1. Preparation Before Update:
• Review Documentation: Check CyberArk’s release notes to understand the patch, its new features, and any possible issues or improvements it may introduce.
• Backup Critical Data: Before starting the update process, ensure that backups of the Vault, Privileged Session Manager (PSM), Central Policy Manager (CPM), and any important configurations are securely stored.
• Follow Change Management Protocols: Adhere to the organization’s change management process, making sure all necessary approvals are obtained from relevant teams.
2. Schedule Maintenance:
• Plan for Downtime: Schedule the update during a time when it will have minimal impact on users, ideally during non-peak hours or designated maintenance windows.
• Communicate Downtime: Notify all affected users, particularly those who rely on privileged accounts, about the planned downtime. Provide alternative access methods if required for emergency situations.
3. Perform the Patch Update:
• Update Sequence:
   1. Start by updating non-critical components like the Web Portal or API integrations.
   2. Proceed with updating key CyberArk components such as CPM, PSM, and Password Vault Web Access (PVWA).
   3. Finally, apply the patch to the Primary Vault.
• Validate Each Update: After updating each component, verify its performance before moving on to the next one to ensure smooth operations.
• Update the Vault: When the sequence reaches the Vault, apply the patch to the Primary Vault first, followed by the Disaster Recovery (DR) Vault, and confirm that the two are synchronized in High Availability (HA) setups.
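The sequence above, written as a gated runbook that stops at the first failed validation and keeps a record for the change ticket. This is an added example, not CyberArk tooling or the author's code; `run_runbook`, `apply` and `validate` are hypothetical names, and the failure in the demo is constructed.

```python
import json
from datetime import datetime, timezone

# Order from the update sequence above; the DR Vault follows the Primary Vault.
SEQUENCE = [
    ("non-critical", ["Web Portal", "API integrations"]),
    ("key components", ["CPM", "PSM", "PVWA"]),
    ("vault", ["Primary Vault", "DR Vault"]),
]

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def run_runbook(apply, validate, sequence=SEQUENCE):
    """Patch components in order, validating each before the next.

    apply(name) and validate(name) -> (ok, detail) are hypothetical callables
    the operator supplies. Returns (completed, record); the record lists every
    component, including those never attempted after a failure.
    """
    steps = [(stage, name) for stage, names in sequence for name in names]
    record = []
    for i, (stage, name) in enumerate(steps):
        entry = {"stage": stage, "component": name, "started": _now()}
        try:
            apply(name)
            ok, detail = validate(name)
        except Exception as exc:  # a failed installer or check also halts the run
            ok, detail = False, f"{type(exc).__name__}: {exc}"
        entry.update(status="ok" if ok else "failed", detail=detail, finished=_now())
        record.append(entry)
        if not ok:
            # Stop here so later components, the Vault above all, stay untouched.
            record += [{"stage": s, "component": n, "status": "not attempted"}
                       for s, n in steps[i + 1:]]
            return False, record
    return True, record

if __name__ == "__main__":
    # Constructed outcome: PSM fails its post-update check.
    def fake_validate(name):
        return (name != "PSM", "constructed check result")
    completed, record = run_runbook(lambda name: None, fake_validate)
    print("completed:", completed)
    print(json.dumps(record, indent=2))
```

The returned record can be attached to the change ticket as evidence of which components were patched, which check failed, and which components were left at the previous version.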
4. Post-Update Procedures:
• Check System Health: Once the patching is complete, ensure that all services are operational by reviewing Vault health metrics and checking component logs.
• Test Functionalities: Confirm that core functionalities such as password checkouts, session recordings, API interactions, and authentication systems are working as expected.
• Monitor Performance: Closely monitor the system for the next 24 to 48 hours to ensure no critical issues arise.
5. Document the Process:
• Record all steps taken during the patch update process, including any issues encountered and how they were resolved. Ensure that all documentation is up to date and reflects the changes made.
Managing Change Tasks in CyberArk
Change tasks in CyberArk must be handled with caution to ensure minimal disruption to services and to maintain security protocols.
1. Planning and Approval:
• Impact Analysis: Evaluate the potential impact of the change on business processes and CyberArk components.
• Approval Workflow: Log the change request in the organization’s change management system (e.g., Jira, ServiceNow) and obtain approvals from stakeholders before proceeding.
2. Executing the Change:
• Test in Non-Production: Always implement changes in a test environment before applying them to production to avoid unintended consequences.
• Implement in Production:
   • Ensure role-based access is enforced so that only authorized personnel can execute changes.
   • Apply the change carefully, such as modifying policies, adding/removing Safes, or adjusting session management rules.
3. Common Change Management Tasks:
• Safe Management: When creating or deleting Safes, ensure proper role assignments and access levels for users.
• Account Onboarding/Offboarding: Use CyberArk’s onboarding tool to add or remove privileged accounts, ensuring compliance with rotation policies and session monitoring requirements.
• Policy Adjustments: Make necessary changes to password policies, access controls, or session rules in line with organizational security standards.
• Integrations: Test any API-based integrations (e.g., with SIEM or cloud platforms) to ensure smooth operation before and after the change.
• Custom Scripts: Carefully test any new or modified scripts (e.g., for password rotation automation) in a non-production environment before rolling them out.
4. Post-Change Validation:
• Test Operations: After implementing changes, confirm that all key functionalities, such as password checkouts, user access, and session management, are working correctly.
• Rollbacks if Necessary: If issues arise post-change, promptly execute a rollback according to the planned fallback procedures, ensuring business continuity.
5. Auditing and Documentation:
• Log All Changes: Ensure that all change-related actions are properly logged, including configuration adjustments and the users impacted by them.
• Audit Logs: Regularly review CyberArk’s audit logs to ensure compliance with security protocols.
• Review and Improve: Conduct a post-change review with relevant teams to assess the impact and success of the change.
Following these best practices for patch updates and change tasks will help ensure that CyberArk maintains system security, operational efficiency, and compliance with organizational policies.