Copying Credentials from CyberArk SaaS to Azure Key Vault

Step-by-Step Guide for Specific Safes and Unencrypted Credential Handling

Highlights

  • Selective Synchronization: Focus on specific safes and define custom sync policies.
  • Configuration and Integration: Use CyberArk Secrets Hub, Azure Key Vault access policies, and specialized commands such as Update-AzKV.
  • Handling Unencrypted Credentials: Manage credential handling carefully since Key Vault encrypts data at rest by default.

Overview

Integrating CyberArk SaaS Privileged Cloud with Azure Key Vault for selective safe synchronization requires detailed planning and configuration. This guide explains how to copy credentials from CyberArk to Azure Key Vault while targeting only specific safes. It also addresses the requirement of making the credentials available in unencrypted form: Azure Key Vault always encrypts secrets at rest, so the plaintext is handled at the application level, after retrieval, through access control and operational practice rather than by changing how the vault stores the secret.

Preparatory Steps and Prerequisites

CyberArk Requirements

Before initiating the synchronization process, verify that your CyberArk environment is set up properly:

Identifying Specific Safes

First, determine which safe(s) will have their credentials transferred to Azure Key Vault. Limiting the selection to the required resources reduces unnecessary exposure and keeps the integration within organizational policy.

CyberArk Secrets Hub Configuration

CyberArk incorporates a Secrets Hub service that is designed to facilitate the synchronization of secrets between CyberArk and external systems like Azure Key Vault. Ensure that:

  • The Secrets Hub user is granted access to the desired safes.
  • Custom TEXT type File Categories, such as "KeyVaultName" and "SecretName", are created in CyberArk’s PrivateArk Client configuration. This helps in marking and identifying the appropriate credentials.
  • An integration plugin or usage entry (such as Update-AzKV) is appropriately configured in CyberArk’s platform settings.

Azure Requirements

In Azure, the following prerequisites need to be met:

Azure Key Vault Setup

Create or identify an Azure Key Vault instance that will store the secrets. Azure Key Vault encrypts secrets by default; the unencrypted use of the credentials is handled at the application level or through custom processes after retrieval. Ensure you have:

  • An active Azure subscription with necessary permissions.
  • Access policies that grant the CyberArk-provisioned Azure AD account both the "Secret Get" and "Secret Set" permissions.

Azure Az PowerShell Module

Install and update the Azure Az PowerShell Module. Its Key Vault cmdlets are what a usage such as Update-AzKV relies on to push or update secrets from CyberArk into Azure Key Vault.


Step-by-Step Guide

Step 1: Configuring CyberArk for Selective Safes

Identifying and Tagging Specific Safes

Begin by reviewing and identifying the specific safes containing the credentials that need to be synchronized. You can manage this within CyberArk by tagging or specifying the safe names. This helps you limit the scope solely to those credentials relevant to your operations.

Adding Usage Options and Custom Categories

To facilitate synchronization, add new TEXT type File Categories (like "KeyVaultName" and "SecretName") to the account configurations in CyberArk. This informs CyberArk which Azure Key Vault instance and secret name to target during the synchronization process.

Then, modify the platform settings to include a new usage option. Often labeled as Update-AzKV, this command directs the system to push credentials from the specified safe to the Azure Key Vault. Set the "SearchForUsage" parameter to “Yes” to enable automatic association of credentials during CyberArk's password management cycles.

Step 2: Configuring Azure Key Vault

Establishing the Key Vault Environment

In Azure, if you do not already have a Key Vault created, establish one. Assign the correct network restrictions and access policies to ensure only authorized actions occur. To achieve the integration:

  • Create or verify the Azure Key Vault.
  • Assign the Azure AD account that CyberArk uses (linked with its secrets synchronization process) proper permissions.

Access Policy Configuration

Add access policies specifically for updating, reading, and setting secrets in the Key Vault. The CyberArk-provisioned account acts as the intermediary through which CyberArk pushes and updates credentials. Test these permissions before going further by manually pushing a test secret with PowerShell commands.
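The following PowerShell function is an added example (not part of the original article) of that manual permission test: it writes a throwaway secret with the account CyberArk will use, reads it back, checks the round trip, and cleans up, reporting each permission separately. It assumes the Az.KeyVault module is loaded, that Connect-AzAccount has been run as that account, and that the vault name is a placeholder.

```powershell
# Added example: round-trip test of the sync account's "Secret Get"/"Secret Set" permissions.
# Assumes Az.KeyVault is loaded and Connect-AzAccount was run as the CyberArk-provisioned account.
function Test-KeyVaultSecretAccess {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [string]$TestSecretName = 'cyberark-sync-permission-test'
    )
    $results = [ordered]@{ Set = $false; Get = $false; RoundTrip = $false; Delete = $false }

    # Constructed test value: a random GUID, so no real credential is ever written.
    $expected = [guid]::NewGuid().ToString()
    $secure   = ConvertTo-SecureString $expected -AsPlainText -Force

    try {
        Set-AzKeyVaultSecret -VaultName $VaultName -Name $TestSecretName -SecretValue $secure -ErrorAction Stop | Out-Null
        $results.Set = $true
    } catch {
        Write-Warning "Set failed (check the 'Secret Set' permission): $($_.Exception.Message)"
    }

    try {
        $actual = Get-AzKeyVaultSecret -VaultName $VaultName -Name $TestSecretName -AsPlainText -ErrorAction Stop
        $results.Get = $true
        $results.RoundTrip = ($actual -eq $expected)
    } catch {
        Write-Warning "Get failed (check the 'Secret Get' permission): $($_.Exception.Message)"
    }

    # Clean-up needs 'Secret Delete', which the sync account itself does not require;
    # a failure here only means the test secret must be removed with a privileged account.
    try {
        Remove-AzKeyVaultSecret -VaultName $VaultName -Name $TestSecretName -Force -ErrorAction Stop
        $results.Delete = $true
    } catch {
        Write-Warning "Delete failed; remove '$TestSecretName' manually: $($_.Exception.Message)"
    }

    [pscustomobject]$results
}

# Placeholder vault name; Set, Get and RoundTrip should all be True for a correctly configured account.
Test-KeyVaultSecretAccess -VaultName 'YourKeyVaultName'
```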

Step 3: Synchronizing Credentials Between Platforms

Using the Secrets Hub Sync Policy

CyberArk’s Secrets Hub offers the ability to define a sync policy – a set of rules which determine which safe’s secrets get synchronized to the Azure Key Vault. Steps to configure include:

  • Log into the CyberArk Privilege Cloud interface.
  • Navigate to the Secrets Hub configuration section.
  • Create or edit a sync policy that lists the specific safes. Only the safes included in this policy will have their secrets synchronized to the Key Vault.
  • Ensure any dynamic updates, such as password rotations, automatically trigger an update using the configured usage.

Automatic vs. Manual Synchronization

You have the option of automating synchronization using CyberArk’s native workflow combined with PowerShell scripts or designated plugins. Notably, the Update-AzKV command can push updates immediately after a password change. Manual verification at the initial stages is crucial to validate the configuration.

Step 4: Handling Unencrypted Credentials in Azure Key Vault

Understanding Azure Key Vault’s Encryption

Azure Key Vault is engineered to store secrets in an encrypted format by default. Encryption at rest is a built-in security measure and cannot be disabled at the Key Vault level. However, you can retrieve and handle the secrets in unencrypted form within your application. In other words, while the secret is physically encrypted in Key Vault storage, the decryption is handled automatically upon retrieval.

Application-Level Decryption for Unencrypted Use

If your requirement mandates that the credentials be available in an unencrypted form after retrieval, configure your application logic accordingly. Follow these steps:

  • Ensure that when your application retrieves a secret from Azure Key Vault it uses the Key Vault Get operation, which returns the secret value already decrypted; no client-side decryption step is required.
  • Store the secret in the application’s memory or configuration in plaintext as needed, taking care to implement robust and secure handling procedures.
  • Maintain strict access control to your application environment to mitigate the risks associated with storing unencrypted secrets.

Note that while you can work with unencrypted credentials after retrieval, doing so widens the exposure of those credentials. Assess the compliance risks and secure the application environment rigorously.
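As an added example (not the article's own code) of the application-level handling described above, the function below retrieves a secret that CyberArk has pushed to Key Vault, rejects disabled or expired versions, and exposes the plaintext only inside a single callback before zeroing the unmanaged copy. It assumes Az.KeyVault is loaded, the caller is signed in, and the vault, secret and account names are placeholders.

```powershell
# Added example: keep the plaintext lifetime of a Key Vault secret as short as possible.
# Assumes Az.KeyVault is loaded and Connect-AzAccount has been run.
function Invoke-WithKeyVaultSecret {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,
        [Parameter(Mandatory)][scriptblock]$Action   # receives the plaintext as its first argument
    )
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop

    # Refuse disabled or expired versions instead of silently using a stale credential.
    if (-not $secret.Enabled) { throw "Secret '$SecretName' is disabled in vault '$VaultName'" }
    if ($secret.Expires -and $secret.Expires -lt (Get-Date).ToUniversalTime()) {
        throw "Secret '$SecretName' expired on $($secret.Expires)"
    }

    # The cmdlet returns a SecureString; copy it into an unmanaged BSTR so it can be zeroed afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        & $Action $plain
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        # .NET strings are immutable, so drop the reference rather than keep the plaintext reachable.
        Remove-Variable -Name plain -ErrorAction SilentlyContinue
    }
}

# Usage with placeholder names: the plaintext never lands in a script-level variable or on disk.
Invoke-WithKeyVaultSecret -VaultName 'YourKeyVaultName' -SecretName 'YourSecretName' -Action {
    param($password)
    # Constructed consumer: wrap the value in a PSCredential for the target system.
    $cred = New-Object System.Management.Automation.PSCredential(
        'svc-account', (ConvertTo-SecureString $password -AsPlainText -Force))
    # ... use $cred with the target system here ...
    $cred.UserName
}
```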


Implementation Example and Table Overview

Example PowerShell Script

An example PowerShell script can serve as a starting template for the synchronization process. Below is a sample snippet for interacting with Azure Key Vault. You will need to incorporate CyberArk API calls or plugin integrations in your actual script:


    # Install the Azure Az.KeyVault module, if not already installed
    if (-not (Get-Module -ListAvailable -Name Az.KeyVault)) {
        Install-Module -Name Az.KeyVault -Scope CurrentUser -Force
    }

    # Sign in as the Azure AD account that CyberArk has been provisioned with
    Connect-AzAccount

    # Define your Azure Key Vault information
    $keyVaultName = "YourKeyVaultName"
    $resourceGroupName = "YourResourceGroupName"

    # Retrieve the Key Vault object and stop early if it cannot be reached
    $keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ErrorAction Stop

    # Example: Setting a secret in the Key Vault
    # This would be executed after retrieving the credential from CyberArk;
    # the value is wrapped in a SecureString rather than passed as plain text.
    $secretValue = ConvertTo-SecureString "YourSecretValue" -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $keyVault.VaultName -Name "YourSecretName" -SecretValue $secretValue

    # Further integration logic with CyberArk would be implemented here.


Overview Table of Key Configuration Components

  Component               | Purpose                                                  | Key Configurations
  ------------------------+----------------------------------------------------------+--------------------------------------------------------------
  CyberArk Safe Selection | Identify and tag the specific safes for synchronization  | Custom TEXT categories (e.g., "KeyVaultName", "SecretName")
  Secrets Hub Sync Policy | Define which safes' secrets are synchronized             | Policy includes target safes and usage flag (SearchForUsage)
  Update-AzKV Command     | Trigger credential push from CyberArk to Azure Key Vault | Usage configuration and association with an Azure AD account
  Azure Key Vault Access  | Secure storage of secrets with default encryption        | Key Vault instance with configured access policies
  Application Logic       | Handle secret decryption for unencrypted usage           | Secure retrieval and processing of secrets post-decryption

Additional Considerations and Best Practices

Security Implications

Although the process of transferring credentials from CyberArk to Azure Key Vault can be implemented so that applications receive plaintext values, it is essential to appreciate that:

  • Azure Key Vault’s encryption at rest is a robust security feature designed to protect secrets from unauthorized access. Altering the flow to use unencrypted credentials must be balanced with rigorous controls in the hosting environment.
  • If the retrieval process exposes secrets in unencrypted form, ensure that the application’s runtime environment is secured through strict access policies, logging, and monitoring.
  • Consult your organization’s security policies and compliance guidelines before proceeding, especially when handling sensitive credentials in plaintext.

Automation and Monitoring

Automate regular synchronization and monitor it continuously:

  • Set up logging and alerts within CyberArk and Azure to detect any discrepancies during synchronization.
  • Test updates with a particular safe initially, verify correct handling, and gradually roll out to additional safes.
  • Consider using dedicated scripts or third-party solutions that continuously poll for credential changes and update Azure Key Vault accordingly.

Third-Party Tools and Plugins

Many organizations leverage third-party tools designed specifically for this integration. For instance, a GitHub-hosted plugin can automate the password synchronization process between CyberArk and Azure Key Vault. Such tools provide:

  • An interface for configuring the synchronization of selected safes.
  • Error handling and logging capabilities that aid in production support.
  • Simplified configuration for cyclical password updates based on CyberArk’s credential management rules.

Implementation Workflow Summary

The implementation of copying credentials from CyberArk to Azure Key Vault, especially targeting specific safes, follows a disciplined workflow:

  1. Planning & Identification: Determine which safes are critical and tag these appropriately in CyberArk.
  2. CyberArk Configuration: Configure Secrets Hub, add necessary custom fields, and set up usage policies (like Update-AzKV) for targeted safes.
  3. Azure Configuration: Create and secure your Azure Key Vault, ensuring the CyberArk-associated Azure AD account has adequate permissions.
  4. Synchronization & Testing: Set up the sync policy to push credentials, execute test transfers using a script or plugin, and verify that credentials are accessed in an unencrypted form via your application logic.
  5. Deployment & Monitoring: Roll out the configuration across the organization after thorough testing, supplemented with logging and monitoring strategies.

Last updated March 2, 2025