and workflows, we also
08:54 offer native session management to Linux
08:56 systems through our native command line.
08:58 SSH connectivity. This is also applicable
09:01 for native access through
09:02 windows clients like RDP or SSMS.
09:06 Upon selecting or defining the needed account
09:11 our solution validates the
09:13 user's permissions. It retrieves the
09:15 privileged password or SSH key from the digital vault
09:18 and sends it directly to the target
09:20 system for authentication.
09:22 CyberArk then establishes this
09:24 secured, isolated remote session
09:26 and records all this activity during the session.
09:30 These recordings are then securely stored in
09:32 the Cyborg vault
09:33 so that users are unable to edit their
09:35 audit histories and the vault also
09:37 provides the credential and user to the system.
09:40 This has really two additional
09:44 purposes. First, because the user is
09:47 never actually directly connecting two target systems
09:50 and the target system is locked
09:52 down any potential malware that might reach the
09:55 the end user's workstation, in this animation, a laptop.
09:59 It can't you know be used to jump
10:01 onto the critical system
10:03 and second credentials are retrieved
10:05 by the solution and sent directly to the target system.
10:07 Neither the end user nor the machine
10:09 is exposed to the credential.
10:11 This is really critical. We see endpoints
10:13 being the weak point in the attack chain
10:16 all over the place today. This is a
10:17 really critical thing that
10:19 all organizations should be
10:21 implementing in regards to privileged
10:23 access management.
10:25 Now to get into this a little bit more and
10:29 and in terms of talking about why are we
10:31 talking today is what's the CyberArk plus
10:34 Thales story. It's all about securing
10:36 the keys to the kingdom, right Blair?
10:38 Absolutely, and we all talk
10:40 about keys as if everybody's following
10:43 succinctly with every use of or what
10:45 they are, but I think what we're trying to talk about are
10:48 from the digital key point of view, the
10:50 SSL key pairs that
10:51 most of us are fundamentally
10:54 comfortable talking a little bit about.
10:56 I'd be curious as to how critical are these keys
10:59 within a PAM infrastructure? Maybe you
11:02 could describe a little bit about
11:03 the keys to the kingdom per se?
11:05 Definitely. as sort of alluded to, privileged account
11:10 credentials are really the keys to the
11:11 IT kingdom as you said.
11:13 External attackers and malicious insiders know
11:16 that by gaining access to a privileged
11:18 account or privileged account credential,
11:20 this is really their most effective
11:22 way to gain access to your critical data.
11:24 Safely generating and storing the
11:26 keys used for these access credentials
11:28 is a really, really critical part of the security solution.
11:32 Together with Cyborg, Thales offers two
11:34 solutions that can actually generate and
11:35 store the server keys
11:37 providing private key protection and
11:39 strong entropy for cool generation
11:41 for the Cyborg Privileged Access Manager.
11:44 So Blair, did you want to talk a little bit
11:46 more here about Luna?
11:49 Yeah absolutely. You know Luna has
11:51 been around for decades and
11:53 and for some people Luna fundamentally means
11:57 root of trust. It's the hardware security module that
12:01 that keeps the keys to the kingdom in
12:04 a tamper-resistant hardware appliance.
12:06 This is FIPS 140-2 Level 3 Validated
12:10 which gives comfort but also compliance and
12:14 regulatory support for implementing your infrastructure
12:18 such that all keys at all times never leave,
12:22 stay in the same place and are managed
12:25 according to that type of
12:26 of validation. For a lot of us who
12:30 again, take that sort of thing for
12:31 granted, it's generally because it's
12:34 transparent. It sits in the back, you
12:35 don't see it, feel it, touch it,
12:36 other than when you generate for the
12:38 first time or when the operational requirements
12:41 push some type of application or request
12:44 to have some key signed or some object signed.
12:48 That's really where these boxes silently do their job
12:52 and because they're network connected
12:53 devices you can point multiple
12:56 devices and multiple applications at the
12:59 same time to the same device that sits
13:01 in the network environment.
13:02 So again, these are very simple
13:06 solutions, but very complex
13:08 architecturally from a cryptographic
13:09 point of view to make sure that again
13:11 those keys are sort of the safest place imaginable.
13:17 Absolutely. So within that and as we were
13:20 talking to put this together some
13:22 concept that came up to me that I
13:23 wasn't as familiar with and maybe
13:25 you know people listening as well.
13:27 Random number generation is really
13:29 something that I like to think most people don't know
13:31 about. Our HSM’s are better suited to
13:34 provide that random number generation.
13:37 Yeah, it's a simple component but a very
13:39 essential component of generating keys.
13:41 RNG as it's often called, is something
13:44 that is under intense scrutiny these days primarily
13:48 because just the whole scope of
13:49 of a cloud environment and the sheer span of the internet.
13:53 So more than ever RNG means that a good
13:56 key must be random.
13:58 When keys are generated in these devices,
14:02 the key and use policies in force and
14:04 the system's more resistant to this type
14:06 of attack by using again hardware based entropy creation.
14:10 This is the seed that's
14:11 necessary to generate the SSL key pair.
14:14 Again, HSM protects it
14:16 and stores this in the root of trust.
14:18 Another element of of cryptography not a lot of
14:21 people care or talk about, but
14:23 when someone asks you that question
14:25 about RNG, it simply asks we've got an HSM.
14:28 It's FIPS Validated Level-3 and it's
14:29 the highest level of RNG available in the market.
14:32 They're isolated from the host environment and
14:35 again these keys don't need the device
14:37 under any circumstances.
14:39 I think we've covered most of
14:41 that. I've covered the FIPS
14:43 the boundary, and of course, I should
14:44 mention the life cycle hardware key management.
14:47 Any time that there is
14:50 a key rollover or changes or exchanges
14:52 the HSM is in step and
14:55 maintains that continuity from a key
14:57 management point of view.
15:00 So you know, I've talked a little bit
15:03 about what our stuff does but
15:05 from your perspective, I'd like to
15:07 hear from you Andrew.
15:08 What do you think the risks are? What
15:12 risks are introduced, I should say when
15:13 when you store keys just in software alone?
15:17 Isn't software good enough? It's a
15:19 good question, and it's one that that I
15:21 think a lot of organizations sort of
15:22 grapple with, but the
15:23 the challenge with this is that keys
15:25 used to secure credentials that control
15:27 access to privileged accounts,
15:28 they're vulnerable frankly if
15:30 stored in software or it's not
15:32 as secure as it maybe should be.
15:34 Individual password and accounts
15:36 stored each have their own unique
15:38 file key, it's an AES-256
15:40 encryption key while the passwords are stored in safes,
15:44 which have their own individual key, the server key.
15:47 If the attacker is able to actually
15:49 break AES-256 for one file or one password
15:53 that only works for one password and one file
15:56 and by having the HSM level three compliant module
15:59 that generates the key which never leaves the HSM.
16:02 Now, what we've done is that we have
16:04 top level cryptographic keys that's
16:06 under the strictest controls
16:08 which protects the password vault from
16:10 brute force, or really any other
16:12 type of attack out there. The HSM integrates
16:15 with Cyborg to protect fiber arc itself
16:18 with top level encryption so
16:20 no key is exposed to any user at any time.
16:23 Attackers who gain access to these keys and software
16:27 have access to the keys to the
16:28 kingdom and obviously we want to
16:30 prevent that at all costs and we do
16:33 so by protecting keys within HSM boundaries.
16:36 I guess and Blair feel free to chime in here, but
16:40 to summarize it, you can see some of the
16:42 points written on the right side here
16:43 but together the solution really does help
16:48 to securely store keys to ensure that
16:50 only authorized users
16:52 are accessing your vault similar to a
16:53 bank vault. You only want the authorized users
16:56 accessing their own safes. Same goes for
16:59 cyber security, same goes for the IT kingdom.
17:02 And what this out of the box
17:03 integration does, it enhances security,
17:05 reduces risk. That's what we're all about.
17:08 It provides all the bells and whistles along with it for
17:11 reporting for audit. It's flexible, scalable
17:14 and it integrates with all sorts of different workflows.
17:18 But Blair I can pass things over to
17:20 you if there's anything on top of that
17:22 that you wanted to add.
17:23 Definitely. I welcome that sort of insight, but
17:27 other than that, I think we can maybe
17:28 talk about some next steps here.
17:31 Thank you very much Andrew.
17:33 I think we've walked through in pretty good specifics the
17:38 the overall value of our two solutions coming together.
17:41 We have the CyberArk Privileged Access
17:43 Management piece which on its own has
17:45 its merits, and absolute
17:47 capabilities in the PAM space.
17:50 Combine that with leading HSM technology from Thales.
17:54 And to your point, no compromise
17:56 required when you get these two products
17:58 and solutions together. They offer a very
17:59 comprehensive, very simple
18:01 implementation which requires very little
18:05 care and feeding at the end of the
18:07 day. I just wanted to say that I think
18:09 you did a great job of walking us
18:10 through the value and certainly the way
18:12 that we work together as two companies
18:14 in the marketplace speaks volumes
18:16 to again the acceptance of this type of
18:18 solution as a standard
18:20 implementation throughout the industry.
18:22 I'll say that the last thing I think
18:24 from an agenda point of view is that
18:25 we've got a bunch of resources
18:29 available to those who are
18:31 interested in looking a little bit further.
18:34 We've got our solution briefs,
18:36 we've got our integration guides.
18:38 These are very good resources in terms of
18:42 simplicity as I mentioned and for anyone
18:45 who's embarking upon this on the first time.
18:48 It's quite surprisingly
18:51 simple for something as complex from a
18:53 implementation point of view so I don't
18:55 know if I've covered everything?
18:57 Oh excuse me, I almost forgot about
18:58 cyberark.com, the marketplace
19:01 if you can't get it from CyberArk you can get it from
19:04 Thales and that's what we do is we
19:07 we co-brand each other's solutions on
19:09 our partner pages and just want to point
19:11 out that you can get it from
19:13 either directly through myself or
19:14 yourself but I would say the best bet is
19:16 just go straight to our website get those resources.
19:20 Again, thanks for having me on the talk today. I hope it
19:23 was informative. I think it went pretty well and
19:26 hopefully we can talk soon. I look forward to it Andrew.
19:29 Again thanks a lot for your time today. It was a
19:31 pleasure having you on the
19:32 Talking Trust Video series. My pleasure.
19:35 Thank you.
CyberArk Privileged Access Security Solution with Thales HSMs - Solution Brief
Protecting privileged access management credentials presents one of the largest security risks an organization faces today. These access accounts allow control of an organization’s resources, disable security systems, and enable access to vast amounts of sensitive data....
Securing Emerging Technologies with Thales Luna HSMs - Solution Brief
In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...
Thales Luna Network HSM - Product Brief
Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance.
CyberArk Digital Vault with Thales Luna HSM and Luna Cloud HSM - Integration Guide
This document guides security administrators through the steps for integrating a CyberArk Digital Vault with SafeNet Luna HSM or HSM on Demand Service. SafeNet HSMs come as on-premise hardware HSMs widely known as SafeNet Luna HSM and a cloud offering HSM on Demand Service ...