Vishal J Rupani

  • CyberArk Architect
  • Wayne, NJ
  • Member Since Apr 13, 2023

Candidates About

 

Vishal J Rupani

 

Areas of Expertise include:

   CyberArk

   Access & Privilege Management

 

   Identity & Directory Services

   Cybersecurity

 

Powerbroker

   Change Auditor

 

CyberArk Architect - Independent Contractor                                                                                                              2010 to Current

 

Managed Healthcare – (Undisclosed under NDA) CyberArk:  Served as Technical Leader leading technical discussions and developed solution blueprints and engineering runbooks for various projects. Work closely with internal stakeholders (Directory Services, Security, Servers, Database and other groups) and vendors to validate design, solution and implementation.

 

CyberArk Upgrade: Worked very closely with CyberArk PSO, Support and in-house security engineers to upgrade CyberArk on premise from 9.1 to 9.9.

  • Discovery includes understanding existing privileged landscape. Used tools such as Quest ChangeAuditor, Reporter and PS scripts to identify service accounts across the enterprise.
    • Gathered new architecture requirements versus existing architecture upgrade requirements, business process, documentation requirements and governance alignment across on premise and cloud. Output specifically encompass Requirements document with must have’s and nice to have’s along with change control and quality requirements.
    • Planning included designing the CyberArk components to address improving availability. The CyberArk architecture consisted of the Primary site and disaster recovery site. The Primary site consists of:
      • Clustered Enterprise Password Vault (EPV) in its own domain
      • 15 Central Password Manager (CPM)
      • 4 Password Vault Web Access (PVWA) fronted by F5
      • 15 Privileged Session Manager (PSM) across datacenters fronted by F5.
      • The DR site consists of a Vault, CPM, PVWA and PSM. DR Module was setup for replication
  • Testing & Implementation: Working closely with engineering and operations developed runbook highlighting phased approach including detailed steps to upgrade the environments from Dev, QA, UAT to production. Documented remediation errors. Specifically developed runbooks to address.
      • Injecting additional PVWA’s into the Pool
      • Rollback including step by step process to recover services in the event the upgrade was not successful. Topics included, backing up the data using PA Replicate, backing up the key folders including keys. Uninstalling the upgraded version and installing the older version into specific folders to enable the recovery of the vault and rebuilding the other components.

 

·         PCI Compliance: Designed and deployed necessary components including, CPM and PSM accessing Shared Vault.

Implementation: Worked closely with operations to deploy CyberArk.

High Level configuration overview:

§  Validated security groups in AD for CyberArk

§  Aligned placement of PSM into segmented network.

§  Aligned RD Gateway HA design to enable tunneling into the segmented network.

§  Aligned parallel accounts into new safes to support resource access into PCI compliant autonomous Directory.;

 

Insurance – (Undisclosed under NDA) CyberArk: Migrated safes from legacy CyberArk environment to target environment and enabled Autodetection.

·         Pre-requisites: Prior to performing migrations ensured the following pre-requisites were aligned.

§  Validated Cluster configuration for EPV, CPM and other components such Ark Client.

§  Validated PVWA ldap integration to directory service using dedicated service account

§  Validated Master Policy and Safes

§  Validated Backup configuration

§  Validated DR

·         Safe Migration: Migrated safes from legacy environment to test environment confirming the accounts, passwords and aligning platforms.

§  Upon successful migration, coordinated with business stakeholders and migrated safes to target.

§  Provided upper management weekly dashboard reports on safe migration status including percentage completed, pending and in progress.

 

·         Auto-Detection: Developed the runbook to enable auto-detection and automatic vaulting of newly joined servers in Active Directory. Specifically aligned the following.

§  Auto-Detection Template including safes to leverage for placing the onboarded accounts, ldap bind account, notifications among other areas.

 

·         Support: Provided knowledge transfer and third level support to operations in execution of plan. Worked closely with CyberArk support to remediate issues. Worked closely with Microsoft and AWS to enable cloud deployment successfully. Areas that required alignment included vpc, vnet and portal views.  KT topics included vault administration, PVWA common tasks among other areas.

·         Documentation: Document appropriate blueprints and runbooks including Installation Qualification.

 

Credit Card - Pharma - (Undisclosed under NDA) Risk Assessment and Auditing remediation with CyberArk: Reviewed the ADRAP key findings and aligned necessary recommendations across critical areas.

 

a.       IDM, RBAC Model and Attestation Alignment: Aligned the IDM and PAM framework. Specifically architected the Active Directory RBAC model based on Role Modeling and Role Mining.

b.       Leveraged CyberArk and Quest solution stack to achieve objectives.

·         Architected the solution to move from CyberArk 9.1 to 9.4.

o    Built lab to simulate production.

o    Deployed EPV, CPM, PVWA, PSM, AIM

o    Aligned Maser Policies

o    Defined Vault Owners, Administrators and Users. Task segregation included:

1. Create new Safes

2. Create and manage user groups in PAM system

3. Create roles and assign the roles to user groups

4. Define and apply password policies

5. Manage user provisioning and de-provisioning

6. Perform full backup and restore

7. Define and generate reports.

·         Reviewed Windows Local Connector from OIM to member servers for account reconciliation and User Access Revalidation.

o    Aligned CyberArk Safe and CPM to facilitate governance of these accounts.

·         Worked with corresponding CMDB Sme to align the synchronization of the admindisplayname attribute and admindescription data to task instructions fields in CMDB to enable cross referencing of privilege accounts and corresponding group owners.

·         Review OIM managed Active Directory attributes across separate domains and forests to ensure correct synchronization of attributes within the Identity and Management Lifecycle is achieved.

·         Aligned Roles to ARS and analyzed patterns across user population and business teams to help define technology role templates. Created Access database and corresponding Sql queries to map users to existing roles and enable reporting of roles to business units.

c.        IVR: Participated in the IVR initiative to enable users to manage and change password use Voice, Two factor authentication and OTP (One-time Password). Worked with InfoSec to define pin and password strengths and constraints within the IVR solution.

d.       Auditing & Monitoring: Spearheaded design and implemented CyberArk Event Notification and Quest ChangeAuditor for Active Directory, key elements include:

·         Architecture (Layout, redundancy, sizing), Alert management

·         Developing test scenarios and documenting test results along with IQOQ to Quality

·         Proactively reviewed configuration refinements, database growth and event storms

 

Eisai - Integration & Consolidation: Worked on the integration of non-windows servers into Active Director using Centrify DirectControl. Deployed agents on Linux servers to enable ldap authentication to Active Directory and created zones for administrative control. Whitelisted commands based on admin roles per RBAC model.

 

  • Evaluated the feasibility of consolidating or decommissioning systems prior to the move. Executed the consolidation and or decommissioning if systems met predefined criteria from technology and business groups. Designed systems to achieve more availability by splitting certain services and introducing more redundant localized as well as remote services.

 

PG&E Utility - Privilege Management: Designed and deployed Powerbroker for Windows to server and end user computing environment. Deployed PB to 30000 client machines and enrolled 1200 windows servers, leveraged PB data-warehouse to gather user initiated privileged actions to build corresponding rules.

  • Designed backend environment encompassing SQL, SSRS, SSAS and IIS.

·         Configured necessary Rules and Collections

o    Rules included publisher and path related

o    Whitelist and blacklist creations

o    Staggered deployment of agent’s enterprise wide

o    Aligned operations and helpdesk to support the product

o    Created corresponding BeyondTrust Admin consoles with the GPO extensions to manage Powerbroker for Windows.

 

Aetna - Identity Consolidation and Password Synchronization: Researched, evaluated, proposed, architected and implementation the consolidation of identify across different operating companies.

  • Specifically evaluated SpecOps, iGoodworks and Dells Quick Connect.
  • Piloted Dells Quick Connected and rolled out the solution in production enabling users to synchronize passwords based on the employee attribute across directories.

 

1994-2009: Listed for Work History only: Ernst & Young, Quest Diagnostics, Minolta Corporation, Expanets, Memorial Sloan Kettering Cancer Center among others.

                                                                               

 

EDUCATION:

2017                       CyberArk Self-Paced and Individual Training

 

1996                       William Paterson                                                                                                                                  Wayne, NJ

·         Bachelor of Arts

 

Certifications

·         Pursuing MCSE 2012

·         MCP: Passed 70-410 (Current)

·         Working on 70-411

·         MCSE in Windows 2000 and Windows 2003

·         Sniffer Certified Professional (SCP)

·         Cisco Certified Network Associate