What's new

This section describes the new features and enhancements for each Privilege Cloud release.

2023 releases

July 2023 - Version 13.2

Connect using non-sticky sessions

Privilege Cloud Connector also enables communication over port 1858/TCP using non-sticky sessions. This means that outbound traffic from the customer's network to the Connector no longer depends on routing out to the internet through one static IP source. This simplifies installations and prerequisites to deploy Privilege Cloud Connectors.

See Outbound traffic network and port requirements.

Deployment and upgrade enhancements

Feature	Description
PSM Deployment on Windows Server 2022	Increasing the supportability matrix for PSM, you can now install the PSM component on Windows Server 2022 operating system. See Privilege Cloud software requirements.
Simpler PSM upgrade with automatic AppLocker configuration merge	The PSM secures its operational environment by using Windows AppLocker, which defines a set of rules that allow or deny applications from running on the PSM machine. CyberArk periodically updates the AppLocker to enhance product security. As of v13.2, when upgrading the PSM, you can automatically merge any custom changes that were made in your PSMConfigureAppLocker.xml file. All custom additions or changes are merged into the latest version of the xml file, allowing you to seamlessly retain your customized configurations and approved applications. See updated upgrade steps for: Upgrade PSM for Connector v12.7 and later Upgrade PSM for Connector v12.6 and earlier

Secure Tunnel enhancements

The new Secure Tunnel version 3.1 offers the following enhancements:

• Authenticate to Privilege Cloud using the system subdomain, in addition to the existing Customer ID authentication option.

• Option to connect through a proxy server and resolve DNS connection through proxy, for customers that want to limit external traffic from the Connector.

See Deploy Secure Tunnel

Simultaneous multi-audit of PSM sessions

To increase compliance and session auditing coverage, you can now monitor sessions simultaneously, using full audit capabilities: keystrokes, Windows titles, and SQL commands where applicable, providing a more holistic view of session activities.

See Configure recordings and audits (Windows and *NIX).

PSM for SSH deployment on SUSE 15 SP4

PSM for SSH now supports an updated service pack of SUSE 15 Operation system, SP4. See Supported Operating Systems.

Accessibility Improvement

Privilege Cloud Portal accessibility has been improved in this release and it is now WCAG 2.1 compliant for contrast and screen reader on the Accounts, CreateRequest, MyRequest and Incoming Requests pages.

Web Application framework improvements

The Web Application connection components and CPM plugin framework provide a simple way to create new PSM connection components for web and password management plugins (CPM plug-in) for web-based applications without needing any developer expertise or experience.

CyberArk has enhanced the Web framework to enable you to build custom conditional logic for the plugin or connection component, based on your web application conditional behavior.

To gain this new capability, download the latest frameworks from the Marketplace:

• Web Application connection components

• CPM plugin framework

Amazon Web Sevices (AWS) console with STS

The AWS STS connection component enables an end user to log in to the AWS platform using a secured connection from an internet browser via a PSM monitored session.

We have updated the AWS SDK third-party component that is used by the AWS STS to enhance security and apply technological improvements.

Download the latest AWS STS connection component from the Marketplace.

May 2023 - Version 13.1 update

April 2023 - Version 13.1 update

Privilege Cloud Service status page provides updates on service-wide incidents, issues, and planned activities.

March 2023 - Version 13.1 update

The following features are introduced or enhanced in CyberArkPrivilege Cloud version 13.1.

Windows 2022 Server target support

Privilege Cloud now supports Windows Server 2022 as a managed target system, including:

• Management of target accounts

• Management of service accounts, for example Windows Services

• Connecting through PSM to a target account

Support is backward-compatible and does not require any upgrade.

SAP Netweaver password management

The SAP NetWeaver plugin manages SAP NetWeaver ABAP, Java and Dialog privileged accounts.

The plugin now supports managing SAP application server accounts through SAP routers and SAP message servers (MS).

For more information, see SAP applications plugin.

CyberArk Endpoint Privilege Manager (EPM) password management

The CyberArk Endpoint Privilege Manager (EPM) for SaaS plugin enables admins to manage CyberArk Endpoint Privilege Manager (EPM) privileged accounts for SaaS users. This plugin is now officially supported by CyberArk.

January-February 2023 - Version 13.0 update

The following features are added to CyberArkPrivilege Cloud version 13.0, in addition to the original version 13.0 December release.

Install DPA connector on the Privilege Cloud Connector machine

You can now install your DPA connector on the same machine where you installed the Privilege Cloud Connector. This functionality reduces the system's footprint as only one machine is needed for both DPA and Privilege Cloud connectors.

This option is available when the Privilege Cloud Connector machine is within the domain.

Rocky Linux support for PSM for SSH

Starting from this version, PSM for SSH supports Rocky Linux 8.6.

Privilege Cloud data center in Milan

CyberArk has added a new data center in Milan to meet the market demand in the EMEA region.

2022 releases

December 2022 - Version 13.0

The following features are introduced or enhanced in CyberArk Privilege Cloud version 13.0.

Increased concurrency for web application sessions

To accommodate the expanding use of web-based connections, CyberArk has updated the Connector server specifications and has increased the number of concurrent web application sessions that are supported on a single connector.

Updated Chrome implementation specifications:

• For small implementation, the maximum total number of Chrome sessions per PSM server is increased to 15 concurrent connections.

• For mid-range implementation, the maximum total number of Chrome sessions per PSM server is increased to 45 concurrent connections.

• For large implementation, the maximum total number of Chrome sessions per PSM server is increased to 90 concurrent connections.

  To learn more, see Connector server's specification.

Amazon Web Services (AWS) Access Keys

The Amazon Web Services Access keys are long-term credentials for an Identity and Access Management (IAM) user or the AWS account root user. In this version we enhanced the current Access Keys plugin to allow changing the default AWS region in which the plugin is configured.

To learn more, see AWS access keys.

*NIX and SSH Keys

We have expanded the list of target machines that can be managed using *NIX and SSH Keys plugins. In addition to previously supported platforms, customers can now manage *NIX machines also on IBM AIX 7.3 and RHEL 8.4 platforms.

SAP GUI connector

The SAP GUI Connector enables users to set up a secure session to a SAP GUI client. The connector is supported on the latest SAP GUI platform version 7.7.

New User experience for application authentication configuration

When creating and editing applications you can follow from the Privilege Cloud’s Applications page, the system shows you how to follow the best security practices. To learn more, see Credential Providers Security overview.

When performing a bulk upload of applications, the system displays alerts regarding non-adherence to security best practices.

October 2022 - Version 12.7

New self-service configuration options

We continue to expand Customers self-service capabilities by adding more useful categories for independent system experience configuration without involving CyberArk support.

The following configuration options are now available for independent administrative control:

Area	Description
Reports	Define reports generation parameters to limit number of records, or display parameters such as columns selection, column names editing, reports colors, description, and sort by. To learn more, see Configure report settings.
Applications List and Application Details UI Configuration	Configure the Applications List and the Application Details pages in the Privilege Cloud Portal. For example, you can now configure which authentications to display on the Applications List page. To learn more, see Configure displayed authentications on the Applications page and Applications page parameters.

July 2022 - Version 12.6

Self service Configuration Options

Self-service capabilities are getting more focus, and customers can now configure system experience and functionality at any time without involving CyberArk support.

The following configuration options are now available for independent administrative control:

Area	Description
Search Properties	Configure parameters to define account search properties for searching for an account. To learn more, see Add accounts search properties
Dual Control	Configure parameters to define dual control access to accounts. You can now define connection request creation, request view and confirmation properties such as request timeframe settings, request mandatory specifications and more. To learn more, see Dual control properties
Ticketing Systems	Configure parameters to implement ServiceNow ticketing system. This integration enables dual control workflows using ticket creation and approval flows. To learn more, see: Ticketing system properties Enable ticket validation and dual control
Account UI Preferences	You can configure the information an end user can see and the actions that an end user can perform in the Accounts  pages. For example, number of accounts displayed, or which types of views will be displayed. To learn more, see Configure the Accounts pages
Connection Components	Configure privileged SSO to remote devices for a specific connection component, such as PSM-RDP or PSM-SSH. Related connection component available configurations: user parameters, target settings, Web Form settings and more. To learn more, see PSM and PSM for SSH connector properties
Privileged Session Management UI	Configure parameters to define how PSM related items are displayed in the Privilege Cloud portal, and the user experience in privileged sessions. To learn more, see Configure the PSM user experience
Privileged Session Management	Configure parameters to define PSM and PSM for SSH settings: recording properties, live sessions properties, monitoring sessions properties and many more. To learn more, see: Set maximum session records to display Configure live session monitoring Configure recordings and audits (Windows and UNIX)

Terminate privileged session after dual control timeframe expiration

Controlling the timeframe in which end users access the organization's assets is important from an accountability and compliance perspective.

In this version, in addition to enforcing when a user can start their privileged session with an account, you now have the option to enforce the Dual Control request's timeframe that is associated with the session, and trigger session termination once that threshold is reached.

To learn more, see Terminate privileged session after dual control timeframe expiration.

Secure web applications connection Component and CPM Plugins support for both Edge and Chrome browsers

The Web Application Connection Components and CPM Plugin Frameworks provide a simple way to create new PSM Connection components for web and password management plugins (CPM plug-in) for web based and SaaS applications without needing any developer expertise or experience.

We have updated these frameworks to support both Chrome (version 100 and above) and Edge browsers (version 103 and above).

To learn more, see Web Application CPM Plugin Framework and Secure Web Application Connectors Framework.

April 2022 - Version 12.5

The following features are introduced or enhanced in CyberArk Privilege Cloud version 12.5.

Simpified Safe Management user interface

The new Safe Management user interface aligns with the new Privilege Cloud look and feel for a cleaner and more modern look. The new user interface offers a wizard-led workflow that provides an end-to-end Safe management experience.

The new Safes view in the Privilege Cloud Privilege Cloud Portal replaces the classic interface and offers extended management capabilities, to:

• Create and edit Safes within a new flexible workflow supported by wizard-led steps.

  

• Easily assign members to Safes thanks to enhanced user filtering capabilities.

  

• Manage Safe members and permissions as part of the Safe creation and editing flow. Permissions are easier to manage thanks to predefined permission sets (Read only, Approver, Account manager, Full, Customized).

  

Telemetry tool enhancements offer increased visibility into password management

New features and viewing options enable Privilege Cloud customers to gain additional value from CyberArk's Telemetry tool. Newly added password management policy-related attributes allow customers to analyze overall password security levels and gain actionable insights.

Newly added metrics include:

ServiceNow Rome and San Diego versions support

Integrating a privileged accounts workflow with ServiceNow Incident Management and Change Management is now supported for the Rome & San Diego versions.

Rest APIs

This version enhances API support by adding the following APIs:

API	Value description
User management APIs	Disable User - Disables a specific user in the Vault. Enable User - Enables a disabled user in the Vault.
Account management API	Get Account REST API is enhanced in this version, allowing to filter the returned list according to Saved Filters. Over 20 Saved Filters enable you to display accounts according to predefined criteria, based on account and operation status, such as Deleted, DisabledPasswordByCPM, and ScheduledForReconcile.
SCIM API	Get Group Details API retrieves the details of a specific user group according to group ID.

Secure Tunnel version 3.0

CyberArk Secure Tunnel is enhanced with the following expansions and improvements:

• Expanded capacity - Supporting 30 Active Directory connections (raised from 20)

• Fixes and improvements for improved secure connection with your LDAP, SIEM, and RADIUS servers

Dual Account templates

For critical business applications that must be highly available and use Secrets Manager Credential Providers or Conjur Enterprise, we recommend using dual accounts. To simplify the configuration, we now offer a way to configure and implement dual accounts using a template and scripts located on the CyberArk Marketplace. The template and scripts ease the configuration process and reduce the required manual steps.

For more information, see Configure dual accounts.

2021 releases

August 2021 - Version 12.2

CyberArk Telemetry tool

Within the Technical Community, Privilege Cloud customers can now see data about adoption, time to value, component usage, license utilization and more. The Telemetry tool is a dashboard that presents this information in an easy-to-consume way, with additional information including compliance status for managed accounts, used platforms and plugins, and logged on users.

New and unified user interface

As the number of CyberArk solutions grows, the look and feel, as well as the consistency and continuity across the CyberArk Identity Security platform becomes even more critical.

We have now introduced a clean, modern, and more accessible look and feel for the Privilege Cloud Portal. The new design will be aligned with Identity, Remote Access, Endpoint Privilege Manager and Cloud Entitlements Manager offerings, and will include:

• New look for the Application layout

• New look for the Filters and Search in all pages

• New and accessible colors contrast and backgrounds

• Deprecation of the comfortable and compact view.

Some screens have not been changed and will be redesigned in the future.

We also have introduced a new Safes view to list Safes along with the assigned CPM server and description

• Single pane of glass for Safe details

• Manage permissions of existing Safe members

To learn more, see Create Safes and assign access.

Link and unlink accounts in Account Details page

As an ongoing mission to simplify the user experience, we have added the ability to create linked accounts. Linked accounts are needed when there is more than one account for the password management process. Users can now select an account to associate as a Linked Account.

To learn more, see Linked accounts.

Linking and unlinking of accounts can also be done using Linked accounts REST APIs.

ServiceNow Quebec support

Integrating the privileged accounts workflow with ServiceNow Incident Management and Change Management is now supported for the Quebec version. The ServiceNow integration is now available in the CyberArk Marketplace.

REST APIs    

This release includes several improvements in our REST API Web services around the User Management, Safes ,and Accounts areas for easier automation and usage.

The following new APIs were added:

API	Description
Get Safe details	Retrieves the details of a single Safe
Get Safe member	Retrieves the set of permissions a member has for a Safe
Update Safe member	Updates the set of permissions a member has for a Safe
Delete Safe member	Removes all permissions a member has for a Safe
Update Safe	Updates a Safe's details

We also enhanced the following APIs:

API	Description
Add account group	We expanded this REST API to add Account Group with Policy Type of Rotational Group in addition to PolicyType of Group. This enables our customers to add Rotational Groups via REST APIs. Rotational group platforms are associated with a group of accounts where the credentials are changed asynchronously.  This is beneficial in a dual account deployment.
Get users	Added ability to filter by user name and added sort options
Get groups	Added sort options

Managing Google Cloud Platform (GCP) IAM users    

We've introduced a new plugin that can manage passwords for Google Cloud Platform (GCP) IAM users when the IAM user is enabled, or not, with MFA. The plugin is available on the CyberArk Marketplace.

To learn more, see Google Cloud Platform (GCP) - Account management plugin.

Managing MS SQL 2019 passwords

MSSQL 2019 database is now officially supported with our existing MSSQL ODBC plugin. This applies to the MSSQL ODBC 13.1 The plugin is available on the CyberArk Marketplace.

Set a global PSM default connection method (RDP file or HTML5)

Until now, when configuring remote access all connections were established exclusively with HTML5 Gateway and Privilege Cloud admins needed to manually set a toggle to work with both connection methods (for example, HTML5 for remote access and RDP file for working within the network).

In this release, the default connection method is set to RDP, so when you configure remote access, all you need to do is configure the toggle on specific platforms. However, you can also choose to set the default connection method to HTML5, which can be easily done for you by CyberArk support.

Remote access connections - troubleshooting

During remote access connections, if an error occurred, the session was closed immediately. Now session error codes are displayed in the HTML5 connection tab when the end-user fails to establish a connection. The end-user sees the error message code and admins can then use the error code to troubleshoot the issue.

To learn more, see Troubleshooting connection issues.

Improved User Experience in PSM for SSH when integrating with Ticketing systems

In this version we added a retry mechanism that enables users to correct and re-enter the ticket ID when it includes invalid control characters, such as backspace or escape. This ensures session continuity and prevents the need to reconnect and initiate a new session to correct the entered Ticket ID. In addition, the retry mechanism is configurable and enables you to set the maximal number of retries.

Migration support for Conjur Enterprise with Privilege Cloud’s hybrid SaaS offering

If you have Conjur Enterprise deployed alongside your self-hosted PAM environment, you can now migrate to Privilege Cloud while supporting the same Conjur Enterprise deployment.

To learn more, see Conjur Enterprise V12.2.

June 2021

Offline access to privileged accounts

CyberArk Privilege Cloud is where customers manage their “keys to the kingdom” credentials, some of which are needed for critical operations and business continuity.

While our solution offers high availability and resiliency, we want to make sure that you can access business-critical accounts in those rare cases when the service is unavailable or if the user has no connectivity ("offline"). Utilizing the new CyberArk Mobile app, CyberArk now provides access to credentials even when Privilege Cloud is unavailable. Within the app, users can see the list of accounts to which they have permissions and select those that will be available for offline access. The Mobile app securely stores credential, protected with multi-factor and biometric authentication. When Privilege Cloud is unavailable, users can retrieve the stored credentials from the app and use them to connect directly to remote machines.

See Connect when Privilege Cloud is unavailable for more details for the end user. See Configure offline access to target machines for more details for the administrator. See Remote Access What's new for more details on the Mobile app release.

This capability is subject to additional license fees. personal privileged you CyberArk representative to inquire about it.

Privilege CloudConnector version 12.1.1 available

Privilege Cloud Connector version 12.1.1 is now available. Refer to Privilege CloudConnector end of life dates to determine the best time for you to upgrade your Connector.

For additional information about this release, see Release notes.

May 2021 - Version 12.1

New System Health dashboard

This release introduces a new System Health page, which provides administrators with a high-level health status report of the different components in Privilege Cloud and Secrets Manager Credential Providers environments.

Administrators can also reset passwords for the CyberArk component applicative users directly from the System Health dashboard. This helps streamline recovery from Privilege Cloud components connectivity issues.

To learn more, see Monitor system health.

ServiceNow Paris version support

Integrating a privileged accounts workflow with ServiceNow Incident Management and Change Management is now supported for the Paris version.

The ServiceNow Paris version integration is now available in the CyberArk Marketplace.

Accessibility improvements for the Accounts page

This release includes several accessibility improvements. We added missing tooltips to several attributes in our Accounts page.

Privileged Session Manager for SSH connections with modern authentication methods, including SAML, and single multi-factor authentication to multiple targets

To use these capabilities, *nix administrators who access target servers through PSM for SSH will either start by accessing the Privilege Cloud Portal and selecting the required authentication method, generate an SSH Key with a pre-configured validity period that will be used to connect through PSM for SSH to any target server authorized for them or by using a dedicated REST APIs for generating the SSH key. For greater security, admins can protect the generated SSH key with a passphrase and proactively invalidate it in case of an incident. These capabilities for modern authentication and MFA caching for PSM for SSH can be achieved with any authentication method supported by Privilege Cloud, via the Privilege Cloud Portal or API.

Platform Management enhancements

In this version we expanded the Platform Management interface to include access workflow policies indications, showing workflow-related settings and exceptions for each platform. This enables customers, using a single pane of glass, to gain better visibility of a platform and its effective policy.

In addition, Import Platform now supports importing Group and Rotation Group platforms in both the UI and the Rest API.

REST API

This release includes several improvements in our Safes, accounts, and User Management REST API Web services for easier automation and usage.

Get secret versions (New)	Returns the versions of the account's secret.
Link an account (New)	Enables you to associate an existing account as a linked account of a different account. The linked account can be a Reconcile Account, a Logon Account or any other linked account defined on the platform level.
Delete Safe (New)	Deletes an existing empty Safe.
Add Safe member (New)	Adds a user or a group as a member with a specific set of permissions to an existing Safe.
Delete discovered accounts (New)	Enables Admins to clear all Discovered Accounts and their dependencies from the Pending List.
Get all Safes (New)	Returns a list of all Safes the requested user has permissions to view. This API is available with several capabilities, such as paging and searching according to specified values to create a more precise list.
Add Safe (New)	Enables the user to create a new Safe.
Get all Safe members (New)	Returns a list of all the members of a specific Safe.
Update group (New)	Enables the user to edit the name of an existing group.
Get users (Updated)	In addition to the information this API provides, for each user in the returned list the API also returns the groups the user is a member of.
Get groups (Updated)	In addition to the information this API provides, for each group in the returned list the API also returns the users that are members of the group.

Generate Password REST API

This version introduces an option to generate an account password using REST API.

To generate a password for managed accounts, you can now call the Generate Password REST API and send the account ID details.

The API retrieves the account's old password and determines the new password complexity according to the account's platform policy.

To learn more, see Generate password.

Manage VMWare ESX/i 6.7 and 7.0 accounts

Management of VMWare ESX/i root and local privileged accounts via the ESX/i REST API and CLI is now supported for ESX/i 6.7 and ESX/i 7.0.

To learn more, see VMWare ESX/i.

The CPM plugin is now available in the CyberArk Marketplace.

PSM for SSH deployment on Red Hat Enterprise Linux 8 and CentOS 8

Customers transitioning or upgrading their Linux environments to the latest Red Hat Enterprise Linux 8 OS edition or CentOS 8 can now leverage the secure and native access capabilities of PSM for SSH by deploying it on these OS versions. This is applicable for Red Hat Enterprise Linux 8.0, 8.1, and 8.2 and CentOS 8.0, 8.1, and 8.2.

SSH Key Authentication to PSM for SSH in using your own SSHD

PSM for SSH installation can coexist with the operating system's original SSH daemon (SSHD) without replacing it. Customers who use SSH key authentication to CyberArk in PSM for SSH connections can now do so using their own SSHD version.

This is only supported for SSHD version 7.8 or above.

Support for OpenSSH 7.8 and above default SSH key format

Starting from this version, PSM for SSH supports the new default OpenSSH SSH key format both for authenticating to PSM for SSH and for connecting to target machines using PSM for SSH's OpenSSH client application.

Additional information about this format can be found in the OpenSSH 7.8 release notes.

This format is not supported by CPM and PSM and can only be used for PSM for SSH native connections.

Manage AWS root user account enforced with MFA

The AWS account root user is the secret zero, the AWS account owner who has full access to all resources in the account. AWS recommends not to use the root user, not to share the user, to use a strong password and to enable Multi-factor Authentication (MFA). These are great recommendations, but manually managing the user is still a risk, since there is always the human factor, which most of the time is the weakest link.

We are happy to release a new plugin that can automatically manage the AWS account root user password even if it is enforced with MFA by leveraging Time-based One-time Password (TOTP).

The plugin is available on CyberArk Marketplace.

Support MFA for Azure and AWS IAM users

Azure and AWS PSM connectors now support logging in to the cloud console with the IAM user enforced with Multi-factor Authentication (MFA). The user must enter the MFA code during the login sequence, therefore this step will be promoted to the user via the RDP session.

2020 releases

December 2020

The following features and enhancements are included in the Privilege Cloud December 2020 release:

Bulk upload of accounts

There is a frequent need to upload a large number of known accounts into Privilege Cloud from an existing repository. This is especially valuable during early stages of implementing Privilege Cloud, migrating from another PAM solution, or onboarding a new department into the Privilege Cloud solution.

To address this challenge, we have introduced a new Bulk Upload of Accounts option within Privilege Cloud Portal. Using the Bulk Upload operation reduces 50% of the onboarding time in Privilege Cloud Portal compared to existing REST APIs scripts, and enables a much faster roll-out of PAM programs.

The new Bulk Upload of Accounts option includes a dedicated UI where the user can download a sample file, review the process status, and download a detailed result file with the failed accounts.

In addition, the Bulk Upload is asynchronous and enables customers to disconnect from Privilege Cloud Portal while the onboarding request still runs in the background, ensuring that all accounts are onboarded.

We want to encourage you to use the Bulk Upload method and promote its use in REST API-based solutions.

The available REST APIs are:

Create bulk upload of accounts	Enables a user to add multiple accounts to existing Safes and groups.
Get bulk account upload result	Checks the status of a single bulk account upload and returns the results.
Get all bulk account uploads for user	Returns the status of all bulk account uploads that the user performed.

To learn more, see Add multiple accounts from a file.

Platform Management - search and filters

In this release we've added filtering capabilities to target platforms and the ability to search according to platform types.

To learn more, see Manage platforms.

Export discovered accounts

To better understand and share the progress in the deployment and onboarding of privileged accounts, customers are now able to extract and export the Pending Accounts list using two new REST APIs. The ability to export this list provides administrators an easier and more accessible way to manipulate the output data according to their needs, prioritizing and delegating the discovered accounts to multiple teams for better and faster coordination during the onboarding process.

In addition, administrators can provide valuable insights to their management, as well as demonstrate a return on investment (ROI) for their work on the Privilege Cloud implementation by tracking metrics such as the number of privileged and non-privileged, local, or domain accounts, or SSH keys that are still waiting to be onboarded and protected.

The available REST APIs are:

Get discovered accounts	Returns a list of all discovered accounts from the Pending Accounts list.
Get discovered account details	Returns information about a specific discovered account and its dependencies from the Pending Accounts list.

These APIs support capabilities such as paging, filtering, and searching according to specified values to create a more focused list.

Azure Discovered Accounts

Discovered Accounts APIs now support Microsoft Azure Active Directory (Azure AD) users.

The enhanced REST APIs are:

Add discovered accounts	An API that enables you to add newly discovered accounts including Azure Active Directory (Azure AD) users to the Pending Accounts list in Privilege Cloud Portal.
Get discovered accounts	An API that returns a list of all discovered accounts from the Pending Accounts list, including Azure Active Directory (Azure AD).

Management of Windows Domain accounts with Kerberos

We are happy to introduce a new Windows CPM plugin for managing Windows domain accounts over LDAP.

The new plugin enables you to manage members of protected user groups over Kerberos and TLS/SSL.

Protected Users is a global security group and its primary function is to prevent users' credentials from being abused on the devices where they log in.

To learn more, see Windows Domain Accounts via LDAP.

Credential rotation for IAM users with MFA

MFA mitigates risks associated with password-only authentication methods by requiring additional factors of authentication.

More and more organizations are turning to MFA to secure their cloud environments and protect against unauthorized access, data breaches, and password-based cyber-attacks.

Credential management for the following cloud IAM users and keys authenticating to cloud consoles with MFA, is now supported for all of CyberArk out-of-the-box cloud plugins:

• Amazon Web Services (AWS) IAM passwords and access keys

• Microsoft Azure Active Directory user passwords and application keys

• Google Cloud Platform (GCP) service accounts

To enhance the credential rotation of Azure Active Directory accounts, we have added keys support for logon and account reconciliation to Azure plugins.

To learn more, see Microsoft Azure Password Management and Microsoft Azure Application Keys.

Automatic Check-in in PSM sessions with exclusive access

The Enforce check-in/check-out exclusive access policy in the Master Policy enables organizations to restrict account credentials' use to a single user at a time.

In PSM sessions, until now, the credentials were locked automatically when the user connected with an account, but users had to manually check in the credentials to the Vault to release the account.

In this release we simplified the end-users' experience significantly by ensuring that once the PSM session ends, the account is automatically checked in without any user intervention.

To learn more, see Automatically unlock accounts.

Run custom code prior to connection when accessing Web applications through PSM

PSM can connect to Web applications using custom-built connectors. In some cases, there is a need to invoke custom operations before the actual connection to the target occurs, such as creating a temporary user just-in-time and using it for access. PSM connectors for Web applications can now be configured to run custom code prior to logging in to the target and can even provide on-the-fly data for the login process.

The Secure Web Application Connectors Framework PSM can be found in the CyberArk Marketplace.

Docs enhancements

Our documentation now employs a new SearchUnify custom search engine, which enables you to: 

• Search for content across all products
• Filter search results by product and category
• Perform advanced searches

Like Google, SearchUnify provides:

• ‘Did you mean’ functionality
• Auto suggestions

Released components

Component	Version
CyberArk Privilege Cloud Connector	11.7.0.1
CyberArk Secure Tunnel	2.0.1

September 2020

The following features and enhancements are included in the Privilege Cloud September 2020 release:

Alero integration for remote vendor access

In addition to supporting remote access for employees, we now integrate with CyberArk Alero to support remote access for vendors. Providing a way to access the organization’s assets in a secure way, with no additional footprint on the customer’s premise.

This integration provides full audit capabilities and session isolation for sensitive assets that enable remote vendors VPN-less access while leveraging Zero-Trust access, JIT Provisioning, and biometric Multi-Factor Authentication.

To learn more, see Configure remote access for vendors.

EPM integration for securing loosely connected devices

One of the most common activities for managing local admin credentials is changing them on a regular basis. The mobility strategy that most organizations employ allows employees to work from any location, making it difficult to enforce the credentials policy because endpoints are not always accessible from the organization network.

To mitigate this issue, the CyberArk Endpoint Privilege Manager (EPM) integrates with Privilege Cloud to manage these Windows and Mac devices and change passwords as required, according to the organization policy.

To learn more, see Manage loosely connected devices.

Detailed email notifications

The Privilege Cloud event email notification service now provides detailed information on various events, including direct link URLs, to simplify the administrator's workflow and approval process. For example, when a request to access an account is being submitted, the approver receives an email with a link to the specific request.

To learn more, see Email notifications.

Privilege Cloud data center in Japan

We've added a new data center in Japan to meet the market demand in the APJ region.

The new data center, in addition to our existing data centers based in North Virginia, Frankfurt, London, Sydney and Canada further extends our global network.

Privilege Cloud Connector

The new Privilege Cloud Connector installer now enables you to select which function to install on the connector server. You can choose to install the CPMPSM, or both.

In addition, you can choose whether to install the CPM in disaster recovery (DR) mode or not.

To learn more, see Run the Connector installer.

Released components

Component	Version
CyberArk Privilege Cloud Connector	11.5.1.2
CyberArk Secure Tunnel	2.0.0

Enhancement requests

ID	Description
4990	Add a direct link to Privilege Cloud portal in approver email

August 2020

The following features and enhancements are included in the Privilege Cloud August 2020 release:

Remote access

Providing access to your company employees from remote is essential to maintain business operations in an efficient and simple manner. Exposing the company's internal assets to the public network poses a great risk and must be secured. Privilege Cloud now integrates with CyberArk's Alero to allow remote company employees to access internal assets, VPN-less, protected with Privilege Cloud with no additional footprint.

You can also use remote access capabilities to access assets, when inside the network, and not only remotely.

To learn more, see Configure remote access for employees.

Privilege Cloud data center in Canada

We've added a new data center in Canada to meet the market demand in the North American region.

The new data center, in addition to our existing data centers based in North Virginia, Frankfurt, London, and Sydney, further extends our global network.

Platform management UI enhancements

Introducing our new platform management view with ability to import and connect PSM connectors.

The new view includes:

• Separate tabs according to platform types: Targets, Dependents, Groups, and Rotational Groups

• Aggregated view for each system type

• Single pane of glass of a platform and its effective policy

• Platform settings for password rotation verification and reconciliation

• Actions like: Import Platform, Edit, Duplicate, Activate/Deactivate, Export, Import and Delete.

• Onboarding of PSM Connectors to a platform – the ability to easily import PSM connectors and link them to a platform, all from one location.

Getting a List of platforms can also be done using REST API.

To learn more, see Manage platforms.

Automatic onboarding rules

You can now create and manage predefined rules that automatically onboard newly discovered accounts. This minimizes the time it takes to onboard and securely manage accounts, reduces the time spent on reviewing pending accounts, and prevents human errors that may occur during manual onboarding.

To learn more, see Onboarding rules.

Automatic dependencies discovery

Managing service accounts can be challenging, but also very important. These accounts can be very powerful and as a result are often targeted in attacks. The first challenge in managing these accounts is understanding where they are.

In this release, we introduce a major improvement to the dependencies discovery process, which allows it to discover and onboard dependencies for already managed accounts (that were added manually or using REST APIs) in addition to those that were onboarded by the discovery scanner.

Similar to the current behavior, accounts with a newly discovered dependencies will be disabled with the reason “Newly discovered dependency”, so the accounts' owners can review and validate that the new service is legitimate and is not a backdoor service aiming to inherit account's password.

To learn more, see Scan for accounts using Account Discovery.

SSH Keys support

You can now add, edit, and download SSH Key accounts, just as you would password accounts.

Add new SSH keys using the Add Account button located in the Accounts List, by selecting Unix as the System Type.

Direct link for accounts

This release introduces a new way to create a direct URL for a specific account details page.

Users can see this link in the new Account Group in the Account Details split view, where each Account group member has its own link to its specific account.

For simple sharing of accounts, users can send a direct URL to an account.

SAML authentication using REST API

This release introduces a new, updated way to authenticate to Privilege Cloud using the SAML authentication REST API.

This API uses the Logon REST method with the SAML authentication type (POST /auth/saml/logon) and supports only IdP initiated flows, meaning the user should already be authenticated and the SAML response should be sent to the Privilege Cloud Portal SAML authentication API.

IdP initiated flow is now supported for customers who wish to use it. While CyberArk recommends using SP initiated flow as it ensures a more secured authentication channel, customers who rely on business applications using IdP initiated flow only, may enable this option using the EnableIdPInitatedSso configuration.

To learn more, see SAML logon.

User Management Rest API improvements

This release provides several improvements to our REST API Web services for easier automation and usage.

• Get user details. This API now also returns a list of groups in which the user is a member.

• Delete group. A new API that deletes an existing group.

PSM for SSH deployment on SUSE v12 SP2

Customers working with SUSE Linux Servers can now deploy PSM for SSH on SUSE Linux Enterprise Server v12 SP2.

Listing of Active PSM for SSH sessions in the Monitoring page

Auditors and Security teams can now view what PSM for SSH sessions are currently active, what commands are being performed and what is the risk score of each active session. This enables them to gain fuller visibility into user activities in the environment and achieve better monitoring.

Enhanced Audit Capabilities for PSM for SSH Just-in-Time access with SSH Certificates

Just in Time access with short-lived SSH certificate authentication enables organizations to provide secure access to remote *nix machines without the need to onboard the account to PAS, and without a need for credentials, public keys or standing access on the target.

Customers can now use this approach and benefit from the following capabilities that are available in other PSM for SSH authentication flows:

• Create audit records and text recording files of keystrokes typed by privileged users in the session

• View the session in the Monitoring page

• Enable configuring prompts used for detecting passwords that may have been typed by users and hiding them from appearing in the audit records and text recordings.

• Apply Command Access Control that enables blocking unauthorized SSH commands that a privileged user attempts to execute.

Enhanced Audit Capabilities for Automation Tools Access to *NIX machines through PSM for SSH

In addition to audits of remotely executed SSH commands (as usually used by automation tools), auditors can now also view audits of commands executed or performed on the target after logging in to a shell prompt. This could be useful when using the same account for automation tools and human access.

Smart-Card (PKI) authentication in direct PSM connections

We expanded the variety of authentication methods for direct PSM connections. In addition to CyberArk, LDAP, and RADIUS authentication, users can now authenticate to Privilege Cloud through direct connections with a user certificate, utilizing PKI infrastructure. These user certificates are usually stored on a smart card, to help facilitate a strong authentication policy. The PSM PKI authentication integrates seamlessly with the domain PKI infrastructure, allowing customers who already use PKI in their organization to immediately benefit from this new capability.

To learn more, see Configure PKI authentication for RDP connections.

FIPS support for SSH plugins

To benefit from the enhancements in our new terminal-based CPM engine (TPC), you can now use SSH-based plugins with the new FIPS support.

This release also includes bug fixes, enhanced security and performance.

To learn more, see Configure SSH-based features.

SAP plugin improvements

The SAP plugin allows management of SAP Netweaver accounts, which are used for many SAP applications (including SAP ERP). This SAP plugin already supports built-in and Dialog accounts used for human interactions. In this release, we added support for management of non-human accounts, designed for applications' use, such as 'System', 'Communication Data' and 'Service' user.

In addition, for enhanced security, the updated SAP plugin supports the secured SAP protocol, SNC, by default.

The plugin is available for download in the CyberArk Marketplace and is provided out of the box with any new Privilege Cloud installation.

To learn more, see SAP applications.

March 2020

The following features and enhancements are included in the Privilege Cloud March 2020 release:

Privilege Cloud data center in Sydney

We have added a new data center in Sydney to meet the market demand in the APJ region.

The new data center, in addition to our existing data centers based in North Virginia, Frankfurt, and London, further extends our global network.

RADIUS authentication support

We believe that deploying the Privilege Cloud environment in a secure manner is critical for our customers, and we see MFA as a cornerstone of secured Privilege Access. In this release, Privilege Cloud we have added support for RADIUS authentication for enforcing MFA for Windows and UNIX native access.

To learn more, see Configure RADIUS authentication

Self-service for PSM Connection Components management

Privilege Cloud now supports self-service management of PSM connection components. A new set of Web services enables customers and partners to add new targets for which secure sessions can be brokered without the need to involve the Cloud Services team, to streamline Privilege Cloud deployments. A simple script that wraps these Web services is also available.

ServiceNow ticketing integration

Privilege Cloud now supports ticketing integration with ServiceNow, to enable ticketing-based approval workflows for our customers.

To learn more, see Integrate with enterprise ticketing system.

New connection component for SQL Server Management Studio 18

A new PSM connection component was added to the PSM installation and to CyberArk Marketplace to enable secure access to SQL Server Management Studio (SSMS) 18.

Account groups

Account Groups are often used to synchronize passwords among multiple accounts. In this release, we added the ability to use Accounts Groups from the Privilege Cloud Portal and simplified the process of creating Account Groups and linking them to existing accounts.

REST API

Concurrent logins using REST API	To facilitate automating PAM deployments and operation, you can now use the login REST API with concurrent logins. Using a new parameter that can be controlled in the Login command, an application can be used to authenticate multiple times to Privilege Cloud without managing the sessions and without the application disconnecting. This new method enables an application to work simultaneously using the login REST API and any authentication method supported in the REST API, maintaining each thread in its own session with its own token. To learn more, see Logon REST API.
Enhancements in Connection Components REST API	You can manage PSM connectors using a centralized repository. This simplifies management and ensures that all PSM servers are aligned with the required connectors and configuration. Any newly imported or updated connector in the repository is fetched by the PSM servers automatically, reducing the time it takes to configure new connectors. The Connection Component REST API has been enhanced. In addition to importing the connection component configuration to the Privilege Cloud Portal, this API also uploads the connection component package (a zip archive of relevant artifacts such as the Universal Connector executable and additional files needed for it to run) to the central safe in the Vault. To learn more, see Import connection component.
REST API documentation	We have simplified the REST API section in our documentation to make it easier for you to find a REST API based on a topic, and to find references for more usage examples. To learn more, see REST APIs.

January 2020

The following features and enhancements are included in the Privilege Cloud January 2020 release:

SOC2 certification

This is a new certification that is performed by an independent audit team, for assessing Privilege Cloud's system security, availability and confidentiality factors, and has determined that the service meets the complex cloud security requirements of today's world.

Native access for *nix administrators

The PSM for SSH preserves the benefits of the PSM, such as isolation, control, and monitoring, while enabling users to connect transparently to target Linux/Unix systems from their own workstation, using their choice of SSH client and without interrupting their native access workflow.

PSM for SSH records all activities that occur during privileged sessions in a compact format and stores them in Privilege Cloud, where they can be accessed by authorized auditors. It also provides privileged Single Sign-On capabilities and allows users to connect to target devices without exposing them to privileged credentials.

To learn more, see Connect to Unix machines (using PSM for SSH).

Just in Time with short-lived SSH certificates

Secure access with SSH in dynamic or large-scale environments is problematic. Managing local account credentials and SSH keys for each user and server requires either high levels of automation or a large amount of manual processes, especially when machines are frequently spun-up. Having static SSH keys, shared accounts, or personal accounts leads to a larger number of privileged accounts, standing access on the target, and a larger attack surface, and does not follow the least privilege concept.

Privilege Cloud introduces Just in Time access with SSH certificate authentication to remote *nix machines without the need to onboard the account to Privilege Cloud, and without a need for credentials, public keys or standing access on the target.

An administrator stores a single private key in the Vault that acts as a certificate authority for certificate signing and stores the corresponding public SSH key on the remote machines.

There is no need to generate a private-public key pair for each account and remote machine.

End-users SSH to a remote machine through the PSM. After authenticating to Privilege Cloud, CyberArk signs and uses a short lived SSH certificate to authenticate to the remote machine with an isolated and controlled session.

Let's look at the following use case, for example:

Tina is an Information Technology Lead who is a Privilege Cloud service Administrator in her company. Paul is a Linux administrator who manages a group of administrators who oversee the production servers.

For Paul's administrators to have secure access to new production servers, Tina generates an SSH key pair that will act as a certificate authority (CA) for the production servers and stores the private key in an account in Privilege Cloud. The account is configured as an SSH certificate type and does not have a specific address assigned to it, so that it can be used for all production servers.

Tina also grants permissions to this account only to the production administrators.

Paul has set up a template for the production servers so that each new server is spun-up with the production CA public key as a trusted CA key.

Now, when a new production server is spun-up, Paul's administrators (for example, John) can instantly SSH to it through the Unix Connector, by specifying the target address and that it is a production server:

ssh john@root#production@TargetAddress@UnixConnectorAddress

After authenticating to Privilege Cloud, the PSM will sign an SSH key with the production CA private key so that the target can trust it and authenticate the user.

Native access for Windows and applications administrators

Privilege Cloud now supports native access for Windows and application administrators.

Users can now connect securely through the PSM to the target systems directly from their desktop using any standard RDP client application such as MSTSC or connection manager, preserving their native user experience and workflow.

To learn more, see Connect using RDP.

LDAP integration

You can now manage your Privilege Cloud-LDAP integration with more control and flexibility.

The Privilege Cloud Portal includes a new module for LDAP integrations and management. Using this module, you can define the LDAP domain and directory mappings that determines whether a user account or group may be created in Privilege Cloud, and according to which criteria.

To learn more, see LDAP integration.

Privilege Cloud data center in London

We’ve added a new data center in London to meet the market demand in the EMEA region.

The new data center, in addition to our existing data centers based in North Virginia and Frankfurt, further extends our global network.

CyberArk Secure Tunnel installation wizard

CyberArk Secure Tunnel allows you to securely connect Privilege Cloud with your LDAP and SIEM servers. Various high availability configurations are supported, making sure LDAP authentication is always available in case of disaster or unavailability of one or more connector servers.

This release introduces an installation wizard that simplifies and streamlines the setup and configuration of the Cyberark Secure Tunnel. By the end of the process, you will establish connection and trust between your network and Privilege Cloud.

To learn more, see Install and configure Secure Tunnel.

Non-human access management

Privilege Cloud integrates with Application Access Management (AAM) Credential Providers to eliminate hard-coded application credentials embedded in applications, scripts, or configuration files and instead managing them within Privilege Cloud as privileged accounts.

This release of Privilege Cloud includes a new application management module, accessible from the Privilege Cloud Portal, where you can manage application authentication, accounts and access control.

To learn more, see Application Management.

You can also manage applications using the New Applications REST APIs.

Credential Providers

New Application Server Credential Provider JDBC Driver for Tomcat

Introducing a new Tomcat Secure JDBC Proxy Driver for Generic Data Sources using either XA or non-pooled and pooled DataSources, supporting Oracle, DB2, and MS SQL Server databases. This new driver replaces the existing JDBC Proxy Driver, providing support for custom properties. It supports only specific DataSources. Supports: Tomcat 7, 8.5 and 9.

Credential Providers hash authentication security improvements

For improved security, Credential Provider Hash Authentication now supports SHA-2 encryption. Note: For applications using a version of Credential Provider earlier than 11.2 with hash authentication, the following steps are required: Generate a new hash value for each existing hash value of the application. To learn more, see Generate an application hash value. Update the application's details in Privilege Cloud Portal with the new hash value or using the REST API. To learn more, see Update applications.

Enhanced account functionality

We’ve enhanced the functionality and UX in the Accounts page:

• You can now delete an account from the UI.
• When you create an account from the UI, you can now add another, continuously, streamlining the process of account provisioning.
• The following parameters are now displayed for each account:
  • Account Name
  • Created Time

Web Services

This release introduces several new and updated REST API Web services for easier automation and usage.

Improvements when searching accounts	Searching for accounts and performing actions on them may be a common use case if you rely on automation and REST APIs. This release introduces an enhanced Get Accounts REST API, which includes a new searchType parameter, which allows you to get accounts that either contain or start with the value specified in the Search parameter. For examples on how to use our REST APIs, access GitHub.
New Applications REST APIs	We added the following Applications REST API methods: List applications List a specific application Add application List all authentication methods for a specific application Delete specific application Add application authentication Delete a specific authentication To learn more, see Applications.

2019 releases

October 2019

The following features and enhancements are included in the Privilege Cloud October 2019 release:

Removing hardcoded credentials from applications

Securing, managing and automatically replacing embedded and locally stored credentials can impose significant challenges and overhead costs to IT and security departments. Consequently, many organizations never change embedded passwords or locally stored SSH keys for applications, leaving the organization vulnerable to an attack.

Privilege Cloud now integrates with Application Access Manager (AAM) Credential Providers to empower developers and security teams to proactively secure resources, such as scripts, automated processes and applications when accessing sensitive information and assets, by using privileged accounts.

To learn more, see Secrets Manager Credential Providers integration

C³ Alliance Program

Privilege Cloud now supports integrations from the C³ Alliance partnership program.

By securing privileged accounts and using privileged data to detect and respond to threats, C³ Alliance provides joint customers the best protection against advanced threats through a comprehensive set of innovative cyber security solution.

Members of C3 Alliance include producers of enterprise software, infrastructure and security solutions, including authentication services, security information and event management (SIEM), vulnerability management scanners, and robotic process automation (RPA).

To learn more, see C³ Alliance Program.

Privilege Cloud data center in Frankfurt

We have added a new data center in Frankfurt to meet with the market demand in the EMEA region. The new data center, in addition to our existing data center based in North Virginia, is aimed at extending our global network with Privilege Cloud.

New User Management module

User management capabilities are key for streamlining administration of authorized users in Privilege Cloud. Our new User Management module includes the following capabilities:

• Create and edit CyberArk users
• Create groups and assign users to these groups
• View all users (both LDAP and CyberArk users)
• Disable a user or activate a suspended user
• Reset a user’s password

To learn more, see Add and manage users.

CyberArk Secure Tunnel HA

CyberArk Secure Tunnel enables LDAP-based authentication from Privilege Cloud to your LDAP server. We now support different high availability configurations to make sure LDAP authentication is always available in case of disaster or unavailability of one or more connector servers.

The following configurations are supported:

• Secure Tunnel can connect to multiple domain controllers in an Active Directory (AD)
• Secure Tunnel can connect to multiple AD domains
• Multiple Secure Tunnels can be deployed in a single network segment or multiple network segments

To learn more, see Deploy Secure Tunnel.

Windows 2019 Server target support

We now support Windows Server 2019 as a managed target system, including:

• Management of local accounts
• Management of service accounts (like Windows Services)
• Discovery of local and service accounts using the AD
• AD integration is now extended to support AD running on Windows 2019 Server

Connecting to Windows 2019 server targets using the PSM is also supported.

Manual password update

In some cases, a password needs to be changed manually and not automatically. In such cases you can set the password manually from the Account Details page. The password is changed only in the Vault, to match the password already set in the target machine.

To learn more, see Change password.

Performance improvements

The PSM session start-up phase is now 5 times faster.

Support for Firefox browser

The Privilege Cloud Portal now supports Firefox browser.

New REST APIs

This release introduces several new REST API Web services for easier automation and usage.

We added/updated the following REST API methods:

User Management	Get user details (updated) Add user(updated) Update user Delete user Create group
Platforms	Get platforms Get safes by platform ID
LDAP	Delete directory mapping

For examples on how to use our REST APIs, access GitHub.