The Cyber-Ark Network Vault is a consistent enterprise solution that has been designed to provide a secure, central repository for the storage and management of sensitive shared documents, as well as administrative or privileged passwords using defense-in-depth.
This product is certainly worth a look, especially if you have a need to store documents that must be fully protected from unauthorized modification and/or disclosure. It is also good for automatic version control tracking.
Cyber-Ark Network Vault implements the analogy of a physical vault containing individual "safes," assigned by the vault administrator to individual users or groups. A safe is a data object that authorized users can access. The granular access control properties of a safe are too numerous to list here but include read-only, write, delete, time-based access, access requiring one or more safe supervisors to confirm access requests, geography-based and group-based access permission, among others.
Network Vault uses the monolithic bastion host approach to protecting sensitive documents and passwords. Not only does this software product encrypt and store these objects, but it also hardens the host OS (Windows 2003), employs a VPN for remote access, firewall, authentication, access control, alerting, and a novel auditing system, termed Visual Security, which provides visual indication of access to protected administrative and privileged passwords and files.
Visual Security indicates various document or password file activity through the use of a colored icon scheme that mark individual files in its Explorer-like directory interface. During our testing we used this capability to provide an instant audit of the who, what, and where of any file protected by Network Vault.
The Password Vault, the application of the Network Vault for storing authentication credentials, is geared toward organizations that need a central and secure method to store, archive, and change administrative passwords for routers, Windows domain, UNIX root users, Oracle database, MS SQL database passwords objects, and Checkpoint firewall passwords, as well as other third-party passwords.
Another useful feature is the automatic password-change feature. This feature enables the Password Vault to generate and synchronize both the device whose passwords are being managed, as well as the password value stored in the safe. The user of the safe then accesses the password object in the safe to reveal the new password.
This provides an efficient way to manage the routine and repetitive task of complying with a security policy that requires frequent password changing.
Installing the product involves a three-step process that involves installing the password vault server, management GUI, and the central password manager. This approach is designed to separate the server interface from the storage engine. The vault server is installed on a dedicated machine that needs to be hardened by the customer. The management GUI is installed on a separate computer.
The central password management component can be installed either on the same server as the vault, or any other machine that is network accessible.
We found that installation time was relatively short – we completed the entire installation in less than an hour. The documentation included with the software was adequate for both the installation and the initial configuration.
Network Vault inserts a menu and toolbar into Microsoft Office applications, enabling access to safes directly from the application. Various reports can be generated to keep you informed of activity within the Vault. Reports include safe activity, user activity, safe owners, user list, and active/non-active users list. Reports can be generated into Microsoft Access or Excel, or saved as a text file.
Additionally, individual safes are isolated, so users of one safe cannot see the presence, nor access the contents of, another safe. The data contained in the safes is encrypted on the disk, along with the associated metadata information, (safe owner, access, logs,and so on).
Authentication methods include passwords, digital certificates, SecurID/USB tokens, or Windows.
Network Vault automatically tracks versions of the files it stores. If, say, the most recent version of a file is corrupted, previous versions are still available. Safe owners can configure the length of time that previous versions of a file are retained. Even files that have been deleted can be recovered based on the recoverability time configured for that safe.
Overall, the product functions as advertised. The protocol used between the client software and the vault is proprietary, providing access via a single enabled service on the host.
Another step forward would be the ability to send alerts and logging details into security information management schemes. This would increase the security of the vault by being able to see a more complete picture of attack attempts.