CyberArk Privilege Cloud Version 14.5 introduces new capabilities to improve security, operational efficiency and user experience. This release includes new discovery and session management capabilities, extended support for Azure GovCloud, GCP and CyberArk Identity users, new Central Policy Manager (CPM) plugins and frameworks, and seamless integration with CyberArk Conjur Cloud.
Improvements include:
- Enhancements to Discovery Service
  - Account offboarding insights
  - Enhanced capacity and granularity
- Enhancements to Session Management with Secure Infrastructure Access
  - Locate virtual machine (VM) targets using a search string from the FQDN name
  - Additional connectivity tests for troubleshooting and validations
  - Access Windows targets with zero standing privileges (ZSP) with an ephemeral domain user
  - AWS RDS IAM user authentication for MariaDB, MySQL or PostgreSQL databases with ZSP
  - Simplified authentication and MFA key download
  - Improved visibility with audit events
  - Migrate standalone AWS accounts from SIA and manage your cloud environment with CyberArk
  - Access with ZSP to Azure targets with Azure VMId
- Privilege Cloud Integration with CyberArk Audit Service
- Azure GovCloud Support
- Identity Service User Management Plugin
- Google Cloud Platform (GCP) Connection Component
- Open Database Connectivity (ODBC) Framework
- Conjur Cloud Support
Discovery Service Enhancements
Account offboarding insights
The CyberArk Discovery service can now identify accounts absent from the scanned target. It uses the period of absence to generate a list of recommended accounts for deletion/offboarding from the Privilege Cloud vault. This helps maintain visibility and environmental hygiene.
Recommendations to delete accounts are provided based on the following criteria:
- A discovery mechanism previously identified the account
- The account has not been discovered in any recent discovery scan
- Recent scans have discovered at least one other account from the same target in the last 15 days
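The three criteria above amount to a simple filter over discovery scan results. The following is an added illustration of that filter, not CyberArk's code and not the Discovery service's actual implementation; the scan records, target names and account names are constructed, and the 15-day window is taken from the criteria as stated. The third rule matters for hygiene reviews: an account that vanished because the whole target stopped answering scans is not recommended, only one whose target is still being scanned successfully.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class ScanRecord:
    """One account observed on one target by a discovery scan (constructed shape)."""
    target: str
    account: str
    seen_on: date  # date of the scan that found the account

# Constructed sample scan history (hypothetical targets and accounts).
SAMPLE_SCANS = [
    ScanRecord("srv-db01", "svc_backup", date(2024, 6, 1)),
    ScanRecord("srv-db01", "svc_backup", date(2024, 7, 20)),   # not seen since
    ScanRecord("srv-db01", "admin", date(2024, 8, 28)),        # target still scanned
    ScanRecord("srv-web02", "deploy", date(2024, 7, 25)),      # target went quiet entirely
    ScanRecord("srv-app03", "app_svc", date(2024, 8, 30)),
    ScanRecord("srv-app03", "legacy_ops", date(2024, 8, 25)),
]

def offboarding_candidates(records, today, window_days=15):
    """Return accounts recommended for offboarding review.

    Criteria, as listed in the release notes:
      1. a discovery scan previously identified the account;
      2. the account was not seen in any scan within the recent window;
      3. at least one other account on the same target was seen within the window
         (otherwise the absence may just mean the target is unreachable).
    """
    cutoff = today - timedelta(days=window_days)
    last_seen = {}          # (target, account) -> most recent sighting
    recent_by_target = {}   # target -> accounts seen within the window
    for r in records:
        key = (r.target, r.account)
        if key not in last_seen or r.seen_on > last_seen[key]:
            last_seen[key] = r.seen_on
        if r.seen_on >= cutoff:
            recent_by_target.setdefault(r.target, set()).add(r.account)

    candidates = []
    for (target, account), seen in sorted(last_seen.items()):
        if seen >= cutoff:
            continue  # still being discovered; nothing to do
        others = recent_by_target.get(target, set()) - {account}
        if not others:
            continue  # whole target is silent; do not recommend deletion
        candidates.append({
            "target": target,
            "account": account,
            "last_seen": seen,
            "days_absent": (today - seen).days,
        })
    return candidates

def example_candidates():
    """Run the filter over the constructed history as of a fixed review date."""
    return offboarding_candidates(SAMPLE_SCANS, today=date(2024, 9, 1))

if __name__ == "__main__":
    for c in example_candidates():
        print(f"{c['target']}/{c['account']}: last seen {c['last_seen']}, "
              f"absent {c['days_absent']} days")
```

On the constructed history only srv-db01/svc_backup is recommended: srv-web02/deploy is also absent, but nothing else on srv-web02 has been discovered recently, so the scan data cannot distinguish a removed account from an unreachable host.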
Enhanced capacity and granularity
The CyberArk Discovery service extends its scan coverage and granularity to identify accounts at the Active Directory (AD) level or within specific AD groups for greater precision and focus. This includes:
- Scanning for accounts within specified AD groups to increase flexibility and coverage from the OU level to the AD group level
- Scanning for privileged users at the AD level to extend the existing discovery of accounts on target machines
Session Management Enhancements with the Secure Infrastructure Access (SIA) Component
Locate virtual machine targets using a search string from the FQDN name
When looking for access policies that control access to specific VMs, you can now search for VM targets by a string that is part of the FQDN. This returns the relevant access policies more efficiently and is particularly useful for environments with dynamic naming conventions.
Additional connectivity tests for troubleshooting and validations
With this release, you can easily test the connection from a selected connector to target machines and the SIA backend endpoints. This simplifies troubleshooting connectivity issues and validates network configuration.
Note: This feature is supported only for connectors of version 1.9.X and later.
Access Windows targets with ZSP with an ephemeral domain user
End users can now connect with an ephemeral domain user to access Windows targets on-premises or in the cloud, supporting progress toward zero standing privileges. This ephemeral domain user will be added to an AD group based on the access policy and deleted at the end of the session.
Previously, the SIA component enabled ZSP access to Windows targets only with an ephemeral local user, which was added to a local group on the target and then deleted at the end of the session. Creating ephemeral domain users allows IT users to obtain additional administrative privileges and perform their work more efficiently.
Learn more about setting up ZSP access to Windows targets with an ephemeral domain user.
AWS RDS IAM user authentication for MariaDB, MySQL or PostgreSQL databases with ZSP
In addition to using a local ephemeral user, you can now use AWS IAM database authentication for ZSP access to AWS RDS databases (MariaDB, MySQL and PostgreSQL). This method leverages the benefits of AWS IAM database authentication, such as enhanced security, centralized user management and ease of administration.
Simplified authentication and MFA key download
With this release, users can now connect to multiple Linux targets using a token (SSH MFA key) generated once for all targets and valid for a configurable time frame. Previously, users had to use an SFTP command to generate and download the token; now they can download it directly from the secure access space. This supports the following use cases:
- Users that prefer authenticating in ways that are not supported by native SSH client access
- Users that use native clients that do not support SFTP
Learn more about MFA caching in Linux.
Generating audit events in SIA settings for improved visibility
All changes in the SIA settings now generate audit events that can be viewed on the audit activities page, ensuring detailed monitoring and improved visibility for auditors.
Migrate standalone AWS accounts from SIA and manage your cloud environment with CyberArk services
As previously announced, customers can now migrate standalone AWS accounts from SIA to the administration space, where they can integrate their AWS cloud environments with CyberArk services and manage these connections securely through a centralized view.
Learn more about migrating AWS accounts.
Access with zero standing privileges to Azure targets with Azure VMId
Customers can now connect to Windows and Linux targets in Azure with ZSP using the Azure virtual machine ID (VMId), in addition to connecting by IP address. This allows admins to apply attribute-based access policies to users accessing Azure targets by VMId, improving efficiency and enhancing the customer experience.
Learn more about the recent releases of the SIA component.
CyberArk Privilege Cloud Integration with Audit Service in the Identity Security Platform
With this release, audit events from Privilege Cloud are sent to the CyberArk Identity Security Platform’s Audit service, where auditors can review them alongside events from other CyberArk solutions. This will provide customers with:
- A unified interface for audit across services, improving user experience
- Report export of audit logs to CSV files for easy and efficient review and sharing
- Agentless integration with SIEM system to share audit events, eliminating the need for on-premises agents
Learn more about Privilege Cloud and Audit service integration.
Azure GovCloud Support
CyberArk Privilege Cloud offers a new level of security and efficiency to government operations with enhanced support for Government Cloud (GovCloud) within our Azure Central Policy Manager (CPM) and Privileged Session Management (PSM) components. The Microsoft Azure password management, Microsoft Azure application keys, and Azure cloud services management have been updated to support GovCloud environments fully.
Identity Service User Management Plugin
The CyberArk Identity Service User Management plugin enhances the management of service users within CyberArk Identity. This plugin simplifies user management within a service, reducing manual intervention and minimizing errors.
Google Cloud Platform (GCP) Connection Component
The GCP connection component enhances user management for all GCP IAM users. This new connection component allows customers who manage their GCP IAM users through GCP to connect to GCP from the CyberArk platform. It uses the GCPSamlCertificate platform to securely store the SAML certificate used during the connection, helping organizations better manage access to their Google Cloud resources.
Download the new GCP Connection Component from the CyberArk Marketplace.
Open Database Connectivity (ODBC) Framework
The new Open Database Connectivity (ODBC) framework is optimized for performance and compatibility with modern Oracle platforms.
Supported Oracle Instant Client Versions:
- 21.8: Version 14.5.0 and above.
- 19.8: Version 14.5.0 and above.
Download the new Database Credentials Management Framework - Oracle from the CyberArk Marketplace.
Conjur Cloud support
A new CPM plugin was added for rotating API Keys used by Conjur Cloud hosts/workloads, enabling organizations to securely manage their API keys. For Privilege Cloud customers who also use Conjur Cloud, this ensures that their cloud-based applications operate smoothly and securely within the Conjur ecosystem.
Learn more about the Conjur Cloud plugin.
To learn more about the new features of CyberArk Privilege Cloud, please visit:
- Release notes and documentation
- Upgrade Process for Privilege Cloud Connector
- Component downloads in the CyberArk Marketplace