
CyberArk Deployment Options & Rollout 2026
CyberArk Privilege Cloud hosts the vault and console as SaaS, but you deploy a Connector and endpoint agents in your own network. It is heavier than plain SSO.
CyberArk Deployment verdict
CyberArk Privilege Cloud is a SaaS-plus-connector privileged-access platform.
CyberArk hosts the digital Vault and the PVWA console. You deploy a Connector inside your network so the Central Policy Manager can rotate credentials and the Privileged Session Manager can broker and record isolated sessions.
Plan a CyberArk rollout as a privileged-access program, not a quick SSO switch. The SaaS Privilege Cloud removes the vault-hosting effort. Your real work is elsewhere. You deploy the Connector where it can reach targets, onboard privileged accounts for CPM rotation, then broker and record sessions through PSM, and roll EPM agents to Windows, macOS, Linux endpoints. Size the Connector footprint to your network segmentation, with extra CPMs per network and separate machines for multiple PSM or CPM disaster recovery. Treat the Connector as a security-critical bridge that needs resilience planning. For machine identities and DevOps secrets, automate with CyberArk Secrets Manager as code, using the Terraform provider, the CLI, REST, plus Summon, so application secrets are never hardcoded. Choose CyberArk when you need deep privileged-access control and session auditing. For plain workforce SSO, a lighter IdP is less work.
- It is a SaaS-plus-connector model. The vault and console are hosted, but the Connector and endpoint agents run in your environment and need deployment and resilience planning.
- This is privileged access management, structurally heavier than SSO. Expect a vault, console, rotation, plus session components and per-endpoint agents.
- Machine-identity automation is a separate surface. CyberArk Secrets Manager, or Conjur, handles secrets as code, distinct from the human-PAM appliance.
- Model
- SaaS vault + on-prem Connector
- Components
- Vault, PVWA, CPM, PSM
- Endpoint
- EPM agents (Win/macOS/Linux)
- As code
- Secrets Manager (Conjur)
- Sessions
- PSM isolation + recording
This page covers how CyberArk deploys and is administered. Its compliance posture and pricing live on their own pages.
Deploy CyberArk: commands and config
Point the cyberark/conjur provider at your Secrets Manager; credentials come from environment variables, so no API key sits in the config.
terraform {
required_providers {
conjur = { source = "cyberark/conjur" }
}
}
# CONJUR_APPLIANCE_URL / CONJUR_ACCOUNT /
# CONJUR_AUTHN_LOGIN / CONJUR_AUTHN_API_KEY / CONJUR_CERT_FILE
provider "conjur" {}- The cyberark/conjur provider exposes conjur_secret as a data source and an ephemeral resource (kept out of state)
- Authn types include api-key, JWT and cloud managed identity (ARM client ID)
- Summon and the CLI authenticate the same identity; grant least-privilege on the secret
Real CyberArk commands from the official docs. Pick a task to see what it does, then copy the command.
What you run at each CyberArk layer
| Layer | What you run | Notes |
|---|---|---|
| Delivery model | Privilege Cloud SaaS (Public Cloud) | Vault and console hosted by CyberArk, FedRAMP-listed |
| Customer component | Privilege Cloud Connector | Installed in your environment; reaches targets |
| Vault | Central digital Vault | Stores credentials; PSM fetches from it |
| Console | PVWA web interface | Single console to request, access and manage |
| Connector placement | Co-located or split components | Separate machines for multiple PSM or CPM disaster recovery |
| Infrastructure | Amazon Web Services, with BC/DR | Documented in the trust center |
CyberArk connectors and integration surface
| Integration | Type | Capabilities | Setup |
|---|---|---|---|
| Digital Vault | Credential store | Central encrypted vault · Source of truth for secrets | SaaS-hosted |
| PVWA (web access) | Console | Request, access and manage privileged passwords | SaaS-hosted |
| CPM (Central Policy Manager) | Rotation engine | Automatic password rotation · Multi-network via single Vault | Connector |
| PSM (Privileged Session Manager) | Session broker | Secure and monitor sessions · Session recording to Vault · Session isolation | Connector |
| Endpoint agents (Win/macOS/Linux) | EPM agent | Remove local admin · Least privilege · App control | Per-endpoint install |
| Secrets Manager (Conjur) | Machine secrets | Terraform provider · CLI and REST · Summon injection | As code |
CyberArk rollout plan and risk points
- Start with the hosted control plane (vault and PVWA console) and deploy the Connector into your environment so it can reach targets.
- Onboard privileged accounts to the Vault and let the CPM rotate their passwords, with additional CPMs on different networks all storing into the single Vault.
- Broker and isolate privileged sessions through PSM, which fetches credentials from the Vault and records the session for audit.
- Plan Connector resilience: components are usually co-located, but multiple PSM instances or CPM disaster-recovery solutions are installed on separate machines.
- Roll Endpoint Privilege Manager agents to Windows, macOS and Linux devices as the final layer, removing local admin rights and applying out-of-the-box anti-ransomware policy.
CyberArk Deployment FAQ
How is CyberArk Privilege Cloud deployed?
As a SaaS-plus-connector model. CyberArk hosts the digital Vault and the PVWA web console, and the FedRAMP government offering is classified SaaS on public cloud. You deploy a Privilege Cloud Connector inside your network. The Connector needs access to targets so the Central Policy Manager can rotate passwords and the Privileged Session Manager can broker and isolate sessions. Endpoint Privilege Manager adds agents on Windows, macOS, Linux.
What are the main CyberArk components?
A central Vault stores the credentials. The Password Vault Web Access, or PVWA, is the single web console to request, access, plus manage privileged passwords. The Central Policy Manager rotates passwords and can run across multiple networks into one Vault. The Privileged Session Manager secures, monitors and records privileged sessions, uploading the recordings to the Vault for auditors. Endpoint agents enforce least privilege on the devices themselves.
Can I automate CyberArk secrets as code?
Yes, through CyberArk Secrets Manager, or Conjur. The official cyberark/conjur Terraform provider reads secrets and manages hosts, groups, policy branches, memberships, plus permissions, authenticating with an API key or environment variables. The Conjur CLI and REST API retrieve the same secrets for scripts and pipelines. Summon injects them as environment variables, as in summon terraform apply, so application and DevOps secrets are never hardcoded.
Is there anything to install on-premises?
Yes, the Connector and the endpoint agents. The vault and console are SaaS-hosted, but the Privilege Cloud Connector is installed in your environment to reach targets for password rotation and session isolation. Its components usually sit on one host, though multiple PSM instances or CPM disaster-recovery setups go on separate machines. EPM agents deploy per endpoint across Windows, macOS, Linux.
How much effort is a CyberArk rollout versus SSO?
More. Privileged access management is structurally heavier than single sign-on. You deploy and resilience-plan Connectors, with extra CPMs per network and separate machines for multiple PSM or CPM disaster recovery. You then onboard privileged accounts for rotation, configure session isolation, and roll agents to every endpoint. The SaaS Privilege Cloud removes vault-hosting work, but expect a multi-component program. Choose it when you need deep privileged-access control and session auditing, not just workforce login.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| Cyberark Official | Official product page | July 10, 2026 |
| Cyberark Developer docs | Privilege%20cloud Privcloud Detailed Architecture | July 10, 2026 |
| Cyberark Trust center | Product documentation | July 10, 2026 |
| FedRAMP Marketplace | FedRAMP authorization status | July 10, 2026 |
| Terraform Registry | Conjur Latest | July 10, 2026 |
Every fact on this CyberArk page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore CyberArk
Every page on CyberArk in one place, you are on deployment.
Snapshot, score and verdict
Frameworks covered and what a security review will ask
You are here
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
