CyberArk — Enterprise PAM Platform

CyberArk is the market-leading Privileged Access Management platform, deployed by over half of the Fortune 500. As a PAM professional, you will likely encounter CyberArk in enterprise environments ranging from mid-size organisations to the largest global banks and government agencies.

This page provides a comprehensive overview of the CyberArk platform — its architecture, core components, operational workflows, and best practices.

Hands-On Lab Guides

Ready to get practical? This overview page covers the architecture and concepts. For step-by-step deployment and operations, follow the dedicated hands-on guides:

  1. CyberArk Lab Deployment — Set up a complete CyberArk lab with Vault, PVWA, CPM, and PSM
  2. CyberArk First Steps — First login, safe creation, user management, CPM policy configuration
  3. CyberArk Operations — Onboard accounts, test password rotation, configure PSM, use AIM, generate reports

CyberArk Architecture Overview

CyberArk follows a component-based architecture where each function is handled by a dedicated component, all centred around the Digital Vault.

                     ┌─────────────────────────┐
                     │   PVWA (Web Interface)  │
                     │   Password Vault Web    │
                     │         Access          │
                     └────────────┬────────────┘
                                  │
┌──────────────┐      ┌───────────┴──────┐      ┌──────────────┐
│     CPM      │      │                  │      │     AIM      │
│   Central    │      │     Digital      │      │ Application  │
│   Policy     │◄─────┤      Vault       ├─────►│   Identity   │
│   Manager    │      │    (D-Vault)     │      │   Manager    │
└──────────────┘      └───────────┬──────┘      └──────────────┘
                                  │
┌──────────────┐      ┌───────────┴──────┐      ┌──────────────┐
│     PSM      │      │       PTA        │      │    Conjur    │
│  Privileged  │      │   Privileged     │      │   Secrets    │
│   Session    │      │    Threat        │      │  Management  │
│   Manager    │      │   Analytics      │      │ (K8s/DevOps) │
└──────────────┘      └──────────────────┘      └──────────────┘

Component Roles

| Component | Full Name | Function |
| --- | --- | --- |
| Digital Vault | CyberArk Vault | Central credential storage — encrypted database of all privileged accounts |
| PVWA | Password Vault Web Access | Web-based administrative interface and user portal |
| CPM | Central Policy Manager | Password rotation, policy enforcement, account verification |
| PSM | Privileged Session Manager | Session proxy for recording and monitoring privileged sessions |
| PSMP | Privileged Session Manager for SSH | SSH session proxy (Linux/Unix) |
| AIM | Application Identity Manager | API-based credential injection for applications |
| PTA | Privileged Threat Analytics | Behavioural analytics and threat detection for privileged activity |
| Conjur | Conjur Secrets Management | DevOps secrets management for container and cloud-native environments |
| EPV | Enterprise Password Vault | Legacy name for the core vault component |

The Digital Vault

The Digital Vault is the heart of CyberArk — a hardened, encrypted repository for all privileged credentials.

Vault Structure

Vault
├── Safes (logical containers for credential storage)
│   ├── Safe: Windows-Local-Admin
│   │   ├── Account: SERVER01\Administrator
│   │   ├── Account: SERVER02\Administrator
│   │   └── Account: WORKSTATION001\Administrator
│   ├── Safe: Linux-Root
│   │   ├── Account: db-server-01\root
│   │   └── Account: web-server-01\root
│   ├── Safe: Service-Accounts
│   │   ├── Account: SQLSvc_Prod
│   │   └── Account: WebSvc_Prod
│   └── Safe: Domain-Admins
│       └── Account: CORP\krbtgt_backup
├── Policies (access control and password management)
│   ├── Policy: High-Risk-Servers
│   ├── Policy: Standard-Servers
│   └── Policy: Service-Accounts-90day
└── Users (administrators, end-users, application identities)
    ├── User: alice (Vault Admin)
    ├── User: bob (Security Team)
    ├── User: helpdesk (Operator)
    └── User: monitoring-app (API User)

Vault Hardening

CyberArk vaults are hardened Linux servers with specific security measures:

  • Minimal OS footprint — Only required services installed
  • FIPS 140-2 encryption — AES-256 for stored credentials, TLS 1.2+ for transit
  • Dual Control — Administrative actions require two-person approval
  • Separation of Duties — Vault admin ≠ Audit ≠ Policy admin
  • Hardened SSH — Key-based auth only, no root SSH, IP-restricted
  • RAID 10 + Hot Spare — Disk-level redundancy
  • Backup to encrypted external media — Regular scheduled backups

Password Vault Web Access (PVWA)

PVWA is the primary interface for administrators, operators, and end-users.

User Roles

| Role | Permissions | Typical User |
| --- | --- | --- |
| Vault Admin | Full system configuration, user management, policy creation | PAM team lead |
| Safe Admin | Manage specific safes, onboard accounts, define access | PAM administrator |
| Security Admin | Audit, reporting, threat analysis | Security operations |
| Operator | Check out passwords, request access, no configuration | Helpdesk, server admins |
| User | Request access to specific accounts | Application owners |
| Application Identity | API-based credential retrieval via AIM | DevOps, automation |

Common PVWA Workflows

Password Checkout (Manual)
──────────────────────────
1. User logs into PVWA
2. User searches for account (e.g., "db-prod-sa")
3. User selects account and clicks "Copy Password" or "Connect"
   (Option: enter reason code for access justification)
4. Vault records access in audit log
5. User receives clipboard copy or connection file
6. If "Require Reason" is enforced: compliance automatically logged

Password Check-in
─────────────────
1. User completes task
2. User clicks "Check In" in PVWA (or closes PSM session)
3. CPM automatically rotates password (if policy requires)
4. New password is stored in vault
5. Old password is purged (no recovery possible)

Central Policy Manager (CPM)

CPM is responsible for password management — verification, rotation, reconciliation, and policy enforcement.

CPM Workflows

    graph LR
    A[CPM detects<br/>account due<br/>for rotation] --> B[CPM connects to<br/>target system<br/>with current password]
    B --> C{Password<br/>valid?}
    C -->|Yes| D[CPM generates<br/>new password<br/>per policy]
    C -->|No| E[CPM logs error,<br/>triggers alert]
    D --> F[CPM changes<br/>password on<br/>target system]
    F --> G[CPM updates<br/>password in vault]
    G --> H[CPM verifies<br/>new password<br/>works]
    H --> I[CPM logs<br/>successful<br/>rotation]
  

CPM Policy Configuration

| Policy Setting | Options | Recommendation |
| --- | --- | --- |
| Rotation Period | 1-365 days | 30 days for local admin, 90 days for service accounts |
| Password Complexity | Upper, Lower, Digits, Special | All four character types |
| Password Length | 8-100 characters | 25+ for interactive accounts, 50+ for service accounts |
| Reconcile Period | 1-365 days | 1 day (daily verification) |
| Post-Rotation Action | None, Verify, Verify Only | Full verify |
| Platforms | Windows, Linux, Database, AD, etc. | Platform-specific drivers |
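The rotation sequence in the diagram and the complexity settings in the table can be exercised together. The Python below is an added example written for this page, not CyberArk's own code: a hypothetical RotationPolicy generates passwords that are guaranteed to contain every required character class, and rotate() walks the CPM steps (verify current password, generate, change on target, update vault, verify, log). The "No" branch is handled explicitly: when the stored password no longer works on the target, the rotation is skipped and an error is logged rather than risking a lockout. MockTarget stands in for the WinRM/SSH connector a real platform would use.

```python
import secrets
import string
from dataclasses import dataclass

# Character classes from the "Password Complexity" policy setting
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{}:,.?",
}


@dataclass(frozen=True)
class RotationPolicy:
    """Hypothetical policy model (assumption: not CyberArk's platform schema)."""
    length: int = 25
    required_classes: tuple = ("upper", "lower", "digit", "special")

    def generate_password(self) -> str:
        if self.length < len(self.required_classes):
            raise ValueError("length too short for the required character classes")
        rng = secrets.SystemRandom()            # CSPRNG, never random.Random
        # one character guaranteed from every required class, the rest from their union
        chars = [rng.choice(CLASSES[c]) for c in self.required_classes]
        alphabet = "".join(CLASSES[c] for c in self.required_classes)
        chars += [rng.choice(alphabet) for _ in range(self.length - len(chars))]
        rng.shuffle(chars)                      # so the guaranteed characters are not positional
        return "".join(chars)

    def complies(self, password: str) -> bool:
        return len(password) == self.length and all(
            any(ch in CLASSES[c] for ch in password) for c in self.required_classes
        )


class MockTarget:
    """Stand-in for a managed host; a real CPM platform would speak WinRM, SSH, etc."""

    def __init__(self, account: str, password: str):
        self.account, self.password = account, password

    def authenticate(self, account: str, password: str) -> bool:
        return account == self.account and password == self.password

    def change_password(self, account: str, old: str, new: str) -> None:
        if not self.authenticate(account, old):
            raise PermissionError("current password rejected")
        self.password = new


def rotate(account: str, target: MockTarget, vault: dict, policy: RotationPolicy, log: list) -> bool:
    """CPM sequence: verify -> generate -> change on target -> update vault -> verify -> log."""
    current = vault[account]
    if not target.authenticate(account, current):
        # the "No" branch: do not guess, do not lock the account out, raise an alert instead
        log.append(f"ERROR {account}: stored password rejected by target; rotation skipped, reconcile required")
        return False
    new = policy.generate_password()
    target.change_password(account, current, new)
    vault[account] = new   # store immediately so the new secret is never known only to the target
    if not target.authenticate(account, new):
        log.append(f"ERROR {account}: post-change verification failed")
        return False
    log.append(f"INFO {account}: rotated and verified; old password discarded")
    return True


if __name__ == "__main__":
    policy = RotationPolicy()
    vault = {"SERVER01\\Administrator": "OldPass1!"}          # constructed vault contents
    target = MockTarget("SERVER01\\Administrator", "OldPass1!")
    log: list = []
    rotate("SERVER01\\Administrator", target, vault, policy, log)
    print("\n".join(log))
```

The vault entry is updated the moment the target accepts the change; the opposite order (update vault first, then change target) leaves a window in which neither copy is usable if the connector fails mid-way, which is exactly the "CPM password change failure" alert the monitoring table treats as High.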

CPM Platforms

CPM uses “Platforms” — connector definitions for different target system types:

| Platform Category | Examples | Connection Method |
| --- | --- | --- |
| Windows | Local admin, Domain admin, Service account | WinRM, RPC, WMI |
| Unix/Linux | Root, Application user | SSH |
| Database | Oracle, SQL Server, MySQL, PostgreSQL | Native DB protocol |
| Directory | Active Directory, LDAP | LDAP, PowerShell |
| Cloud | AWS IAM, Azure AD, GCP | Cloud API |
| Network | Cisco, Juniper, Palo Alto | SSH, Telnet |
| Custom | Any system with an API | Custom plugin (Python, PowerShell) |

Privileged Session Manager (PSM)

PSM provides a secure proxy for privileged sessions, enabling recording, monitoring, and granular access control.

PSM Session Flow

User ──→ PVWA ──→ PSM ──→ Target System
                   │
              ┌────┴────┐
              │ Record  │
              │ Monitor │
              │ Control │
              └─────────┘
      Credential injected by PSM
      (never seen by the user)

Key capabilities:

  • Credential injection — User never sees the password
  • Full session recording — Keystroke and screen capture (RDP, SSH)
  • Real-time monitoring — Live session viewing by security team
  • Session termination — Security team can kill suspicious sessions
  • Granular command control — Allow/block specific commands on SSH sessions
  • File transfer control — Upload/download restrictions

PSM Connection Methods

| Protocol | PSM Component | Recording Quality | Target Types |
| --- | --- | --- | --- |
| RDP | PSM-RDP | Full screen + keystroke | Windows servers, workstations |
| SSH | PSM-SSH or PSMP | Keystroke + output | Linux, Unix, Network devices |
| WinSCP | PSM-SCP | File transfer log | Windows file servers |
| Database | PSM-DB | SQL query recording | Oracle, SQL Server, MySQL |

Session Recording Management

    graph LR
    A[PSM starts<br/>session] --> B[Record starts<br/>automatically]
    B --> C[Session ID<br/>generated]
    C --> D[Keystrokes logged<br/>in real-time]
    C --> E[Screen captures<br/>every N seconds]
    D --> F[Session ends]
    E --> F
    F --> G[Recording indexed<br/>and compressed]
    G --> H[Available in PVWA<br/>for replay]
  

Application Identity Manager (AIM)

AIM provides programmatic access to vault credentials for applications, scripts, and automation tools.

AIM Architecture

Application ──→ AIM Console ──→ Vault
                     │
                ┌────┴────┐
                │  Local  │
                │  Cache  │
                └─────────┘
Credential obtained via REST API or AIM SDK

AIM Credential Retrieval

# REST API call to retrieve a credential (GET with query parameters)
curl -X GET \
  "https://aim-server:8081/AIMWebService/api/Accounts?AppID=MyWebApp&Safe=Service-Accounts&Folder=Root&Object=WebSvc_Prod"

# Response
{
  "Content": "S3cur3P@ssw0rd!2026",
  "UserName": "CORP\\WebSvc_Prod",
  "Address": "sql-prod-01.corp.com",
  "Folder": "Root",
  "Safe": "Service-Accounts"
}

AIM Security

| Feature | Purpose |
| --- | --- |
| Mutual authentication | Both client and server verify identity |
| IP allow-listing | Restrict AIM access to specific servers |
| Certificate-based auth | Application identity via client certificates |
| Local caching | Reduces vault load, provides fallback |
| Cache expiration | Cached credentials expire after a configurable TTL |
| Audit logging | Every credential retrieval is logged |
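The retrieval call shown under "AIM Credential Retrieval" and the "Local caching" / "Cache expiration" rows above fit together in one small client. The following Python is an added example for this page, not CyberArk's SDK or Credential Provider code: the hypothetical CredentialProviderClient builds the same GET request, caches each answer for cache_ttl seconds, and, when the provider is unreachable, serves a cached copy only while it is younger than fallback_max_age. The fetch function is injectable so the behaviour can be checked offline; host, AppID and safe names are the page's sample values.

```python
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class CacheEntry:
    payload: dict
    fetched_at: float


class CredentialProviderClient:
    """GET /AIMWebService/api/Accounts with a TTL cache and a bounded stale-cache fallback.
    Hypothetical client written for this page; not CyberArk's SDK."""

    def __init__(self, base_url: str, app_id: str, fetch: Optional[Callable[[str], dict]] = None,
                 cache_ttl: float = 300, fallback_max_age: float = 3600,
                 clock: Callable[[], float] = time.time):
        self.base_url = base_url.rstrip("/")
        self.app_id = app_id
        self.fetch = fetch or self._http_get      # injectable so the client can be tested offline
        self.cache_ttl = cache_ttl                # seconds a cached secret is served without re-checking
        self.fallback_max_age = fallback_max_age  # how stale a secret may be when the provider is down
        self.clock = clock
        self.cache: dict = {}

    def build_url(self, safe: str, obj: str, folder: str = "Root") -> str:
        query = urllib.parse.urlencode(
            {"AppID": self.app_id, "Safe": safe, "Folder": folder, "Object": obj})
        return f"{self.base_url}/AIMWebService/api/Accounts?{query}"

    @staticmethod
    def _http_get(url: str) -> dict:
        # Assumption: client-certificate and IP allow-listing checks are enforced by the provider;
        # a real deployment would pass an ssl.SSLContext carrying the app's client certificate here.
        with urllib.request.urlopen(url, timeout=5) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def get_credential(self, safe: str, obj: str, folder: str = "Root") -> dict:
        key = (safe, folder, obj)
        now = self.clock()
        entry = self.cache.get(key)
        if entry and now - entry.fetched_at < self.cache_ttl:
            return entry.payload                  # fresh: no round trip to the vault
        try:
            payload = self.fetch(self.build_url(safe, obj, folder))
        except OSError as exc:                    # urllib.error.URLError is an OSError subclass
            if entry and now - entry.fetched_at < self.fallback_max_age:
                return entry.payload              # provider unreachable: serve a bounded-stale copy
            raise RuntimeError("credential provider unreachable and no usable cached copy") from exc
        self.cache[key] = CacheEntry(payload, now)
        return payload


if __name__ == "__main__":
    # Offline demonstration with a constructed fetch function instead of a live provider
    def fake_fetch(url: str) -> dict:
        return {"Content": "constructed-secret", "UserName": "CORP\\WebSvc_Prod", "Safe": "Service-Accounts"}

    client = CredentialProviderClient("https://aim-server:8081", "MyWebApp", fetch=fake_fetch)
    print(client.build_url("Service-Accounts", "WebSvc_Prod"))
    print(client.get_credential("Service-Accounts", "WebSvc_Prod")["UserName"])
```

Two TTLs are deliberate: the short one limits how long a rotated password keeps being served from cache after CPM changes it, while the longer one bounds the "fallback" the table promises so that an outage of the provider cannot turn into indefinite use of a stale secret.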

Platform Onboarding Workflow

The standard process for bringing a new target system under CyberArk management:

    graph TD
    A[Identify target<br/>system] --> B[Create platform<br/>definition]
    B --> C[Create Safe for<br/>account storage]
    C --> D[Define access<br/>permissions]
    D --> E[Add account to<br/>CyberArk vault]
    E --> F[Define password<br/>policy]
    F --> G[Verify CPM can<br/>rotate password]
    G --> H{Success?}
    H -->|Yes| I[Enable automatic<br/>management]
    H -->|No| J[Troubleshoot<br/>connectivity]
    J --> G
  

Privileged Threat Analytics (PTA)

PTA provides behaviour-based threat detection for privileged activity.

PTA Detection Capabilities

| Detection | Description | Example |
| --- | --- | --- |
| Anomalous credential use | Account used from unusual location or time | Domain Admin login from non-US IP |
| Session fingerprinting | Unusual command sequences in SSH sessions | wget followed by chmod +x |
| Lateral movement | Same credential used on multiple systems rapidly | Service account hopping across 10 servers in 2 minutes |
| Privilege escalation | Account receives unexpected privileges | Standard user added to Domain Admins |
| Credential theft | Multiple failed access attempts followed by success | Password spraying detected |
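Three rows of the table (anomalous time of use, lateral movement, failed-then-success) can be expressed as rules over an audit trail. The Python below is an added example for this page, not PTA's engine: it parses constructed audit events (not real CyberArk output), groups them by account, and applies a sliding window for lateral movement, a failure-burst counter for the credential-theft pattern, and a business-hours check. Thresholds (5 targets in 2 minutes, 3 failures in 10 minutes, 08:00-18:00) are assumptions chosen to match the table's examples.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    account: str
    target: str
    action: str   # e.g. "login", "checkout"
    result: str   # "success" or "failure"
    src_ip: str


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    detail: str


def parse_events(rows):
    """rows: (iso_timestamp, account, target, action, result, src_ip); returns events sorted by time."""
    events = [AuditEvent(datetime.fromisoformat(ts), acct, tgt, act, res, ip)
              for ts, acct, tgt, act, res, ip in rows]
    return sorted(events, key=lambda e: e.ts)


def _by_account(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e.account].append(e)
    return grouped


def detect_lateral_movement(events, window=timedelta(minutes=2), min_targets=5):
    """Same credential succeeding on many distinct targets inside a short sliding window."""
    findings = []
    for acct, evs in _by_account(e for e in events if e.result == "success").items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1                      # slide the window forward
            targets = {e.target for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                findings.append(Finding("lateral_movement", acct,
                                        f"{len(targets)} distinct targets within {window}"))
                break                           # one finding per account is enough to alert
    return findings


def detect_failed_then_success(events, window=timedelta(minutes=10), min_failures=3):
    """A burst of failures immediately followed by a success: the spraying/guessing pattern."""
    findings = []
    for acct, evs in _by_account(events).items():
        failures = []
        for e in evs:
            if e.result == "failure":
                failures.append(e.ts)
                continue
            recent = [t for t in failures if e.ts - t <= window]
            if len(recent) >= min_failures:
                findings.append(Finding("failed_then_success", acct,
                                        f"{len(recent)} failures then success from {e.src_ip}"))
            failures = []                       # a success resets the burst
    return findings


def detect_off_hours(events, start_hour=8, end_hour=18):
    """Successful privileged access outside the business-hours window."""
    return [Finding("off_hours", e.account, f"{e.action} on {e.target} at {e.ts:%H:%M}")
            for e in events if e.result == "success" and not (start_hour <= e.ts.hour < end_hour)]


def detect_all(events):
    return detect_lateral_movement(events) + detect_failed_then_success(events) + detect_off_hours(events)


# Constructed sample audit trail (not real CyberArk or PTA output)
SAMPLE_ROWS = [
    ("2026-03-02T09:15:00", "alice", "srv-web-01", "login", "success", "10.0.1.5"),
] + [   # one service account on ten servers in under a minute
    (f"2026-03-02T14:00:{5 * i:02d}", "svc_backup", f"srv-db-{i + 1:02d}", "login", "success", "10.0.2.9")
    for i in range(10)
] + [   # four failures then a success at 03:14
    (f"2026-03-02T03:1{i}:00", "administrator", "srv-file-01", "login", "failure", "203.0.113.7")
    for i in range(4)
] + [
    ("2026-03-02T03:14:00", "administrator", "srv-file-01", "login", "success", "203.0.113.7"),
]

if __name__ == "__main__":
    for f in detect_all(parse_events(SAMPLE_ROWS)):
        print(f"{f.rule:22} {f.account:15} {f.detail}")
```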

Operational Best Practices

Vault Administration

  • Rule of least privilege — Users get only the safes and accounts they need
  • Dual control — Require two approvers for sensitive account access
  • Separation of duties — No single person should be Vault Admin + Safe Admin + Audit
  • Master Password — Split the vault master password using Shamir’s Secret Sharing
  • Regular DR testing — Quarterly vault recovery drills

Password Policies

| Account Type | Rotation Interval | Password Length | Character Types |
| --- | --- | --- | --- |
| Local Administrator | 30 days | 25 characters | All 4 types |
| Domain Admin | 30 days | 30 characters | All 4 types |
| Service Account | 90 days | 50 characters | All 4 types |
| Application Account | 90 days | 50 characters | All 4 types |
| Network Device | 30 days | 20 characters | All 4 types |
| Database Account | 30 days | 30 characters | All 4 types |

Monitoring and Alerting

| Alert | Severity | Response |
| --- | --- | --- |
| CPM password change failure | High | Investigate immediately — account may be locked |
| Concurrent session from multiple locations | Critical | Possible credential compromise |
| Account accessed outside business hours | Medium | Verify with account owner |
| PSM session with blocked command | High | Review session recording |
| Vault backup failure | Critical | Resolve within 4 hours |
| Master password not rotated in 12 months | Medium | Schedule rotation |

Integration Patterns

| System | Integration Method | Purpose |
| --- | --- | --- |
| SIEM (Splunk, Sentinel, QRadar) | Syslog, CEF | Centralised privileged activity monitoring |
| ITSM (ServiceNow, Jira) | REST API | Access request and approval workflows |
| IAM/IGA (SailPoint, Saviynt) | SCIM, REST API | Birthright access and certification |
| AD / LDAP | LDAP, PowerShell | User authentication and group membership |
| MFA (RSA, Duo, MS Authenticator) | RADIUS, SAML | Step-up authentication for vault access |
| HCM (Workday, SAP) | SCIM, CSV import | Automated user provisioning from HR data |
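The SIEM row above (Syslog, CEF) is where the alerting table under "Monitoring and Alerting" is normally implemented. The Python below is an added example for this page, not CyberArk's syslog integration: it parses CEF records (handling the `\|` header escape and the `\=` / `\\` extension escapes of the CEF format), maps event names to the severity and response from the alerting table, and correlates PSM connect events to raise the "concurrent session from multiple locations" alert when one user connects from two source addresses within five minutes. The sample lines, their signature IDs and their event names are constructed for the example and are not CyberArk's real message IDs.

```python
import re
from collections import defaultdict

_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def _unescape(value: str) -> str:
    # extension escapes: \= \\ \n \r (single pass so "\\=" is not mis-read)
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> dict:
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end]).strip()   # values may contain spaces
    return out


def parse_cef(line: str) -> dict:
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, cur, i = [], [], 4                  # skip the "CEF:" prefix
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):    # \| and \\ are the header escapes
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, sig_id, name, severity = fields
    return {"version": version, "vendor": vendor, "product": product, "device_version": dev_version,
            "signature_id": sig_id, "name": name, "severity": severity,
            "ext": _parse_extension(line[i:])}


# Severity and response from the "Monitoring and Alerting" table, keyed on constructed event names
ALERT_RULES = {
    "CPM Change Password Failed": ("High", "Investigate immediately: account may be locked"),
    "PSM Command Blocked": ("High", "Review session recording"),
    "Vault Backup Failed": ("Critical", "Resolve within 4 hours"),
}


def triage(lines, window_ms=5 * 60 * 1000):
    """Return (severity, title, response, subject) tuples for lines that warrant an alert."""
    alerts, sessions = [], defaultdict(list)    # sessions: user -> [(rt_ms, src_ip)]
    for line in lines:
        ev = parse_cef(line)
        ext = ev["ext"]
        subject = ext.get("duser") or ext.get("suser") or ext.get("dhost", "")
        if ev["name"] in ALERT_RULES:
            severity, response = ALERT_RULES[ev["name"]]
            alerts.append((severity, ev["name"], response, subject))
        if ev["name"] == "PSM Connect":         # correlation: same user, different source, short window
            user, src, rt = ext["suser"], ext["src"], int(ext["rt"])
            other_sites = {s for t, s in sessions[user] if rt - t <= window_ms and s != src}
            if other_sites:
                alerts.append(("Critical", "Concurrent session from multiple locations",
                               "Possible credential compromise", user))
            sessions[user].append((rt, src))
    return alerts


# Constructed sample syslog lines; signature IDs and names are placeholders, not CyberArk's
SAMPLE_LINES = [
    r"CEF:0|CyberArk|Vault|14.0|CONSTRUCTED-001|CPM Change Password Failed|7|suser=PasswordManager duser=SERVER01\\Administrator dhost=server01.corp.example msg=Target rejected the current password",
    r"CEF:0|CyberArk|PSM|14.0|CONSTRUCTED-002|PSM Connect|3|suser=bob src=10.0.1.5 dhost=db-server-01 rt=1772445600000",
    r"CEF:0|CyberArk|PSM|14.0|CONSTRUCTED-002|PSM Connect|3|suser=bob src=198.51.100.23 dhost=db-server-01 rt=1772445690000",
    r"CEF:0|CyberArk|PSM|14.0|CONSTRUCTED-003|PSM Command Blocked|7|suser=bob dhost=db-server-01 msg=Blocked command sudo su -",
    r"CEF:0|CyberArk|Vault|14.0|CONSTRUCTED-004|Vault Backup Failed|9|dhost=vault01 msg=Backup media not reachable",
    r"CEF:0|CyberArk|Vault|14.0|CONSTRUCTED-005|Retrieve Password|2|suser=alice duser=SQLSvc_Prod",
]

if __name__ == "__main__":
    for severity, title, response, subject in triage(SAMPLE_LINES):
        print(f"[{severity}] {title} ({subject}): {response}")
```

The routine credential retrieval on the last line produces no alert, which is the point of a rule table: a SIEM fed with every CyberArk event needs explicit, reviewed rules for the handful that require a response.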

Hands-On Learning Path

This overview page covered CyberArk architecture and concepts. Now put that knowledge into practice:

| Guide | What You Will Learn | Time |
| --- | --- | --- |
| CyberArk Lab Deployment | Set up 4 VMs, deploy Vault, install PVWA/CPM/PSM | 3-4 hours |
| CyberArk First Steps | First login, create safes, configure CPM, LDAP setup | 1-2 hours |
| CyberArk Operations | Onboard accounts, rotate passwords, PSM sessions, AIM | 1-2 hours |

Key Takeaways

  • CyberArk is not a single product — it is a platform of integrated components (Vault, CPM, PSM, AIM, PTA)
  • The Vault is the foundation — all other components depend on the vault’s security and availability
  • CPM automates password hygiene — regular rotation eliminates the risks of static credentials
  • PSM solves the “zero-knowledge” problem — users access targets without ever seeing the password
  • Platform onboarding is the core operational skill — knowing how to add and manage accounts in CyberArk
  • Audit is non-negotiable — CyberArk generates rich audit data; centralise it in a SIEM for continuous monitoring
  • Master password management is critical — losing vault access means losing all privileged credentials