

September 2001

PrivateArk 1.41



Lock down your organization’s security

A challenge that most organizations face is how to best protect sensitive data. Obviously, securing your network and servers is your first step, but you also need to implement some form of data encryption. Unfortunately, data-encryption solutions can be awkward to use (e.g., pretty good privacy—PGP) or lacking in customization options (e.g., Windows 2000’s Encrypting File System—EFS). Cyber-Ark Software’s PrivateArk 1.41, which uses a series of encrypted vaults and safes to provide strong data encryption and file-security management, offers a level of data security that you probably haven’t encountered before. Like products such as WatchGuard’s ServerLock and Authentica’s MailVault, PrivateArk is dedicated to providing strong data security; however, PrivateArk is unique in its customizable features and management options.

I installed PrivateArk on my 450MHz Pentium II system, which had 256MB of RAM and Win2K Server Service Pack 1 (SP1) installed. (Cyber-Ark recommends—but doesn’t require—Win2K SP1. Under Windows NT 4.0, PrivateArk requires SP5 or later.) PrivateArk Server requires a Pentium processor or better, with a recommended 128MB of RAM. PrivateArk’s client software requires a Pentium processor or better and 32MB of RAM.

The PrivateArk installation is straightforward, requiring simple installations of two pieces of software: the server and client components. During the server software installation, you’ll need an operating master key, which you’ll find on the CD-ROM included in the product’s package. During the installation, PrivateArk uses the operating master key to generate a key for the server package. If you don’t have the generated key when PrivateArk attempts to start, the service will fail and you’ll need to restart the service with the CD-ROM in the CD-ROM drive. After the service starts, however, you can remove the CD-ROM and store it in a safe place. This feature limits the possibility of an intruder rebooting the system and attempting to gain access by bypassing authentication with an administrative password. The server front end is simple, letting you configure which IP address the server will use, where the safes folder will exist, and where the server service’s Start and Stop buttons will reside. As Figure 1 shows, the server’s Central Administration window displays information about the server’s activity, including error messages and occurrences of server startup and shutdown.

My only complaint about the installation process involves configuration changes that you must make to your server. PrivateArk essentially operates as a firewalled system, allowing only PrivateArk Client requests to access specified ports on the server. (Cyber-Ark recommends that you dedicate a server to PrivateArk Server. You can place this hardened, dedicated system in your company’s demilitarized zone—DMZ—if the need arises.) The software requires that you make several configuration changes to the server’s registry, services, and other system components. For example, you need to limit activity on nearly every system port—except the ports that PrivateArk uses. I would prefer that the software automatically perform these time-consuming changes during the installation process.

The client component offers two levels of organization: vaults and safes. A vault, which typically represents a particular geographical organization or department, contains safes. After you create a vault—a simple process that requires only a name for the vault, the server’s IP address, and a unique system port—you create safes, which can contain further categorical division. The structure is entirely up to you. First-time setup of vaults and safes involves setting many user-management options. Although these steps aren’t difficult, they are numerous. The printed User’s Guide, although vague, is essential reading. During this setup process, you’ll probably need to contact Cyber-Ark’s knowledgeable and helpful technical support at least once.

To access a vault that contains the safe you want, simply double-click the vault and enter a username and password (based on the security options that you configured while creating the vault). Your security options include basic user account and password, SecurID, NT’s public key infrastructure (PKI) authorization—assuming you have PKI implemented—and PrivateArk authentication. If you select NT’s PKI authorization, you can import user accounts from your NT domain controller (DC), thereby eliminating the need for users to log on a second time. (After a user properly authenticates with NT, PrivateArk lets that user access the files to which he or she has permissions.) This feature requires that you perform a simple installation of the included PrivateArk NT authentication client on the DC and each client machine. A caveat: If you use NT authentication, your overall security implementation will be inherently weaker and more vulnerable to attack.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.