
DATA SHEET

CyberArk Dynamic Privileged Access

The Challenge
Always-on, standing privileged access to infrastructure presents bad actors an opportunity — compromise the
identity or credentials relating to such accounts, then abuse privileged access to steal data or disrupt operations.
Across a hybrid cloud environment, attackers target privileged access to Virtual Machines (VMs) and servers to
achieve goals like exfiltrating PII data and compromising machines hosting critical applications.

All IT environments have built-in system accounts that will always hold persistent permissions and therefore
must be secured to the highest standard. These accounts are best protected with full credential vaulting, isolation and
monitoring of sessions, and thorough approval workflows.

Yet many identities with operational, day-to-day access to infrastructure do not need standing access. This is especially
true with the rapid, high-scale introduction of instances in ephemeral cloud environments, where access is needed only for
the job at hand.

Many solutions for minimizing standing access privileges using the “Just-in-Time (JIT)” paradigm are cumbersome
for end users, as they require the installation of agents on both user workstations and target instances. Implementing
these solutions at scale is a significant challenge.

The Solution
CyberArk Dynamic Privileged Access is a non-intrusive, agentless SaaS solution that provisions JIT access to cloud-
hosted Virtual Machines as well as on-premises servers, reducing the risk of standing access rights. The service
brokers ephemeral sessions based on attribute-based access control policies, enabling organizations to intelligently
provision access based on business requirements.

Dynamic Privileged Access helps organizations efficiently extend Identity Security controls across modern
infrastructure, driving measurable risk reduction and enabling greater cloud adoption. While some system and break-
glass accounts will always require standing access rights, Dynamic Privileged Access can help organizations move
closer to a Zero Standing Privileges (ZSP) approach by minimizing operational standing access.

From day one of implementation, the solution delivers native user experiences while retaining full session isolation
— enabling operational efficiencies for end users (i.e. Linux and Windows administrators, DevOps engineers, or
application owners). Users will be granted VPN-less access to target systems, across both private networks on-
premises and in the cloud.
www.cyberark.com
Operational access is allowed only at specific times and for specific durations, governed by attribute-based access
control (ABAC) policies. Only authorized and validated identities are provisioned access, with a native, MFA-secured
experience via the RDP / SSH client of their choice. They can also natively and securely transfer files to and from
Linux VM targets.

Combined with Privileged Access Manager, Dynamic Privileged Access accelerates Zero Trust initiatives by helping
organizations implement least privilege and reduce risk across the breadth of their modern infrastructure.

How it Works

[Figure: Native SSH / RDP flow with support for modern MFA; SSH and RDP sessions are brokered through a reverse tunnel.]

• The end user initiates an MFA-secured, VPN-less connection request from anywhere in the world, using their
SSH/RDP client of choice to access a server or VM.
• The request flows through the Dynamic Privileged Access service, which performs the authentication directly
with a Directory Service or with any Identity Provider.
• Once the end user is authenticated, there is an authorization step to make sure the user is eligible to access the
requested target using attribute-based access control policies. Each such policy includes the permissions that
will be assigned for access to the target.
• Once the end user is authorized, ephemeral access is created for her on the target. A lightweight connector
within the customer’s environment opens an inbound SSH/RDP session to the target as well as a non-intrusive,
secure reverse tunnel toward the DPA service.
• The end user launches and performs the requested session, while it is isolated and monitored.
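The authorization step above (an ABAC policy deciding whether a validated identity may reach a target, at which time, for how long, and with which permissions) is sketched below as an added example. It is not CyberArk code; the policy fields, attribute names and sample policy are assumptions, and authentication plus MFA are assumed to have already succeeded upstream.

```python
# Added illustrative example (not CyberArk code): an ABAC policy evaluator that
# issues a time-bounded, ephemeral grant. Policy fields and attribute names are
# assumptions; authentication and MFA are assumed to have succeeded upstream.
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Policy:
    name: str
    user_groups: frozenset    # user must belong to at least one of these groups
    target_tags: frozenset    # target must carry every one of these tags
    window_start: time        # access window start (time of day)
    window_end: time          # access window end (time of day)
    max_minutes: int          # hard cap on the ephemeral session length
    permissions: frozenset    # permissions provisioned on the target for the session


@dataclass(frozen=True)
class Grant:
    user: str
    target: str
    permissions: frozenset
    expires_at: datetime
    policy: str               # which policy authorized the grant (for audit)


def evaluate(policies, user, user_groups, target, target_tags, now, requested_minutes):
    """Return a Grant if some policy authorizes the request at `now`, else None.
    The grant never outlives the policy's max_minutes, however much was requested."""
    for p in policies:
        if not (set(user_groups) & p.user_groups):
            continue                                   # wrong role
        if not p.target_tags <= set(target_tags):
            continue                                   # target out of policy scope
        if not (p.window_start <= now.time() <= p.window_end):
            continue                                   # outside the allowed window
        minutes = min(requested_minutes, p.max_minutes)
        return Grant(user, target, p.permissions, now + timedelta(minutes=minutes), p.name)
    return None                                        # default deny


def grant_is_valid(grant, now):
    """Ephemeral access: a grant is only honoured until its expiry."""
    return grant is not None and now < grant.expires_at


# Constructed sample policy: Linux admins may reach production Linux hosts
# during business hours, for at most 60 minutes per session.
POLICIES = [Policy("linux-prod-bizhours", frozenset({"linux-admins"}),
                   frozenset({"env:prod", "os:linux"}), time(8, 0), time(18, 0),
                   60, frozenset({"ssh", "sftp"}))]
```

A request for 120 minutes at 10:00 against this policy yields a grant that expires at 11:00; the same request at 22:00, or against a target lacking the `env:prod` tag, is denied.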

Benefits
• Just-in-Time Privileged Access: Reduce the risk associated with standing access to the IT estate. Minimize
standing access by provisioning access for the right purpose, at the right time. Enforce strong, risk-aware MFA
for each specific identity based on behavioral analytics, progressing Zero Trust security initiatives.
• Native and Secure Connectivity: Native connection support enables end users to leverage their personal
credentials and their preferred RDP or SSH clients.
• Accelerated Time to Value: The solution is seamlessly integrated into CyberArk’s Identity Security Platform
Shared Services, providing unified user management, authentication and simple component deployment.

©Copyright 2022 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of CyberArk
Software. CyberArk ®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and other jurisdictions.
Any other trade and service names are the property of their respective owners. U.S., 06.22. Doc. TSK-1438

CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject to
change without notice.
