Overview

CyberArk’s Application Identity Management solution uses the Privileged Account Security solution to eliminate the need to store application passwords embedded in applications, scripts or configuration files, and allows these highly sensitive passwords to be centrally stored, logged and managed within the Vault. This unique approach enables organizations to comply with internal and regulatory requirements for periodic password replacement, and to monitor all activities associated with all types of Privileged Identities, whether on-premise or in the cloud, across operating systems, databases, applications, hypervisors, network devices, and more.

The integration between UCMDB and CyberArk's Application Identity Management allows Universal Discovery administrators to configure credentials for supported Universal Discovery protocols, which enables administrators to manage the credentials in a secure and easy way.

Instead of storing the passwords themselves in UCMDB/UD, this integration stores only references to the passwords, which are held in the CyberArk Enterprise Password Vault (part of the Privileged Account Security Solution). When the passwords are needed, they are retrieved from the digital vault through CyberArk’s AIM SDK, using the stored references.

Note: As the CyberArk integration enables the discovery of content but does not actually perform data collection, no MDR integration license is required for the use of this capability.

Deployment

The following diagram illustrates the overall deployment.

How the CyberArk Integration Works

The CyberArk integration enables UCMDB/UD to retrieve usernames and passwords from the CyberArk Enterprise Password Vault as follows:

  1. Administrators create a Safe, Application, and Account on the CyberArk Server, including username, password, and unique reference ID.

  2. Universal Discovery administrators create a credential on the UCMDB Server, using the same CyberArk Safe, Application, and Account values created in step 1 as the reference ID, in the following format: <Safe_Name>\<Folder_Path>\<Reference_ID>

  3. The CyberArk integration synchronizes the CyberArk references to the Data Flow Probes. No password information is included.

  4. Universal Discovery administrators run discovery jobs, which use the unique reference ID to retrieve the username and password from CyberArk.
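
The reference format from step 2 and the reference-only synchronization from step 3, shown as an added Python example that is not part of the original documentation and is not UCMDB or CyberArk code. The record field names, the sample values, and the assumption that the folder path may itself contain backslashes are hypothetical.

```python
from dataclasses import dataclass

# Field names that must never appear in a record synchronized to a
# Data Flow Probe (hypothetical names, chosen for this example).
SECRET_FIELDS = {"password", "passphrase", "private_key"}


@dataclass(frozen=True)
class VaultReference:
    safe: str
    folder: str
    reference_id: str


def parse_reference(value: str) -> VaultReference:
    # Format from step 2: <Safe_Name>\<Folder_Path>\<Reference_ID>.
    # Assumption: the folder path may itself contain backslashes, so the
    # first component is the Safe and the last one is the reference ID.
    parts = value.split("\\")
    if len(parts) < 3:
        raise ValueError("expected <Safe_Name>\\<Folder_Path>\\<Reference_ID>")
    if any(not p or p != p.strip() for p in parts):
        raise ValueError("empty or whitespace-padded component in reference")
    return VaultReference(parts[0], "\\".join(parts[1:-1]), parts[-1])


def probe_record(credential: dict) -> dict:
    # Build the record that is synchronized to a probe (step 3): the
    # protocol plus the validated reference, and nothing else.
    leaked = SECRET_FIELDS & {key.lower() for key in credential}
    if leaked:
        raise ValueError(f"credential carries secret fields: {sorted(leaked)}")
    ref = parse_reference(credential["reference"])
    return {
        "protocol": credential["protocol"],
        "reference": f"{ref.safe}\\{ref.folder}\\{ref.reference_id}",
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real Vault.
    sample = {"protocol": "ssh", "reference": "UD_Safe\\Root\\Unix\\ssh-linux-01"}
    print(parse_reference(sample["reference"]))
    print(probe_record(sample))
```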