Security professionals are adopting the principle of separation of duties and adhering to stricter standards for endpoint access, in accordance with roles and responsibilities. More organizations are moving from basic authentication to vaulted authentication for password management.
Improper implementations can leave the API endpoints vulnerable if the vaults themselves are not secured. The credentials can be exposed simply by clicking on the link that points to the vault. This is clearly a security risk, as the passwords are displayed in cleartext.
Here are two simple things you can do to secure your vault:
- Create access control lists (ACLs) that grant vault access only to the users who need it. That way, only the specific individuals who need access to the vaults are granted it, and any unauthorized user who attempts to access a vault receives a “permission denied” error.
- Add a digital certificate to secure the integrity and confidentiality of the connection between the vault and the vulnerability management tool. A digital certificate guarantees the identity of the remote site and provides a secure connection through encryption keys. This way, if someone were to intercept the traffic, the data would be unreadable because it is encrypted.
As an additional measure, to mitigate the risk of password-based attacks and exploits, consider rotating the vault-managed passwords on a regular basis.
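The three controls above (an ACL on the vault, a verified TLS connection from the vulnerability management tool to the vault, and a rotation window on each stored password) can be seen together in the following small model. It is an added example, not code from the original post and not CyberArk's own API: the `VaultStore`, `Vault` and `StoredCredential` classes, the `build_sample_store` helper, and every vault name, principal, account and timestamp in it are constructed for illustration. Note that the lookup never returns the secret in its displayable view, and that an unauthorized caller gets the same "permission denied" answer whether or not the vault exists.

```python
"""Added example (not part of the original post and not CyberArk's code):
a minimal model of a vault-backed credential lookup that applies the three
controls described above, an ACL on each vault, a verifying TLS context
toward the vault, and a rotation-age check on every stored password.
All vault names, principals, accounts and timestamps are constructed samples."""
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class StoredCredential:
    username: str
    secret: str
    last_rotated: datetime

    def audit_view(self, now: datetime) -> dict:
        """What may be shown in a UI or written to a log: never the secret itself."""
        age = now - self.last_rotated
        return {"username": self.username, "secret": "<redacted>", "age_days": age.days}


@dataclass
class Vault:
    name: str
    allowed_principals: set = field(default_factory=set)   # the vault's ACL
    credentials: dict = field(default_factory=dict)        # account -> StoredCredential


class VaultStore:
    """Holds vaults and enforces the ACL and the rotation policy on every read."""

    def __init__(self, max_password_age: timedelta = timedelta(days=90)):
        self.vaults: dict = {}
        self.max_password_age = max_password_age

    def add_vault(self, vault: Vault) -> None:
        self.vaults[vault.name] = vault

    def _authorized_vault(self, principal: str, vault_name: str) -> Vault:
        vault = self.vaults.get(vault_name)
        # A missing vault and a disallowed principal get the same answer, so an
        # unauthorized caller cannot learn which vaults exist.
        if vault is None or principal not in vault.allowed_principals:
            raise PermissionError("permission denied")
        return vault

    def get_credential(self, principal: str, vault_name: str, account: str) -> StoredCredential:
        return self._authorized_vault(principal, vault_name).credentials[account]

    def needs_rotation(self, cred: StoredCredential, now: datetime) -> bool:
        return now - cred.last_rotated > self.max_password_age

    def stale_accounts(self, principal: str, vault_name: str, now: datetime) -> list:
        """Accounts in a vault whose password has exceeded the rotation window."""
        vault = self._authorized_vault(principal, vault_name)
        return sorted(a for a, c in vault.credentials.items() if self.needs_rotation(c, now))


def vault_tls_context(ca_bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings for the vulnerability management tool's connection to the vault:
    the vault's certificate must chain to a trusted CA and match its hostname, so
    intercepted traffic is unreadable and an impostor vault is rejected."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_sample_store() -> VaultStore:
    """Constructed sample data: one scanner vault with two accounts."""
    store = VaultStore(max_password_age=timedelta(days=90))
    vault = Vault(name="scanner-creds", allowed_principals={"vm-scanner-svc", "vault-admin"})
    vault.credentials["linux-scan"] = StoredCredential(
        "scan-user", "example-secret-1", datetime(2024, 5, 1, tzinfo=timezone.utc))
    vault.credentials["windows-scan"] = StoredCredential(
        "svc-scan", "example-secret-2", datetime(2023, 11, 1, tzinfo=timezone.utc))
    store.add_vault(vault)
    return store


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = build_sample_store()
    cred = store.get_credential("vm-scanner-svc", "scanner-creds", "linux-scan")
    print(cred.audit_view(now))
    print("stale:", store.stale_accounts("vault-admin", "scanner-creds", now))
    try:
        store.get_credential("intern", "scanner-creds", "linux-scan")
    except PermissionError as e:
        print("intern ->", e)
```

The `vault_tls_context` function only builds the client-side settings; a real client would pass it to whatever HTTP library talks to the vault, pointing `ca_bundle_path` at the CA that issued the vault's certificate rather than relying on system defaults.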
For any additional information on securing your CyberArk AIM Vault, please reach out to [email protected]