gasilred.blogg.se

Aws architecture





The reference architecture contains transit VPCs. While not directly a part of the CyberArk PAM - Self-Hosted deployment, these VPCs provide essential functions. The 'ingress VPC' is an often-shared web application firewall or unified threat management infrastructure that protects inbound access from the internet. The 'transit VPC' is a shared VPC providing a common VPN infrastructure for inter-VPC connectivity. Core services such as Active Directory, RADIUS, logging, HSM and SIEM are often centralized into their own VPC(s) to provide a common infrastructure across all applications. The ingress and transit VPCs can be the same VPC.

This reference architecture presumes the existence of shared services VPCs rather than infrastructure dedicated to CyberArk. The PAM - Self-Hosted VPC is an isolated network containing only CyberArk instances. Connectivity between CyberArk components is available within the VPC and is limited to each component's Security Group ingress and egress rules. CyberArk components are isolated and placed in separate availability zones within the same region to provide redundancy and high availability.

The Digital Vault subnets are additionally protected with a Network Access Control List (NACL) to improve isolation. To improve security further, create a separate AWS account for the Digital Vault network; this establishes stronger isolation for the Digital Vault. CyberArk also recommends requiring 'Dedicated Tenancy' for the Digital Vault: dedicated tenancy allocates reserved physical host infrastructure, separating your 'keys to the kingdom' from the processing of other workloads. The Digital Vault uses an AES-256 KMS key in GCM authenticated-encryption mode to encrypt the Vault Server key.

The administrative VPC provides an isolated Central Policy Manager and Privileged Session Manager for administering the Digital Vault and the other CyberArk components. CyberArk administrators must establish a VPN connection to this zone (with two-factor authentication). The administrative VPC is peered with the other CyberArk VPCs and is the only route for administrative access to the instances hosting CyberArk's components.

Extending the on-prem deployment to cloud resources

The following diagrams represent the recommended architectures for deploying PAM - Self-Hosted on AWS to support hybrid connectivity. The common denominator of the following three reference models is that the Vault is installed in the corporate on-prem datacenter, and some or all of the remaining components are deployed on AWS. Each diagram targets a different corporate cloud strategy.

This model applies to clients who still operate predominantly on-premise but are shifting certain workloads to the cloud. Their user population is therefore still primarily on the enterprise network and can be routed through the VPN or Direct Connect connection to access the CyberArk components servicing cloud resources.
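The Digital Vault controls described above (dedicated tenancy, Security Group-scoped ingress and egress, a dedicated NACL on the Vault subnets, and a symmetric AES-256 KMS key) are exactly the settings that drift after the initial build. The audit below is an added example written for this page, not CyberArk's or AWS's code: it evaluates the dict shapes that boto3 returns from ec2.describe_instances, ec2.describe_security_groups, ec2.describe_network_acls, kms.describe_key and kms.get_key_rotation_status, so live responses can be passed straight in. The sample data at the bottom is constructed, the Vault port 1858 is assumed as the Vault protocol's default, and the security-group ids (sg-cpm, sg-psm, sg-vault, sg-open) are hypothetical.

```python
"""Audit a Digital Vault instance against the reference-architecture controls.
Added example (not CyberArk's or AWS's code); inputs use boto3 describe_* dict
shapes so real responses can be passed in. The samples below are constructed."""

VAULT_PORT = 1858  # assumption: the Vault protocol's default TCP port


def audit_vault(instance, security_groups, network_acls, key_metadata,
                rotation_status, allowed_peer_sgs):
    """Return a list of findings; an empty list means the Vault matches the
    reference architecture. allowed_peer_sgs holds the SG ids of the CPM/PSM
    (and other component) groups that legitimately reach the Vault."""
    findings = []

    # 1. Dedicated tenancy: the Vault must not share physical hosts.
    if instance["Placement"].get("Tenancy") != "dedicated":
        findings.append("tenancy: Vault instance is not on dedicated tenancy")

    # 2. Security groups: ingress only on the Vault port and only from component
    #    SGs (no CIDR rules); egress must be explicit, never 0.0.0.0/0.
    groups = {sg["GroupId"]: sg for sg in security_groups["SecurityGroups"]}
    for ref in instance["SecurityGroups"]:
        sg = groups[ref["GroupId"]]
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] == "-1":
                findings.append(f"sg {sg['GroupId']}: ingress allows all protocols")
                continue
            if (perm.get("FromPort"), perm.get("ToPort")) != (VAULT_PORT, VAULT_PORT):
                findings.append(f"sg {sg['GroupId']}: ingress on ports other than {VAULT_PORT}")
            for rng in perm.get("IpRanges", []):
                findings.append(f"sg {sg['GroupId']}: CIDR ingress {rng['CidrIp']} (use SG references)")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed_peer_sgs:
                    findings.append(f"sg {sg['GroupId']}: ingress from unexpected SG {pair['GroupId']}")
        for perm in sg["IpPermissionsEgress"]:
            if any(rng["CidrIp"] == "0.0.0.0/0" for rng in perm.get("IpRanges", [])):
                findings.append(f"sg {sg['GroupId']}: egress to 0.0.0.0/0")

    # 3. NACL: the Vault subnet needs its own NACL; a VPC's default NACL allows all.
    acl = next((a for a in network_acls["NetworkAcls"]
                if any(x["SubnetId"] == instance["SubnetId"] for x in a["Associations"])), None)
    if acl is None or acl["IsDefault"]:
        findings.append("nacl: Vault subnet is on the default (allow-all) NACL")
    else:
        for e in acl["Entries"]:
            if (not e["Egress"] and e["RuleAction"] == "allow"
                    and e["Protocol"] == "-1" and e.get("CidrBlock") == "0.0.0.0/0"):
                findings.append(f"nacl {acl['NetworkAclId']}: rule {e['RuleNumber']} allows all inbound")

    # 4. KMS key wrapping the Vault Server key: SYMMETRIC_DEFAULT is AES-256-GCM.
    meta = key_metadata["KeyMetadata"]
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT" or meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        findings.append("kms: key is not a SYMMETRIC_DEFAULT encrypt/decrypt key")
    if not rotation_status["KeyRotationEnabled"]:
        findings.append("kms: automatic key rotation is disabled")
    return findings


# Constructed sample data (not output from a real account); SG ids are hypothetical.
PEERS = {"sg-cpm", "sg-psm"}
KEY_OK = {"KeyMetadata": {"KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"}}
ACLS = {"NetworkAcls": [
    {"NetworkAclId": "acl-default", "IsDefault": True,
     "Associations": [{"SubnetId": "subnet-weak"}],
     "Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
                  "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-vault", "IsDefault": False,
     "Associations": [{"SubnetId": "subnet-vault"}],
     "Entries": [{"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
                  "CidrBlock": "10.10.0.0/16", "PortRange": {"From": VAULT_PORT, "To": VAULT_PORT}}]},
]}


def weak_example():
    """A Vault launched with defaults: shared tenancy, open SG, default NACL, no rotation."""
    inst = {"Placement": {"Tenancy": "default"}, "SubnetId": "subnet-weak",
            "SecurityGroups": [{"GroupId": "sg-open"}]}
    sgs = {"SecurityGroups": [{"GroupId": "sg-open",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": VAULT_PORT, "ToPort": VAULT_PORT,
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
            "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}
    return audit_vault(inst, sgs, ACLS, KEY_OK, {"KeyRotationEnabled": False}, PEERS)


def hardened_example():
    """The same Vault built to the reference architecture."""
    inst = {"Placement": {"Tenancy": "dedicated"}, "SubnetId": "subnet-vault",
            "SecurityGroups": [{"GroupId": "sg-vault"}]}
    sgs = {"SecurityGroups": [{"GroupId": "sg-vault",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": VAULT_PORT, "ToPort": VAULT_PORT,
                               "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-cpm"}]}],
            "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 514, "ToPort": 514,
                                     "IpRanges": [{"CidrIp": "10.10.50.0/24"}]}]}]}
    return audit_vault(inst, sgs, ACLS, KEY_OK, {"KeyRotationEnabled": True}, PEERS)
```

Against a live account, pass in ec2.describe_instances(...)['Reservations'][0]['Instances'][0], ec2.describe_security_groups(), ec2.describe_network_acls(), kms.describe_key(KeyId=...) and kms.get_key_rotation_status(KeyId=...) in place of the constructed dicts; weak_example() reports five findings (tenancy, CIDR ingress, open egress, default NACL, rotation off) and hardened_example() reports none. The ingress check deliberately rejects any CIDR-based rule rather than only 0.0.0.0/0, because the architecture above scopes Vault access to the component Security Groups, not to address ranges.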





