Cyber-Ark / Qualys Integration

Last year at about this time, Qualys and Cyber-Ark announced a new integration. I implemented this last week.

Most companies have password policies requiring the expiration of passwords. Yet these policies are hardly ever applied to service and application accounts, only to users. Many times these service passwords even predate the implementation of strong password requirements. This is one of the ways Cyber-Ark can help. In addition to being a strong vault to store your passwords, Cyber-Ark can manage your passwords in accordance with your password policy.

But what happens when Cyber-Ark can’t manage both parts of a password? For example, the vulnerability scanner Qualys can perform authenticated scans. I have a Qualys account on my Unix servers. But if I update the password on the Unix machines, I need to update it in Qualys as well. It is just as likely the accounts will be set to never expire, and the password will never be changed.
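To see how many accounts on a Unix server are in that state, the check below flags entries whose password never expires or is older than policy. It is an added example, not part of the original post; the shadow-format lines are constructed sample data and the 90-day policy is an assumption.

```python
from datetime import date, timedelta

# Constructed sample in /etc/shadow format (hashes replaced with placeholders).
# Fields: name:hash:last_change:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER:19700:0:90:7:::
alice:$6$PLACEHOLDER:19750:0:90:7:::
qualys:$6$PLACEHOLDER:15000:0:99999:7:::
appsvc:$6$PLACEHOLDER:16500:0::7:::
backup:$6$PLACEHOLDER:19740:0:90:7:::
daemon:*:18000:0:99999:7:::
locked:!$6$PLACEHOLDER:15000:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)
NEVER = 99999  # conventional "no maximum age" value


def audit_shadow(text, today, policy_max_days=90):
    """Return (name, reasons) for accounts with a usable password that
    never expires or is older than the (assumed) policy allows."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed or blank line
        name, pw_hash, last_change, _min, max_age = fields[:5]
        # A leading '*' or '!' means password login is disabled or locked
        if pw_hash[:1] in ("*", "!"):
            continue
        reasons = []
        if max_age == "" or int(max_age) >= NEVER:
            reasons.append("never expires")
        elif int(max_age) > policy_max_days:
            reasons.append(f"max age {max_age}d exceeds policy")
        if last_change.isdigit() and int(last_change) > 0:
            age = (today - (EPOCH + timedelta(days=int(last_change)))).days
            if age > policy_max_days:
                reasons.append(f"password is {age} days old")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_shadow(SAMPLE_SHADOW, date(2024, 2, 1)):
        print(f"{name}: {', '.join(reasons)}")
```

On a real host the input would be the contents of `/etc/shadow`, which requires root to read.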

Now with this integration, I give Qualys an account to access the Cyber-Ark vault. It can then check out the existing password and use it for the scan. Cyber-Ark is able to change the Unix account password, and Qualys always has access to the current password.

To perform the integration, I used info in the Cyber-Ark knowledge base and the Qualys online help. That and some preexisting knowledge of the products will get you 85% of the way there. My two issues were 1) not knowing how to label the folder correctly in the Qualys config for the safe and 2) in Cyber-Ark, I accidentally removed the PAPI rights for the user. Read what is on the screen. Qualys’ error messages were helpful, but it was unfortunate I had to run a full scan to find out if it worked or not. A test button would be helpful.

A few less static passwords is a victory I’m excited about, but I don’t imagine many others would feel the same way.