SailPoint and CyberArk integration

SailPoint integration with Privileged Access Management (PAM) solutions such as CyberArk and Xceedium

SailPoint IdentityIQ is an Identity Management and Governance product that provides user provisioning and deprovisioning, which can be automated with workflow-based approval processes. Privileged Access Management solutions, such as Xceedium, CyberArk and BeyondTrust, provide secure, policy-based access to administrator or root/privileged accounts. To get full visibility and control of these privileged accounts, the Identity Management/Governance tool must be integrated with the Privileged Access solution.

This integration between SailPoint IIQ and CyberArk's Privileged Access Management provides centralized, policy-driven governance for all identities in an enterprise, including privileged users.
Here is a video that shows the SailPoint and CyberArk integration. The demo shows access to Privileged Account Management from within SailPoint.

On the left is a screenshot of the familiar SailPoint IIQ Quicklink menu. It now has an additional menu item, "Privileged Account Management", highlighted with a red outline. This link appears only after you have installed and integrated the PAM module; the out-of-the-box SailPoint Quicklink menu does not have it.

Clicking this "Privileged Account Management" link takes you to a view of all the Safes managed on the connected PAM endpoint, in this case CyberArk. You can now view the Safes and their various permissions right from the SailPoint GUI.

This integration between SailPoint IIQ and CyberArk gives full access to the identity life cycle for all users in the organization, both standard users and administrators of IT systems (users with elevated access privileges). In this setup the users with elevated access, such as administrators, are managed via CyberArk. If the two solutions, the Identity Manager (e.g. SailPoint IIQ) and the Privileged Access Manager (e.g. CyberArk), are not integrated, they operate in their respective silos: privileged users are managed with CyberArk and the other users in the organization with SailPoint IIQ, so the centralized, holistic view of all users is lost and a centralized access and governance policy cannot be enforced. With the PAM module, CyberArk is reachable from the normal SailPoint IIQ GUI by clicking the "Privileged Account Management" link shown above. From this link in the SailPoint GUI you can run reports and access certifications for the accounts of privileged or admin users held in CyberArk.
Here is a video and demo of the CyberArk PAM module integration with SailPoint IIQ.


The Privileged Account Management (PAM) Module works directly with industry-leading PAM vendors including BeyondTrust, CyberArk, Lieberman Software, Osirum, and Thycotic.

Implementation of SailPoint and CyberArk integration
The integration between SailPoint IIQ and CyberArk PAS leverages the System for Cross-domain Identity Management (SCIM) server technology. SCIM is an open standard that eases integration with other security and technology partners. The CyberArk SCIM server is a Java application conforming to the SCIM standard; it allows an identity provider like SailPoint to query and modify privileged data (Users, Groups, Accounts, Safes and Permissions) through a web services interface (REST API). The SCIM server uses PACLI to query and update privileged data in the CyberArk Vault, and the AIM Credential Provider to retrieve account and login information. The diagram below shows the flow of privileged account information into SailPoint IdentityIQ via the SCIM server. The integration point is the PAM module within SailPoint, which queries the SCIM server to retrieve privileged account information from CyberArk. This way the SailPoint IIQ Identity Warehouse contains records for both unprivileged and privileged users, with the privileged user information coming directly from CyberArk as shown below.
SailPoint IIQ and CyberArk integration for Privileged Accounts
Note: For this implementation, CyberArk Application Identity Manager (AIM) is also required. CyberArk Application Identity Manager is now part of the CyberArk Application Access Manager Solution.

In the above architecture, the flow of information is from CyberArk into SailPoint, i.e. SailPoint IIQ is reading from CyberArk. It is also possible to have information flow from SailPoint into CyberArk, i.e. SailPoint IIQ writing to CyberArk. The architecture above shows SailPoint reading account status from CyberArk, which gives SailPoint a view of the various Safes and Safe permissions in CyberArk.

Brief summary of the SailPoint IdentityIQ PAM module:
The SailPoint IdentityIQ Privileged Account Management Module (PAM module) integration with CyberArk and similar tools (Lieberman, Osirum, Thycotic) provides several benefits by applying enterprise policy to all identities, non-privileged and privileged alike:
  • Establish complete visibility and governance across all privileged accounts,
  • Automate governance controls, providing a complete view of an identity’s access and its associated privileged accounts, eliminating over-entitled users,
  • Speed the delivery of provisioning and deprovisioning privileged access based on user role or lifecycle event changes, and
  • Rapidly deploy and integrate with the PAM vendor of choice through a SCIM-based integration model, resulting in a greater return on existing PAM investments. (SCIM provides a REST API interface for users and groups.)
The basic idea of integrating SailPoint IIQ and CyberArk PAS is to bring all the accounts in an enterprise under the Identity Management and Governance tool. This gives full visibility across all systems and devices, so that organization policies can be enforced and compliance audited.
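As an added example (not SailPoint's or CyberArk's code), the script below sketches the two ideas above: the PAM module's read of Safe permissions from the SCIM server described in the implementation section, and the governance checks an access certification would run over them once privileged and non-privileged records sit in one warehouse. The SCIM payload is a constructed sample modelled on the ContainerPermission resource of draft-grizzle-scim-pam-ext-00; the identity warehouse records and the user, Safe and right names are all assumed.

```python
"""Correlate Safe permissions aggregated from a PAM SCIM server with the
identity warehouse and flag entries a certifier should review.

Added example, not SailPoint's or CyberArk's code. Attribute names follow the
ContainerPermission resource of draft-grizzle-scim-pam-ext-00 (a Container is
a Safe in CyberArk terms); check them against the deployed SCIM server.
"""
import json
from collections import defaultdict

# Constructed sample: identity warehouse records from the non-privileged side.
IDENTITY_WAREHOUSE = {
    "alice": {"status": "active", "role": "dba"},
    "bob": {"status": "inactive", "role": "sysadmin"},  # lifecycle event: left
}

# Constructed sample: a SCIM ListResponse as IIQ would read it from the
# PAM server's ContainerPermissions endpoint.
SCIM_CONTAINER_PERMISSIONS = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"user": {"value": "alice"}, "container": {"value": "Oracle-Prod"},
         "rights": ["retrieveAccounts", "listAccounts"]},
        {"user": {"value": "bob"}, "container": {"value": "Linux-Root"},
         "rights": ["retrieveAccounts", "manageSafe"]},
        {"user": {"value": "svc_legacy"}, "container": {"value": "Linux-Root"},
         "rights": ["retrieveAccounts"]},
    ],
})


def safe_access_by_identity(scim_json):
    """Build the holistic view: identity -> {safe: sorted rights}."""
    view = defaultdict(dict)
    for perm in json.loads(scim_json)["Resources"]:
        safe, rights = perm["container"]["value"], sorted(perm["rights"])
        view[perm["user"]["value"]][safe] = rights
    return dict(view)


def certification_findings(scim_json, warehouse):
    """Flag privileged access that governance policy would question:
    holders unknown to the warehouse (orphans) and holders no longer active."""
    findings = []
    for user, safes in safe_access_by_identity(scim_json).items():
        record = warehouse.get(user)
        if record is None:
            findings.append((user, "orphan", sorted(safes)))
        elif record["status"] != "active":
            findings.append((user, "inactive-holder", sorted(safes)))
    return sorted(findings)
```

Without the integration, the orphan and inactive-holder cases are exactly what stays invisible: the warehouse knows nothing of the Safe permissions, and the vault knows nothing of the lifecycle state.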

SailPoint IdentityIQ provides identity governance, operational efficiency in managing identity life cycle processes and compliance to enterprises with complex IT environments. 

CyberArk provides security for privileged users across Windows and Unix systems in an enterprise. It can be extended to network devices, such as Cisco and Juniper routers/switches and Database accounts.


References
https://www.sailpoint.com/news/sailpoint-introduces-privileged-account-management-module/
SCIM and PAM extension: https://tools.ietf.org/html/draft-grizzle-scim-pam-ext-00
