PAM-SEN Exam - Question 20


A customer is moving from an on-premises to a public cloud deployment.

What is the best and most cost-effective option to secure the server key?

Correct Answer: C

The best and most cost-effective option to secure the server key when moving to a public cloud deployment is to install the Vault using the native cloud images and secure the server key using native cloud Key Management Systems (KMS). This approach leverages the built-in security features and managed services offered by cloud providers, ensuring robust security with minimal additional cost. Utilizing native cloud KMS is generally more cost-effective and integrated than purchasing and managing additional hardware like a Hardware Security Module, or relying on less secure and potentially more cumbersome methods like manual filesystem permissions.

Discussion

5 comments
penuelaandy Option: C
Mar 14, 2023

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/13.0/en/Content/PAS%20Cloud/ChangeServerKeys-cloud.htm?TocPath=Installation%7CInstall%20PAM%C2%A0in%20a%20cloud%20environment%7CInstall%20the%20Digital%20Vault%20on%20the%20cloud%7C_____14

marcosneves Option: A
Apr 6, 2023

A is correct

Riaan_M
Apr 16, 2023

Nope. This is NOT the cost-efficient choice.

Fabri59 Option: C
May 22, 2023

The answer is C. https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/12.6/en/Content/PAS%20Cloud/ChangeServerKeys-cloud.htm?tocpath=Installation%7CInstall%20Privileged%20Access%20Manager%20-%20Self-Hosted%C2%A0in%20a%20cloud%20environment%7CInstall%20the%20Digital%20Vault%20on%20the%20cloud%7C_____14

Cavdog Option: C
Sep 7, 2023

The recommendation from CyberArk is to use KMS (as per the reference); however, this would not be anywhere near as “cost-effective” as just storing them on the filesystem and securing them with NTFS permissions as per a normal on-prem deployment, but my understanding is that this is strongly discouraged. There are also several differences between the cloud and on-prem installs, therefore the statement “Install the Vault in the cloud the same way you would in an on-premises environment.” isn’t exactly true either. Therefore I'd say the answer is C. https://docs.cyberark.com/PAS/Latest/en/Content/PAS%20Cloud/ChangeServerKeys-cloud.htm#:~:text=To%20ensure%20the%20security%20of%20the%20keys%20in%20AWS%2C%20it%20is%20recommended%20to%20follow%20AWS%20best%20practices%20and%20encrypt%20them%20with%20KMS.

Cavdog
Sep 7, 2023

Correction: the parameter does exist, I'm trippin >.< However, there is no requirement for a passphrase and it will work without it.

Cavdog
Sep 7, 2023

The answer is A.

Cavdog
Sep 7, 2023

mods, just delete this haha

pamlover Option: A
Jul 10, 2023

You would use CAVaultManager.exe ChangeAwsKeys to make new keys and store in the cloud. https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/13.0/en/Content/PAS%20Cloud/ChangeServerKeys-cloud.htm#ChangetheserverkeyonthePrimaryVault