Welcome to CyberArk Privilege Cloud
This topic provides an overview of Privilege Cloud, its capabilities, and its architecture.
Overview
Privileged access represents the largest security vulnerability organizations face today. Privileged access exists in infrastructure and applications, whether on-premise or in the cloud. When employed properly, privileged access is used to maintain systems, facilitate automated processes, safeguard sensitive information, and ensure business continuity. But in the wrong hands, this access can be used to steal sensitive data and cause irreparable damage to the business.
Privileged access is exploited in nearly every cyber-attack. Bad actors, whether external attackers or malicious insiders, can abuse privileged access to disable security systems, to take control of critical IT infrastructure and applications, and to gain access to confidential business data and personal information.
CyberArk Privilege Cloud is a SaaS solution that enables organizations to securely store, rotate and isolate credentials (for both human and non-human users), monitor sessions, and deliver scalable risk reduction to the business.
Privilege Cloud protects, controls, and monitors privileged access across on-premises, cloud, and hybrid infrastructures.
Capabilities
The main capabilities of Privilege Cloud are:
| Capability | Description |
|---|---|
| Discover and manage credentials | Leverage automated tools to identify and secure privileged credentials across your organization. Automating privileged credential rotation for both human and non-human users eliminates manual, time-consuming and error-prone administrative tasks, safeguarding credentials used in hybrid and cloud environments. |
| Isolate credentials and sessions | Elevate your security posture by establishing a secure control point to isolate sensitive sessions and prevent credential exposure. |
| Record and audit sessions | Reduce audit reporting efforts by automatically recording privileged sessions and keeping a searchable log of them. Monitoring and recording capabilities enable security teams to view privileged sessions in real time and maintain a comprehensive, searchable audit trail of privileged user activity. By maintaining strict isolation between endpoints and targets, security teams can help mitigate the risk of malware spreading from infected endpoints to critical systems, because endpoints (typically the weak point in the attack chain) are never exposed to privileged credentials. |
| Secure credentials for applications and non-human users | Hard-coded credentials used in homegrown applications can be removed and managed by Privilege Cloud. The solution also integrates with other leading security vendors to remove hard-coded credentials from applications when they require privileged access to perform set tasks. |
| Control least privilege access for *NIX and Windows | Allows privileged users to run authorized administrative commands from their native sessions while eliminating unneeded superuser privileges. It also enables organizations to block and contain attacks on Windows servers to reduce the risk of information being stolen or encrypted and held for ransom. |
CyberArk Identity Security Platform Shared Services
CyberArk Identity Security Platform Shared Services unify administrative processes across CyberArk SaaS solutions to drive operational efficiencies for security teams.
The following shared services support CyberArk’s hosted business services:
| Service | Description |
|---|---|
| Identity Security Intelligence | Offers AI-powered detection, investigation, and response to anomalous or risky behavior |
| Audit | Organizes all session data needed to satisfy audit and compliance |
| Identity Administration | Provides consistent identity management, authentication, and authorization layers |
Privilege Cloud on shared services is part of the extended CyberArk solution that offers a single administrative experience for multiple services.
Connectors
Privilege Cloud Connector
The Privilege Cloud Connector is a server that hosts various connection components used by Privilege Cloud.
The following table describes each of the components:
| Component | Description |
|---|---|
| Secure Tunnel | The Privilege Cloud Secure Tunnel enables you to securely connect Privilege Cloud with your SIEM servers. For details, see Deploy Secure Tunnel. |
| Central Policy Manager (CPM) | CPM changes passwords automatically on remote machines and stores the new passwords in the Privilege Cloud vault, with no human intervention, according to the organizational policy. It also enables organizations to verify passwords on remote machines and reconcile them when necessary. CPM is deployed as part of the Connector deployment, as described in Deploy the Privilege Cloud Connector. |
| Privileged Session Manager (PSM) | PSM enables organizations to secure, control, and monitor privileged access to network devices. PSM enables users to log onto remote (target) machines or open applications securely through a proxy machine. The established sessions on the target systems are fully isolated, and the privileged account credentials are never exposed to the end users or their client applications and devices. PSM is deployed as part of the Connector deployment, as described in Deploy the Privilege Cloud Connector. For a high availability deployment, see Set up PSM high availability. |
CyberArk Identity Connector
The CyberArk Identity Connector is used for integrating with your Active Directory server for user provisioning. It is deployed on the same machine as the Privilege Cloud Connector.
For details, see Deploy the CyberArk Identity Connector to add Active Directory users.
Unix Connector
The Unix Connector is a server that hosts the PSM for SSH.
PSM for SSH enables users to connect to target UNIX systems from their own workstation without interrupting their native workflow. It records all activities that occur during privileged sessions in a compact format that can be accessed by authorized auditors. It provides privileged Single Sign-On capabilities and allows users to connect to target devices without being exposed to the privileged connection password.
For details, see Deploy PSM for SSH (Unix connector).
Data retrieval
You can extract data at any time by generating reports in the Privilege Cloud Portal in CSV format. For details, see Privilege Cloud report types.
You can also use REST APIs to extract data from Privilege Cloud in JSON format. For details, see REST APIs.
If you require assistance, contact CyberArk customer support.