METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION

Transcription

1 METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION

2 Publishing Information Software version Document version 4 Publication date August 22, 2017

3 1 INTRODUCTION Integrating CyberArk Application Identity Manager (AIM) with Varonis Metadata Framework and DataPrivilege leverages the assurance that only the right people have access to the right data at all times. This robust integrative solution provides the tools to monitor usage and alert on abuse. Varonis is a data security platform that protects your file and servers from cyber attacks and insider threats. Varonis analyzes the behavior of the people and machines that access your data, alerts on misbehavior, and enforces a least privilege model. CyberArk s Application Identity Management (AIM) solution uses the Privileged Account Security solution to eliminate the need to store application passwords embedded in applications, scripts, or configuration files. It allows these highly sensitive passwords to be centrally stored, logged, and managed within the CyberArk vault. This unique approach enables organizations to comply with internal and regulatory compliance requirements of periodic password replacement. Organizations can monitor all activities associated with all types of Privileged Identities whether on-premise or in the cloud, across operating systems, databases, applications, hypervisors, network devices, and more. The integration between CyberArk's Application Identity Manager and Varonis and DataPrivilege provides the ability to manage privileged accounts used by and DataPrivilege within CyberArk's vault. The integration facilitates periodic password replacements for these privileged identities in a manner transparent to the functionality of Varonis products, eliminating the need for manual configuration, as previously required. METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 1

4 2 METADATA FRAMEWORK AND AIM INTEGRATION DIAGRAM The following diagram illustrates the integration of the Varonis Metadata Framework and CyberArk Application Identity Manager: A dedicated IDU job retrieves the credentials from the CyberArk vault. The job then updates the passwords of the Varonis users in different components within the set of supported tasks (see Supported Varonis Tasks). The list of users to be polled is configurable in a CSV file read by the job. There are no changes in the installation or configuration. Passwords will still be required. METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 2

5 3 SUPPORTED VARONIS TASKS The following table lists the supported Varonis tasks: Product Task FileWalk Share detection DCF Working share ADWalk Volumes Probe Proxy SHS scopes DFS roots DataPrivilege Working share DataPrivilege ADWalk DataPrivilege FileWalk and commit DataPrivilege AD commit METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 3

6 4 AIM INSTALLATION The AIM installation requires installing the CyberArk Credential Provider. For detailed instructions, refer to the CyberArk Credential Provider and ASCP Implementation Guide. The Credential Provider needs to be installed on the IDU machine. The following sections describe the specific steps to configure the AIM Provider with Varonis. METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 4

7 5 AIM CONFIGURATION This section describes the steps required to configure the CyberArk Application Identity Manager: Defining the Application ID and Authentication Details Provisioning Accounts and Setting Permissions for Application Access Defining the Application ID and Authentication Details You need to define the Varonis application in the CyberArk AIM application. The AppID is used by different Varonis components to retrieve credentials from the CyberArk vault. To manually define the Varonis application via CyberArk s Password Vault Web Access (PVWA) interface: 1. Log in with user permissions to managed applications. This requires Manage Users authorization. 2. In the Applications tab, click Add Application. The Add Application window is displayed. 3. Specify the following information: a. In the Name field, specify the unique name (ID) of the application ("VaronisApplication" is the Varonis AppID). b. In the Description field, specify a short description of the application that will help you identify it. c. In the Business owner area, specify contact information about the application s Business owner. d. In the Location area, specify the location of the application in the vault hierarchy. If the location is not specified, the application will be added in the same location as the user who is creating this application. METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 5

8 Chapter 5 AIM CONFIGURATION 4. Click Add. The application is added and is displayed in the Application Details window. 5. Select the Allowing extended authentication restrictions checkbox (at the bottom of the Application Details window). This enables you to specify an unlimited number of machines and Windows domain OS users for a single application. The integration supports usage of any of the extended authentication restrictions. 6. Specify the application s Authentication details. This information enables the Credential Provider to check certain application characteristics before retrieving the application password. a. In the Authentication tab, click Add. A drop-down list of authentication characteristics is displayed. b. Select the authentication characteristic to specify. 7. Specify the OS user: a. From the Add drop-down list in the Authentication tab of the Application Details window, select OS user. The Add Operating System User Authentication window is displayed. b. Specify the name of the OS user who will run the application, and click Add. The OS user is listed in the Authentication tab. This sets the user running the Varonis IDU Service on the IDU machine, which is by default, Local System. METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 6

9 Chapter 5 AIM CONFIGURATION 8. Specify the application path: a. From the Add drop-down list in the Authentication tab of the Application Details window, select Path. The Add Path Authentication window is displayed. b. Specify the path where the application will run: C:\Program Files (x86)\varonis \\IDU Server\VaultIntegration. c. To indicate that the specified path is a folder, select the Path is folder checkbox. d. To allow internal scripts to retrieve the application password for this application, select Allow internal scripts to request credentials on behalf of this application ID. e. Click Add. The Path is added as an authentication characteristic with the information that you specified. 9. Specify a hash: a. From the Add drop-down list in the Authentication tab of the Application Details window, select Hash. b. Run the AIMGetAppInfo utility to calculate the application s unique hash. c. Copy the hash value that is returned by the utility. d. In the PVWA, select Hash. The Add Hash window is displayed. e. In the Hash text box, paste the application s unique hash value, or specify multiple hash values with a semi-colon. You can add additional information in a comment after each hash value specified for an application by specifying # after the hash value, followed by the comment. For example, OE883B7OD5B6E3EE37D C9507C8383DB6 #app2 METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 7

10 Chapter 5 AIM CONFIGURATION Note: The comment must not include a colon or a semicolon. f. Click Add. The Hash is added as an authentication characteristic with the information that you specified. 10. Specify the application s Allowed Machines. This information enables the Credential Provider to make sure that only applications that run from specified machines can access their passwords. a. In the Allowed Machines tab, click Add. The Add Allowed Machine window is displayed. b. Specify the IP/hostname/DNS of the Varonis IDU machine where the application will run and will request passwords, then click Add. The IP address is listed in the Allowed machines tab. Make sure the servers allowed include all mid-tier servers or all endpoints where the AIM Credential Providers were installed. The Allowed Machines tab displays the IP address: The Authentication tab displays the hash and path authentication details: METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 8

11 Chapter 5 AIM CONFIGURATION Provisioning Accounts and Setting Permissions for Application Access Varonis needs to acquire the passwords from the CyberrArk vault in order to be able to perform operations. The accounts will continue to work in Varonis, even when the password is changed. If you are using an account that is managed by CyberArk, you need to configure it both in the Varonis safe maintained in the AIM, and in the Vault Integration tool. For more information about adding and managing privileged accounts, see the CyberArk Privileged Account Security Implementation Guide. To provision accounts and set permissions for application access in AIM: 1. In the Password Safe, provision the privileged accounts that will be required by the CyberArk AIM application. You can do this in either of the following ways: Manually Add accounts manually one at a time, and specify all the account details. Automatically Add multiple accounts automatically using the Password Upload feature. For this, you require the Add accounts authorization in the Password Safe. For more information about adding and managing privileged accounts, see the CyberArk Privileged Account Security Implementation Guide. 2. Add the Credential Provider and application users as members of the Password Safes where the application passwords are stored. This can be done either manually in the Safes tab, or by specifying the Safe names in the CSV file for adding multiple applications. 3. Add the Provider user as a Safe Member with the following authorizations: Retrieve accounts List accounts View Safe Members Note: When installing multiple Providers for this integration, it is recommended to create a group for them, and add the group to the Safe with the above authorization. METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 9

12 Chapter 5 AIM CONFIGURATION 4. Add the application (APPID) as a Safe Member with the following authorizations: Retrieve accounts 5. If your environment is configured for dual control: a. In PIM-PSM environments (v7.2 and lower), if the Safe is configured to require confirmation from authorized users before passwords can be retrieved, give the Provider user and the application the following permission: Access Safe without Confirmation. b. In Privileged Account Security solutions (v8.0 and higher), when working with dual control, the Provider user can always access without confirmation, thus, it is not necessary to set this permission. 6. If the Safe is configured for object level access, make sure that both the Provider user and the application have access to the password(s) to retrieve. For more information about configuring Safe Members, see the CyberArk Privileged Account Security Implementation Guide. METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 10

13 6 CONFIGURING THE VARONIS METADATA FRAMEWORK FOR AIM INTEGRATION This section describes the steps required to configure the integration of the Metadata Framework. For more information about how to install Varonis products, see the Metadata Framework Installation Guide. To configure the Varonis Metadata Framework for integration with the CyberArk AIM application: 1. Open C:\Program Files (x86)\varonis\\idu Server \VaultIntegration. 2. Open Varonis.VaultIntegration.UI.exe to configure the safe name holding the Varonis users, the AppId and the path to the CSV. 3. Inside the folder VaultIntegration, find the file VaultUsers.csv. METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 11

14 Chapter 6 CONFIGURING THE VARONIS METADATA FRAMEWORK FOR AIM INTEGRATION This file contains the mapping between the CyberArk vault object name and the Varonis user name. 4. Edit the file and add a mapping for each user that you want to be updated by the vault. The format is the user name as is stored in the Varonis DB, and the object name of the user as is stored in the CyberArk vault. Note: "Varonis/userA", "usera@varonis.com," and "Varonis.com/userA" are not the same. It is therefore recommended to insert two entries in the CSV file for the user, one with the NetBIOS domain name, and one with the FQDN. For the Unix local user, use the following syntax: [UnixHost]\[LocalUser] for Example: Centos5.8\root 5. You may change the frequency of the polling job via the Management Console: METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION 12