CyberArk Deployment for Secure Payment Access Platform
Cyber Ark Deployment
The Privileged Access Management (PAM) project will build a new capability in one of our major retail clients in Australia to further uplift and secure users and systems accessing data related to PI; or Personal Information or have elevated privileges that can access critical business systems.
This new capability will be implemented by the CyberArk Privileged Account Security Solution – which combines an isolated vault server and a unified policy and discovery engine to provide security for privileged accounts.
The core PAM components are configured in an active-active configuration at the Application tier and load balancer. They support automatic failover to meet the High availability requirement.
The scope of the project is:
- Design a new PAM infrastructure for both non-prod and Prod environments.
- Build a new PAM infrastructure – Non-Prod and Prod (including OOB network) that adhere to PCI compliance.
- Install CyberArk components and other PAM-related software components to the new PAM infrastructure.
- Deliver a new build script template to automate CyberArk Privilege Session Manager (PSM) installation as standard for future PSM build processes.
- Build a new backup platform for PAM prod infrastructure.
- On-board the Payment platform asset/servers to the new PAM (CyberArk) platform.
- Ensure the New PAM platform is PCI compliant.
DR Service Level
- The PAM Production environment's Recovery Point Objective, or RPO, will be 60 minutes.
- The PAM Production environment's Recovery Time Objective, or RTO, will be 60 minutes.
- The PAM non-production environment will be Business Hours only support with an RPO of 72 hours and best effort, “next business day” RTO.
- Recovery of the f system depends on the component failing and may take a shorter time than 60 minutes to resume operation. Below is the RTO time of each component:
|Recovery Time Objective (RTO)||Time (Sec)||Comments|
|Cluster failover (failover from one node to another)||60 seconds||Automatic failover of the cluster to the next available node (no human intervention is required)|
|Manual DR failover (failover from Primary site to Secondary site)||~600 seconds||The time to manual failover is estimated at 5 minutes once initiated|
|Automatic DR failover (failover from Primary site to Secondary site)||~300 seconds||Once Automatic failover is configured, CyberArk is configured to perform the failover in the specified interval|
|PSM failover||120 seconds||Automatic failover of the load balancer to the next available node (no human intervention is required)|
|PVWA failover||120 seconds||Automatic failover of the load balancer to the next available node (no human intervention is required)|