SailPoint and CyberArk integration

SailPoint integration with Privileged Access Management (PAM) solution, such as CyberArk, Xceedium

SailPoint Identity IQ is an Identity Management and Governance product that provides user provisioning and deprovisioning which can be automated with workflow based approval processes. On the other hand Privileged Access Management solutions, such as Xceedium, CyberArk, Beyond Trust etc, provide secure and policy based access to administrator or root/privileged accounts. In order to get full visibility and control of these privileged accounts one must integrate the Identity Management/Governance with the Privileged Access solution. 

This integration between SailPoint IIQ and CyberArk Privileged Management provides a centralized, policy driven governance for all identities in an enterprise including privileged users.
Here is video which shows the SailPoint and CyberArk integration. The demo shows access to Privileged Access Management from within the SailPoint.

 On left is a screenshot of the familiar SailPoint IIQ Quicklink. However, now it has an additional menu item for "Privileged Account Management", highlighted with red outline. This link will appear after you have installed and integrated the PAM module. The out of the box SailPoint Quicklink will not have this additional menu item for "Privileged Account Management".

Once you click on this "Privileged Account Management" link it will take you to the view for all the Safes that are being managed on the connected PAM endpoint, e.g. CyberArk in this case. So now you can view the Safes and its various permissions right from the SailPoint GUI.

This integration (between SailPoint IIQ and CyberArk) allows full access to the Identity life cycle for all users in the organization, both standard users and administrators of IT systems (or users who have elevated access privileges). In this case, the users with elevated access such as administrators are managed via CyberArk. If one does not integrate the two solutions, i.e. Identity Manager (e.g. SailPoint IIQ)and Privilege Access Manager (e.g. CyberArk), then these two components/solutions will be operating in their respective silos - you will be managing Privileged users with CyberArk and other users in the organization with SailPoint IIQ separately, thereby losing a centralized and holistic view of all users in the organization. Hence a centralized access and governance policy in the organization cannot be enforced. With the PAM module, access to CyberArk tool will be possible via the normal SailPoint IIQ GUI as shown above by clicking the "Privileged Account Management" link. Using this link (in the SailPoint GUI) you may run reports, run access certifications for various accounts of privileged or admin users in CyberArk.
Here is a video and demo of the CyberArk PAM module integration with SailPoint IIQ.


The Privileged Account Management (PAM) Module works directly with industry-leading PAM vendors including BeyondTrust, CyberArk, Lieberman Software, Osirum, and Thycotic.

Implementation of SailPoint and CyberArk integration
The integration between SailPoint IIQ and CyberArk PAS leverages the System for Cross-domain Identity Management (SCIM) server technology. SCIM provides an open standard for easy integration with other security and technology partners. The CyberArk SCIM server is a Java application conforming to the SCIM standard. This allows an Identity provider like SailPoint to query and modify Privileged Data (such as Users, Groups, Accounts, Safes, and Permissions) through a web services interface (REST API). The SCIM server uses PACLI (to query and update privileged data from the CyberArk Vault) and the AIM Credential Provider (to retrieve account and login information). See diagram below shows the flow of Privileged Account information into SailPoint Identity IQ via the SCIM server. The integration points are the PAM module within SailPoint which interrogates with the SCIM server to retrieve Privileged account information from CyberArk. This way the Identity Warehouse of SailPoint IIQ contains records for both unprivileged as well as Privileged user information. (the Privileged user info coming directly from CyberArk as shown below).
SailPoint IIQ and CyberArk integration for Privileged Accounts
Note: For this implementation, CyberArk Application Identity Manager (AIM) is also required. CyberArk Application Identity Manager is now part of the CyberArk Application Access Manager Solution.

In the above architecture, the flow of information is from CyberArk into SailPoint so SailPoint IIQ is reading from CyberArk. However, it is also possible to have the flow of information from SailPoint into CyberArk, i.e. SailPoint IIQ writing to CyberArk. Once again, the architecture above is showing SailPoint reading from CyberArk account status. This gives SailPoint view of the various Safes and Safe permissions in CyberArk.

Brief Summary of SailPoint IdentityIQ PAM module:  
The SailPoint IdentityIQ Privileged Account Management Module (PAM module) integration with CyberArk and other similar tools (Lieberman, Osirum, Thycotic) provides several benefits of applying Enterprise policy applied to all users, identities (non-privileged, privileged)
  • Establish complete visibility and governance across all privileged accounts,
  • Automate governance controls, providing a complete view of an identity’s access and its associated privileged accounts, eliminating over-entitled users,
  • Speed the delivery of provisioning and deprovisioning privileged access based on user role or lifecycle event changes, and
  • Rapidly deploy and integrate with their PAM vendor of choice, through a SCIM-based integration model; resulting in a greater return on existing PAM investments. (SCIM provides a REST API interface for users and groups.)
The basic idea of the integration of SailPoint IIQ and CyberArk PAS is to get all the accounts in an enterprise under the Identity Management and Governance tool. This way there is full visibility across all systems and devices which can be enforced via organization policies and audited for compliance. 

SailPoint IdentityIQ provides identity governance, operational efficiency in managing identity life cycle processes and compliance to enterprises with complex IT environments. 

CyberArk provides security for privileged users across Windows and Unix systems in an enterprise. It can be extended to network devices, such as Cisco and Juniper routers/switches and Database accounts.


References
https://www.sailpoint.com/news/sailpoint-introduces-privileged-account-management-module/
SCIM and PAM extension https://tools.ietf.org/html/draft-grizzle-scim-pam-ext-00 

Comments

Post a Comment

Popular posts from this blog

VMware fix for Invalid manifest and ova file import failed errors

Session Timeout in Oracle Access Manager

SOAPUI - import certificate