Luna HSM: TalkingTrust Video Series

Secure your devices, identities and transactions with
Thales Luna HSMs and ecosystem partners – the foundation of digital trust

TalkingTrust with Thales and CyberArk - PAM

In this discussion, join experts from CyberArk and Thales to discuss why Identity Security and Privileged Access Management have converged to be a top priority for any organization looking to tangibly reduce risk. You’ll learn how CyberArk and Thales work together to secure the keys to the kingdom using the integrated solution to secure privileged access for all types of users and identities.

Join experts from CyberArk and Thales as they discuss the importance of securing privileged access accounts, and how they work together to secure the “keys to the kingdom” for all types of users and identities.

Blair Canavan, Director of Business Development at Thales
Andrew Silberman, Sr Product Marketing Manager at CyberArk

Review all integrations and supporting documents for Thales with CyberArk.

Video Transcript

Talking Trust Series - CyberArk - PAM


00:10 Welcome everybody.

00:11 My name is Blair Canavan and I'm with Thales Group, based out of

00:15 freezing cold Ottawa, Canada. Today with me on the  

00:20 Talking Trust Video Series is my partner in crime

00:23 Andrew Silberman. Hi Andrew. Hey Blair, how are you?

00:27 Great, thank you. I know we're both

00:29 suffering through a little bit of the

00:30 cold weather, so hopefully this will

00:31 brighten our day just a little bit.

00:33 I just want to thank you again for joining our 2021

00:37 Talking Trust Video Series to chat about

00:41 how our two companies are partnering to

00:43 deliver a very comprehensive and highly trusted

00:47 Privileged Access Management or PAM

00:49 solution to the market.

00:50 So, just between you and I, this is just a

00:52 friendly chat. We'll try and keep this light

00:55 as everybody seems to prefer that type of  

00:58 format these days. I'm really looking

01:00 forward to just hearing what your

01:02 thoughts are on this. So

01:03 with that, I'd be more than happy to give you the

01:06 the baton and you can advance the slides

01:08 as you see fit and then we'll try and

01:10 answer a couple of each other's

01:12 questions throughout. Sound good?

01:14 Sounds good Blair. Thanks so much for

01:15 having me, looking forward to the discussion today.

01:18 As you can see, I think what

01:22 we wanted to do first is really set the stage and talk

01:24 first about the expansion of privileged identities.

01:28 Up until several years ago we mostly thought of IT

01:31 Admins as your sort of typical privileged user.

01:35 In today's environment really almost any

01:37 identity can be privileged under certain conditions.

01:40 This can be a Developer or DevOps Engineer who has

01:43 access to source code or DevOps pipeline and tools.

01:46 These are all things that can easily

01:48 impact the organization

01:50 environment and therefore they represent

01:52 high risk. As you know with any sort of typical

01:55 IT system, it can also be in the form of an application

01:59 or robotic process automation bot that

02:02 needs high privileges in order to access

02:04 corporate resources to perform various business tasks.

02:07 These privileged identities can also be

02:09 third-party or external vendors

02:11 that need to access corporate resources

02:13 from really anywhere in the world.

02:16 And it can also be a workforce team

02:19 member that you know needs to access

02:21 a financial system

02:22 with high privileges based on their role or responsibility.

02:25 The common layer here is that all

02:27 these types of privileged access

02:30 represents high risk to the organization, therefore

02:33 it requires a high level of security controls.

02:36 Privilege is really now everywhere and

02:38 so are the risks associated with it.

02:40 Privilege exists across the entire IT

02:42 stack including the data.

02:44 The applications endpoint the network

02:46 across hybrid infrastructure

02:48 all the way to hybrid cloud. So a privileged user,

02:51 or within that sort of identity

02:53 space; a privileged user is any user that

02:56 has the ability to change,

02:57 alter, or impact the operational service of

03:00 a business process.

03:02 This includes not only system admins,

03:05 but also users that you may not

03:08 typically be considered as privileged.

03:09 Like me and you Blair, you know marketing

03:11 people or business developers.

03:14 You know privileged access 

03:16 extends to non-human or machine users as

03:18 well, such as apps or service accounts.

03:20 And things like the move to the cloud

03:23 and digital transformation and this

03:25 increased use of automation,

03:26 they all dramatically expand this attack

03:28 surface and each step forward

03:30 it creates new doors that need to be locked. 

03:34 That's a theme we're going to talk a lot

03:35 about today is keys and locks and doors.

03:37 So try to bear with us. When we

03:39 take a step back it seems like an

03:41 insurmountable challenge.

03:42 How do we do this without boiling

03:44 the ocean and more importantly

03:46 how do we do this without slowing things

03:48 down?  We can't slow the speed of our

03:50 digital transformation in the sake of security

03:52 and vice versa. We can't sacrifice

03:54 security for the sake of digital transformation.

03:57 So you know Blair, obviously we're

03:59 both doing this from home today. I have

04:00 to imagine you're seeing a

04:01 a mass proliferation of the

04:03 workforce right across all different places.

04:06 Absolutely, and we take it for granted  

04:09 you know. We're just users. But it's not

04:10 just the users that you just mentioned

04:12 It's

04:14 users, it's machines, it's apps, it's everything.

04:17 That all was under the same cloud per se.

04:21 Definitely. That's again sort of under this theme of

04:24 privileges everywhere, and so with that

04:26 introducing the CyberArk Identity

04:28 Security Platform which focuses on three main pillars.

04:32 One of which, I'll dive into a little

04:33 bit further detail than the other. The

04:35 first one being privilege.

04:37 But the other being just as important with access,

04:40 as well as DevSecOps, which you

04:42 know is continuing to emerge.

04:44 A quick background…

04:48 I know we're on the Thales side

04:49 but a quick scoop on how the

04:51 solution access works.

04:52 To access the privileged account, a

04:54 user first enters the CyberArk web portal,

04:57 and checks out an account

04:59 which they have access to

05:01 and the CyberArk Digital Vault, which is

05:03 protected by multiple layers of security,

05:05 then provides the user with that credential.

05:08 The vault retrieves the credential for

05:10 the user and the user can then go on and

05:12 access their target system whether it

05:14 exists, as you said, in a hybrid

05:15 or a cloud environment. CyberArk provides

05:19 powerful capabilities to automatically

05:21 discover and onboard privileged accounts

05:23 and credentials into the vault, and once

05:26 these accounts have been centrally secured

05:28 they're rotated automatically either at

05:30 a regular cadence determined by organizational policy,

05:33 or through regulatory requirements after each use

05:36 or on demand as necessary. The automated

05:39 password rotation helps to strengthen security

05:42 and address audit requirements, all while

05:44 eliminating time-intensity

05:46 and manual processes for the IT teams.

05:49 We talked earlier on the slide prior

05:51 about not sacrificing

05:52 operational efficiency for the sake of

05:54 security and vice versa,

05:56 but to further ensure that authorized users

06:01 are always able to access privileged

06:02 accounts when needed,

06:04 the CyberArk vault proactively checks

06:06 that account passwords are synchronized

06:07 between target systems and the vault

06:09 and any conflicts are automatically

06:11 resolved, or the administrator can go in

06:13 and do it themselves.

06:14 The vault also offers centralized

06:16 policy management which allows admins to

06:18 set policies for password length

06:21 and strength, and the frequency of password rotations

06:24 which users may access which

06:27 safes. For instance, Blair might have

06:28 access to a different set of

06:30 accounts and systems than I would, and

06:33 which account credentials

06:34 exist in each safe. Finally I

06:37 want to break this up a bit, but you know

06:38 we also there's an Active Directory integration

06:41 which helps to simplify the policy

06:43 creation process. That enables you as

06:46 a CyberArk customer to set policies based on

06:48 AD user groups. Based on your security

06:51 needs you can opt to

06:53 show the user the password or copy that password

06:56 and hiding the characters of the

06:58 password but enabling it to be copied

07:00 into a needed application or a direct connect.

07:03 This sets off a workflow to seamlessly

07:05 establish a session

07:07 on a target system without allowing the

07:08 user to see or copy the password.

07:11 To put this into context, Blair have you ever  

07:14 maybe shamefully or not ever reused a password across

07:17 different applications or accounts of your own just in your own

07:20 sort of personal space?

07:23 I'm going to say in quotes

07:26 no question mark, but I think we all

07:29 agree that that is fundamentally one of the biggest

07:32 challenges is that we do what we got to

07:34 do to get through the day and oftentimes

07:36 we repeat what we're used to and what we're

07:38 comfortable with remembering or

07:39 following the password

07:44 specifics in terms of format and so

07:46 on. I think we're all guilty

07:48 definitely and we've done a study

07:51 recently that showed sort of the

07:52 percentage of people that are reusing

07:54 passwords across different applications

07:55 and it's something to certainly

07:58 think about. It's human nature as you said

08:00 and there's not much that we can do to avoid that. 

08:03 There's only so much room in everyone's

08:05 brains to figure that out.

08:06 But the next component that's really

08:09 critical within the CyberArk solution is

08:10 this concept of session isolation monitoring and recording.

08:16 The CyberArk solution acts as a secure

08:18 IP server which isolates privileged user sessions

08:22 and it establishes a single point of

08:23 control from which security

08:25 and audit teams can then monitor, record,

08:27 suspend, and terminate sessions.

08:30 Here's how it works and

08:31 I'll do a little click through here.

08:33 A user would log in to

08:35 CyberArk, to the CyberArk web portal, like

08:37 they were on the prior slide and then

08:38 select their needed account

08:40 to access their AWS cloud management console.

08:43 Their privileged session to this

08:45 console is isolated via proxy server

08:47 and their behavior is recorded. To

08:50 accommodate SysAdmin’s preferred tools

08:52 and workflows, we also

08:54 offer native session management to Linux

08:56 systems through our native command line.

08:58 SSH connectivity. This is also applicable

09:01 for native access through

09:02 windows clients like RDP or SSMS.

09:06 Upon selecting or defining the needed account

09:11 our solution validates the

09:13 user's permissions. It retrieves the

09:15 privileged password or SSH key from the digital vault

09:18 and sends it directly to the target

09:20 system for authentication.

09:22 CyberArk then establishes this

09:24 secured, isolated remote session

09:26 and records all this activity during the session. 

09:30 These recordings are then securely stored in

09:32 the CyberArk vault

09:33 so that users are unable to edit their

09:35 audit histories and the vault also

09:37 provides the credential and user to the system.

09:40 This has really two additional

09:44 purposes. First, because the user is

09:47 never actually directly connecting to target systems

09:50 and the target system is locked

09:52 down any potential malware that might reach the

09:55 end user's workstation, in this animation, a laptop.

09:59 It can't you know be used to jump

10:01 onto the critical system

10:03 and second credentials are retrieved

10:05 by the solution and sent directly to the target system.

10:07 Neither the end user nor the machine

10:09 is exposed to the credential.

10:11 This is really critical. We see endpoints

10:13 being the weak point in the attack chain

10:16 all over the place today. This is a

10:17 really critical thing that 

10:19 all organizations should be

10:21 implementing in regards to privileged

10:23 access management.

10:25 Now to get into this a little bit more and

10:29 in terms of talking about why are we

10:31 talking today is what's the CyberArk plus

10:34 Thales story. It's all about securing

10:36 the keys to the kingdom, right Blair?

10:38 Absolutely, and we all talk

10:40 about keys as if everybody's following

10:43 succinctly with every use of or what

10:45 they are, but I think what we're trying to talk about are

10:48 from the digital key point of view, the

10:50 SSL key pairs that

10:51 most of us are fundamentally

10:54 comfortable talking a little bit about.

10:56 I'd be curious as to how critical are these keys

10:59 within a PAM infrastructure? Maybe you

11:02 could describe a little bit about

11:03 the keys to the kingdom per se?

11:05 Definitely. as sort of alluded to, privileged account

11:10 credentials are really the keys to the

11:11 IT kingdom as you said.

11:13 External attackers and malicious insiders know

11:16 that by gaining access to a privileged

11:18 account or privileged account credential,

11:20 this is really their most effective

11:22 way to gain access to your critical data.

11:24 Safely generating and storing the

11:26 keys used for these access credentials

11:28 is a really, really critical part of the security solution.

11:32 Together with CyberArk, Thales offers two

11:34 solutions that can actually generate and

11:35 store the server keys

11:37 providing private key protection and

11:39 strong entropy for key generation

11:41 for the CyberArk Privileged Access Manager.

11:44 So Blair, did you want to talk a little bit

11:46 more here about Luna?

11:49 Yeah absolutely. You know Luna has

11:51 been around for decades and

11:53 for some people Luna fundamentally means

11:57 root of trust. It's the hardware security module that

12:01 keeps the keys to the kingdom in

12:04 a tamper-resistant hardware appliance.

12:06 This is FIPS 140-2 Level 3 Validated

12:10 which gives comfort but also compliance and

12:14 regulatory support for implementing your infrastructure

12:18 such that all keys at all times never leave,

12:22 stay in the same place and are managed

12:25 according to that type of

12:26 of validation. For a lot of us who

12:30 again, take that sort of thing for

12:31 granted, it's generally because it's

12:34 transparent.  It sits in the back, you

12:35 don't see it, feel it, touch it,

12:36 other than when you generate for the

12:38 first time or when the operational requirements

12:41 push some type of application or request

12:44 to have some key signed or some object signed.

12:48 That's really where these boxes silently do their job

12:52 and because they're network connected

12:53 devices you can point multiple

12:56 devices and multiple applications at the

12:59 same time to the same device that sits

13:01 in the network environment.

13:02 So again, these are very simple

13:06 solutions, but very complex

13:08 architecturally from a cryptographic

13:09 point of view to make sure that again

13:11 those keys are sort of the safest place imaginable.

13:17 Absolutely. So within that and as we were

13:20 talking to put this together some

13:22 concept that came up to me that I

13:23 wasn't as familiar with and maybe

13:25 you know people listening as well.

13:27 Random number generation is really

13:29 something that I like to think most people don't know

13:31 about. Our HSMs are better suited to

13:34 provide that random number generation.

13:37 Yeah, it's a simple component but a very

13:39 essential component of generating keys.

13:41 RNG as it's often called, is something

13:44 that is under intense scrutiny these days primarily

13:48 because just the whole scope of

13:49 of a cloud environment and the sheer span of the internet.

13:53 So more than ever RNG means that a good

13:56 key must be random.

13:58 When keys are generated in these devices,

14:02 the key and use policies in force and

14:04 the system's more resistant to this type

14:06 of attack by using again hardware based entropy creation.

14:10 This is the seed that's

14:11 necessary to generate the SSL key pair.

14:14 Again, HSM protects it

14:16 and stores this in the root of trust.

14:18 Another element of cryptography not a lot of

14:21 people care or talk about, but

14:23 when someone asks you that question

14:25 about RNG, it simply asks we've got an HSM.

14:28 It's FIPS Validated Level-3 and it's

14:29 the highest level of RNG available in the market.

14:32 They're isolated from the host environment and  

14:35 again these keys don't leave the device

14:37 under any circumstances.

14:39 I think we've covered most of

14:41 that. I've covered the FIPS

14:43 the boundary, and of course, I should

14:44 mention the life cycle hardware key management.

14:47 Any time that there is

14:50 a key rollover or changes or exchanges

14:52 the HSM is in step and

14:55 maintains that continuity from a key

14:57 management point of view.

15:00 So you know, I've talked a little bit

15:03 about what our stuff does but

15:05 from your perspective, I'd like to

15:07 hear from you Andrew.

15:08 What do you think the risks are? What

15:12 risks are introduced, I should say when

15:13 when you store keys just in software alone?

15:17 Isn't software good enough? It's a

15:19 good question, and it's one that I

15:21 think a lot of organizations sort of

15:22 grapple with, but the

15:23 challenge with this is that keys

15:25 used to secure credentials that control

15:27 access to privileged accounts,

15:28 they're vulnerable frankly if

15:30 stored in software or it's not

15:32 as secure as it maybe should be.

15:34 Individual password and accounts

15:36 stored each have their own unique

15:38 file key, it's an AES-256

15:40 encryption key while the passwords are stored in safes,

15:44 which have their own individual key, the server key.

15:47 If the attacker is able to actually

15:49 break AES-256 for one file or one password

15:53 that only works for one password and one file

15:56 and by having the HSM level three compliant module

15:59 that generates the key which never leaves the HSM.

16:02 Now, what we've done is that we have

16:04 top level cryptographic keys that's

16:06 under the strictest controls

16:08 which protects the password vault from

16:10 brute force, or really any other

16:12 type of attack out there. The HSM integrates

16:15 with CyberArk to protect CyberArk itself

16:18 with top level encryption so

16:20 no key is exposed to any user at any time.

16:23 Attackers who gain access to these keys and software

16:27 have access to the keys to the

16:28 kingdom and obviously we want to

16:30 prevent that at all costs and we do

16:33 so by protecting keys within HSM boundaries.

16:36 I guess and Blair feel free to chime in here, but

16:40 to summarize it, you can see some of the

16:42 points written on the right side here

16:43 but together the solution really does help

16:48 to securely store keys to ensure that

16:50 only authorized users

16:52 are accessing your vault similar to a

16:53 bank vault. You only want the authorized users

16:56 accessing their own safes. Same goes for

16:59 cyber security, same goes for the IT kingdom.

17:02 And what this out of the box

17:03 integration does, it enhances security,

17:05 reduces risk.  That's what we're all about.

17:08 It provides all the bells and whistles along with it for

17:11 reporting for audit. It's flexible, scalable

17:14 and it integrates with all sorts of different workflows.

17:18 But Blair I can pass things over to

17:20 you if there's anything on top of that

17:22 that you wanted to add.

17:23 Definitely. I welcome that sort of insight, but

17:27 other than that, I think we can maybe

17:28 talk about some next steps here.

17:31 Thank you very much Andrew. 

17:33 I think we've walked through in pretty good specifics the

17:38 the overall value of our two solutions coming together.

17:41 We have the CyberArk Privileged Access

17:43 Management piece which on its own has

17:45 its merits, and absolute

17:47 capabilities in the PAM space.

17:50 Combine that with leading HSM technology from Thales.

17:54 And to your point, no compromise

17:56 required when you get these two products

17:58 and solutions together. They offer a very

17:59 comprehensive, very simple

18:01 implementation which requires very little

18:05 care and feeding at the end of the

18:07 day. I just wanted to say that I think

18:09 you did a great job of walking us

18:10 through the value and certainly the way

18:12 that we work together as two companies

18:14 in the marketplace speaks volumes

18:16 to again the acceptance of this type of

18:18 solution as a standard

18:20 implementation throughout the industry.

18:22 I'll say that the last thing I think

18:24 from an agenda point of view is that

18:25 we've got a bunch of resources

18:29 available to those who are

18:31 interested in looking a little bit further.

18:34 We've got our solution briefs,

18:36 we've got our integration guides.

18:38 These are very good resources in terms of

18:42 simplicity as I mentioned and for anyone

18:45 who's embarking upon this on the first time.

18:48 It's quite surprisingly

18:51 simple for something as complex from a

18:53 implementation point of view so I don't

18:55 know if I've covered everything?

18:57 Oh excuse me, I almost forgot about

18:58 the marketplace

19:01 if you can't get it from CyberArk you can get it from

19:04 Thales and that's what we do is we

19:07 we co-brand each other's solutions on

19:09 our partner pages and just want to point

19:11 out that you can get it from

19:13 either directly through myself or

19:14 yourself but I would say the best bet is

19:16 just go straight to our website get those resources.

19:20 Again, thanks for having me on the talk today.  I hope it

19:23 was informative. I think it went pretty well and  

19:26 hopefully we can talk soon. I look forward to it Andrew. 

19:29 Again thanks a lot for your time today. It was a

19:31 pleasure having you on the

19:32 Talking Trust Video series. My pleasure.

19:35 Thank you.

CyberArk Privileged Access Security Solution with Thales HSMs - Solution Brief

Protecting privileged access management credentials presents one of the largest security risks an organization faces today. These access accounts allow control of an organization’s resources, disable security systems, and enable access to vast amounts of sensitive data....

Securing Emerging Technologies with Thales Luna HSMs - Solution Brief

In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...

Luna Network HSM - Product Brief

Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...

CyberArk Digital Vault with Thales Luna HSM and Luna Cloud HSM - Integration Guide

This document guides security administrators through the steps for integrating a CyberArk Digital Vault with SafeNet Luna HSM or HSM on Demand Service. SafeNet HSMs come as on-premise hardware HSMs widely known as SafeNet Luna HSM and a cloud offering HSM on Demand Service ...