Patented Digital Vault Technology
CyberArk’s patented Digital Vault provides multiple security layers, including traditional, well-known ones such as VPN, file access control, encryption, authentication and a firewall. CyberArk also provides Visual, Manual (dual control), and Geographical security to round out the layers. Each layer is highly integrated with the other layers and has intimate knowledge of them, making the implementation proprietary. The layers themselves do not, by design, interact with other systems, which increases the overall security of a Vault. Additionally, some layers are uniquely crafted for increased performance and security. This is a patented implementation that does not require separate management, and thus its proprietary nature does not cause enterprise integration issues.
Firewall & Code-Data Isolation: The Digital Vault resides on a dedicated computer, on which it is the only software installed. The Digital Vault's firewall allows only the Vault Protocol in and out of this computer. This is the only way the Digital Vault can assure its total control over the information stored inside it. Data in the Digital Vault is never manipulated or executed, ensuring that the data itself can't pose a security threat. This code/data isolation methodology creates a sterile environment on top of which other security layers can be built.
Authentication: Every connection to the Digital Vault has to be authenticated. It uses a strong two-way challenge and response authentication protocol (SRP). Users can be authenticated using passwords, RSA SecurID tokens, RADIUS, USB tokens (e.g. Aladdin's) or PKI digital certificates.
Access Control: Upon successful authentication, users are subject to the Digital Vault's access control mechanism. The Digital Vault is segmented into safes, where users are only aware of the safes they are allowed to access. Users may have different privileges for each safe (e.g. audit, read, write, control).
VPN & Data Encryption: As part of the authentication process, the Digital Vault creates an encrypted session in which every user transaction and every server response is encrypted. Files are encrypted when stored inside the Digital Vault as well as when they are transmitted, using symmetric encryption with internal key management. When a file is stored inside the server, a unique encryption key is generated. This automatic key management scheme makes encryption completely transparent to the end user and requires no administrative intervention.
Content Inspection: Files that are placed inside the Digital Vault are optionally stripped of any potential code, whether it is a Microsoft Office macro, an e-mail VB script or a plain executable. This "black and white" approach guarantees that files that are stored and shared are always virus-free.
Secure Backup and Version Control: Since data is stored encrypted inside the Digital Vault, backups are encrypted as well. Additionally, when files are placed inside the Digital Vault, a new version is always created, never overwriting existing information. This guarantees protection against deliberate or unintentional data corruption as well as a version control mechanism that lets users revert to and/or examine older versions.
Visual Security: With Visual Security, end-users can receive visual indications of when their information in the Digital Vault has been accessed and/or updated. Objects inside the Vault are marked with blue, red and green marks, indicating whether someone has accessed, updated or placed a new file inside the safe, respectively.
Manual Security: Manual Security technology forces limitations that provide ultimate control over data access, including dual control, delay, and time limitations.
Geographical Security: The Digital Vault can limit access to Safes to certain network locations; similarly, users can be permitted to log in only from limited areas. Thus the security assessment reports, for example, can only be accessed from certain rooms and not from the rest of the building.