CyberArk deployment
★★★★★ 4.5 CE

CyberArk Deployment Options & Rollout 2026

CyberArk Privilege Cloud hosts the vault and console as SaaS, but you deploy a Connector and endpoint agents in your own network. It is heavier than plain SSO.

CyberArk Deployment verdict

Verified today·5 sources checked

CyberArk Privilege Cloud is a SaaS-plus-connector privileged-access platform.

CyberArk hosts the digital Vault and the PVWA console. You deploy a Connector inside your network so the Central Policy Manager can rotate credentials and the Privileged Session Manager can broker and record isolated sessions.

How to roll it out

Plan a CyberArk rollout as a privileged-access program, not a quick SSO switch. The SaaS Privilege Cloud removes the vault-hosting effort. Your real work is elsewhere. You deploy the Connector where it can reach targets, onboard privileged accounts for CPM rotation, then broker and record sessions through PSM, and roll EPM agents to Windows, macOS, Linux endpoints. Size the Connector footprint to your network segmentation, with extra CPMs per network and separate machines for multiple PSM or CPM disaster recovery. Treat the Connector as a security-critical bridge that needs resilience planning. For machine identities and DevOps secrets, automate with CyberArk Secrets Manager as code, using the Terraform provider, the CLI, REST, plus Summon, so application secrets are never hardcoded. Choose CyberArk when you need deep privileged-access control and session auditing. For plain workforce SSO, a lighter IdP is less work.

Honest limits
  • It is a SaaS-plus-connector model. The vault and console are hosted, but the Connector and endpoint agents run in your environment and need deployment and resilience planning.
  • This is privileged access management, structurally heavier than SSO. Expect a vault, console, rotation, plus session components and per-endpoint agents.
  • Machine-identity automation is a separate surface. CyberArk Secrets Manager, or Conjur, handles secrets as code, distinct from the human-PAM appliance.
Model
SaaS vault + on-prem Connector
Components
Vault, PVWA, CPM, PSM
Endpoint
EPM agents (Win/macOS/Linux)
As code
Secrets Manager (Conjur)
Sessions
PSM isolation + recording
View sources

This page covers how CyberArk deploys and is administered. Its compliance posture and pricing live on their own pages.

Deploy CyberArk: commands and config

What you run at each CyberArk layer

LayerWhat you runNotes
Delivery modelPrivilege Cloud SaaS (Public Cloud)Vault and console hosted by CyberArk, FedRAMP-listed
Customer componentPrivilege Cloud ConnectorInstalled in your environment; reaches targets
VaultCentral digital VaultStores credentials; PSM fetches from it
ConsolePVWA web interfaceSingle console to request, access and manage
Connector placementCo-located or split componentsSeparate machines for multiple PSM or CPM disaster recovery
InfrastructureAmazon Web Services, with BC/DRDocumented in the trust center

CyberArk connectors and integration surface

IntegrationTypeCapabilitiesSetup
Digital VaultCredential storeCentral encrypted vault · Source of truth for secretsSaaS-hosted
PVWA (web access)ConsoleRequest, access and manage privileged passwordsSaaS-hosted
CPM (Central Policy Manager)Rotation engineAutomatic password rotation · Multi-network via single VaultConnector
PSM (Privileged Session Manager)Session brokerSecure and monitor sessions · Session recording to Vault · Session isolationConnector
Endpoint agents (Win/macOS/Linux)EPM agentRemove local admin · Least privilege · App controlPer-endpoint install
Secrets Manager (Conjur)Machine secretsTerraform provider · CLI and REST · Summon injectionAs code

CyberArk rollout plan and risk points

  • Start with the hosted control plane (vault and PVWA console) and deploy the Connector into your environment so it can reach targets.
  • Onboard privileged accounts to the Vault and let the CPM rotate their passwords, with additional CPMs on different networks all storing into the single Vault.
  • Broker and isolate privileged sessions through PSM, which fetches credentials from the Vault and records the session for audit.
  • Plan Connector resilience: components are usually co-located, but multiple PSM instances or CPM disaster-recovery solutions are installed on separate machines.
  • Roll Endpoint Privilege Manager agents to Windows, macOS and Linux devices as the final layer, removing local admin rights and applying out-of-the-box anti-ransomware policy.

CyberArk Deployment FAQ

How is CyberArk Privilege Cloud deployed?

As a SaaS-plus-connector model. CyberArk hosts the digital Vault and the PVWA web console, and the FedRAMP government offering is classified SaaS on public cloud. You deploy a Privilege Cloud Connector inside your network. The Connector needs access to targets so the Central Policy Manager can rotate passwords and the Privileged Session Manager can broker and isolate sessions. Endpoint Privilege Manager adds agents on Windows, macOS, Linux.

What are the main CyberArk components?

A central Vault stores the credentials. The Password Vault Web Access, or PVWA, is the single web console to request, access, plus manage privileged passwords. The Central Policy Manager rotates passwords and can run across multiple networks into one Vault. The Privileged Session Manager secures, monitors and records privileged sessions, uploading the recordings to the Vault for auditors. Endpoint agents enforce least privilege on the devices themselves.

Can I automate CyberArk secrets as code?

Yes, through CyberArk Secrets Manager, or Conjur. The official cyberark/conjur Terraform provider reads secrets and manages hosts, groups, policy branches, memberships, plus permissions, authenticating with an API key or environment variables. The Conjur CLI and REST API retrieve the same secrets for scripts and pipelines. Summon injects them as environment variables, as in summon terraform apply, so application and DevOps secrets are never hardcoded.

Is there anything to install on-premises?

Yes, the Connector and the endpoint agents. The vault and console are SaaS-hosted, but the Privilege Cloud Connector is installed in your environment to reach targets for password rotation and session isolation. Its components usually sit on one host, though multiple PSM instances or CPM disaster-recovery setups go on separate machines. EPM agents deploy per endpoint across Windows, macOS, Linux.

How much effort is a CyberArk rollout versus SSO?

More. Privileged access management is structurally heavier than single sign-on. You deploy and resilience-plan Connectors, with extra CPMs per network and separate machines for multiple PSM or CPM disaster recovery. You then onboard privileged accounts for rotation, configure session isolation, and roll agents to every endpoint. The SaaS Privilege Cloud removes vault-hosting work, but expect a multi-component program. Choose it when you need deep privileged-access control and session auditing, not just workforce login.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
Cyberark OfficialOfficial product pageJuly 10, 2026
Cyberark Developer docsPrivilege%20cloud Privcloud Detailed ArchitectureJuly 10, 2026
Cyberark Trust centerProduct documentationJuly 10, 2026
FedRAMP MarketplaceFedRAMP authorization statusJuly 10, 2026
Terraform RegistryConjur LatestJuly 10, 2026

Every fact on this CyberArk page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.