What's new

New Secure Cloud Access versions are released and announced on a varying cadence. Occasionally, new versions that include only performance, stability and bug fixes, and do not require customer actions, are released without an announcement.

September 21, 2023

Secure Cloud Access data center in Canada

We've added a new data center to meet the market demand in the Canada region. The new data center is in addition to our existing data centers in Virginia, USA and UK-Ireland.

Improved usability

Error codes have been added to enable administrators to investigate and fix user connection issues.

For more information, see Error codes.

September 10, 2023

Workspace delegation

Many organizations aim to enforce segregation of duties, allowing cloud application owners to control access for security reasons and to reduce operational overhead.

Customers can now delegate administration of SCA by defining owners for cloud workspaces, at both the organization level and the specific workspace level. These owners, or delegates, can grant and approve access to their cloud services for other developers, vendors and admins.

Please contact your CyberArk representative to enable this functionality.

Account mapping

SCA users can now configure and use the CyberArk Identity account mapping capability to define the mapping between their federated identities and identities they have configured in their cloud providers.

Updated permissions list

The following permission was added to the AWS onboarding process:

  • iam:ListRoles

If you have cloud workspaces that are already onboarded, you have to add this permission manually.
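For workspaces that were onboarded before this change, the sketch below checks offline whether a role's policy document already grants iam:ListRoles. It is an added example, not CyberArk code. The sample policies and every action in them other than iam:ListRoles are constructed for illustration, and the check ignores Condition and NotAction elements.

```python
import fnmatch
import json

REQUIRED_ACTION = "iam:ListRoles"  # the permission named in the release note

def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, action):
    """Case-insensitive match using IAM's * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def grants_action(policy_json, action=REQUIRED_ACTION):
    """True if the policy allows `action` and no statement denies it."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    allowed = False
    for stmt in statements:
        if not _matches(_as_list(stmt.get("Action")), action):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit Deny wins (treated conservatively)
        # iam:ListRoles has no resource-level scoping, so it needs Resource "*"
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
            allowed = True
    return allowed

def _policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})

# Constructed sample policies (not the actual SCA onboarding policy).
BEFORE = _policy({"Effect": "Allow", "Resource": "*",
                  "Action": ["iam:GetRole", "iam:ListRolePolicies"]})
AFTER = _policy({"Effect": "Allow", "Resource": "*",
                 "Action": ["iam:GetRole", "iam:ListRolePolicies", "iam:ListRoles"]})
WILDCARD = _policy({"Effect": "Allow", "Resource": "*", "Action": "iam:List*"})
DENIED = _policy({"Effect": "Allow", "Resource": "*", "Action": "iam:*"},
                 {"Effect": "Deny", "Resource": "*", "Action": "iam:ListRoles"})

if __name__ == "__main__":
    for name, doc in [("before", BEFORE), ("after", AFTER),
                      ("wildcard", WILDCARD), ("denied", DENIED)]:
        print(f"{name}: grants {REQUIRED_ACTION} = {grants_action(doc)}")
```

A False result for an already onboarded workspace means the permission still has to be added by hand.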

August 28, 2023

Secure Cloud Access data center in UK - Ireland

We've added a new data center to meet the market demand in the UK&I region. The new data center is in addition to our existing data center in Virginia, USA.

Integration with CyberArk Remote Access

Third-party vendors often need access to cloud services so they can perform maintenance and support activities. This type of privileged access can now be protected by SCA. Using the new integration between Remote Access and SCA, organizations can manage vendor access to their cloud services and apply zero standing privileges.

Currently, the Remote Access integration with SCA is available for AWS only.

Sync cloud workspaces and permissions on demand

CyberArk triggers an automatic sync of your cloud workspaces and cloud IAM roles to SCA every 12 hours. Cloud workspaces are synced against Cloud Entitlements Manager while cloud IAM roles are synced against the relevant cloud provider.

To support the dynamic nature of the cloud environment, you can now trigger an on-demand sync to ensure that you have the most up-to-date information about roles and workspaces when creating access policies.

August 7, 2023

Integration with third-party IdPs for all cloud providers

SCA can be integrated with third-party IdPs for AWS, Google Cloud, and Microsoft Azure. Customers can continue using their existing IdP and leverage SCA's ability to enforce zero standing privileges to the cloud management console.

If your organization uses AWS IAM Identity Center, please contact your CyberArk representative to implement this feature.

On-demand access enhancements

Allowed identities

Cloud management is a sensitive resource because it allows access to all of your cloud services. As such, user access should be limited to those identities that are authorized administrators of the workspaces they want to access. With the new allowed identities feature, organizations can allow only certain identities to request access or elevated permissions to cloud management consoles.

Context-aware automatic approval

Additionally, as part of the on-demand access workflow organizations can now define the default approval method, either automatic or manual. Along with the default approval method, exceptions can be defined for identities that meet certain conditions.

For example, an organization can define the default approval method as manual, meaning all on-demand access requests must be handled by an administrator. However, if an identity submits a request to access a workspace tagged as "staging", this poses little to no risk, so the request can be approved automatically.

Using this new capability, organizations can enforce security guidelines while reducing the workload for approvers, enabling them to handle only higher-risk access requests.

Approval channel enhancements

In addition to an out-of-the-box approval flow for Slack, organizations can now create custom approval flows in Identity Flows and apply them in SCA. This allows tailoring the approval channel workflow to better suit organizational needs.

May 7, 2023

On-demand access for end-users

Organizations have assorted personas with different access needs. For example, developers require daily access to perform development and maintenance tasks, while SRE users may occasionally need access to a production environment to troubleshoot a production issue.

SCA now provides a solution for both needs. Organizations can benefit from regular policy-based access for daily users, and on-demand access for unplanned or infrequent situations that require immediate attention for a critical issue. On-demand access enables users to request access to specific workspaces at specific times. With this new capability, organizations can further reduce exposure due to excessive privileges and grant elevated permissions only when actually required.

On-demand access comes with an out-of-the-box integration with Slack, and can be customized for other ChatOps channels or ticketing systems.

Support for Azure AD

Azure AD includes highly privileged roles such as Global Administrator. To keep cloud environments secure, organizations need a way to assign these roles on a Just-In-Time basis for sessions that are limited in length.

SCA introduces Just-In-Time access and privilege elevation for Microsoft Azure AD roles. This capability helps organizations improve their security posture and reduce risk by granting least-privilege, on-demand access to Azure AD roles for daily operations using SCA policies. Using SCA, cloud security administrators can grant Just-In-Time access to Azure AD roles at the tenant level. Users can access their Azure cloud environment from either the Azure management portal or the Azure CLI.

With this new enhancement, SCA now fully supports Microsoft Azure, with both Azure AD and Azure RBAC functionality.