Welcome to CyberArk Privilege Cloud

This topic provides an overview on Privilege Cloud, its capabilities, and architecture.


Privileged access represents the largest security vulnerability organizations face today. Privileged access exists in infrastructure and applications, whether on-premise or in the cloud. When employed properly, privileged access is used to maintain systems, facilitate automated processes, safeguard sensitive information, and ensure business continuity. But in the wrong hands, this access can be used to steal sensitive data and cause irreparable damage to the business.

Privileged access is exploited in nearly every cyber-attack. Bad actors, whether external attackers or malicious insiders, can abuse privileged access to disable security systems, to take control of critical IT infrastructure and applications, and to gain access to confidential business data and personal information.

CyberArk Privilege Cloud is a SaaS solution that enables organizations to securely store, rotate and isolate credentials (for both human and non-human users), monitor sessions, and deliver scalable risk reduction to the business.

Privilege Cloud protects, controls, and monitors privileged access across on-premises, cloud, and hybrid infrastructures.


The main capabilities of Privilege Cloud are:

Discover and manage credentials

Leverage automated tools to identify and secure privileged credentials across your organization.

Automating privileged credential rotation for both human and non-human users eliminates manually intensive, time consuming and errorprone administrative tasks, safeguarding credentials used in hybrid and cloud environments.

Isolate credentials and sessions

Elevate your security posture by establishing a secure control point to isolate sensitive sessions and prevent credential exposure.

Record and audit sessions

Reduce audit reporting efforts by automatically recording privileged sessions with a searchable log of privileged sessions.

Monitoring and recording capabilities enable security teams to view privileged sessions in real-time, and maintain a comprehensive, searchable audit trail of privileged user activity. By maintaining strict isolation between endpoints and targets, security teams can help mitigate the risk of malware spreading from infected endpoints to critical systems by never exposing endpoints (typically the weak point in the attack chain) to privileged credentials.

Secure credentials for applications and non-human users

Hard coded credentials used in homegrown applications can be removed and managed by Privilege Cloud. The solution also integrations with other leading security vendors to remove hardcoded credentials from applications when they require privileged access to perform set tasks.

Control least privilege access for *NIX and Windows

Allows privileged users to run authorized administrative commands from their native sessions while eliminating unneeded superuser privileges. It also enables organizations to block and contain attacks on Windows servers to reduce the risk of information being stolen or encrypted and held for ransom.

High-level architecture

The following diagram describes the Privilege Cloud architecture:

For a more detailed architecture diagram, see Privilege Cloud architecture.

Privilege Cloud Connector

The Privilege Cloud Connector is a server that hosts various connection components used by Privilege Cloud.

The following table describes each of the components:



Secure Tunnel

The Privilege Cloud Secure Tunnel enables you to securely connect Privilege Cloud with your LDAP and SIEM servers.

For details, see Deploy Secure Tunnel.

Central Policy Manager (CPM)

CPM changes passwords automatically on remote machines and stores the new passwords in the Privilege Cloud vault, with no human intervention, according to the organizational policy. It also enables organizations to verify passwords on remote machines, and reconcile them when necessary.

CPM is deployed as part of the Connector deployment, as described in Deploy the Privilege Cloud Connector.

Privilege Session Manager (PSM)

PSM enables organizations to secure, control, and monitor privileged access to network devices. PSM enables users to log onto remote (target) machines or open applications securely through a proxy machine. The established sessions on the target systems are fully isolated and the privileged account credentials are never exposed to the end-users or their client applications and devices.

 PSM is deployed as part of the Connector deployment, as described in Deploy the Privilege Cloud Connector. For a high availability deployment, see Set up PSM high availability

Unix Connector

The Unix Connector is a server that hosts the PSM for SSH.

PSM for SSH enables users to connect to target UNIX systems from their own workstation without interrupting their native workflow. It records all activities that occur during privileged sessions in a compact format that can be accessed by authorized auditors. It provides privileged Single Sign-On capabilities and allows users to connect to target devices without being exposed to the privileged connection password.

For details, see Deploy PSM for SSH (Unix connector).

Data retrieval

You can extract data at any time by generating reports in the Privilege Cloud Portal in CSV format. For details, see Privilege Cloud report types.

You can also use REST APIs to extract data from Privilege Cloud in JSON format. For details, see REST APIs.

If you require assistance, contact CyberArk customer support.