Technology: Cyber-Ark's Patented Digital Vault™
The Challenge
Today, many companies continue to pour millions of dollars into traditional perimeter security solutions with limited effect. Security breaches and their financial impact continue to rise. Statistically, over 70% of all these network breaches originate from within. Instead of trying to protect every facet of an enterprise network, Cyber-Ark's vaulting solutions create safe havens: distinct areas for storing, protecting and sharing the most critical business information. Cyber-Ark's solution provides everything needed to protect and share information across the extended enterprise.
The Solution
Cyber-Ark's approach is much like that of a physical vault at a bank. We create an electronic vault, or safe haven, in the network. Regardless of the overall network or security surrounding it, the safe haven is extremely secure. At the same time, Cyber-Ark's unique approach makes this information more accessible, eliminating the traditional tradeoff between accessibility and security.
Cyber-Ark's patented Digital Vault™ protects data using multiple security layers, including Firewall, Data Access Control and End-to-End Encryption.
In addition, the Vault provides multiple security layers that are traditional and well known, such as VPN, file access control, encryption, authentication and a firewall. Cyber-Ark also provides Visual, Manual (dual control) and Geographical security to round out the layers. Each layer is tightly integrated with, and has intimate knowledge of, the other layers, which makes the implementation proprietary. By design, the layers do not interact with other systems, which increases the overall security of a Vault. Additionally, some layers are uniquely crafted for increased performance and security. This is a patented implementation that does not require separate management, so its proprietary nature does not cause enterprise integration issues. Additional capabilities are listed below.
- Firewall & Code-Data Isolation: The Digital Vault™ resides on a dedicated computer, on which it is the only software installed. The Digital Vault's firewall allows only the Vault Protocol in and out of this computer. This is the only way the Digital Vault can assure its total control over the information stored inside it. Data in the Digital Vault is never manipulated or executed, ensuring that the data itself can't pose a security threat. This code/data isolation methodology creates a sterile environment on top of which other security layers can be built.
- Authentication: Every connection to the Digital Vault™ has to be authenticated. It uses a strong two-way challenge and response authentication protocol (SRP). Users can be authenticated using passwords, RSA SecurID tokens, RADIUS, USB tokens (e.g. Aladdin's) or PKI digital certificates.
- Access Control: Upon successful authentication, users are subject to the Digital Vault™'s access control mechanism. The Digital Vault is segmented into safes, and users are only aware of the safes they are allowed to access. Users may have different privileges for each safe (e.g. audit, read, write, control, etc.).
- VPN & Data Encryption: As part of the authentication process, the Digital Vault creates an encrypted session in which every user transaction and every server response is encrypted. Files are encrypted when stored inside the Digital Vault™ as well as when they are transmitted, using symmetric encryption with internal key management. When a file is stored inside the server, a unique encryption key is generated. This automatic key management scheme makes encryption completely transparent to the end user and requires no administrative intervention.
- Content Inspection: Files that are placed inside the Digital Vault™ are optionally stripped of any potential code, whether it is a Microsoft Office macro, e-mail VB script or a plain executable. This "black and white" approach guarantees that files that are stored and shared are always virus free.
- Secure Backup and Version Control: Since data is stored encrypted inside the Digital Vault™, backups are encrypted as well. Additionally, when files are placed inside the Digital Vault, a new version is always created, never overwriting existing information. This guarantees protection against deliberate or unintentional data corruption as well as a version control mechanism that lets users revert to and/or examine older versions.
- Visual Security: With Visual Security end-users can receive visual indications of when their information in the Digital Vault™ has been accessed and/or updated. Objects inside the Vault are marked with blue, red and green marks, indicating whether someone has accessed, updated or placed a new file inside the safe, respectively.
- Manual Security: Manual Security technology forces limitations that provide ultimate control over data access, including:
- Dual control - Dual confirmation may be required to open certain Safes inside a Vault, similar to the requirement for two keys to open a safe deposit box in a bank. When attempting to open such a Safe, a request for clearance will be sent to the Safe's supervisor(s). The Safe will only be opened after such access is confirmed.
- Delay - A unique mechanism enables delaying the opening of a Safe for a predefined period of time, allowing supervisors to prevent unwanted access.
- Time limitations - A Safe can be defined to allow access only within certain time frames such as during hours of operation.
- Geographical Security: The Digital Vault™ can limit access to Safes to certain network locations; similarly, users can be permitted to log in only from limited areas. Thus the security assessment reports, for example, can only be accessed from certain rooms and not from the rest of the building.
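The layers listed above (per-safe privileges, dual control, delay, time limitations and network-location restrictions) compose into a single decision about whether a Safe may be opened. The following Python model is an added illustration, not Cyber-Ark's code: it assumes authentication (the SRP step) has already succeeded, and it evaluates the remaining layers in the order the page describes, returning ALLOW, DENY or PENDING with the reason. The safe name, user names, network ranges and hours are constructed sample values.

```python
"""Toy policy engine modelling a vault Safe's layered access checks.

Constructed example: authentication is assumed to have succeeded, and
the policy values below are invented for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

PRIVILEGES = {"audit", "read", "write", "control"}


@dataclass
class SafePolicy:
    name: str
    acl: Dict[str, Set[str]]                 # user -> privileges on this Safe
    confirmations_required: int = 0          # dual control (0 = not required)
    supervisors: Set[str] = field(default_factory=set)
    delay: timedelta = timedelta(0)          # minimum wait before the Safe opens
    allowed_hours: Optional[Tuple[int, int]] = None  # (start_hour, end_hour)
    allowed_networks: List[str] = field(default_factory=list)  # geographical


@dataclass
class OpenRequest:
    user: str
    privilege: str
    source_ip: str
    requested_at: datetime
    now: datetime
    confirmed_by: Set[str] = field(default_factory=set)


def evaluate(policy: SafePolicy, req: OpenRequest) -> Tuple[str, str]:
    """Return (decision, reason); decision is ALLOW, DENY or PENDING."""
    # Access control: a Safe the user is not entitled to is simply not visible,
    # so the answer is the same as for a Safe that does not exist.
    if req.user not in policy.acl:
        return "DENY", "safe not visible to user"
    if req.privilege not in PRIVILEGES:
        return "DENY", "unknown privilege"
    if req.privilege not in policy.acl[req.user]:
        return "DENY", f"user lacks '{req.privilege}' on safe"
    # Geographical security: the Safe may only be opened from listed networks.
    if policy.allowed_networks:
        ip = ip_address(req.source_ip)
        if not any(ip in ip_network(n) for n in policy.allowed_networks):
            return "DENY", "source address outside permitted locations"
    # Time limitations: hours of operation only.
    if policy.allowed_hours is not None:
        start, end = policy.allowed_hours
        if not start <= req.now.hour < end:
            return "DENY", "outside hours of operation"
    # Dual control: only supervisors count, and the requester cannot confirm
    # their own request.
    if policy.confirmations_required:
        valid = (req.confirmed_by & policy.supervisors) - {req.user}
        if len(valid) < policy.confirmations_required:
            return "PENDING", f"{len(valid)}/{policy.confirmations_required} confirmations"
    # Delay: the Safe opens only after the configured waiting period, giving
    # supervisors a window to intervene.
    if req.now - req.requested_at < policy.delay:
        return "PENDING", "delay period not elapsed"
    return "ALLOW", "all layers passed"


def example_policy() -> SafePolicy:
    """Constructed sample Safe: assessment reports readable from one subnet,
    during office hours, with one supervisor confirmation and a 10-minute delay."""
    return SafePolicy(
        name="assessment-reports",
        acl={"alice": {"read", "write"}, "bob": {"read"}},
        confirmations_required=1,
        supervisors={"carol", "dave"},
        delay=timedelta(minutes=10),
        allowed_hours=(8, 18),
        allowed_networks=["10.1.5.0/24"],
    )


if __name__ == "__main__":
    t0 = datetime(2024, 3, 4, 10, 0)
    req = OpenRequest("alice", "read", "10.1.5.20", t0, t0 + timedelta(minutes=15),
                      confirmed_by={"carol"})
    print(evaluate(example_policy(), req))
```

Each layer fails closed and independently: the request only reaches the dual-control and delay checks after the privilege, location and time-window checks have all passed, and a confirmation from the requester themselves is never counted toward dual control.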