Essential Guide to Upgrading CyberArk Enterprise Password Vault

Cybersecurity threats never cease, so having the right vendor solutions in place to protect your enterprise is critical.

Keeping those solutions up-to-date with the latest releases/patches is just as important. That said, you need to be mindful of what each upgrade includes (is it a “must” from a security perspective, or just a “might be nice” from a feature perspective?). Not every version provides the value needed to offset the upgrade process, and the decision is unique to each organization. We often see customers upgrading for the sake of upgrading or not upgrading because they don’t have time, money, or resources. Neither of these is the best approach from a security or business value perspective. To add to the complexity, if you are several releases back it takes a considerable amount of time and energy to review the aggregate value of each release and determine the best path forward. We can help.

Because IDMWORKS serves over 750 customers, we have unique insights into how your peers are using the same vendor solutions, and what value an upgrade might provide (and what version you should be running). With all the excitement we’ve been hearing from our clients using CyberArk around newly released features and their desire to upgrade to a current version, we thought it would be an opportune moment to walk through what that upgrade might look like. To do that, we sat down with our CyberArk practice to document their insights and lessons learned across dozens of recent customer upgrades. They shared with us a set of best practices that can serve as a guide while you evaluate your own environment. And if you’d like help along the way, we’ve got you covered.

The Upgrade Process

Pre-upgrade Preparations

Before you start the process of upgrading the existing Vault implementation, we recommend you perform the following checks:

  1. If you have a very small maintenance window and have to do the upgrade in multiple stages, ensure the component server version is backward compatible. This way you don’t have to rush to upgrade the EPV and component servers all at once or in the same maintenance window.
  2. Always ensure there is a good fallback or rollover plan in place before you start the upgrade.
  3. Map the components one-to-one and ensure no components are missed in the upgrade plan or during the upgrade process.
  4. Ensure daily backups are working and vault metadata will be backed up the day of the upgrade.
  5. Ensure you have enough disk space for each upgrade on all the servers planned for the upgrade.
  6. Ensure you have the following on all the servers planned for upgrade:

     ●  Software binaries for the new version
     ●  Customer license for the new version
     ●  Documentation: an up-to-date version of the Privileged Access Security documentation
     ●  Vault Administrator account password
     ●  Windows Administrator password for all the EPV and component servers

For more details, refer to the latest version of the Privileged Access Security System Requirements document and Privileged Access Security Installation Guide.

Upgrade Process

It may sound self-serving, but even if it’s not IDMWORKS, we highly recommend leveraging trained, certified IAM pros to support you in performing an upgrade. They will have the knowledge and experience to help you avoid common pitfalls and help you realize the full value of an upgrade in a much quicker fashion.

On to the upgrade process; here is a short list of the upgrade sequence:

EPV

  1. Back up ALL CyberArk Vault files:

     ●  Safes (check the location in TSParm.ini)
     ●  Entropy file – located in the Safe folder
     ●  Server & Client installation directories

  2. Stop the following Vault-related services:

     ●  CyberArk Event Notification Engine
     ●  PrivateArk Server
     ●  PrivateArk Database
     ●  PrivateArk Remote Control
     ●  CyberArk Logic Container

  3. Run the Vault installation SET.EXE to upgrade the vault.
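
A gate to run between steps 2 and 3, as an added example (not CyberArk tooling and not from the original article): it confirms the listed services are stopped, that every file under the backed-up folders exists in the backup with a matching SHA-256 hash, and that the volume has free space. The parameter names, the backup layout (each source copied to a folder of the same name under the backup root) and the free-space threshold are assumptions.

```powershell
# Pre-upgrade gate for the Vault server. Added example; every path is supplied by you.
# Example call (placeholder paths):
#   .\Test-VaultUpgradeReady.ps1 -BackupSources 'D:\<SafesDir>','C:\<ServerDir>' -BackupRoot 'E:\<Backup>'
param(
    [Parameter(Mandatory)][string[]]$BackupSources,  # Safes folder (holds the entropy file), install dirs
    [Parameter(Mandatory)][string]$BackupRoot,       # assumed layout: <BackupRoot>\<source folder name>\...
    [int]$MinFreeGB = 20                             # assumed threshold, size it to the new binaries
)

# Display names as listed in step 2; confirm they match what services.msc shows on your build.
$vaultServices = @(
    'CyberArk Event Notification Engine', 'PrivateArk Server', 'PrivateArk Database',
    'PrivateArk Remote Control', 'CyberArk Logic Container'
)
$failures = @()

# 1. Every listed service must exist and be stopped before the installer runs.
foreach ($name in $vaultServices) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { $failures += "Service not found: $name" }
    elseif ($svc.Status -ne 'Stopped') { $failures += "Service still $($svc.Status): $name" }
}

foreach ($src in $BackupSources) {
    if (-not (Test-Path -LiteralPath $src)) { $failures += "Source missing: $src"; continue }
    $srcFull = (Resolve-Path -LiteralPath $src).Path
    $dest    = Join-Path $BackupRoot (Split-Path $srcFull -Leaf)

    # 2. Each source file must be present in the backup with an identical SHA-256 hash.
    foreach ($file in Get-ChildItem -LiteralPath $srcFull -Recurse -File) {
        $copy = Join-Path $dest $file.FullName.Substring($srcFull.Length).TrimStart('\')
        if (-not (Test-Path -LiteralPath $copy)) { $failures += "Not backed up: $($file.FullName)"; continue }
        $a = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $b = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($a -ne $b) { $failures += "Hash mismatch: $($file.FullName)" }
    }

    # 3. The volume holding this folder must have room for the upgrade.
    $freeGB = [math]::Round((Get-Item -LiteralPath $srcFull).PSDrive.Free / 1GB, 1)
    if ($freeGB -lt $MinFreeGB) { $failures += "Only $freeGB GB free on the volume holding $src" }
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Pre-upgrade gate passed: services stopped, backup verified, disk space OK.'
```

Hashing runs after the service check because the Vault files can be read reliably only once the services that hold them open are stopped.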

HA EPV

– Please see the Privileged Access Security Installation Guide

PVWA

  1. Back up the following folders and files:

     ●  The PVWA installation folder
     ●  The Log folders
     ●  Current configuration files for post-upgrade references

  2. Prerequisites:

     ●  The .NET Framework 4.5.2
     ●  Ensure the Vault is running. If not, restart the Vault, then restart IIS.

  3. From the Password Vault Web Access installation package, run the Password Vault Web Access installation to begin the upgrade.

CPM

Ensure that the PVWA is upgraded first; this ensures the CPM can install all the new platforms automatically. Then:

  1. Back up the following:

     ●  CPM installation folder
     ●  Policies folder in the PasswordManagerShared Safe that contains the CPM platform configurations

  2. Stop the following services:

     ●  CyberArk Password Manager service
     ●  CyberArk Central Policy Manager Scanner

  3. From the Policy Manager installation package, run the Central Policy Manager installation to begin the upgrade.

PSM

  1. Stop the PSM service.
  2. From the Privileged Session Manager installation package, run the Privileged Session Manager installation to begin the upgrade procedure.

PSMP

Please refer to the Privileged Access Security Installation Guide for details

DR site

Please refer to the Privileged Access Security Installation Guide for details

Post-upgrade recommendations

Once the upgrade process has been completed for each component, we recommend you perform the following tests:

  1. Log into the PVWA to verify access
  2. Perform a password change, verification and reconcile
  3. Validate DR failover
  4. Verify PSM and PSMP functionality
  5. Remove the old installation files

Conclusion

While the upgrade process itself is fairly straightforward, we’ve unfortunately seen errors that could lead to costly, and sometimes catastrophic, mistakes that are hard to recover from. That said, if you’re planning to forge ahead, here are some common pitfalls we’ve seen where upgrades were performed using in-house or improperly trained resources. Watch out for:

    • Improper backup and rollback procedures
    • Rushing to upgrade without proper planning or release management approval
    • Upgrading without understanding the need for an upgrade
    • Not following proper post-upgrade procedures such as server hardening

IDMWORKS invests a significant amount of time in testing each major and minor release before recommending which specific version a client should upgrade to. We’d love to help ensure your next upgrade is smooth, quick, and realizes maximum value in minimal time.