About Us

Citrus Consulting Services is the Consulting and the Transformation Services arm of Redington Gulf.


CyberArk Deployment in Banking for Privileged and Sensitive Accounts

Customer Introduction

Citrus Consulting FZ LLC was engaged by one of the leading banks of Africa to design and implement the CyberArk Core PAS solution for both its production and dev sites, following industry-standard best practices, to help it effectively monitor and secure extremely sensitive IT resources in its on-prem and new AWS environments.

Along with project delivery, Citrus Consulting FZ LLC has also been the bank's first and only choice since June 2018 for Managed Support Services to effectively monitor, administer and manage its entire AWS environment, in which the CyberArk Core PAS implementation plays a major role in securing and monitoring privileged account activities and in security auditing.

Citrus Consulting Services empowers CyberArk deployment in the on-premises datacenter for on-prem and AWS privileged accounts. This implementation helps in securing and monitoring activities for privileged and sensitive accounts.

Challenge Overview

  • The customer wanted a solution that could monitor and audit its sensitive core banking resources and applications, as well as privileged account activities, on-premises and in the AWS cloud.
  • It faced daunting IT security and compliance challenges associated with its highly manual, time-consuming approach to managing privileged passwords for its core banking systems.
  • If anyone needed access to an application, server or necessary system, password requests were processed through a service center and issued by hand by the IT team.
  • The customer simply needed to make this process smoother and more efficient.
  • Additionally, the password inventory was stored in an Excel file, audit reports were limited, and the process for manually resetting passwords after each use wasn’t efficient.
  • Add an extra layer of security to its privileged accounts, which could be accessed only with the necessary permission from authorized approvers.
  • Needed to log the reason for each session whenever any user accessed a privileged account, for crisp and clear auditing.
  • Enforce a zero-trust access policy and enable only authorized users to log on to authorized resources.
  • Passwords to be encrypted and visible only to those who are authorized to use them.
  • Periodic automatic password rotation for all on-boarded privileged resources.
  • Custom connections for certain applications that required custom auto-logon and automatic privileged session management.
  • A solution that can support disaster recovery in times of disaster and heavy downtime to ensure business continuity.
  • Monitoring, password access and resource access logs that could be pushed to syslog for active monitoring and threat detection.
  • A solution that offers automatic threat analytics for privileged account activities.

Solution Overview

  • Deployment of the digital vault and all components.
  • Hardening of the digital vault and all components.
  • Gathered information on all privileged accounts and planned a roadmap to on-board the accounts to the CyberArk Core PAS solution to meet audit requirements and compliance standards.
  • Assigned a unique URL to the PVWA web server, a web interface for securely accessing privileged resources that is accessible only from the internal network.
  • A full lifecycle solution for securing, managing, automatically changing and monitoring all activities associated with privileged accounts.
  • Enabled the organization to enforce an enterprise policy that protects its most critical systems, managing the entire lifecycle of shared and privileged accounts across data centers.
  • Highly flexible, with the ability to scale with the organization.
  • Power to streamline operations while improving the organization’s security posture and compliance capabilities.
  • Integrated Entrust MFA for users authenticating to PVWA, the interface for accessing permitted privileged accounts as per configuration.
  • Configured object-level access to implement granular access to resources.
  • Configured access only upon confirmation, with authorized grantors approving access requests for authorized users only.
  • Ensured that only authorized users can fetch passwords, while all others can access the resources without needing to view the passwords.
  • Ensured periodic automatic password rotation is configured in line with company policies, as per customer requirements.
  • Custom connector scripting and deployment for unusual and rare platforms to be on-boarded on the PAS solution for auto-logon, password resets and automatic privileged session management.
  • Deployment of a DR site for events of disaster and heavy downtime to ensure business continuity at all times.
  • Integrated SIEM with the Vault so that all activity and session logs can be parsed.
  • Deployed PTA (Preventive Threat Analytics), which offers robust preventive measures such as disabling users who create backdoors and managing unmanaged accounts through its automatic account discovery feature.

Benefits Delivered to Customer

  • A solution meeting best industry standards that catered to the requirement for seamless monitoring and auditing of access to the customer’s sensitive resources.
  • Enabled the customer to continue accessing resources securely and meeting compliance requirements in the event of disaster and solution outage.
  • Automatic management and rotation of passwords in line with company policy and compliance standards.
  • Enforced a zero-trust access policy and advanced privileged threat analytics.
  • Hardened Vault and components that communicate securely with one another over a proprietary CyberArk protocol for managing and exchanging credentials and for isolated session monitoring and management.
  • A unique web interface to access privileged accounts only via the secure internal network.
  • IT team enabled with a dual-control (request and approve) mechanism so each operational group can access its own safes without external approval. Fully automated password management, from requests to resets, for better authentication and audit capabilities.
  • All Excel sheets were transferred to an electronic virtual vault as part of the Privileged Account Security solution.
  • All user accounts integrated with the CyberArk PAS solution’s central repository, including MSSQL, Oracle, Windows admins, Unix root and admins, ATMs, routers, SWIFT users, firewall and Cisco user accounts, with session recording capabilities.
