Posts tagged ‘Cyber-Ark’

Cyber-Ark / Qualys Integration

Last year at about this time, Qualys and Cyber-Ark announced a new integration.   I implemented this last week.

Most companies have password policies requiring the expiration of passwords. Yet these policies hardly ever get applied to service and application accounts, only to user accounts. Many times these service passwords even predate the implementation of strong password requirements. This is one of the ways Cyber-Ark can help. In addition to being a strong Vault to store your passwords, Cyber-Ark can manage your passwords in accordance with your password policy.

But what happens when Cyber-Ark can’t manage both parts of a password? For example, the vulnerability scanner Qualys can perform authenticated scans. I have a qualys account on my Unix servers. But if I update the password on the Unix machines, I need to update it in Qualys as well. It is just as likely the accounts will be set to never expire, and the password will never be changed.
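One way to see how many of those static scanner and service accounts exist before wiring up any vault is to audit the password-aging fields on each Unix host. The following is an added example, not code from the original post or from either vendor: it parses /etc/shadow-style records (the sample lines and the "today" day count are constructed) and flags accounts whose password never expires, whose host-side maximum age is looser than the organisation's policy, or whose password is simply older than the policy allows.

```python
"""Audit /etc/shadow-style records for accounts whose passwords never expire
or have outlived the password policy. Added example; sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional

NEVER_EXPIRES = 99999  # conventional shadow max-age value meaning "never"


@dataclass
class Finding:
    user: str
    reason: str
    age_days: Optional[int]


def parse_shadow_record(line: str):
    """Return (name, hash, last_change_days, max_age) from one shadow line.

    Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    lastchg is days since the Unix epoch; empty fields are allowed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError(f"malformed shadow record: {line!r}")
    name, pw_hash, lastchg, _min_age, max_age = fields[:5]
    return name, pw_hash, lastchg, max_age


def audit_shadow(lines: List[str], today_days: int, max_age_policy: int) -> List[Finding]:
    """Flag accounts that violate a maximum-password-age policy (in days)."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, pw_hash, lastchg, max_age = parse_shadow_record(line)
        # Locked or passwordless accounts cannot log in with a password; skip them.
        if pw_hash in ("", "*") or pw_hash.startswith("!"):
            continue
        age = today_days - int(lastchg) if lastchg else None
        if max_age == "" or int(max_age) >= NEVER_EXPIRES:
            findings.append(Finding(name, "password never expires", age))
        elif int(max_age) > max_age_policy:
            findings.append(Finding(name, f"host max age {max_age}d looser than policy {max_age_policy}d", age))
        elif age is not None and age > max_age_policy:
            findings.append(Finding(name, f"password age {age}d exceeds policy {max_age_policy}d", age))
    return findings


# Constructed sample: hashes are placeholders, day counts are arbitrary.
SAMPLE_SHADOW = [
    "root:$6$placeholder1:19550:0:90:7:::",      # compliant
    "qualys:$6$placeholder2:18000:0:99999:7:::", # scanner account, never expires
    "backup:$6$placeholder3:19300:0::7:::",      # empty max age also means never
    "www-data:*:18000:0:99999:7:::",             # locked, ignored
    "alice:$6$placeholder4:19560:0:90:7:::",     # compliant
    "svc-app:$6$placeholder5:19200:0:90:7:::",   # expiry set, but long overdue
]
TODAY_DAYS = 19600  # constructed "today" as days since the epoch


def report(lines: List[str] = SAMPLE_SHADOW, today_days: int = TODAY_DAYS, policy: int = 90) -> List[str]:
    """Human-readable summary lines, one per finding."""
    return [f"{f.user}: {f.reason}" for f in audit_shadow(lines, today_days, policy)]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Run it against a real shadow file with a current day count (for example `int(time.time() // 86400)`) and a policy of 90 days; the accounts it lists are the candidates whose rotation a vault such as Cyber-Ark would take over.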

Now, with this integration, I give Qualys an account to access the Cyber-Ark vault. It can then check out the existing password and use it for the scan. Cyber-Ark is able to change the Unix account password, and Qualys always has access to the current password.

To perform the integration, I used info in the Cyber-Ark knowledge base and the Qualys online help. That and some preexisting knowledge of the products will get you 85% of the way there. My two issues were 1) not knowing how to label the folder correctly in the Qualys config for the safe and 2) in Cyber-Ark, I accidentally removed the PAPI rights for the user. Read what is on the screen. Qualys’ error messages were helpful, but it was unfortunate I had to run a full scan to find out if it worked or not. A test button would be helpful.

A few less static passwords is a victory I’m excited about, but I don’t imagine many others would feel the same way.


Cyber-Ark Password Vault

We bought Cyber-Ark’s Enterprise Password Vault product last year to provide an enterprise-grade method of protecting passwords. Administrator passwords to corporate systems are essentially corporate assets, and it’s a big hassle when the password is forgotten or held hostage. (No hostage taking here, but I have seen issues caused by forgotten passwords.)

Passwords are often kept in text files or Excel files (hopefully encrypted). Most admins here are using a consumer-grade password safe installed on their local computer. This can have issues in cases of sudden staff turnover or when the passwords aren’t adequately backed up. For Disaster Recovery purposes, passwords are stored in a safe in a sealed/signed envelope. There isn’t adequate access control and logging on the use of those passwords.

Cyber-Ark is extremely complicated to implement. It’s so complicated that you really need professional services. Since the product isn’t cheap to begin with, that seemed like an insult. I typically prefer products that are either straightforward enough to work without professional services, or products that, once implemented during the evaluation, are ready to go. I decided to bypass professional services. Unfortunately, for various reasons, the virtual environment we had set up during the evaluation was deleted, so I had to start from scratch. Just over a year after buying the product, I ate crow and purchased four days of professional services. Even now, I find implementing Enterprise Password Vault is so complicated that I won’t be getting everything I’d like out of the vault right away. And more $$$ for professional services may be needed.

There is a lot you can do with Cyber-Ark, but it’s better to start out slow. If I think it’s of interest, I’ll blog about what I’m doing as it moves from proof of concept to full implementation.

Cyber-Ark is really expensive and excessively complicated, in my opinion. However, the potential is there to do great things. I’ve also enjoyed my dealings with sales (now gone from the company), the pre-sales engineer, and professional services. I only hope I find support as cool when I end up having to work with them.