From Passwords to MFT, Cyber-Ark Has a Vault for That
February 2, 2010 Alex Woodie
There’s a school of thought that says open source development yields greater security because the heightened transparency ensures that problems are identified and fixed at a quicker pace. There’s another school of thought that says true security is obtained by building your own stuff and then concealing its existence. Cyber-Ark is an advocate of the second approach with its Digital Vault, which serves as the foundation for a series of security software products, ranging from privileged password management to managed file transfer (MFT).
Cyber-Ark was founded in 1999 by a group of security experts who were tired of security being an afterthought. Instead, they believed real, end-to-end security could only be obtained by making it a key design consideration from the beginning. This idea led to the creation of the Digital Vault, a proprietary Windows-based application that was designed to be an impenetrable silo of information.
Yes, the Digital Vault resides on a Windows OS (no snickering, please). But once it’s installed, the vault locks itself down and becomes nearly invisible to anybody around it. A built-in firewall shuts down all ports except those used to communicate with Cyber-Ark clients, using something called the “Vault Protocol.” No direct access to the vault is permitted. Instead, all information exchange is conducted through the Cyber-Ark clients, and access requires strong authentication. Every action is logged extensively. Information is always encrypted.
Roy Adar, vice president of product management for Cyber-Ark, likens the Digital Vault to a physical safe. “You’re the only one who can see that the safe exists and the only one who can access it,” he says. “In Windows and Unix, when you create a folder, perhaps you do not allow others to get the folder, but they can see that it exists. To be the most confidential when you create the safe with the Digital Vault, you don’t even allow people to know that the safe exists. Just the name of the safe can give away sensitive information.”
Once the safe is created in the Digital Vault, a user can decide what information to share and who to share it with. This is where the company’s MFT offering, called the Inter-Business Vault (IBV), comes into play.
IBV extends the Digital Vault with a series of capabilities that are common to MFT offerings. Secure ad-hoc file exchange between two people can be accomplished as long as each has either the Cyber-Ark Windows client or access to a secure Web portal, both of which communicate with the Digital Vault using proprietary protocols. For back-office situations, the software can automate the file transfer process with any server that supports FTP or SFTP (the SSH File Transfer Protocol) through converters. Scripts that organizations have written to automate their FTP processes can be incorporated into IBV.
One of the advantages of using a solution like IBV is the data is always encrypted.
A shortcoming with traditional FTP and even encrypted FTP sessions is that after the data is done moving, it sits on the FTP or SFTP server in plain text. If that FTP or SFTP server is in the DMZ (as it most likely will be, so that business partners can connect to it), the data is at risk.
“Once the file hits the SFTP server, unless I do something about it, it resides in clear text on the FTP server. That’s something that is not PCI compliant,” Adar says. “The main advantage of the vault is it provides you protection for data at rest. So as you communicate with an FTP server using the SFTP protocol converter behind the scenes, the information is stored in the highly secured vault. The information is not available unless you have permission to access that information.”
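The data-at-rest gap described above (a transfer completes over an encrypted channel, then the file sits readable on a DMZ server) is easy to demonstrate and to close in code. The following Go program is an added illustration, not Cyber-Ark's code and not a description of how the Digital Vault encrypts internally: it uses AES-256-GCM as a stand-in, and the function names (sealOnArrival, openSealed, plaintextLeft), the ".sealed" suffix and the sample invoice file are all assumptions constructed for the example. The idea it shows is the one Adar describes: a file that lands in a transfer directory is immediately sealed so that only ciphertext remains at rest, and an operator can check that nothing readable was left behind. Key management (where the 32-byte key lives) is deliberately out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

const sealedSuffix = ".sealed" // assumed naming convention for this example

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealOnArrival encrypts a file that has just landed in the transfer directory,
// writes <name>.sealed beside it and deletes the plaintext, so the landing
// directory holds only ciphertext at rest. It returns the sealed path.
func sealOnArrival(plainPath string, key []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	plaintext, err := os.ReadFile(plainPath)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// The original file name is bound in as associated data: a sealed blob that
	// is renamed to pass as a different transfer will fail to open.
	aad := []byte(filepath.Base(plainPath))
	sealed := aead.Seal(nonce, nonce, plaintext, aad) // nonce || ciphertext || tag
	sealedPath := plainPath + sealedSuffix
	if err := os.WriteFile(sealedPath, sealed, 0o600); err != nil {
		return "", err
	}
	return sealedPath, os.Remove(plainPath)
}

// openSealed is what an authorised consumer calls. It fails on a wrong key,
// a modified blob or a renamed file.
func openSealed(sealedPath string, key []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	blob, err := os.ReadFile(sealedPath)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, fmt.Errorf("%s: too short to be a sealed file", sealedPath)
	}
	aad := []byte(strings.TrimSuffix(filepath.Base(sealedPath), sealedSuffix))
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// plaintextLeft lists files in dir that were never sealed; an empty result is
// the check an operator wants after each transfer cycle.
func plaintextLeft(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var left []string
	for _, e := range entries {
		if !e.IsDir() && !strings.HasSuffix(e.Name(), sealedSuffix) {
			left = append(left, e.Name())
		}
	}
	return left, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "landing")
	defer os.RemoveAll(dir)
	key := make([]byte, 32) // in practice kept in a vault or HSM, never beside the data
	io.ReadFull(rand.Reader, key)
	// Constructed sample: a partner "uploads" a CSV into the landing directory.
	plain := filepath.Join(dir, "invoice.csv")
	os.WriteFile(plain, []byte("acct,amount\n1234,99.00\n"), 0o600)
	sealed, err := sealOnArrival(plain, key)
	if err != nil {
		panic(err)
	}
	left, _ := plaintextLeft(dir)
	got, err := openSealed(sealed, key)
	fmt.Printf("sealed %s; plaintext left: %v; authorised open ok=%v (%d bytes)\n",
		filepath.Base(sealed), left, err == nil, len(got))
}
```

The point worth keeping from this is not the cipher but the ordering: the plaintext is removed in the same step that produces the ciphertext, and the audit check is a separate function that can be run after every transfer window rather than trusted by assumption.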
Cyber-Ark also leverages its secure vault as a repository for sensitive passwords for powerful user profiles. The company’s Privileged Information Management (PIM) suite is composed of several products, including the Enterprise Password Vault, the Privileged Session Manager, and the Application Identity Manager. In each case, the goal is similar: restrict access to potentially dangerous user profiles and log the heck out of each instance where one has to be used.
AS/400 shops use both the IBV and PIM suites to secure their files and powerful user profiles, Adar says. But typically, file access security is not as big a concern for servers that already sit behind a firewall, such as the AS/400.
Pricing for IBV starts at $18,000 for the Digital Vault and a community of 10 trading partners. Pricing for PIM starts at $14,000 for the Digital Vault and the capability to manage up to 200 privileged accounts. For more information, see www.cyber-ark.com.