{"id":184,"date":"2025-05-03T20:02:20","date_gmt":"2025-05-03T20:02:20","guid":{"rendered":"https:\/\/sme-access.com\/?p=184"},"modified":"2025-05-19T08:33:51","modified_gmt":"2025-05-19T08:33:51","slug":"securing-privilege-web-access-part-2","status":"publish","type":"post","link":"https:\/\/sme-access.com\/?p=184","title":{"rendered":"Securing Privilege Web Access \u2013 Part 2"},"content":{"rendered":"\n<p>In <a href=\"https:\/\/sme-access.com\/?p=170\" target=\"_blank\" rel=\"noreferrer noopener\">Part 1<\/a> of this series, we explored the limitations of legacy approaches to securing access to privileged web applications\u2014think jump servers, hardened browsers, and connector chaos. Now it\u2019s time to move from theory to practice.<\/p>\n\n\n\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-6c531013 wp-block-group-is-layout-flex\">\n<p>Starting with this post, we\u2019ll walk through a series of real-world use cases, each showing how to modernize and secure access to different types of privileged web applications using an identity-first, browser-native approach.<\/p>\n<\/div>\n\n\n\n<p>Yes, you read that right\u2014this is just the first use case. 
In total, we\u2019ll cover four key scenarios, each reflecting a different challenge and architectural pattern:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Legacy Web Apps with Basic Login\/Password<\/li>\n\n\n\n<li>Modern Web Apps with SAML\/OIDC \u2013 CyberArk Identity as the IdP<\/li>\n\n\n\n<li>Modern Web Apps with SAML\/OIDC \u2013 CyberArk Identity is not the IdP<\/li>\n\n\n\n<li>Cloud Consoles (AWS, Azure, GCP)<\/li>\n<\/ul>\n\n\n\n<p>In this post, we\u2019ll dive into the first use case:<\/p>\n\n\n\n<p>\ud83d\udc49 <strong>Modernizing access to legacy privileged web applications that still rely on usernames and passwords.<\/strong><\/p>\n\n\n\n<p>Let\u2019s explore how to modernize access to these privileged applications by extending PAM controls into the Access Management (AM) domain.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"465\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Priv-apps-wpm-3-1024x465.png\" alt=\"\" class=\"wp-image-224\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Priv-apps-wpm-3-1024x465.png 1024w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Priv-apps-wpm-3-300x136.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Priv-apps-wpm-3-768x349.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Priv-apps-wpm-3-1536x698.png 1536w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Priv-apps-wpm-3-2048x931.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In what follows I will use the CyberArk Identity Security Platform stack to show how to modernize and secure privileged web apps.<\/p>\n\n\n\n<p><strong>Onboarding a Web Application in CyberArk Identity<\/strong><\/p>\n\n\n\n<p>Onboarding a web application is the first and most essential step in securing user access. 
With <strong>CyberArk Identity<\/strong>, there are several ways to onboard a web application, depending on whether it\u2019s already available in the catalog or needs to be configured manually.<\/p>\n\n\n\n<p>Here are the main methods:<\/p>\n\n\n\n<p><strong>1. Application Catalog<\/strong><\/p>\n\n\n\n<p>CyberArk Identity offers a wide range of <strong>preconfigured applications<\/strong> that support secure <strong>Single Sign-On (SSO)<\/strong> out of the box. If the app you want to onboard is available in the catalog, it\u2019s just a matter of a few clicks to add it and assign it to users.<\/p>\n\n\n\n<p><strong>2. Infinite Apps (App Capture)<\/strong><\/p>\n\n\n\n<p>For apps not listed in the catalog, you can use the <strong>Infinite Apps<\/strong> feature, available through the <strong>CyberArk Identity Browser Extension for Firefox<\/strong>. The built-in <strong>App Capture<\/strong> tool automatically identifies the login fields (username and password) on the app\u2019s sign-in page and adds the app to your portal with SSO capabilities.<br>If automatic detection doesn\u2019t work, you can manually select the required fields \u2014 making it easy to onboard virtually any username-password app.<\/p>\n\n\n\n<p><strong>3. 
Generic and Custom Templates<\/strong><\/p>\n\n\n\n<p>When the application isn\u2019t in the catalog and <strong>App Capture<\/strong> isn\u2019t suitable (e.g., for apps with complex authentication or NTLM-based logins), CyberArk Identity provides <strong>generic and custom templates<\/strong>.<\/p>\n\n\n\n<p>You can choose from four types of templates, depending on the complexity of the application:<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.cyberark.com\/identity\/latest\/en\/content\/applications\/appscustom\/custuserpswdapps.htm?TocPath=Administrator%7CIntegrate%20apps%7CAdd%20custom%20applications%7CCustom%20user-password%20applications%7C_____0\">Custom user-password applications<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.cyberark.com\/identity\/latest\/en\/content\/applications\/appscustom\/custbrwsextuserpswdapps.htm?TocPath=Administrator%7CIntegrate%20apps%7CAdd%20custom%20applications%7CCustom%20browser%20extension%20user-password%20applications%7C_____0\">Custom browser extension user-password applications<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.cyberark.com\/identity\/latest\/en\/content\/applications\/appscustom\/custbrwsrextadv.htm?TocPath=Administrator%7CIntegrate%20apps%7CAdd%20custom%20applications%7CCustom%20Browser%20Extension%20(advanced)%20applications%7C_____0\">Custom Browser Extension (advanced) applications<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.cyberark.com\/identity\/latest\/en\/content\/applications\/appscustom\/ntlmaddconfig.htm?TocPath=Administrator%7CIntegrate%20apps%7CAdd%20custom%20applications%7C_____8\">Add and configure the generic NTLM and Basic application<\/a><\/p>\n\n\n\n<p>I won\u2019t dive into the differences between the custom templates here, but if you&#8217;re curious or need help choosing the right one, feel free to ask in the comments!<\/p>\n\n\n\n<p>To show how simple it is to onboard a privileged web application, we&#8217;ll walk through the process using <strong>App Capture<\/strong>. 
This method doesn\u2019t require advanced skills or extra services \u2014 it\u2019s quick, intuitive, and works for nearly any web app.<\/p>\n\n\n\n<p>In this example, we&#8217;re onboarding a <strong>privileged web application<\/strong>: CyberArk&#8217;s <strong>Endpoint Privilege Management<\/strong> console. But the same steps apply to any other web-based app using username and password authentication.<\/p>\n\n\n\n<p><strong>Step 1: Sign in to Your CyberArk Identity Tenant<\/strong><\/p>\n\n\n\n<p>Start by logging in to your <strong>CyberArk Identity<\/strong> admin portal.<\/p>\n\n\n\n<p><strong>Step 2: Launch App Capture<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click on <strong>Settings<\/strong><\/li>\n\n\n\n<li>Expand the <strong>Advanced<\/strong> section<\/li>\n\n\n\n<li>Select <strong>Capture<\/strong><\/li>\n<\/ul>\n\n\n\n<p>This will launch the <strong>App Capture utility<\/strong> via the CyberArk Identity Browser Extension.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"630\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-16.04.05-1024x630.png\" alt=\"\" class=\"wp-image-188\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-16.04.05-1024x630.png 1024w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-16.04.05-300x184.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-16.04.05-768x472.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-16.04.05-1536x945.png 1536w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-16.04.05-2048x1259.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Step 3: Capture the Application<\/strong><\/p>\n\n\n\n<p>The utility will attempt to automatically detect 
the <strong>username<\/strong> and <strong>password<\/strong> fields on the login page. If it can\u2019t, no worries \u2014 you can switch to manual mode and select the fields yourself.<\/p>\n\n\n\n<p>In our case, the automatic option works just fine:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click <strong>Next<\/strong><\/li>\n\n\n\n<li>Answer the few questions about the app<\/li>\n\n\n\n<li>Click <strong>Next<\/strong> again<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1001\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.08.29-1024x1001.png\" alt=\"\" class=\"wp-image-190\" style=\"width:556px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.08.29-1024x1001.png 1024w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.08.29-300x293.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.08.29-768x751.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.08.29.png 1428w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Step 4: Customize Your App<\/strong><\/p>\n\n\n\n<p>Give your application a name and adjust any optional settings.<br>When you&#8217;re ready, click <strong>Finish<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"693\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.09.36-1024x693.png\" alt=\"\" class=\"wp-image-191\" style=\"width:538px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.09.36-1024x693.png 1024w, 
https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.09.36-300x203.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.09.36-768x520.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.09.36-1536x1040.png 1536w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.09.36.png 1610w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Step 5: Finalize and Deploy<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add the app to your admin portal<\/li>\n\n\n\n<li>Click <strong>Submit<\/strong><\/li>\n\n\n\n<li>Close the App Capture utility<\/li>\n<\/ul>\n\n\n\n<p>That\u2019s it! You\u2019ll now see the newly onboarded application in your <strong>CyberArk Identity<\/strong> application list \u2014 ready to assign to users and apply intelligent privilege controls.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"534\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.11.47-1024x534.png\" alt=\"\" class=\"wp-image-192\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.11.47-1024x534.png 1024w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.11.47-300x156.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.11.47-768x400.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.11.47-1536x800.png 1536w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-04-at-22.11.47.png 1996w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Now that our web application is onboarded, 
the next steps will guide you through setting up Web SSO using vaulted credentials.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p><strong>\ud83d\udee1\ufe0f<\/strong><strong> Step 1 \u2013 Secure Web SSO with Vaulted Credentials<\/strong><\/p>\n\n\n\n<p>We\u2019ll start with the <strong>authentication layer<\/strong>\u2014a crucial component, especially for privileged access.<\/p>\n\n\n\n<p>Since this application still relies on a <strong>username and password<\/strong>, we\u2019ll combine <strong>PAM controls<\/strong> with <strong>modern IAM concepts<\/strong> to achieve both <strong>security<\/strong> and <strong>usability<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The privileged credentials (username and password) are <strong>securely stored in a CyberArk Safe<\/strong>, where they are <strong>vaulted and rotated<\/strong> using the <strong>CyberArk Central Policy Manager (CPM)<\/strong>.<\/li>\n\n\n\n<li>When a user initiates access, CyberArk Identity will <strong>retrieve the password securely at runtime<\/strong>, <strong>autofill it<\/strong>, and <strong>perform web SSO<\/strong> on behalf of the user.<\/li>\n<\/ul>\n\n\n\n<p>\u2705 <strong>From a user experience perspective<\/strong>, this approach is seamless. Users access the app directly from their browser\u2014<strong>no jump servers, no RDP, no latency<\/strong>.<\/p>\n\n\n\n<p>\u2705 <strong>From a security perspective<\/strong>, the credentials are never displayed to the user, and the user never needs to know them. They are centrally managed, rotated, and tightly controlled within the PAM layer.<\/p>\n\n\n\n<p>Now let\u2019s put this into practice.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>I&#8217;ll assume that you have a basic understanding of CyberArk PAM and CyberArk Identity, both part of the CyberArk Identity Security Platform. 
If you need more details, feel free to ask in the comments.<\/p>\n<\/blockquote>\n\n\n\n<p><strong><em>\ud83d\udd10 CyberArk PAM \u2013 Onboarding a Privileged Web App Account<\/em><\/strong><\/p>\n\n\n\n<p><strong>Step 1: Create a Safe<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Log in to <strong>CyberArk PAM<\/strong> as an admin.<\/li>\n\n\n\n<li>Go to <strong>Administration \u2192 Safes \u2192 Add Safe<\/strong>.<\/li>\n\n\n\n<li>Create a safe named <strong>EPM_Priv_Web_Apps<\/strong>, add a description, and complete the setup.<\/li>\n<\/ol>\n\n\n\n<p>\ud83d\udcd6 <a href=\"https:\/\/docs.cyberark.com\/privilege-cloud-shared-services\/latest\/en\/content\/privilege%20cloud\/privcloud-manage-safes.htm\">Create and Manage Safes \u2013 CyberArk Docs<\/a><\/p>\n\n\n\n<p><strong>Step 2: Add Safe Member<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Open the <strong>EPM_Priv_Web_Apps safe<\/strong> \u2192 <strong>Members tab \u2192 Add Member<\/strong>.<\/li>\n\n\n\n<li>Add user: <strong>post01@sme-access.com<\/strong><\/li>\n\n\n\n<li>Assign only these permissions:\n<ul class=\"wp-block-list\">\n<li>\u2705 <strong>List Accounts<\/strong><\/li>\n\n\n\n<li>\u2705 <strong>Use Accounts<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>Do not grant <strong>Retrieve Accounts<\/strong> here: that permission lets the member read the password in the PAM portal, which defeats the purpose of hiding it behind Web SSO.<\/p>\n\n\n\n<p>\ud83d\udcd6 <a href=\"https:\/\/docs.cyberark.com\/privilege-cloud-shared-services\/latest\/en\/content\/privilege%20cloud\/privcloud-manage-safe-members.htm\">Add Members to Safes \u2013 CyberArk Docs<\/a><\/p>\n\n\n\n<p><strong>Step 3: Add a Privileged Account<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Navigate to <strong>Accounts \u2192 Add Account<\/strong>.<\/li>\n\n\n\n<li>Select:\n<ul class=\"wp-block-list\">\n<li><strong>Platform<\/strong>: Generic Web App<\/li>\n\n\n\n<li><strong>Safe<\/strong>: EPM_Priv_Web_Apps<\/li>\n\n\n\n<li>Enter the app URL, <strong>username<\/strong>, and 
<strong>password<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Save.<\/li>\n<\/ol>\n\n\n\n<p>\ud83d\udcd6 <a href=\"https:\/\/docs.cyberark.com\/privilege-cloud-shared-services\/latest\/en\/content\/privilege%20cloud\/privcloud-onboard.htm\">Add Accounts \u2013 CyberArk Docs<\/a><\/p>\n\n\n\n<p><strong><em>\ud83c\udf10 CyberArk Identity \u2013 Assigning Users to the App &amp; Configuring Credentials<\/em><\/strong><\/p>\n\n\n\n<p><strong>Step 1: Assign User to the Application<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the <strong>CyberArk Identity Admin Portal<\/strong>, go to <strong>Apps<\/strong>.<\/li>\n\n\n\n<li>Click on the app <strong>onboarded previously<\/strong> (from <em>Step 5: Finalize and Deploy<\/em>).<\/li>\n\n\n\n<li>Click <strong>&#8220;Add User&#8221;<\/strong> and assign users, AD groups, or an Identity role to the app. I&#8217;m using the user <code><strong>post01@sme-access.com<\/strong><\/code>.<\/li>\n<\/ol>\n\n\n\n<p>\u2705 Once assigned, the app status changes to <strong>Deployed<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"857\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-3-1024x857.png\" alt=\"\" class=\"wp-image-211\" style=\"width:965px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-3-1024x857.png 1024w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-3-300x251.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-3-768x643.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-3-1536x1286.png 1536w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-3-2048x1714.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Step 2: Provide Privileged Credentials<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the same app settings, go to the 
<strong>&#8220;Account Mapping&#8221;<\/strong> section.<\/li>\n\n\n\n<li>Set the login method to <strong><code>All users share one name<\/code><\/strong>, then check <strong><code>Get password from Safe<\/code><\/strong> and <strong><code>Users cannot view or copy an account's secret<\/code><\/strong>.<\/li>\n\n\n\n<li>Search for the safe by name and select the account stored earlier in the <code>EPM_Priv_Web_Apps<\/code> safe.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"851\" height=\"509\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-10-at-17.31.35.png\" alt=\"\" class=\"wp-image-199\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-10-at-17.31.35.png 851w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-10-at-17.31.35-300x179.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/Screenshot-2025-05-10-at-17.31.35-768x459.png 768w\" sizes=\"auto, (max-width: 851px) 100vw, 851px\" \/><\/figure>\n\n\n\n<p><strong>Step 3: Test the Connection<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log in to the <strong>CyberArk Identity User Portal<\/strong> (<a href=\"https:\/\/aay4219.id.cyberark.cloud\/my\">https:\/\/tenant-id.id.cyberark.cloud\/my<\/a>) as <code><strong>post01@sme-access.com<\/strong><\/code> or your test user.<\/li>\n\n\n\n<li>Launch the app from the portal or from the CyberArk Identity browser extension.<\/li>\n<\/ol>\n\n\n\n<p>\u2705 CyberArk Identity will retrieve the credentials from PAM, autofill the login form, and complete SSO.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"368\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image.png\" alt=\"\" class=\"wp-image-201\" style=\"width:1062px;height:auto\" 
srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image.png 975w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-300x113.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-768x290.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"562\" height=\"439\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-1.png\" alt=\"\" class=\"wp-image-202\" style=\"width:799px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-1.png 562w, https:\/\/sme-access.com\/wp-content\/uploads\/2025\/05\/image-1-300x234.png 300w\" sizes=\"auto, (max-width: 562px) 100vw, 562px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>However, there&#8217;s a <strong>critical caveat<\/strong> here.<br>While the password isn\u2019t shown to the user, the browser extension <strong>still fills it into the login form inside the user\u2019s browser session<\/strong>. That creates an attack vector: if the endpoint is compromised (malware, a keylogger, a malicious browser extension, a browser exploit, and so on), an attacker could read the credential as it is filled in, or simply hijack the authenticated session afterwards.<\/p>\n<\/blockquote>\n\n\n\n<p>That\u2019s why <strong>this setup alone is not enough<\/strong>.<\/p>\n\n\n\n<p><strong>\ud83e\uddf1<\/strong><strong> What\u2019s Next? 
Defense in Depth<\/strong><\/p>\n\n\n\n<p>In the next post, we\u2019ll explore how to <strong>layer additional CyberArk Identity Security Controls<\/strong> to strengthen the architecture\u2014enabling <strong>RBAC<\/strong>, <strong>Step-up MFA<\/strong>, <strong>workflow approval, least privilege, secure browsing, modern session isolation and recording<\/strong>, and <strong>continuous authentication and threat detection<\/strong>.<\/p>\n\n\n\n<p>This way, we\u2019re building a <strong>defense-in-depth strategy<\/strong> that secures access to critical assets without compromising user experience.<\/p>\n\n\n\n<p>Let\u2019s keep going \ud83d\udcaa and see you in the next post.<\/p>\n\n\n\n<p>Enjoy!<\/p>\n\n\n\n<p>\u0634\u0643\u0631\u064b\u0627 \/ Thank you \/ Merci<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In Part 1 of this series, we explored the limitations of legacy approaches to securing access to privileged web applications\u2014think jump servers, hardened browsers, and connector chaos. Now it\u2019s time to move from theory to practice. 
Starting with this post, we\u2019ll walk through a series of real-world use cases, each showing how to modernize and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[9],"tags":[16],"class_list":["post-184","post","type-post","status-publish","format-standard","hentry","category-access-management","tag-cyberark-identitysecurity-pam-iam-websso-privilegedaccess-accessmanagement-cybersecurity-iamthoughts"],"_links":{"self":[{"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/posts\/184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sme-access.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=184"}],"version-history":[{"count":5,"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/posts\/184\/revisions"}],"predecessor-version":[{"id":226,"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/posts\/184\/revisions\/226"}],"wp:attachment":[{"href":"https:\/\/sme-access.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sme-access.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sme-access.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.o
rg\/{rel}","templated":true}]}}
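The three CyberArk PAM steps described in the post above (create the EPM_Priv_Web_Apps safe, add post01@sme-access.com with only List Accounts and Use Accounts, add the Generic Web App account) can also be scripted against the Privilege Cloud REST API, which is handy when many legacy web apps need onboarding. The following is an added example written for this page, not code from the post or from CyberArk. The Identity and Privilege Cloud hostnames, the OAuth client credentials and app details read from the environment, and the `GenericWebApp` platform ID are assumptions to check against your own tenant and platform list. The payload builders and the least-privilege check run offline; only the `__main__` block talks to the API.

```python
"""Added example (not code from the post or from CyberArk): script the post's three
PAM steps against the Privilege Cloud REST API. Hostnames, the OAuth client
credentials read from the environment and PLATFORM_ID are assumptions."""
import json
import os
import urllib.parse
import urllib.request

SAFE_NAME = "EPM_Priv_Web_Apps"
MEMBER = "post01@sme-access.com"
PLATFORM_ID = "GenericWebApp"  # assumption: confirm the ID under Administration > Platforms

# Every permission a safe member can hold (Privilege Cloud "Add Safe Member" body).
ALL_PERMISSIONS = (
    "useAccounts", "retrieveAccounts", "listAccounts", "addAccounts",
    "updateAccountContent", "updateAccountProperties",
    "initiateCPMAccountManagementOperations", "specifyNextAccountContent",
    "renameAccounts", "deleteAccounts", "unlockAccounts", "manageSafe",
    "manageSafeMembers", "backupSafe", "viewAuditLog", "viewSafeMembers",
    "accessWithoutConfirmation", "createFolders", "deleteFolders",
    "moveAccountsAndFolders", "requestsAuthorizationLevel1",
    "requestsAuthorizationLevel2",
)
# What the post grants the Web SSO user: list the account and use it, nothing else.
WEB_SSO_GRANTS = frozenset({"listAccounts", "useAccounts"})


def safe_payload(safe_name: str, description: str) -> dict:
    """Body for POST /PasswordVault/API/Safes: a CPM-managed safe."""
    return {
        "safeName": safe_name,
        "description": description,
        "managingCPM": "PasswordManager",  # default CPM name; rotation needs one
        "numberOfDaysRetention": 7,
        "olacEnabled": False,
    }


def member_payload(member_name: str, grants=WEB_SSO_GRANTS) -> dict:
    """Body for POST /PasswordVault/API/Safes/{safe}/Members.

    Every permission is written out as True/False so nothing is left to a
    server-side default; only the names in `grants` become True.
    """
    unknown = set(grants) - set(ALL_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown safe permission(s): {sorted(unknown)}")
    return {
        "memberName": member_name,
        "memberType": "User",
        "searchIn": "Vault",
        "permissions": {p: p in grants for p in ALL_PERMISSIONS},
    }


def account_payload(safe_name: str, app_url: str, username: str, secret: str) -> dict:
    """Body for POST /PasswordVault/API/Accounts: the app password, CPM-managed."""
    host = urllib.parse.urlsplit(app_url).netloc or app_url
    return {
        "name": f"{host}-{username}",
        "address": app_url,
        "userName": username,
        "platformId": PLATFORM_ID,
        "safeName": safe_name,
        "secretType": "password",
        "secret": secret,
        "secretManagement": {"automaticManagementEnabled": True},
    }


def is_least_privilege(permissions: dict) -> bool:
    """True only when the member holds exactly List + Use. Retrieve Accounts would
    let the user read the password in the PAM portal, bypassing the
    'Users cannot view or copy' control set on the Identity side."""
    return {name for name, on in permissions.items() if on} == set(WEB_SSO_GRANTS)


def platform_token(identity_tenant: str, client_id: str, client_secret: str) -> str:
    """OAuth2 client-credentials logon to the Identity tenant (service user)."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    url = f"https://{identity_tenant}.id.cyberark.cloud/oauth2/platformtoken"
    with urllib.request.urlopen(urllib.request.Request(url, data=form), timeout=30) as resp:
        return json.load(resp)["access_token"]


def post(base_url: str, token: str, path: str, body: dict) -> dict:
    """POST a JSON body to /PasswordVault/API/<path> with the bearer token."""
    req = urllib.request.Request(
        f"{base_url}/PasswordVault/API/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Only this block touches the network; it needs real tenant details in the environment.
    base = os.environ["PCLOUD_BASE_URL"]  # e.g. https://<subdomain>.privilegecloud.cyberark.cloud
    token = platform_token(os.environ["ID_TENANT"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    member = member_payload(MEMBER)
    if not is_least_privilege(member["permissions"]):
        raise SystemExit("refusing to add a safe member with more than List + Use")
    post(base, token, "Safes", safe_payload(SAFE_NAME, "Privileged web apps for Web SSO"))
    post(base, token, f"Safes/{SAFE_NAME}/Members", member)
    post(base, token, "Accounts", account_payload(
        SAFE_NAME, os.environ["APP_URL"], os.environ["APP_USER"], os.environ["APP_PASSWORD"]))
```

`is_least_privilege` is the scripted form of the post's "assign only List Accounts and Use Accounts" step: it refuses the member if any other permission slipped in, and writing every permission explicitly in `member_payload` means a later change to server-side defaults cannot silently widen the grant.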